Google have announced that use of HTTPS is going to be included as a ranking signal in search results.

This means that sites using SSL or TLS by default will gain a slight boost in their search engine rankings. Google have said that they “may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web”.

It’s part of a significant push, post-Snowden, by Google, IETF, Mozilla and others to improve the default security on the Internet. In late 2013, Chrome and Firefox developers coordinated to ship AES-GCM support and modernise the default cipher suite used by these browsers.

Because Google controls both the client (your web browser) and the servers (YouTube, GMail, Google Search, Google Analytics) they can make security changes and start securing people right away, without waiting for the rest of the world to catch up.

A nearly perfect SSL installation.

This news from Google comes the same week that Mozilla is having a public discussion about labelling plain HTTP as “non secure” or “less secure”. This could potentially turn the lock metaphor on its head, showing an open unlocked padlock on web sites that don’t secure themselves with SSL.

It’s early days for both of these efforts, but it’s never too soon to take your users’ and your own security seriously. iWeb’s FTP hosting platform has been SSL by default for months, and even eCommerce sites like Sample Magic are seeing the trust benefits that always having that lock icon visible brings.

Just having any old cert on any server isn’t enough either. Look at the Qualys Labs report on this certificate for 247 Blinds – it’s a strong certificate with a 2048-bit key, with extended validation, installed on a server running a modern TLS stack, patched against known weaknesses. We will be rolling out changes to get our A- moved to an A soon, too, because iWeb is constantly improving our security posture.

Finally, it’s important to note that these improvements are for sites that are wholly covered by SSL – it’s not enough to just have SSL on your login page, or in the cart. Every page needs to be protected. This closes off almost all of the common security issues that OWASP has identified with SSL deployments, such as the widespread use of insecure cookies.
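
One way to check a page for the gaps described above, as an added example (not iWeb's or OWASP's code): it flags cookies set without the Secure attribute and scripts, images, frames, stylesheets or form targets still referenced over plain HTTP. The shop.example host, the headers and the HTML are constructed sample data.

```python
from html.parser import HTMLParser

# Attributes that load a resource or submit data (navigational <a href> is excluded).
URL_ATTRS = {("script", "src"), ("img", "src"), ("iframe", "src"),
             ("link", "href"), ("form", "action")}


def insecure_cookies(headers):
    """Return names of cookies whose Set-Cookie header lacks the Secure attribute."""
    flagged = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            flagged.append(parts[0].split("=", 1)[0])
    return flagged


class _PlainHttpFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        for attr, value in attrs:
            if (tag, attr) in URL_ATTRS and value and value.lower().startswith("http://"):
                self.found.append((tag, value))


def plain_http_references(html):
    """Return (tag, url) pairs for resources or form targets fetched over plain HTTP."""
    finder = _PlainHttpFinder()
    finder.feed(html)
    return finder.found


# Constructed sample response from a hypothetical shop page served over HTTPS.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "basket=42; Path=/; Secure; HttpOnly"),
]
SAMPLE_HTML = """<html><head><script src="http://shop.example/app.js"></script></head>
<body><img src="https://shop.example/logo.png">
<form action="http://shop.example/cart" method="post"></form>
<a href="http://shop.example/about">About</a></body></html>"""

if __name__ == "__main__":
    print("Cookies without Secure:", insecure_cookies(SAMPLE_HEADERS))
    print("Plain-HTTP references:", plain_http_references(SAMPLE_HTML))
```

On the sample, the session cookie is flagged because it would be sent over any plain HTTP request to the same host, and the script and the cart form are flagged because they leave the encrypted channel even though the page itself is served over HTTPS.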

If you’re interested in TLS to improve your search engine rankings and the security position of your web site, please get in touch.