December 21, 2015 By Douglas Bonderud 2 min read

Google will now prioritize HTTPS pages in search engine results, and according to Threatpost, it will also prefer secure pages even when an HTTP variant exists. It’s a big step forward from just a year ago, when the search giant was testing the waters and looking for outside assistance in finding and indexing secure URLs.

For users, this should mean a safer browsing experience by default, but is this the only impact of the new search ranking rollout?

HTTPS: Five-Letter Security

The secure connection has been making headlines for the better part of a year as some companies embrace the new, more secure standard and others lament the complexity and cost of making the move. For example, initiatives like the Electronic Frontier Foundation-sponsored Let’s Encrypt project is looking to offer free secure certificates. The program has already been cross-CA approved and launched into its beta phase last month. Google was less committal about the secure Web protocol at first, although the search giant did back the EFF’s Everywhere extension, which creates a secure Web connection if no safe alternatives exist.

Now, Google appears to be fully on board with five-letter security. As noted by Search Engine Journal, the search site will index the more secure pages by default even if identical HTTP offerings exist. It will also make HTTPS the priority for connections if both indexed offerings are available.

It’s worth nothing that this isn’t a simple rank boost like the one Google gave the secure protocol back in August 2014. Rather, it’s a deliberate move to depreciate HTTP and take the first steps to pushing it off the Web altogether. Companies running HTTP only won’t see a hit to their ranking — at least at first. But as users become accustomed to the security provided by high-ranking pages, expect pressure to mount on businesses choosing to opt out of available security offerings, especially since new certs will be available for free.

Back and Forth

There’s still some pushback over HTTPS, with some companies unconvinced the per-page security offered is necessary to protect the user experience. Legal challenges have also emerged as the secure protocol makes its way into the mainstream. As noted by The Register, encryption developer CryptoPeak is suing a host of big companies for supposedly infringing on its patent rights by using elliptic curve cryptography. While the lawsuit appears largely baseless, it’s a critical step forward: HTTPS is now popular enough that companies are looking to cash in any way they can.

Ultimately, Google’s preference for HTTPS won’t force developers and companies to use the new standard, and in cases where sites don’t have valid TLS certificates or can’t be crawled by robots.txt, Google’s change won’t apply. But when the front-running search engine decides to throw its support behind five-letter security, the world will take notice. Search is changing, the Web is becoming more secure and HTTPS is quickly becoming the answer to the question instead of an exception to the rule.

More from

SoaPy: Stealthy enumeration of Active Directory environments through ADWS

10 min read - Introduction Over time, both targeted and large-scale enumeration of Active Directory (AD) environments have become increasingly detected due to modern defensive solutions. During our internship at X-Force Red this past summer, we noticed FalconForce’s SOAPHound was becoming popular for enumerating Active Directory environments. This tool brought a new perspective to Active Directory enumeration by performing collection via Active Directory Web Services (ADWS) instead of directly through Lightweight Directory Access Protocol (LDAP) as other AD enumeration tools had in the past.…

Smoltalk: RCE in open source agents

26 min read - Big shoutout to Hugging Face and the smolagents team for their cooperation and quick turnaround for a fix! Introduction Recently, I have been working on a side project to automate some pentest reconnaissance with AI agents. Just after I started this project, Hugging Face announced the release of smolagents, a lightweight framework for building AI agents that implements the methodology described in the ReAct paper, emphasizing reasoning through iterative decision-making. Interestingly, smolagents enables agents to reason and act by generating…

4 ways to bring cybersecurity into your community

4 min read - It’s easy to focus on technology when talking about cybersecurity. However, the best prevention measures rely on the education of those who use technology. Organizations training their employees is the first step. But the industry needs to expand the concept of a culture of cybersecurity and take it from where it currently stands as an organizational responsibility to a global perspective.When every person who uses technology — for work, personal use and school — views cybersecurity as their responsibility, it…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today