
Why are Google Using HTTPS for Website Ranking?

Last updated on April 12th, 2019 by Robert Abela. Filed under WordPress Security Tutorials & Tips

Many think it is unfair, or that there is no need to have all websites running on HTTPS. We look at it from a different angle: as Google said, will it really make the internet a better and more secure place?

A few weeks back Google announced that it will use HTTPS (HTTP over TLS) as a ranking signal, thus encouraging every website owner to run their website on HTTPS. Google took this decision in the hope that one day all of us can have a safer and more secure internet. But even though having every website running on HTTPS is for the common good of the internet, many people questioned Google’s move.

Questioning the Facts: Is HTTPS Necessary for All Websites?

Browsing the internet, you cannot help but notice that a lot of people are complaining about and questioning Google’s decision: why should Google police the internet? Why should static, read-only websites run on HTTPS?

Many think that HTTPS is only used to encrypt the communication between two endpoints, hence it is not needed when browsing read-only websites; it is only needed when submitting sensitive data over the internet, such as credentials or credit card details.

In reality HTTPS has several purposes besides encryption, and Google’s decision makes a lot of sense if we want a safer and more secure internet, as this article explains.

What is the Use of HTTPS?

HTTPS, technically known as Hypertext Transfer Protocol over Secure Sockets Layer, serves three main purposes, all of which are listed in this section.

HTTPS is used for Authentication

When browsing a website over a normal HTTP connection it is not possible to verify the owner of the website, hence there is no guarantee that the website really belongs to the company or brand it claims to represent. On the other hand, if a website is running on HTTPS it is possible to verify the owner of the website from the details in the HTTPS certificate.

When applying for an HTTPS certificate businesses have to provide official documentation and go through a number of verification checks to prove that the business is legitimate and that they own a specific website and domain, hence making it possible to verify the owner of a website from its HTTPS certificate.

If all websites were to run on HTTPS it would be possible for everyone to verify the website owner, thus protecting internet users from a number of attacks. Since most websites still run on HTTP, users cannot and do not verify the website owner, and malicious hackers take advantage of this limitation. They build phishing websites, i.e. websites that look like a legitimate business website, such as an online banking portal, and trick their victims into visiting them. Once the victims visit the phishing site, thinking that it is a legitimate website, they submit their online banking details, which are then recorded by the phishing website for the attacker to use.
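To make "the details in the HTTPS certificate" concrete, the following added example (not part of the original article) reads the owner-related fields from a certificate in the dictionary form that Python's `ssl.SSLSocket.getpeercert()` returns. The certificate contents, host names and the helper names `rdn_value`, `san_matches` and `describe_owner` are constructed for illustration.

```python
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns;
# every name and date below is made up for this example.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Bank Inc."),),
                (("commonName", "www.bank.example"),)),
    "issuer": ((("organizationName", "Example CA"),),
               (("commonName", "Example CA Issuing R1"),)),
    "notBefore": "Jan 15 00:00:00 2019 GMT",
    "notAfter": "Jan 15 00:00:00 2020 GMT",
    "subjectAltName": (("DNS", "www.bank.example"), ("DNS", "*.bank.example")),
}

def rdn_value(name, key):
    """Return the first value of `key` in a subject/issuer name, or None."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None

def san_matches(pattern, host):
    """Match one DNS entry; '*' stands for exactly one left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    return (p[0] == "*" or p[0] == h[0]) and p[1:] == h[1:]

def describe_owner(cert, host, now):
    """Summarise what the certificate says about who runs `host`."""
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        # None when the certificate names only a domain, not an organization
        "organization": rdn_value(cert["subject"], "organizationName"),
        "issuer": rdn_value(cert["issuer"], "organizationName"),
        "host_covered": any(san_matches(s, host) for s in sans),
        "in_validity_period": start <= now <= end,
    }

if __name__ == "__main__":
    now = ssl.cert_time_to_seconds("Apr 12 00:00:00 2019 GMT")
    print(describe_owner(SAMPLE_CERT, "login.bank.example", now))
    # A look-alike host name is not covered by this certificate.
    print(describe_owner(SAMPLE_CERT, "www.bank-example.test", now))
```

A result with `organization` set to `None` means the certificate vouches only for the domain name, so the owner's identity has to be judged from the domain itself.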

HTTPS is used to Encrypt Communication

When browsing a website over HTTPS the communication between your browser and the website is encrypted; it cannot be read by third parties even if captured, thus ensuring privacy. Encryption should ALWAYS be available, even when browsing read-only / static websites. If the communication is not encrypted, it is possible for a third party to monitor your activity. And by monitoring your activity an attacker can build a wealth of information about your browsing intentions, making you an easier target.

For example, if the attacker notices that you are looking for something specific, he or she can easily trick you into a phishing attack. For those who are not familiar with the term, a phishing attack is the activity of defrauding an online account holder of financial information by posing as a legitimate company.

Therefore, by encrypting all communication, even when browsing read-only and static websites, you are actually improving your privacy and making it more difficult for attackers to target you.

HTTPS Ensures Data Integrity

When browsing a website over a normal unencrypted HTTP connection your data can be captured by third parties and modified in transit, hence it is not possible to guarantee that the data you received is legitimate. Such attacks could lead to misinformation and make it easier for attackers to craft an attack against you. On the other hand, when browsing a website over an HTTPS connection the communication between the website and the visitor’s web browser is encrypted. Therefore if such data is captured it cannot be tampered with, ensuring data integrity.

Ensuring that the data that reached you has not been tampered with is very important, even when browsing a read-only / static website. For example, if you are following a guide to set up your VPN client, how can you make sure that the guide you are reading was written by the developer and not by a malicious hacker who has written the guide to fool users into connecting to his server? It is only possible to verify that if the website is running on HTTPS.

Does HTTPS Make a Better and More Secure Internet?

Yes – if every website runs on HTTPS the internet will be a better, safer and more secure place. There will be fewer attack opportunities for malicious hackers to exploit. By encrypting all communication internet users can also better protect their own privacy and can verify that the content they are reading is legitimate, and the data has not been tampered with.

So were Google right to enforce HTTPS on every website? Yes they were, although technically speaking they never forced anyone; they are just telling webmasters that if they want to keep ranking well in search engine results they should implement HTTPS. It is all for the common good.


4 comments

Damon Gant 25/08/2014

I missed the part that said CAs are a useless ripoff, where did you write that?

And of course there’s still sslstrip which works nicely around “enforced TLS” by rewriting requests as long as users don’t bookmark the TLS version.

Robert Abela 25/08/2014

lol good one Damon.

Some of the CAs are indeed a ripoff. It is funny how prices vary from $30 to hundreds of dollars a year for a simple certificate. Considering it is a yearly payment they can reduce the price tag a bit!

As regards SSL stripping, yes unfortunately it is still widely popular and still being exploited, though there is a resolution for it. The problem as usual is the weakest link, we humans, in this case web masters. They are taking way too much time to adopt the resolution.

Jeff Huckaby 26/08/2014

Actually, I think switching to HTTPS will have little impact on WP exploits.

Most WP exploits are XSS, file upload vulnerabilities and similar code-level issues. Since these actions happen server-side, the HTTP protocol is irrelevant to payload delivery.

Certainly privacy may be enhanced by reducing the ability to sniff data openly, but this will have little impact on most WP attacks.

A nasty side effect of Google’s move is that they are contributing to the cert industry’s effort to make security a marketing feature rather than a security necessity.

Similar to the EV-SSL, this will encourage people to improperly deploy HTTPS.

This can already be seen by Cloudflare’s move to offer a free, turn-key way to enable HTTPS. They are offering a “flexible ssl” service that only encrypts the client-proxy communications while the backend communications remain unencrypted.

Robert Abela 27/08/2014

Hi Jeff,

Thanks for your comments.

I agree with you that HTTPS won’t improve the state of WP problems, not even of the security state of all other web applications. In fact as the article explains all the advantages are for the end user (the website visitor) hence nothing will improve in terms of security for web applications.

As regards marketing security, yes I agree with you but unless someone like Google does so, no one will even bother about HTTPS.
