Internet giant Google is to adjust its search ranking algorithms to favour HTTPS encrypted websites over and above non-encrypted HTTP websites.
“Specifically, we’ll start crawling HTTPS equivalents of HTTP pages, even when the former are not linked to from any page,” announced Google in a blog posting. It continued: “When two URLs from the same domain appear to have the same content but are served over different protocol schemes, we’ll typically choose to index the HTTPS URL.”
There are a number of caveats attached to the move, it continued. The HTTPS URL will be chosen if:
It doesn’t contain insecure dependencies;
It isn’t blocked from crawling by robots.txt;
It doesn’t redirect users to or through an insecure HTTP page;
It doesn’t have a rel="canonical" link to the HTTP page;
It doesn’t contain a noindex robots meta tag;
It doesn’t have on-host outlinks to HTTP URLs;
The sitemap lists the HTTPS URL, or doesn’t list the HTTP version of the URL;
The server has a valid TLS certificate.
“Browsing the web should be a private experience between the user and the website, and must not be subject to eavesdropping, man-in-the-middle attacks, or data modification. This is why we’ve been strongly promoting HTTPS everywhere…
“By showing users HTTPS pages in our search results, we’re hoping to decrease the risk for users to browse a website over an insecure connection and making themselves vulnerable to content injection attacks,” it concluded.
At the same time, Google has also joined Mozilla, producer of the Firefox web browser, and Microsoft in pushing for an early phase-out of the SHA-1 certificate hashing function. According to reports, Google is planning on banning certificates signed with SHA-1 from 1 July 2016.
The move brings forward the retirement of SHA-1 by six months.
“In line with Microsoft Edge and Mozilla Firefox, the target date for this step is January 1, 2017, but we are considering moving it earlier to July 1, 2016 in light of ongoing research,” wrote Google Chrome’s Lucas Garron and David Benjamin in a blog post on Friday. “We therefore urge sites to replace any remaining SHA-1 certificates as soon as possible.”