December 21, 2015 By Douglas Bonderud 2 min read

Google will now prioritize HTTPS pages in search engine results, and according to Threatpost, it will also prefer secure pages even when an HTTP variant exists. It’s a big step forward from just a year ago, when the search giant was testing the waters and looking for outside assistance in finding and indexing secure URLs.

For users, this should mean a safer browsing experience by default, but is this the only impact of the new search ranking rollout?

HTTPS: Five-Letter Security

The secure connection has been making headlines for the better part of a year as some companies embrace the new, more secure standard and others lament the complexity and cost of making the move. For example, initiatives like the Electronic Frontier Foundation-sponsored Let’s Encrypt project is looking to offer free secure certificates. The program has already been cross-CA approved and launched into its beta phase last month. Google was less committal about the secure Web protocol at first, although the search giant did back the EFF’s Everywhere extension, which creates a secure Web connection if no safe alternatives exist.

Now, Google appears to be fully on board with five-letter security. As noted by Search Engine Journal, the search site will index the more secure pages by default even if identical HTTP offerings exist. It will also make HTTPS the priority for connections if both indexed offerings are available.

It’s worth nothing that this isn’t a simple rank boost like the one Google gave the secure protocol back in August 2014. Rather, it’s a deliberate move to depreciate HTTP and take the first steps to pushing it off the Web altogether. Companies running HTTP only won’t see a hit to their ranking — at least at first. But as users become accustomed to the security provided by high-ranking pages, expect pressure to mount on businesses choosing to opt out of available security offerings, especially since new certs will be available for free.

Back and Forth

There’s still some pushback over HTTPS, with some companies unconvinced the per-page security offered is necessary to protect the user experience. Legal challenges have also emerged as the secure protocol makes its way into the mainstream. As noted by The Register, encryption developer CryptoPeak is suing a host of big companies for supposedly infringing on its patent rights by using elliptic curve cryptography. While the lawsuit appears largely baseless, it’s a critical step forward: HTTPS is now popular enough that companies are looking to cash in any way they can.

Ultimately, Google’s preference for HTTPS won’t force developers and companies to use the new standard, and in cases where sites don’t have valid TLS certificates or can’t be crawled by robots.txt, Google’s change won’t apply. But when the front-running search engine decides to throw its support behind five-letter security, the world will take notice. Search is changing, the Web is becoming more secure and HTTPS is quickly becoming the answer to the question instead of an exception to the rule.

More from

Cyberattack on American Water: A warning to critical infrastructure

3 min read - American Water, the largest publicly traded United States water and wastewater utility, recently experienced a cybersecurity incident that forced the company to disconnect key systems, including its customer billing platform. As the company’s investigation continues, there are growing concerns about the vulnerabilities that persist in the water sector, which has increasingly become a target for cyberattacks. The breach is a stark reminder of the critical infrastructure risks that have long plagued the industry. While the water utility has confirmed that…

What’s behind unchecked CVE proliferation, and what to do about it

4 min read - The volume of Common Vulnerabilities and Exposures (CVEs) has reached staggering levels, placing immense pressure on organizations' cyber defenses. According to SecurityScorecard, there were 29,000 vulnerabilities recorded in 2023, and by mid-2024, nearly 27,500 had already been identified.Meanwhile, Coalition's 2024 Cyber Threat Index forecasts that the total number of CVEs for 2024 will hit 34,888—a 25% increase compared to the previous year. This upward trend presents a significant challenge for organizations trying to manage vulnerabilities and mitigate potential exploits.What’s behind…

Quishing: A growing threat hiding in plain sight

4 min read - Our mobile devices go everywhere we go, and we can use them for almost anything. For businesses, the accessibility of mobile devices has also made it easier to create more interactive ways to introduce new products and services while improving user experiences across different industries. Quick-response (QR) codes are a good example of this in action and help mobile devices quickly navigate to web pages or install new software by simply scanning an image.However, legitimate organizations aren’t the only ones…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today