
HTTPS as a ranking signal - cleverjake
http://googleonlinesecurity.blogspot.com/2014/08/https-as-ranking-signal_6.html
======
pierrefar
I was involved in this launch and I want to address a very common
misconception I'm seeing here and elsewhere.

Some webmasters say they have "just a content site", like a blog, and that
doesn't need to be secured. That misses out two immediate benefits you get as
a site owner:

1. Data integrity: only by serving securely can you guarantee that someone is
not altering how your content is received by your users. How many times have
you accessed a site on an open network or from a hotel and got unexpected ads?
This is a very visible manifestation of the issue, but it can be much more
subtle.

2. Authentication: How can users trust that the site is really the one it
says it is? Imagine you're a content site that gives financial or medical
advice. If I operated such a site, I'd really want to tell my readers that the
advice they're reading is genuinely mine and not someone else pretending to be
me.

On top of these, your users get obvious (and not-so-obvious) benefits. Myself
and fellow Googler and HNer Ilya Grigorik did a talk at Google I/O a few weeks
ago that talks about these and a lot more in great detail:

[https://www.youtube.com/watch?v=cBhZ6S0PFCY](https://www.youtube.com/watch?v=cBhZ6S0PFCY)

~~~
radmuzom
In my country, the cost of an SSL certificate is around 60% of my hosting
costs, per year. I run a low-traffic blog with comments disabled, so users do
not "interact" with the site in any way - except consume the content. I don't
see any benefit from this.

~~~
lazylizard
[https://www.startssl.com/?app=1](https://www.startssl.com/?app=1) and
[https://www.namecheap.com/campaigns/2014/reset-the-net.aspx](https://www.namecheap.com/campaigns/2014/reset-the-net.aspx) ???

~~~
spain
StartSSL is pretty harmful as evidenced by the events after Heartbleed. The
certificates are free but they charge you to revoke them, and after we found
out about Heartbleed and realized a lot of those free certs were compromised a
lot of people refused to pay up for their free keys and continue using the
compromised ones. What's more is that StartSSL refused to do the right thing
and revoke them, leading a lot of folks to even go as far as petitioning to
remove StartSSL from Firefox's Certificate Authorities because any given site
using their free certs could be compromised. [0]

[0] [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=744027](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=744027)

~~~
ayrx
Erm... Heartbleed has absolutely _nothing_ to do with what version of OpenSSL
you use to _generate_ the cert.

~~~
EwanToo
No, but if your SSL certificate has been exposed by Heartbleed, it would be
sensible to revoke that certificate to prevent potential spoofing attacks,
wouldn't it?

StartSSL charge you for revoking that exposed certificate, so your choices are
you pay for the revocation, or wait until the certificate expires.

~~~
dspillett
In their defence, their treatment of revocation requests is made quite plain
in their policies, and any Heartbleed exposure was not their fault (their
signing certs were not affected IIRC).

Now if there _had_ been a problem with their signing certificates _then_ I
would have expected them to revoke anything affected for free and offer
replacements similarly at no cost.

OK, they could have done that anyway (or perhaps offered a discount on the
revoke charge) as a goodwill gesture, but they didn't, so what.

~~~
Joeboy
Leaving aside the question of whether their response was reasonable (I see the
arguments either way), it turned out that using their service to secure your
website was not free.

~~~
dspillett
_> it turned out that using their service to secure your website was not free_

All they claim is to provide free certificates for non-commercial use, and
that they do provide. If people read something else into that it isn't because
they were deliberately led to.

Though many people picking up a cert without really knowing the infrastructure
won't know about revocation infrastructure and such, so they might have misled
themselves by not having read the Ts&Cs.

------
Smerity
Considering the importance of HTTPS to, in Google's words, "[making the]
Internet safer more broadly", this seems like a good time to again suggest
that Google enable HTTPS for Google Analytics by default[1].

Google Analytics is on 50.8% of the top million domains on the Internet, and
on 26.96% of a randomly selected 48.5 million domains[1]. Of the 42 billion
links analyzed in my research, over 48% of them had Google Analytics on either
the start or the end. That's a lot of information leakage.

Anyone who is eavesdropping on HTTP connections to the Google Analytics
endpoints can observe a web user's traffic history trivially. This enables
simple mass surveillance by specifically looking for these connections and
recording them. HTTPS would prevent that.

I should note, whilst there is an option to specifically force SSL in the new
Google Analytics[2], it must be enabled by default in order to have a positive
impact. We can't rely on the owners of millions of domains to upgrade to
ensure an end user's privacy.

[1]:
[http://smerity.com/articles/2013/google_analytics_and_nsa.ht...](http://smerity.com/articles/2013/google_analytics_and_nsa.html)

[2]:
[https://developers.google.com/analytics/devguides/collection...](https://developers.google.com/analytics/devguides/collection/analyticsjs/field-reference#forceSSL)

~~~
madaxe_again
Sorry to jump in with a tangential reply, but BEWARE of the following!

Google treat the http and https versions of a domain as SEPARATE PROPERTIES.
This means that even if you 301 every http page to https when you transition,
all of your current rankings and pagerank will be irrelevant.

You can verify this behaviour for yourself in webmaster tools.

I suppose this is because it's possible to serve up different content on
http/s, but really, who does that?!

In short, don't do this until google rethink their stance on what counts as a
property. I'm currently nursing a client with a 30% revenue hole as a result
of this.

~~~
pierrefar
> Google treat the http and https versions of a domain as SEPARATE PROPERTIES.

That's not quite accurate. It's on a per-URL basis, not properties. Webmaster
Tools asks you to verify the different _sites_ (HTTP/HTTPS, www/non-www)
separately because they can be very different. And yes I've personally seen a
few cases - one somewhat strange example bluntly chides their users when they
visit the HTTP site and tells them to visit the site again as HTTPS.

> This means that even if you 301 every http page to https when you
> transition, all of your current rankings and pagerank will be irrelevant.

That's not true. If you correctly redirect and do other details correctly (no
mixed content, no inconsistent rel=canonical links, and everything else
mentioned in the I/O video I referenced), then our algos will consolidate the
indexing properties onto the HTTPS URLs. This is just another example of
correctly setting up canonicalization.

By the way, if you're moving to HTTPS, following our site moves guidelines:

[https://support.google.com/webmasters/topic/6033102?hl=en&re...](https://support.google.com/webmasters/topic/6033102?hl=en&ref_topic=6029673)

specifically, the site moves with URL changes:

[https://support.google.com/webmasters/answer/6033049?hl=en&r...](https://support.google.com/webmasters/answer/6033049?hl=en&ref_topic=6033084)

But you did say you have a client with an issue. I suspect they either
implemented the move to HTTPS incorrectly or something else is going on.
Please ask for more help at our forums:

[https://productforums.google.com/forum/#!categories/webmaste...](https://productforums.google.com/forum/#!categories/webmasters)
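The three things named above (a correct 301 to the HTTPS URL, no mixed content, and a rel=canonical that already names the HTTPS URL) are easy to check offline. The following is an added example, not code from the thread or from Google; it parses constructed sample responses with the standard library only, and `example.test` is a placeholder hostname.

```python
"""Offline audit of an HTTP-to-HTTPS site move.

Checks a permanent redirect from the HTTP URL to its HTTPS twin, flags
resources on the HTTPS page that would still load over http:// (mixed
content), and confirms rel=canonical points at the HTTPS URL. All inputs
are constructed sample responses; nothing is fetched.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit


class _AssetCollector(HTMLParser):
    """Collects resource URLs and the rel=canonical href from an HTML document."""

    RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src",
                      "link": "href", "source": "src", "video": "src", "audio": "src"}

    def __init__(self):
        super().__init__()
        self.resources = []
        self.canonical = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and (attrs.get("rel") or "").lower() == "canonical":
            self.canonical = attrs.get("href")
            return
        attr = self.RESOURCE_ATTRS.get(tag)
        if attr and attrs.get(attr):
            self.resources.append(attrs[attr])


def https_twin(http_url):
    """The same URL with the scheme swapped to https."""
    return urlunsplit(urlsplit(http_url)._replace(scheme="https"))


def check_redirect(http_url, status, headers):
    """True only for a 301 whose Location is exactly the HTTPS twin of the URL."""
    if status != 301:
        return False
    return headers.get("Location", "") == https_twin(http_url)


def find_mixed_content(html):
    """Return resource URLs that would still be fetched over plain HTTP."""
    p = _AssetCollector()
    p.feed(html)
    return [u for u in p.resources if u.lower().startswith("http://")]


def canonical_is_https(html, expected_https_url):
    """True when the page's rel=canonical names the expected HTTPS URL."""
    p = _AssetCollector()
    p.feed(html)
    return p.canonical == expected_https_url


def audit_page(http_url, redirect_status, redirect_headers, https_html):
    """Combine the three checks into one report for a single URL pair."""
    return {
        "redirect_ok": check_redirect(http_url, redirect_status, redirect_headers),
        "mixed_content": find_mixed_content(https_html),
        "canonical_ok": canonical_is_https(https_html, https_twin(http_url)),
    }


# Constructed sample pages: one migrated correctly, one with the usual mistakes.
SAMPLE_HTML_GOOD = """<html><head>
<link rel="canonical" href="https://example.test/page">
<script src="https://example.test/app.js"></script>
<img src="/logo.png"></head><body></body></html>"""

SAMPLE_HTML_BAD = """<html><head>
<link rel="canonical" href="http://example.test/page">
<script src="http://cdn.example.test/app.js"></script>
<img src="http://example.test/logo.png"></head><body></body></html>"""

if __name__ == "__main__":
    print(audit_page("http://example.test/page", 301,
                     {"Location": "https://example.test/page"}, SAMPLE_HTML_GOOD))
    print(audit_page("http://example.test/page", 302,
                     {"Location": "https://example.test/page"}, SAMPLE_HTML_BAD))
```

Run against real pages by feeding in the status, headers and body you fetched for each URL; a 302 or a Location that lands somewhere other than the exact HTTPS twin is the kind of detail that keeps the two URL sets from being consolidated.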

~~~
madaxe_again
Nope, we followed the instructions to a tee. Straight 301 redirects from
http to https, appropriate canonicals on all pages referencing https, and
their SEO has seemingly started from scratch - used to be in position 1 for a
variety of important keywords and searches, now they're beyond page 10.

Oh, and you _can't_ do a change of address from
[http://www.whatever.com](http://www.whatever.com) to
[https://www.whatever.com](https://www.whatever.com) - you don't allow it!

~~~
pierrefar
This suggests something else is going on. Please post in the forums with the
site details.

~~~
madaxe_again
Done. Thanks.

------
hosay123
I'm sorry, but this simply isn't something a search engine should be
dictating. Turning enabling SSL into some arms race that panics small
businesses into buying millions of new, pointless certificates just isn't very
fair.

This kind of policy needs to be discussed openly in a suitable forum, e.g. the
IETF, not handed down to us by a single company who think they have a right to
dictate how the Internet works - and have provably done a horrible job of it
in the past (websocket over SPDY, anyone? Yeah, I'm not even sure which
version combination of SPDY and websocket I'm talking about either - pick one
of the hundred)

There are strong arguments for not enabling privacy by default - not least
since it prevents any kind of decentralization or caching of content. At a
time when OpenSSL just suffered one of its worst bugs in history, forcing
small sites to assume the risk of running code like this, which they
inevitably will get wrong, _materially worsens security for all_ , it doesn't
improve it.

~~~
icebraining
_This kind of policy needs to be discussed openly in a suitable forum, e.g.
the IETF, not handed down to us by a single company who think they have a
right to dictate how the Internet works_

I don't see how is this any different from any other signal that Google uses
to prioritize sites. Forcing small businesses to buy certificates doesn't seem
any different than forcing them to have faster websites, for example.

There's an argument for more diversity in search engines, but I don't see how
is that specific to this signal.

_There are strong arguments for not enabling privacy by default - not least
since it prevents any kind of decentralization or caching of content._

How does it prevent decentralization?

_At a time when OpenSSL just suffered one of its worst bugs in history,
forcing small sites to assume the risk of running code like this, which they
inevitably will get wrong, materially worsens security for all, it doesn't
improve it._

How many people could exploit Heartbleed before it was publicly announced,
compared to how many could sniff traffic on open networks, as countless
tutorials explain how to do?

Heartbleed was bad, and OpenSSL is a mess, but let's pretend that unencrypted
logins are somehow less bad.

~~~
julioademar
> I don't see how is this any different from any other signal that Google uses
> to prioritize sites. «Oh, they're screwing up before, too? Then I guess it's
> alright»

> How does it prevent decentralization? Because only a handful of companies
> can issue certificates.

~~~
icebraining
_«Oh, they're screwing up before, too? Then I guess it's alright»_

How is it screwing up? How are they supposed to run a search engine without
prioritizing? "Here's 30000 results, we've randomly sorted them for you"?

_Because only a handful of companies can issue certificates._

Fair enough.

~~~
julioademar
Apologies, I haven't made myself clear with that idiotic of a snarky remark :)
What I meant is that their actions in the past shouldn't be an excuse to their
actions today.

The principles behind PageRank are based on unbiased reputation, and provide
for a good ranking system (spammers aside). Whatever's thrown on top needs to
be carefully considered not to enforce biases towards any group in particular.

------
sorbits
Would be more awesome if they offered free certificates and an API to renew
them.

Right now enabling https is not a one-time investment, since a new certificate
has to be requested and installed each time the old one expires.

Computers are supposed to bring down cost and automate tedious tasks, for
https the opposite is the case.

It’s worth mentioning that
[https://www.startssl.com/](https://www.startssl.com/) does offer free
certificates. But without a paid account they last only a year and cannot be
issued to wildcard domains, so you quickly end up with a lot of certificates
that have to be manually renewed each year.

~~~
diafygi
What about a kickstarter to subsidize SSL costs? Or how about one to buy a
root CA and make it free?

~~~
icebraining
There is already a community-driven CA:
[http://www.cacert.org/](http://www.cacert.org/)

The problem is that it's not only about money. You need to follow certain
procedures or browsers and OSs won't include your root certificate.

~~~
iancarroll
I don't think anyone has confidence in CACert anymore. IIRC they bombed their
internal audit...

------
wtbob
My issue with SSL everywhere is that I have to effectively buy my domain
twice: once for the domain, and one again for the certificate. My registrar
should give me a wildcard certificate good for the time I've paid for my
domain.

~~~
drdaeman
Maybe because there isn't much demand for that, yet.

Shall the transition come and we'd all perceive HTTPS as a default, it's very
likely registrars would also offer certificate signing.

~~~
tootie
The price wars for domain registration pushed the cost way down over the past
few years. Certs are starting to move in the same direction. As volume picks
up, they can cut margins. And some guys will start to treat it as a baseline
feature and not a buy-up.

------
ckuehl
I'm interested in statistics (especially from websites with non-technical and
international audiences) about what percent of visitors are using
browsers/devices that don't support SNI.

I don't know how representative this is, but it looks like StatCounter Global
Stats [1] says that slightly over 10% of recorded visitors are still using
Windows XP, and many of these users won't have SNI support.

Small websites without strict security requirements often use shared hosting,
where SNI is the only practical way to implement HTTPS. Alienating something
like 10% of visitors with a security warning is probably not desirable. I
imagine this could be a not insignificant roadblock to widespread SSL adoption
on small websites, but would like to see more detailed stats.

[1] [http://gs.statcounter.com/#os-ww-monthly-201307-201407](http://gs.statcounter.com/#os-ww-monthly-201307-201407)

~~~
eli
[http://www.utilitydive.com/](http://www.utilitydive.com/) is a US-based news
site for the electric utility industry. About 4.5% of visitors are on Win XP
and most of those people are using XP. It's trending down pretty sharply; it
was nearly twice that at the start of the year.

------
maj0rhn
I don't get it. I have a website that is purely content and available to
everyone. It has no user accounts, no sign-ups, no nothing but static pages.
Why should I use HTTPS for that? To prevent man-in-the-middle attacks?

~~~
nemesisj
Using HTTPS will let you know if the website you're visiting is being messed
with by a company, country, or regionally controlled firewall or content
filter. If someone operating one of these filters took issue with your site,
they could block certain content and users wouldn't necessarily know that it's
happening.

------
hardmath123
Usefulness of SSL aside, is anyone else terrified that Google can essentially
dictate what it wants developers to do, with low search rankings as the
penalty for not following them? In my opinion, this sets a scary precedent.

~~~
jenscow
Yes. Fortunately, they're doing it in the name of improving the web.

So far.

------
jasonkester
Makes sense. The reason SEO spam is effective is because it's so cheap to get
a new site (or ten thousand new sites) up and running. If you make that cost
$50 per domain for the ssl cert, that will help ensure all those sites sift
nicely down to the bottom of the rankings.

Bonus points if they allow a single bad site to tarnish the reputation of all
sites under a multi-domain cert.

We could have had this from the start if domain names weren't essentially free
via domain tasting. But hey, better late than never.

~~~
tristanperry
I do agree, however remember that you can get SSL certs from $9 (e.g. from
NameCheap). You might be able to pay lower if you shop around too.

Also even if it was used as a fairly strong ranking signal, if Google still
approach their rankings like they do now, spammers might still have sufficient
ranking 'weight' to overcome a lack of SSL certificate.

~~~
ldng
Don't forget you have to manage your certs. It's an extra burden.

Let's say I am a freelancer and I make websites for small restaurants. Until
now I could make a website with a front page, menu and gallery, put it on a
server, be done with it and collect a monthly fee.

Now you have to manage the cert, that is to say, every year re-issue a new
cert and invalidate the old one. It adds costs, without much if any benefit
for some classes of websites.

~~~
cmg
I'm a freelance web developer for dozens of restaurants. They pay for the
site, then a yearly hosting fee every year after launch. They get a basic CMS
so they can update their hours/menus/etc.

I host all their sites on a few VPS servers. Some of my contracts require
support for IE 7 or IE 8 on Windows XP, and those browsers don't support SNI.
So in addition to what you've mentioned - maintaining certificates and losing
more of what little money I make on hosting (I basically charge a small % of
the VPS cost plus a few hours' worth of work), I now will need to figure out
another solution. It seems like a waste to spin up a new VPS for each site
that requires XP support.

Clients look at the <10% of visitors coming from Safari and IE7+8 on XP and
say "those are potential customers." It's difficult to argue with that.

For now though, I'm going to do nothing new. All indications are that HTTPS is
going to be maybe 1% of the ranking, and I know my market well enough that the
sites rank highly for local searches - which is the important part. They're
responsive and they've all got social media presences, so until SSL is more
important for PageRank, I'll wait it out.

~~~
ldng
A few people I've talked with told me the same. For now they won't care. But
as a friend told me, if too many clients start to ask for it, it will be
trouble for him.

But this is to be kept in mind: "But over time, we may decide to strengthen
it, because we’d like to encourage all website owners to switch from HTTP to
HTTPS to keep everyone safe on the web."

------
Scoundreller
Google has a strong case to have HTTPS implemented:

It prevents ISPs etc. from being able to profile your traffic, but not
Google's, since you're probably visiting a site with Adsense or Analytics
running on it anyway.

Through HTTPS, Google is the only one with a profile of your traffic, and your
ISP is no longer a competitor to them.

~~~
lauradhamilton
Hm. I think this is the real answer.

------
Tomte
It probably bugs me the way it does, because this "signal" has nothing to do
with the contents or the usability of the web site (unlike speed, validity of
HTML or, well, content itself), but is purely a "we just think you should do
X" situation.

~~~
x1798DE
I would definitely prefer to use a site that supports HTTPS over HTTP. For
personal safety reasons in addition to privacy and general welfare of the web.

If you're searching for something and roughly the same content is available at
safedomain.com vs. notoriouslysketchy.ru, I'd think you'd prefer to be shown
the former above the latter. I don't see how this is much different.

------
thejosh
We recently changed our existing clients site to 100% SSL when we launched
their new site.

If only webmasters had an option to change http:// to https://, the entire
move would have been slightly easier, as "fetch as googlebot" returns
"redirect" since we redirect http:// to https://.

Apart from that, we've had no ranking loss for their keywords.

~~~
dsl
Take a look at HSTS. It effectively tells clients to try HTTPS first when a
user types in your domain.

[http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security](http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security)
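As an added illustration of what the header does on the client side (example code, not from the thread or from any browser): the parser below follows the directive rules of RFC 6797, and the small store models the per-host cache a browser keeps. It also shows the two limits raised further down this thread, that the cache is empty until the first HTTPS visit unless the host is preloaded, and that a policy only counts when it arrived over HTTPS. Hostnames and the clock are constructed.

```python
"""Strict-Transport-Security (RFC 6797) as a browser applies it.

parse_hsts() turns the header value into a policy or rejects it; HstsStore is
the known-HSTS-hosts cache, optionally seeded with a preload list; upgrade_url()
is the rewrite a browser does before it even opens a connection.
"""
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header_value):
    """Return {max_age, include_subdomains, preload} or None for a header a UA must ignore."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            return None                       # a repeated directive invalidates the header
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # unrecognised directives are ignored
    if policy["max_age"] is None:
        return None                           # max-age is required
    return policy


class HstsStore:
    """Per-host HSTS cache. Preloaded hosts never expire; learned ones do."""

    def __init__(self, preloaded=(), now=time.time):
        self.now = now
        self.entries = {}                     # host -> (expires_at or None, include_subdomains)
        for host in preloaded:
            self.entries[host.lower()] = (None, True)

    def record_response(self, url, headers):
        """Learn a policy, but only from a response that came over HTTPS."""
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False
        policy = parse_hsts(headers.get("Strict-Transport-Security", ""))
        if policy is None:
            return False
        host = parts.hostname.lower()
        if policy["max_age"] == 0:
            self.entries.pop(host, None)      # max-age=0 removes the host
            return True
        self.entries[host] = (self.now() + policy["max_age"], policy["include_subdomains"])
        return True

    def is_known(self, host):
        """True if host, or a parent with includeSubDomains, has an unexpired policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires, include_sub = entry
            if expires is not None and expires <= self.now():
                continue
            if i == 0 or include_sub:
                return True
        return False

    def upgrade_url(self, url):
        """Rewrite http:// to https:// for known hosts (explicit ports left as-is here)."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known(parts.hostname):
            return urlunsplit(parts._replace(scheme="https"))
        return url


if __name__ == "__main__":
    store = HstsStore()
    print(store.upgrade_url("http://example.test/"))           # first visit: untouched
    store.record_response("https://example.test/",
                          {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
    print(store.upgrade_url("http://www.example.test/login"))  # now upgraded
```

The store is what makes "try HTTPS first" work on later visits; the very first plain-HTTP request still goes out unless the host is in the preload list, which is why the site's port 80 still has to answer with a redirect.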

~~~
xyzzy123
... after the first visit...

~~~
richbradshaw
Unless your site is on the HSTS list
([https://src.chromium.org/viewvc/chrome/trunk/src/net/http/tr...](https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json)
for Chrome; Firefox uses the same list, verifying it by connecting via HTTPS
and checking for a long HSTS time.)

~~~
xyzzy123
Right, unless your site is on the HSTS list AND all your users are using
Chrome or Firefox....

Which was basically my original point, which is that if you want your site to
be generally accessible by just typing in the domain name, you still can't
just turn off port 80...

Which I guess is why google.com itself is still reachable on port 80.

------
drsintoma
I'm surprised by the amount of negative comments. Regardless of what you
think about HTTPS and CAs in general, given that the alternative currently is
plain text, I'm actually surprised that it wasn't a signal before.

~~~
ldng
I see this as negative for several reasons:

* Certificates are expensive (to buy _and_ to manage)

* Crypto is hard and there will be a lot of screw-ups with inadequate certs in the wild for a long time. Just having a certificate does not mean much if it is weak or broken.

* Can't help the feeling it's an indirect push for cloud business, hence possibly eating the margin of freelancers / ISVs

* Security theatre: a lot of critical information for business still transits by email. Will Google force encrypted emails for the greater good? I don't think so.

~~~
drsintoma
Google is not "enforcing" anything; people react as if you are not going to
show up in the results at all, or Chrome won't work via HTTP. HTTPS is a
signal, just like having a link from a well-ranked website like HN is a
signal, and probably dozens of others.

The points you mention are in fact indicators that someone has put care and
resources to make their site work more securely, which says a good thing about
the site, which google rewards with some points in their algorithm. Makes
perfect sense to me that this will somewhat improve the quality of their
results. Would you also complain about google using fast response times as a
signal because that "forces" people to pay for better servers?

About your security point, Google can not do that without losing 50% of its
customers. I really don't understand what that has to do with rewarding
HTTPS being good or bad. Looks like a red herring.

~~~
ldng
Right, you will not disappear from the results. The reaction (granted maybe
overreaction) is about Google pushing HTTPS hard for security (which could be
good but not automatically so) and not caring in areas where it is as
important if not more.

You are just proving my point. Google rewards the richest, those who have the
resources as you say. As for care, I would be glad if people were not going to
do it for the wrong incentives. Will Google just check if HTTPS is available
and reward, or will it also check for broken ciphers and penalize?

I am not against HTTPS. Just saying that rewarding HTTPS is not enough. It's
worse actually: some will set it up quickly and badly just for the extra
ranking points and not the actual security it should be providing.

To me the red herring here is pretending to do it for security. What is the
point of HTTPS if I receive my password by mail? To me email is more
important to secure first. Google could perfectly incentivize security
practices in Gmail without losing a single customer. I would even settle for
just signing instead of encrypting mails.

As for enforcing, HTTP2 (that is SPDY) IS enforcing HTTPS.

IMO, good HTTPS where it matters is more important; crappy HTTPS everywhere
is just ridiculous and could even be dangerous thanks to a false sense of
security.

~~~
drsintoma
> Google rewards the richest, those who have the resources as you say.

Google doesn't care who it is rewarding, Google cares about the users that
search, they've said that multiple times. And yes, people with better
resources build on average better things than people without them.

> I am not against HTTPS. Just saying that rewarding HTTPS is not enough. It's
> worst actually, some will set it up quickly and badly just for the extra
> ranking points and not the actual security it should be providing.

Even then, still 10 times better than plain text HTTP so my whole office can
see what I'm browsing with a simple console command.

> What is the point of HTTPS if I receive my password by mail ?

Your email inbox should be accessed via TLS; that's something up to you. And
while you don't control the origin (nobody can without breaking compatibility),
intercepting a message in transit like that is not exactly something most
people I know can do, while getting that password over HTTP is almost trivial
for anyone sitting around me.

> As for enforcing, HTTP2 (that is SPDY) IS enforcing HTTPS.

The day you can only see a website via SPDY, then I would call that enforcing
it. Yes, if you want the carrot (performance) you have to jump through the
hoop (security), but nobody forces you to eat the carrot.

> IMO, Good HTTPS where it matters is more important then Crappy HTTPS
> everywhere just is ridiculous and could even be dangerous thanks to a false
> sense of security.

I really can not get which scenario you are picturing here. Setting it up is
not rocket science.

~~~
ldng
> Google doesn't care who is it rewarding, google cares about the users that
> search, they've said that multiple times.

Hum, well I've grown wary of what Google says. Like putting commercial mail in
a separate inbox is to help the user. It also happens to indirectly help
Adsense.

> And yes, people with better resources build on average better things than
> people without them.

Does that mean content created by an association without a dime, for
instance, is on average inferior?

I happen to like cooking. I often find websites with great content by word of
mouth. They are generally badly ranked because they look like they were done
in FrontPage in the Geocities ages. Yet the content is very good and even
sometimes quite unique. They rank badly because they are not speedy and in
beautiful HTML5. That's elitism. Maybe they should buy AdWords.

> Even then, still 10 times better than plain text HTTP so my whole office can
> see what I'm browsing with a simple console command.

That is one of the few good arguments for HTTPS everywhere : privacy.

> And while you don't control the origin (nobody can without breaking
> compatibility)

You can encrypt or even just sign emails without breaking compatibility.
Putting commercial email in a separate inbox is OK, but putting unencrypted
and/or unsigned email in a separate inbox is not?

> While getting that password over HTTP is almost trivial for anyone sitting
> around me.

> I really can not get which scenario you are picturing here.
> Setting it up is not rocket science.

Is it better to have open WiFi or WiFi with WEP ? It's the same because WEP is
nowadays easily broken by script kiddies with simple tools.

That's the scenario I'm picturing here. A web full of weak/broken certs to
comply for ranking, people feeling safe (it's encrypted, right?) and script
kiddies with trivial tools to break the WEP equivalent of weak/broken HTTPS
certs.

Granted, maybe I'm over-pessimistic here but the trend annoys me. I don't
take Google at face value anymore. You know they excel at the long play.

On the bright side, maybe people will use their certs for more than HTTPS ...
say mail server for instance :)

------
ayrx
Excellent move by Google that should push people to use HTTPS more.

Hopefully this will take into account the supported TLS versions and
ciphersuites as well. It's sad to see sites that only support TLS 1.0 and
prefer a CBC ciphersuite.

------
kmfrk
This is great, but it should also be a reminder that SSL is currently not
possible for custom domains hosted on GitHub:
[https://konklone.com/post/github-pages-now-supports-https-so...](https://konklone.com/post/github-pages-now-supports-https-so-use-it#using-your-custom-domain).

I hope a solution materializes eventually.

~~~
bobfunk
It's still expensive to offer SSL when you have a CDN in front unless you go
with just SNI support (which could cost a significant portion of your
visitors).

We have CDN backed HTTPS for custom sites on BitBalloon
([https://www.bitballoon.com](https://www.bitballoon.com)) if you're
interested in a Github pages alternative that supports SSL.

~~~
bigiain
Yup - Akamai must be rubbing their hands in glee at this announcement. I've
already started the conversations here about how much this is going to cost
for big CDN hosted projects...

------
riobard
Here's the big differentiation that the now still beta and invite-only Google
Domains could take on: assign free wildcard SSL certificate for every domain
registered/transferred there.

------
BorisMelnik
Don't have a ton of experience with SSL and only recently started messing with
TLS on my Apache server but question: Google makes mention of a 2048 bit
certificate but most of the certificates I see are 128/256. Is this number
referring to something else other than the strength of the encryption?

~~~
ckuehl
Messages like "your connection is encrypted with 256-bit encryption" don't
tell you anything about the size of the RSA keys in use.

During the TLS handshake, your browser and the server do public-key crypto to
authenticate each other and share private information without a previously-
known shared secret. Because public-key crypto is really, really slow, they
then share a small secret (say, 128 or 256 bits), and use that secret as the
key for a traditional symmetric encryption algorithm like AES. That's the
number you're seeing.

Take a look at
[https://en.wikipedia.org/wiki/Transport_Layer_Security](https://en.wikipedia.org/wiki/Transport_Layer_Security)
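The two numbers live in two different places: the 2048 bits are the RSA key in the certificate, which only authenticates the handshake, while the 128/256 bits are the symmetric key of whichever cipher suite gets negotiated. The following is an added example, written for this thread rather than taken from it or from any TLS library; it reads the components out of a suite name from its spelling alone and, to cover ayrx's point earlier about servers that only support TLS 1.0 and prefer CBC suites, flags the weak spots in a constructed server configuration. Nothing connects to a server, and the protocol and suite names are the OpenSSL spellings.

```python
"""Reading a TLS cipher suite name, and grading a constructed server setup.

describe_suite() splits an OpenSSL-style name (ECDHE-RSA-AES256-GCM-SHA384) or
a TLS 1.3 name (TLS_AES_256_GCM_SHA384) into key exchange, authentication,
bulk cipher with its key length, and MAC/PRF. The key length reported here is
the symmetric one a browser displays; the certificate's RSA size is separate
and is passed to assess_config() explicitly.
"""
import re

KEX_PREFIXES = {"ECDHE", "DHE", "ECDH", "DH"}
MAC_TOKENS = {"MD5", "SHA", "SHA256", "SHA384"}
AEAD_MODES = {"GCM", "CCM", "CCM8", "POLY1305"}


def _cipher_and_bits(token, following):
    """Map the bulk-cipher token (plus the tokens after it) to (family, key bits, mode)."""
    if token == "CHACHA20":
        return "ChaCha20", 256, "AEAD (POLY1305)"
    if token == "RC4":
        return "RC4", 128, "stream"
    if token == "DES":
        if following and following[0] == "CBC3":
            return "3DES", 112, "CBC"          # 168-bit key, 112 bits effective
        return "DES", 56, "CBC"
    m = re.fullmatch(r"([A-Z]+)(\d+)", token)    # AES128, AES256, CAMELLIA128, ...
    if not m:
        raise ValueError(f"unrecognised cipher token {token!r}")
    family, bits = m.group(1), int(m.group(2))
    mode = next((t for t in following if t in AEAD_MODES), None)
    return family, bits, (f"AEAD ({mode})" if mode else "CBC")


def describe_suite(name):
    """Break a cipher suite name into its components and list its weak spots."""
    if name.startswith("TLS_"):
        # TLS 1.3 names carry only the AEAD cipher and the hash; key exchange is
        # always ephemeral and authentication comes from the certificate.
        toks = name[4:].split("_")
        if toks[0] == "CHACHA20":
            family, bits, mode = "ChaCha20", 256, "AEAD (POLY1305)"
        else:
            family, bits, mode = toks[0], int(toks[1]), f"AEAD ({toks[2]})"
        return {"name": name, "kex": "(EC)DHE", "auth": "certificate", "cipher": family,
                "bits": bits, "mode": mode, "mac_or_prf": toks[-1],
                "forward_secrecy": True, "weak": []}
    toks = name.split("-")
    if toks[0] in KEX_PREFIXES:
        kex, auth, rest = toks[0], toks[1], toks[2:]
    else:
        kex, auth, rest = "RSA", "RSA", toks     # static RSA key transport
    family, bits, mode = _cipher_and_bits(rest[0], rest[1:])
    mac = rest[-1] if rest[-1] in MAC_TOKENS else "AEAD"
    fs = kex in {"ECDHE", "DHE"}
    weak = []
    if family in {"RC4", "DES", "3DES"}:
        weak.append(family + " is deprecated")
    if mac == "MD5":
        weak.append("MD5 MAC")
    if not fs:
        weak.append("no forward secrecy")
    if mode == "CBC":
        weak.append("CBC mode (prefer AEAD)")
    return {"name": name, "kex": kex, "auth": auth, "cipher": family, "bits": bits,
            "mode": mode, "mac_or_prf": mac, "forward_secrecy": fs, "weak": weak}


def assess_config(protocols, suites, cert_key_bits):
    """Return findings for a server's TLS setup; all three inputs are constructed, not probed.

    protocols: version names as OpenSSL spells them (TLSv1, TLSv1.1, TLSv1.2, TLSv1.3).
    suites: the server's preference order.  cert_key_bits: RSA modulus size in the cert.
    """
    findings = []
    if not ({"TLSv1.2", "TLSv1.3"} & set(protocols)):
        findings.append("only " + "/".join(protocols) + " offered; no TLS 1.2 or 1.3")
    described = [describe_suite(s) for s in suites]
    if described and described[0]["mode"] == "CBC":
        findings.append("preferred suite " + described[0]["name"] + " uses CBC")
    if cert_key_bits < 2048:
        findings.append(f"{cert_key_bits}-bit RSA certificate key, below the 2048 bits mentioned in the post")
    for d in described:
        findings.extend(d["name"] + ": " + w for w in d["weak"])
    return findings


if __name__ == "__main__":
    print(describe_suite("ECDHE-RSA-AES256-GCM-SHA384"))
    print(assess_config(["TLSv1"], ["AES128-SHA", "RC4-SHA"], 1024))
```

So a "256-bit" connection can sit behind a 1024-bit certificate key, and a 2048-bit certificate can still end up negotiating RC4-MD5 if the server offers it; the two are configured independently, which is why a site test looks at both.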

~~~
BorisMelnik
Thank you both, that really makes sense. I thought it was a little peculiar
that Google decided to mention the whole 2048 bit thing; I couldn't have been
the only one that was thrown off by that a bit.

------
d0ugie
Perhaps more people would be more inclined to get nudged by Google in this
direction if Google got in the CA game and sold certificates themselves, 2048
bit, right on Google Play, Chrome Optimized certs, NFC and QR code-enabled.
How about that?

------
elsewhen
There is something odd about this announcement. Since it is no harder for a
black hat publisher to switch to HTTPS than a white hat publisher, this signal
will likely get noisy very quickly. I think Google knows this, and it's why
they rarely specify ranking signals.

So, then really, they are just using their dominance in search to effect
change. Now, you may agree with the change (they did something similar by
announcing pageload time as a signal), but it makes me a little uneasy for
Google to leverage their dominance in this way even if I happen to agree with
the goal.

------
viperchilldude
The irony is that this will help Symantec, Comodo and GoDaddy, who are well
known for stuffing their users' sites with anchor-text (followed) links back
to their own SSL pages.

------
JensRantil
Lol, they are not using HTTPS to serve that content. Look who's talking...

------
jon_wu
Do you have to throw out all your social rankings?

I've been wanting to switch to HTTPS but have been avoiding it due to
significant accumulation of Facebook likes and some +1's. Last I checked, you
had to do some big hacks to maintain your Facebook like count. Has anybody
found a good way to handle this or do you just have to start over?

------
EwanToo
I've just signed up for a 5 year certificate using
[https://www.gogetssl.com/comodo-ssl-certificates/comodo-positive-ssl/](https://www.gogetssl.com/comodo-ssl-certificates/comodo-positive-ssl/)
for $18 - I know there's annual free ones, but at that price is it worth
the hassle of renewing?

Never used them before, but they're just a Comodo reseller, and they take
Paypal, so there seemed little that could go wrong.

Has so far gone smoothly, certificate installed, passes the SSL test google
mention, [https://www.ssllabs.com/ssltest/](https://www.ssllabs.com/ssltest/)
so it all seems good

------
arca_vorago
I'm going to come out and say it. HTTPs is borked, in a functional way. On a
social/technical level, it has become a false sense of security. The PRISM
revelations let us know that the three letters and any corporate wannabe was
doing MITM not just on http but on HTTPS whenever possible. I would say the
ISP's and the CA's should all be considered compromised.

We need something new and better, not to push HTTPs on everything as an
imagined stop gap...

That being said though, I do understand that if this was pushed to wider
adoption, it would create a higher cost to perform such attacks, for ISP's and
three letters?

------
hadoukenio
A good move. Well done for pushing the world towards a safer internet.

Quick question though. There was no mention of the type of certs used. Will
plain certs be worth less than EV certs?

Hopefully Matt or any other Google search representative here can comment.

~~~
Nilzor
Newb question: Is plain cert locally generated certificates (free), while EV
certs are those you pay for from a "trusted authority"?

~~~
tokenizerrr
No. A plain cert is one you normally buy, an EV cert stands for Extended
Validation which only specific CAs can give out and there's extra guidelines
for that, plus they're generally much more expensive. Browsers generally show
the identity of the certificate in the URL bar when they are EV, which they
otherwise do not.

------
AdamN
I'm all about this but what about third party static sites like everything on
Github Pages? We're using Github to host [http://kili.io](http://kili.io)
which has all of our marketing material but there's no way to upload a
certificate there. I'd rather not move off of Github Pages for the main site
because it's easy to just push changes, it's fast, it makes it easy to tie
into the rest of our open code
([https://github.com/kili](https://github.com/kili)), and it's free.

~~~
BorisMelnik
Nice organization and cause, looks really interesting. Not being snarky at all
but asking - you provide hosting but aren't able / won't host your marketing
site on your own servers? Even if you don't have your own infrastructure, even
grabbing a VPS from digital ocean or linode and throwing up a cert there could
solve your problem.

------
BorisMelnik
Just doing a little more research. It appears as though many of these EV certs
require you to verify your company information, domain registration, phone
number and even address. With Google using however many hundred or thousand
ranking signals, this makes sense. It is essentially another layer of trust
and really great for UX as well. Online shoppers trust a site with the "green
location bar" much more than ones without it, and I could definitely see how
Google might reward this type of website.

------
ksk
I don't buy the 'this is for your own safety' nonsense. Having said that, when
are Google going to improve their search algorithm? These days there are so
many shitty content farm results that clog up the first page itself. How about
improving that first?

Unfortunately, Google is pretty much a monopoly when it comes to online
advertising and search that few companies will have a choice in this matter.
Google unilaterally forcing them to buy stuff doesn't sit well with me.

------
arikrak
After you buy an SSL certificate, Heroku charges $20/month to use it. You can
circumvent this with Cloudflare, but they also charge $20/month for SSL. Is
there any easy way to use SSL on Heroku for $0-5 / month?

(See [http://www.quora.com/Is-there-any-way-to-use-HTTPS-on-Heroku-for-less-than-20-month/answer/Tim-Dierks](http://www.quora.com/Is-there-any-way-to-use-HTTPS-on-Heroku-for-less-than-20-month/answer/Tim-Dierks)
for one possibility.)

------
CalRobert
This wouldn't be so bad if there were more support for CAcert. It's great news
for the commercial certificate authorities, though.

~~~
Tomte
After some interaction (including assuring people), my impression of CAcert is
much more negative than my impression with any of those big bad CAs everyone
likes to complain about.

They are so far off this side of "sane" it's really not funny.

~~~
CalRobert
Are you able to elaborate? If not that's fine, but I just don't think paying
for a cert makes it somehow better, so I liked the idea of CAcert. If I should
be concerned about using them to secure personal sites (in this sense really
only used by myself and a few friends who have the CA root cert) I'd be
interested in knowing.

------
ldng
Let's kill small ISV and raise the bar of entrance to the internet. Oh
certificate management is too complex and expensive for too little ROI ? Well
see, here we have a nice "cheap to the eye" cloud solution just for you.

Security isn't the priority here. Selling cloud is.

Edit: IMHO, same goes for SPDY/HTTP2 by the way

------
wildpeaks
I guess this article from a month ago was right when they observed a boost of
their ranking:
[https://blog.httpwatch.com/2014/07/07/google-has-given-https-a-huge-boost/](https://blog.httpwatch.com/2014/07/07/google-has-given-https-a-huge-boost/)

------
netforay
But this site is still on HTTP. When I tried HTTPS it redirected to HTTP. Even
they are not ready it seems.

------
cynusx
This is great, it's just a fact that ssl will not have major adoption unless
there's a clear UI or business reason for it.

I hope google takes it one step further and updates chrome to show an insecure
warning when it detects a password field on the page and it is sent plain over
http.
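
The check that comment asks the browser for can also be run server-side or in a crawler. The following is an added example, not code from Chrome or from the page: it parses a page with the standard-library `html.parser`, resolves each form's `action` against the page URL, and reports every password input whose submission target is not `https://`. The sample documents in the test are constructed for illustration.

```python
"""Find password fields that would be submitted over plain HTTP.

Added example (not from Chrome or the page).  A password input inside a
<form> is submitted to the form's action, resolved against the page URL;
an input outside any form is assumed to be posted by script to the page's
own origin.  Either way, a non-https target means the credential crosses
the network in the clear.
"""
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urljoin, urlsplit


class _PasswordFormScanner(HTMLParser):
    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self._in_form = False
        self._form_action: Optional[str] = None   # action of the open <form>
        self.findings: List[dict] = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)                       # HTMLParser lowercases names
        if tag == "form":
            self._in_form = True
            # A missing or empty action submits to the page's own URL.
            self._form_action = urljoin(self.page_url, attrs.get("action") or "")
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            target = self._form_action if self._in_form else self.page_url
            scheme = urlsplit(target).scheme.lower()
            self.findings.append({
                "name": attrs.get("name"),
                "target": target,
                "insecure": scheme != "https",
            })

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False
            self._form_action = None


def insecure_password_fields(page_url: str, html: str) -> List[dict]:
    """Return the password fields whose submission target is not https://."""
    scanner = _PasswordFormScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return [f for f in scanner.findings if f["insecure"]]
```

Note that a page served over HTTPS can still fail this check when a form posts to an `http://` action on another host, which is the mixed-content case browsers later began blocking.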

------
Oculus
I'm not sure I agree with this. I don't see a point in HTTPS for 100% static
sites.

~~~
dsl
The NSA and other state actors can use non-secure pages to inject code to
exploit the browser and compromise your visitors.

[http://en.wikipedia.org/wiki/FOXACID#QUANTUM_attacks](http://en.wikipedia.org/wiki/FOXACID#QUANTUM_attacks)

~~~
icebraining
State actors are probably irrelevant in this discussion; few of them won't be
able to get a certificate to any website they want, in my opinion.

~~~
dsl
This is a known issue and being addressed as well.

[http://tools.ietf.org/html/draft-ietf-websec-key-pinning-11](http://tools.ietf.org/html/draft-ietf-websec-key-pinning-11)

[http://dev.chromium.org/sts](http://dev.chromium.org/sts)
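
The second link is about HSTS, the mechanism that stops a browser from ever making the plain-HTTP request that an on-path attacker could tamper with. As an added example (not code from Chromium or from the linked drafts), here is a minimal HSTS cache in Python following the RFC 6797 rules that matter for security: the header is only honoured when received over TLS, `max-age` is mandatory, `max-age=0` clears the policy, and `includeSubDomains` extends it to child hosts. Host names and header values in the test are constructed.

```python
"""Minimal in-memory HSTS store, as a browser would keep it.

Added example (not from Chromium or the IETF drafts).  Policies are keyed by
host; should_upgrade() walks from the exact host up through its parents so an
includeSubDomains policy on example.com also covers www.example.com.
"""
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class HstsEntry:
    expires_at: float            # absolute time, seconds since the epoch
    include_subdomains: bool


def parse_hsts(header: str) -> Optional[dict]:
    """Parse a Strict-Transport-Security value.  Returns None when the header
    is malformed, which RFC 6797 says must be treated as absent."""
    max_age = None
    include_sub = False
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                return None      # duplicate or non-numeric max-age
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        # unknown directives are ignored
    if max_age is None:
        return None              # max-age is mandatory
    return {"max_age": max_age, "include_subdomains": include_sub}


class HstsCache:
    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be tested
        self._hosts: Dict[str, HstsEntry] = {}

    def observe(self, host: str, header: str, over_tls: bool = True) -> bool:
        """Record a header seen on a response.  A header received over plain
        HTTP is ignored; honouring it would let an on-path attacker poison
        the cache.  Returns True if the policy store was updated."""
        if not over_tls:
            return False
        parsed = parse_hsts(header)
        if parsed is None:
            return False
        host = host.lower()
        if parsed["max_age"] == 0:
            self._hosts.pop(host, None)          # max-age=0 removes the policy
            return True
        self._hosts[host] = HstsEntry(
            expires_at=self._clock() + parsed["max_age"],
            include_subdomains=parsed["include_subdomains"],
        )
        return True

    def should_upgrade(self, host: str) -> bool:
        """True if an http:// request to host must be rewritten to https://."""
        host = host.lower()
        now = self._clock()
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._hosts.get(candidate)
            if entry is None:
                continue
            if entry.expires_at <= now:
                del self._hosts[candidate]       # expired policy
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False
```

The over-TLS check is the part most often forgotten in home-grown clients; without it the mechanism provides no protection against the very attacker it is meant to defeat.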

------
corford
If this change is here to stay they should update their Adsense SSL advice...
[https://support.google.com/adsense/answer/10528?hl=en-GB](https://support.google.com/adsense/answer/10528?hl=en-GB)

~~~
kmfrk
I do not envy the googlers who have to keep stuff like that up to date.

~~~
corford
I'm sure their salary more than makes up for it ;)

------
franze
upside: security, further migration to HTTP/2 easier (when it's ready)

downside: HTTPS negotiation time overhead (slower website) (as long as we use
HTTP 1.1), costs (certificate, technical migration)

all in all i think it's a great move by google, thx

~~~
guruz
Only the first connection should be delayed a bit:
[http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html](http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html)

------
sireat
So what reasonable options does a small to medium site operator now have to
buy SSL certs?

For example there is Comodo "FREE" certificate and the one that costs 64.95
Euros.

What is the catch with the free one?

~~~
tomjen3
Likely nothing relevant - you just can't revoke it, but it should still give
you the speed boost.

------
scott_karana
Wow. For those needing to support non-SNI browsers, this is going to become a
real IPv4 address land-grab.

IPv6 is disturbingly uncommon still...

~~~
notatoad
Supporting non-SNI browsers is less common. Over the last two years I've seen
a huge drop off in IE8/XP traffic on my sites.

~~~
scott_karana
Android 2.x doesn't support SNI either, it's not just IE. (20% of Android
users:
[https://developer.android.com/about/dashboards/index.html](https://developer.android.com/about/dashboards/index.html))

But I agree, it has dwindled rapidly. :-)

~~~
notatoad
20% of Android devices, but definitely not 20% of any website's Android
traffic. The amount of web traffic that comes from those Android phones is
approximately 0 unless maybe you're in Africa or China - the people who still
have Android 2.x phones aren't browsing the internet with them.

~~~
scott_karana
> the people who still have android 2.x phones aren't browsing the internet
> with them.

Not true. Only devices with regular Google Play store access get shown in
those statistics.

The 20% are users with _at least_ regular Wi-Fi access.
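
The IPv4 concern in this subthread comes down to one field: the `server_name` extension in the TLS ClientHello, which a front end reads before any certificate is sent so several sites can share one address. As an added example (not code from the page or from any TLS library), the following Python builds a minimal ClientHello, with or without SNI, and parses the extension back out the way a TLS-terminating proxy or an IDS would. The cipher suite, random bytes and host names are placeholders constructed for illustration, and a client that omits the extension (Android 2.x, IE on XP) can only ever be handed the default certificate.

```python
"""Build and parse the SNI extension of a TLS ClientHello.

Added example (not from the page or any TLS library).  Record layout per
RFC 5246/6066: record header, handshake header, client_version, random,
session_id, cipher_suites, compression_methods, extensions.
"""
import os
import struct
from typing import Optional

SNI_EXTENSION = 0x0000          # extension type server_name (RFC 6066)


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Minimal TLS 1.2 ClientHello record; cipher suite and random bytes are
    placeholders, not a real offer.  server_name=None omits the extension."""
    extensions = b""
    if server_name is not None:
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # 0 = host_name
        sni_data = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", SNI_EXTENSION, len(sni_data)) + sni_data
    body = (
        b"\x03\x03"                          # client_version TLS 1.2
        + os.urandom(32)                     # random
        + b"\x00"                            # empty session_id
        + b"\x00\x02\xc0\x2f"                # one placeholder cipher suite
        + b"\x01\x00"                        # compression: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


class _Cursor:
    """Bounds-checked reader so a truncated record raises instead of slicing
    past the end silently."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated ClientHello")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def uint(self, n: int) -> int:
        return int.from_bytes(self.take(n), "big")


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the server_name extension, or None when the
    client sent none.  Raises ValueError on a malformed record."""
    c = _Cursor(record)
    if c.uint(1) != 0x16:
        raise ValueError("not a TLS handshake record")
    c.take(2)                                 # record version
    if c.uint(2) > len(record) - 5:
        raise ValueError("record length exceeds data")
    if c.uint(1) != 0x01:
        raise ValueError("not a ClientHello")
    c.uint(3)                                 # handshake length
    c.take(2)                                 # client_version
    c.take(32)                                # random
    c.take(c.uint(1))                         # session_id
    c.take(c.uint(2))                         # cipher_suites
    c.take(c.uint(1))                         # compression_methods
    if c.pos >= len(record):
        return None                           # pre-extension client, no SNI
    ext_end = c.pos + 2 + c.uint(2)
    while c.pos < ext_end:
        ext_type = c.uint(2)
        ext = _Cursor(c.take(c.uint(2)))
        if ext_type != SNI_EXTENSION:
            continue
        list_end = 2 + ext.uint(2)
        while ext.pos < list_end:
            name_type = ext.uint(1)
            name = ext.take(ext.uint(2))
            if name_type == 0:
                return name.decode("ascii")
    return None


def pick_certificate(record: bytes, certs: dict, default: str) -> str:
    """Name the certificate a front end would present: the one for the SNI
    host, or the default when the client sent none or an unknown name."""
    name = extract_sni(record)
    return certs.get(name, default) if name else default
```

A front end should treat the parse as untrusted input (hence the bounds-checked cursor); for non-SNI clients the only choices are a default certificate or a dedicated IP per site, which is the land-grab the comment describes.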

------
afarrell
I hope that at least one site runs without https so that when I am using
airport/airline/FlyingJ/Starbucks/etc wifi, I can access it and be presented
with the button I need to press to access the network.

I currently use [http://xkcd.com](http://xkcd.com) for this purpose.

~~~
cbr
Funny; google.com works fine for me for this, even though it's definitely
https.

------
mythz
"Security is a top priority for Google. We invest a lot in making sure that
our services use industry-leading security, like strong HTTPS encryption by
default."

-- Says Google site that forces HTTP.

~~~
SquareWheel
People that write content for websites are not always the same people that
build those websites. In this case, the search engine team is entirely
separate from the Blogspot team.

~~~
mythz
> People that write content for websites are not always the same people that
> build those websites.

Wow, seriously? You don't say.

Seems the irony escaped you: announcement was made on a Google site that
forces (i.e. redirects from HTTPS) you to read it over HTTP.

If you read closely enough it refers to all of Google, not just "the search
engine team" or (Google - Blogspot).

~~~
rando289
Internet law: Your good post will be ruthlessly torn apart. Agreement is
drivel. The best you can hope for is a slightly different point which happens
to agree.

Btw, I agree with you, and I think this phenomenon is dumb.

~~~
kevinmrose
Another internet law: Do as Google says, not as Google does.

