Google Will Begin Indexing HTTPS/Encrypted Pages by Default

Google announced today that it is adjusting its all-important indexing system to favor HTTPS pages over the HTTP versions of the same pages. The change is all but certain to encourage web administrators and site operators to adopt HTTPS by default for their websites.

Google is among the companies that have long been proponents of encryption and better user security.

In 2008, Google gave Gmail users the option to always use HTTPS. In 2010, it followed up by making HTTPS the default for Gmail and by offering an encrypted search option that Google search users could switch on. In 2011, Google enabled forward secrecy, again by default. Forward secrecy is a property of the key exchange whereby the compromise of long-term communication keys does not compromise past session keys. Google also pledged to make its search function more secure in the same year.

Last year, Google stated in a blog post that it was favoring HTTPS URLs by giving them a ranking boost. An excerpt from the post read:

[We do this] because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.

HTTPS Indexing, by Default

In an announcement made today, Zineb Ait Bahajji, a member of Google’s Security and Indexing teams, revealed that Google’s webpage indexing system will be adjusted to look for more HTTPS pages. She added:

Specifically, we’ll start crawling HTTPS equivalents of HTTP pages, even when the former are not linked to, from any page.

In essence, when an HTTP URL and an HTTPS URL on the same domain serve the same content, the HTTPS URL is picked over the HTTP URL. This will occur when:

  • The URL does not contain insecure dependencies.
  • The URL is not blocked from crawling by robots.txt.
  • The URL does not redirect users to or through an insecure HTTP page.
  • The URL does not have a rel="canonical" link to the HTTP page.
  • The URL does not contain a noindex robots meta tag.
  • The URL doesn’t have on-host outlinks to HTTP URLs.
  • The website's sitemaps list the HTTPS URL or, alternatively, do not list the HTTP version of the URL.
  • The web server has a valid TLS certificate.

Google also recommends that website owners redirect their HTTP sites to the HTTPS versions and implement the HSTS header on their servers.


Samburaj is the contributing editor at Hacked and keeps tabs on science, technology and cyber security.