What Google’s HTTPS Algorithm Means for Hosting Providers

It is not often that the world’s most dominant search engine reveals the inner workings of its ranking algorithm. That is precisely what occurred earlier this month when the Google Online Security Blog published a post detailing the positive effects of HTTPS on a website’s search ranking.

In brief, Google stated that secure websites mean a better and more secure Internet overall. This means that Google will now give search preference to websites that automatically have a secure connection to their visitors via HTTPS. As stated on the Google blog: “Over the past few months we’ve been running tests taking into account whether sites use secure, encrypted connections as a signal in our search ranking algorithms. We’ve seen positive results, so we’re starting to use HTTPS as a ranking signal.”

This is a positive development for all web hosting and cloud providers in that the hosting platform is the vehicle for website security. A strong signal from Google on security is likely to lead to more security products and services being offered and sold via web hosts. We asked several web hosting providers to weigh in on the new initiative and the importance of security in their operations. Here’s what they had to say:

DreamHost co-founder and VP of hosting Dallas Kashuba

“Security has always been important when dealing with sensitive information. Ecommerce sites rely on credit cards as part of their function so it’s strictly required for those. Now many non-ecommerce sites also rely on some form of sensitive information, such as login credentials, that should be encrypted. Any website that sends or receives any information that could be used to identify an individual or access private accounts needs to be using HTTPS. Is there a ‘best’ method to secure a site? What’s ‘best’ depends a lot on the nature of the website itself. The difference between no encryption at all and some encryption is huge, and the basic SSL certificates are enough for most. EV certificates add on an additional layer of trust because you have more information about who you are dealing with. You should also consider the security of the server you’re sending your data to, and HTTPS doesn’t help at all with that.”

“DreamHost has a team dedicated to ensuring the underlying server environment of every website we host is as secure as it can be,” Kashuba says. “That involves keeping system software up to date, continuously monitoring for suspicious behavior, proactively blocking common web-based attacks, and scanning for and identifying malware that has snuck in. We also manage common website software like WordPress to keep those up to date and secure. That’s a great starting point for website security, and adding SSL on top of that prepares you for handling any kind of data. We also recommend encrypting all data you store on the server for complete end-to-end security. To make it easier for all of our customers to adopt SSL for their websites we also support SNI, an extension to TLS that allows websites to use HTTPS without requiring a separate IP address for each website. That lowers the cost associated and it also helps conserve the dwindling supply of IPv4 addresses. Our web control panel has always been exclusively over SSL, and our website is also available with SSL. We encrypt all sensitive information in our database and our network is segmented into security zones to restrict access. Server system security is also continuously monitored and maintained. Security is the most critical function of our technical operations teams.”

34SP.com technical director Daniel Foster

“The hundreds of signals that Google uses to determine the relevance of a site to a search query are a mystery to all but a few inside the Googleplex. Any webmaster would give their eye teeth to know just a few of those signals, so for the big G to reveal one is almost unprecedented. Google must really care about widespread adoption of HTTPS across the internet. It makes sense to encrypt information where that encryption is easily available, and adding one little ‘s’ to a URL is about as easy as it comes. This could well be one of those examples of Google doing something simply for the improvement of the Internet as a whole.”

“Using HTTPS for your website has always been recommended practice for any site where the user submits information, whether that’s sensitive financial information such as credit card details, or personal information as simple as a name and e-mail address,” Foster says. “It has also been ideal for any site sharing potentially sensitive information – showing the contents of a stock portfolio or any other personal information. Expanding this to all websites will ensure that any information is encrypted in transit, which certainly isn’t going to harm the website owner or visitor. I wouldn’t expect Google to penalise sites that use plain old HTTP but when comparing them to similar sites in order to determine search result rankings, if the sites would be matched but for HTTPS availability, clearly the secure site is going to be ranked higher.”

ColocationAmerica business development manager Albert A. Ahdoot

“The obvious reason for HTTPS would be for personal protection, or identity/financial fraud on an e-commerce website. There are other advantages like preventing your website from being overridden by spammers and the like. You wouldn’t want your company’s brand (or your own) to get tarnished because it was left susceptible to an online attack. Months and months of marketing and social recognition could go down the drain in a minute causing immeasurable monetary damage. Long story short: protect your site. It benefits an individual greatly to have their or their company’s information online to be accessed quickly and from anywhere. Just like you would secure your own house, the same measures should be taken on your virtual house as well.”

“I would recommend an SSL certificate, to have firewalls installed on your server, and to go with a dedicated server over a shared server. The SSL certificate will protect your users’ login information which, if you’re running an ecommerce site, is particularly valuable. Setting up a firewall on your server is key because it filters and protects your data from anything that’s trying to attack it. Firewalls are constantly updated and are a must for any website. Going with a dedicated server over a shared server is simple enough, too. If you’re using a shared server, you’re submitting yourself to rely on others as well as yourself. If someone who’s sharing your server with you is taxing it, it may cause your site to slow down. With your very own server, you can install what you like and be able to protect it with all the other bells and whistles listed above.”

Verio director of IT services and global operations Eric Carsrud 

“SSL provides a secure connection between the user and the website. But it doesn’t ensure protection for the database where customer credit card and other sensitive information is stored. Using an SSL to protect your site is one level of security, but without proper site development to secure stored data, it’s the same as alarming your car, but failing to lock it; don’t be surprised if it’s stolen.”

About the Author: Derek Vaughan is a hosting industry veteran who attended the very first HostingCon event. Vaughan has architected the marketing growth of several web hosting businesses leading to acquisition. He was previously responsible for online marketing at The Walt Disney Company where he marketed ecommerce for the ESPN.com and NASCAR.com brands. Derek Vaughan received his M.B.A. from Vanderbilt University in Finance and Marketing.

One Comment

  1. I'd like to say something here about https and Google. We have all heard of massive and "secure" websites getting nailed hard; eBay was one of them just recently. I know it is safer to have an https, but I doubt it should mean that your site will rank higher. Let me explain: amateur websites will attract amateur hackers. Large professional sites will attract professional hackers. A pro hacker will never bother with a small no-name and likewise, an amateur hacker will never bother with a site such as eBay. It is relative. I think this new update is more about money than anything else and is just another spanner in the works for the smaller guys and extra leverage for the big fish to push them around in terms of ranking factors. Not fair Google, once again.