By Rolfe Winkler
A powerful voice at Google wants websites to be more secure.
In a move that experts say could make it harder to spy on Web users, Google is considering giving a boost in its search-engine results to websites that use encryption, the engineer in charge of fighting spam in search results hinted at a recent conference.
The executive, Matt Cutts, is well known in the search world as the liaison between Google’s search team and website designers who track every tweak to the company’s search algorithms.
Mr. Cutts has also spoken in private conversations about Google’s interest in making the change, according to a person familiar with the matter. The person says Google’s internal discussions about encryption are still at an early stage and any change wouldn’t happen soon.
A Google spokesman said the company has nothing to announce at this time.
Encrypting data transmitted over the Internet adds a barrier between Web users and anyone that wants to snoop on their Internet activities or steal their information.
Google uses its search algorithm to encourage and discourage practices among Web developers. Sites known to have malicious software are penalized in the company’s rankings, for instance, as are those that load very slowly. In total, the company has more than 200 “signals” that help it determine search rankings, most of which it doesn’t discuss publicly.
If Google adds encryption to the list, websites would have a big incentive to adopt it more widely.
“This would be a wonderful thing,” says Kevin Mahaffey, the chief technology officer at mobile-security company Lookout. He says encryption ensures that a user’s data can’t be seen by others as it moves across the Internet, that it can’t be tampered with, and that it gets to the correct recipient.
Internet users were jolted this week by disclosures that a popular encryption scheme, known as OpenSSL, contained a bug that could allow hackers to steal personal information. Still, despite any vulnerabilities, experts say it is safer to encrypt data to keep it secure.
Danny Sullivan, founding editor of the Search Engine Land blog and host of the conference where Mr. Cutts voiced support for encryption, believes Google ultimately may not favor encrypted sites in its results.
“Rewarding sites for [encrypting pages] in the algorithm would be a huge step,” says Mr. Sullivan. “It also possibly causes an immediate change by all the wrong sites,” he says, referring to sites that focus more on gaming Google results than developing good content.
Google is among many Internet companies that have moved to encrypt more of their services in recent years, including Gmail and Google Search. It stepped up those efforts last year, moving to encrypt traffic between its data centers after revelations that the National Security Agency was exploiting vulnerabilities in Google’s infrastructure.
More websites are encrypting their pages. Still, some encrypt only parts of their pages, which can leave users vulnerable to attacks, says Matthew Green, a computer science professor at Johns Hopkins University. He says hackers can take advantage of such vulnerabilities by capturing “cookies,” for instance. This can allow hackers to track where users are going to log into a website as someone else.
To highlight security vulnerabilities on the Web, Eric Butler, a software developer at Uber, in 2010 designed an extension for the Firefox Web browser called Firesheep that snooped on users logging into insecure websites, allowing the Firesheep user to impersonate that person at the push of a button. “All websites should be using [encryption] everywhere with no exceptions,” Mr. Butler says.
Write to Rolfe Winkler at firstname.lastname@example.org