A powerful voice at Google wants websites to be more secure.
In a move that experts say could make it harder to spy on Web users, Google is considering giving a boost in its search-engine results to websites that use encryption, the engineer in charge of fighting spam in search results hinted at a recent conference.
The executive, Matt Cutts, is well known in the search world as the liaison between Google’s search team and website designers who track every tweak to its search algorithms.
Cutts also has spoken in private conversations of Google’s interest in making the change, according to a person familiar with the matter. The person says Google’s internal discussions about encryption are still at an early stage and any change wouldn’t happen soon.
A Google spokesman said the company has nothing to announce at this time.
Encrypting data transmitted over the Internet adds a barrier between web users and anyone that wants to snoop on their Internet activities, or steal their information.
Google uses its search algorithm to encourage and discourage practices among web developers. Sites known to have malicious software are penalized in rankings as are those that load very slowly, for instance. In total, the company has over 200 “signals” that help it determine search rankings, most of which it doesn’t discuss publicly.
If Google adds encryption to the list, it would give websites a big incentive to adopt it more widely.
“This would be a wonderful thing,” says Kevin Mahaffey, chief technology officer at mobile-security company Lookout. He says encryption assures that a user’s data can’t be seen by others while moving across the Internet, that it can’t be tampered with, and that it gets to the correct recipient.
Of course, that assumes that the encryption works. Internet users were jolted this week by disclosures that a popular encryption scheme, known as OpenSSL, contained a bug that could allow hackers to steal personal information.
Danny Sullivan, editor of the Search Engine Watch blog and host of the conference where Cutts voiced support for encryption, thinks Google ultimately may not favor encrypted sites in its results.
“Rewarding sites for [encrypting pages] in the algorithm would be a huge step,” says Sullivan. “It also possibly causes an immediate change by all the wrong sites,” he says referring to sites that focus more on gaming Google results than developing good content.
Google is among many Internet companies that have moved to encrypt more of their services in recent years, including Gmail and Google Search. It stepped up those efforts last year, moving to encrypt traffic between its data centers after revelations that the NSA was exploiting vulnerabilities in Google’s infrastructure.
More websites are encrypting their pages. Still, some only encrypt parts of their pages, which can leave users vulnerable to attacks, says Matthew Green, a computer science professor at Johns Hopkins University. He says hackers can take advantage of such vulnerabilities by capturing “cookies,” allowing them to log in to a website as someone else.
Eric Butler, a software developer at Uber, in 2010 designed an extension for the Firefox browser called Firesheep that snooped on users logging into insecure websites, allowing the Firesheep user to impersonate that person at the push of a button. “All websites should be using [encryption] everywhere with no exceptions,” Butler says.