I applaud Google for finally adding a preference for HTTPS in their page ranking algorithm.
One thing I believe is necessary to prevent websites from being thrown under the bus is affordable HTTPS certificates. Currently there is only one company (that I know of) granting free domain-validated certificates. The process is (I imagine) fully automated, so it costs the company nothing to support. That company is StartSSL.
StartSSL's root certificate is trusted in almost all major browsers, but their signup and installation process is convoluted at best.
Google has its own Certificate Authority, and although it is an intermediate CA, it is still trusted by all browsers.
Google's decision to rank HTTPS-enabled sites higher is influenced by many things, but first and foremost is the recognition that HTTP is too easy to MITM. Google needs to put its money where its mouth is and support the thousands (millions?) of websites which do not yet have SSL certificates. I would argue that Google has a social responsibility to protect its users, and one way to do that would be to make adoption of SSL incredibly easy.
I therefore call on Google to provide free domain-validated certificates to all domain name owners upon request. This will remove the barrier to entry for anyone looking at getting their site encrypted.
It might even be possible to put those domains into the preloaded HSTS list in Chrome and Firefox for the duration of the certificates, or there could be some other means of pushing the list to the browser, given that it would be a huge list. Another option would be for the server owner to pledge that they will enable HSTS within a certain window, and Google could revoke the certificate if it is not implemented in time. It would be a great opportunity to add the headers when adding the certificate itself.
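Whoever vouches for a domain's HSTS pledge needs a way to verify that the header actually serves a preload-eligible policy. The following is an added example, not code from the original post: it parses a Strict-Transport-Security header value per RFC 6797 and checks it against the current hstspreload.org inclusion rules (one-year max-age, includeSubDomains, preload), which are an assumption here since the post does not state them.

```python
# Minimum max-age required by hstspreload.org for preload inclusion
# (assumed from that site's published rules; not stated in the post).
PRELOAD_MIN_MAX_AGE = 31536000  # one year, in seconds


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value into {directive: value}.

    Directive names are case-insensitive (RFC 6797), values keep their text
    with surrounding quotes removed, and a value-less token maps to None.
    A duplicated directive makes the whole header invalid (RFC 6797 s6.1).
    """
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        name, sep, value = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError("duplicate directive: " + name)
        directives[name] = value.strip().strip('"') if sep else None
    return directives


def preload_eligible(header):
    """Return (eligible, reasons) for one header value against preload rules."""
    try:
        d = parse_hsts(header)
    except ValueError as e:
        return False, [str(e)]
    reasons = []
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        reasons.append("max-age missing or not an integer")
    elif int(max_age) < PRELOAD_MIN_MAX_AGE:
        reasons.append("max-age below one year")
    if "includesubdomains" not in d:
        reasons.append("includeSubDomains missing")
    if "preload" not in d:
        reasons.append("preload token missing")
    return not reasons, reasons


if __name__ == "__main__":
    # Constructed sample headers, as a certificate issuer auditing pledges might see them.
    samples = {
        "example-ok.test": "max-age=31536000; includeSubDomains; preload",
        "example-short.test": "max-age=10886400; includeSubDomains; preload",
        "example-bare.test": "max-age=31536000",
    }
    for host, hdr in samples.items():
        print(host, preload_eligible(hdr))
```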