Search engine company Google recently declared that websites which use secure, encrypted connections for the transmission of data will earn better rankings than those which don't, a move which has created flurries of speculation amongst webmasters and the security industry alike.
Google has always been secretive about exactly how it ranks websites, and smaller enterprises are wondering whether they will be affected by this change and what they need to do in order not to be penalised and placed at a disadvantage when compared to their larger competitors that may already have an encrypted structure.
Similarly, questions are being asked about whether this means that all websites need to be encrypted or just those which store or transmit sensitive data such as user credentials. The longer the debate continues, the thicker the fog becomes.
Google isn't renowned for making trivial changes without thinking things through first, and it is highly unlikely that the company will make a change which demands the blanket encryption of the entire internet structure, which would have enormous performance impacts. Encryption has always been a necessary part of protecting sensitive data that's held on the internet. This data could relate to financial transactions or personally identifiable information such as tables of subscribers. It also relates to login credentials, so companies which store plain-text usernames and passwords are a prime target for de-ranking. Although these types of website have always been required to encrypt, not all of them do, and those that don't will fall in Google's rankings regardless of whether they're corporate giants or a one-man band.
SafeNet's VP Cloud Solutions, Jason Hart, told us: "Data in a plain-text state is easily readable, so any website that’s storing or transmitting user credentials or data in plain-text is putting customers’ data, and the company’s reputation, at risk."
But what about the cost implications? Some smaller companies are going to be unable to put the encryption requirements in place simply because it's too costly for them. Jason continued, “Previously organisations have shied away from encryption due to cost concerns or fears of slowing website response times. But there are now high speed encryption technologies available that mean cost and speed need no longer be an issue. So there really is no excuse for any data to be transmitted or stored in plain text.”
However, there is something which Google might not have considered. According to Toyn Adelakun of Sestus, there are certain outstanding issues relating to public-key cryptography which need to be sorted out first of all. Such issues include:
1. The robustness of certificate status checking, which is essential for establishing trust.
2. A browser's ability to clearly understand the certification of a website and its true ownership.
3. Eliminating the probability of attacks on the Public Key Infrastructure.
4. Improving the certification pricing model to reduce the temptation of budget organisations to go to dodgy certificate authorities.
According to Toyn, "With issues such as these resolved, and other search engines joining Google in rewarding the use of encryption, the decades-old vision of an open and loosely-coupled public key infrastructure (PKI) may yet be realised."
Jonathan Newell is a broadcast and technical journalist specialising in security systems and transport safety. He contributes to a range of titles in the technical press. He shares his time between the UK and Kazakhstan.