By Rolfe Winkler
A powerful voice at Google wants websites to be more secure.
In a move that experts say could make it harder to spy on Web
users, Google is considering giving a boost in its search-engine
results to websites that use encryption, the engineer in charge of
fighting spam in search results hinted at a recent conference.
The executive, Matt Cutts, is well known in the search world as
the liaison between Google's search team and website designers who
track every tweak to the company's search algorithms.
Mr. Cutts has also spoken in private conversations about
Google's interest in making the change, according to a person
familiar with the matter. The person says Google's internal
discussions about encryption are still at an early stage and any
change wouldn't happen soon.
A Google spokesman said the company has nothing to announce at
this time.
Encrypting data transmitted over the Internet adds a barrier
between Web users and anyone that wants to snoop on their Internet
activities or steal their information.
Google uses its search algorithm to encourage and discourage
practices among Web developers. Sites known to have malicious
software are penalized in the company's rankings, for instance, as
are those that load very slowly. In total, the company has more
than 200 "signals" that help it determine search rankings, most of
which it doesn't discuss publicly.
If Google adds encryption to the list, websites would have a big
incentive to adopt it more widely.
"This would be a wonderful thing," says Kevin Mahaffey, the
chief technology officer at mobile-security company Lookout. He
says encryption ensures that a user's data can't be seen by others
as it moves across the Internet, that it can't be tampered with,
and that it gets to the correct recipient.
Internet users were jolted this week by disclosures that a
popular encryption scheme, known as OpenSSL, contained a bug that
could allow hackers to steal personal information. Still, despite
any vulnerabilities, experts say it is safer to encrypt data to
keep it secure.
Danny Sullivan, founding editor of the Search Engine Land blog
and host of the conference where Mr. Cutts voiced support for
encryption, believes Google ultimately may not favor encrypted
sites in its results.
"Rewarding sites for [encrypting pages] in the algorithm would
be a huge step," says Mr. Sullivan. "It also possibly causes an
immediate change by all the wrong sites," he says, referring to
sites that focus more on gaming Google results than developing good
content.
Google is among many Internet companies that have moved to
encrypt more of their services in recent years, including Gmail and
Google Search. It stepped up those efforts last year, moving to
encrypt traffic between its data centers after revelations that the
National Security Agency was exploiting vulnerabilities in Google's
infrastructure.
More websites are encrypting their pages. Still, some encrypt
only parts of their pages, which can leave users vulnerable to
attacks, says Matthew Green, a computer science professor at Johns
Hopkins University. He says hackers can take advantage of such
vulnerabilities by capturing "cookies," for instance. This can
allow hackers to track where users are going to log into a website
as someone else.
To highlight security vulnerabilities on the Web, Eric Butler, a
software developer at Uber, in 2010 designed an extension for the
Firefox Web browser called Firesheep that snooped on users logging
into insecure websites, allowing the Firesheep user to impersonate
that person at the push of a button. "All websites should be using
[encryption] everywhere with no exceptions," Mr. Butler says.
Write to Rolfe Winkler at rolfe.winkler@wsj.com
Subscribe to WSJ: http://online.wsj.com?mod=djnwires