Google To Index HTTPS Web Pages By Default

Google announced that it will begin to prioritize the indexing of HTTPS versions of webpages from any sites that support encryption. The announcement comes after Google had already made the change to give HTTPS websites a small boost in ranking in its search engine.

Google believes that “browsing the web should be a private experience between the user and the website, and must not be subject to eavesdropping, man-in-the-middle attacks, or data modification.” That’s why the company has ramped up its efforts to encourage the use of encryption, not only for website connections but also for email services.

Google will now begin to index HTTPS equivalents of HTTP web pages, even when no page links to the HTTPS versions. However, Google will only index an HTTPS URL if it meets these conditions:

  • It doesn’t contain insecure dependencies.
  • It isn’t blocked from crawling by robots.txt.
  • It doesn’t redirect users to or through an insecure HTTP page.
  • It doesn’t have a rel="canonical" link to the HTTP page.
  • It doesn’t contain a noindex robots meta tag.
  • It doesn’t have on-host outlinks to HTTP URLs.
  • The sitemap lists the HTTPS URL, or doesn’t list the HTTP version of the URL.
  • The server has a valid TLS certificate.
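Site owners can check some of these conditions themselves before relying on the new indexing behavior. The following is an added example, not code from the article or from Google: it audits one HTTPS page's HTML for the four conditions visible in markup (insecure dependencies, a rel="canonical" link to HTTP, a noindex robots meta tag, and on-host links to HTTP URLs). The names `audit` and `IndexabilityAudit`, the finding labels, the reading of "insecure dependency" as a subresource fetched over http://, and the example.com hosts are assumptions; robots.txt, redirects, the sitemap, and the TLS certificate need network checks and are not covered.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags that load a subresource, and the attribute holding its URL.
DEPENDENCY_ATTRS = {"script": "src", "img": "src", "iframe": "src", "embed": "src", "object": "data"}

class IndexabilityAudit(HTMLParser):
    """Records violations of four of the listed conditions found in one page's HTML."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.findings = []

    def _is_http(self, value):
        # Resolve relative and protocol-relative URLs against the HTTPS page first.
        return bool(value) and urlsplit(urljoin(self.page_url, value)).scheme == "http"

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        rel = a.get("rel", "").lower().split()
        href = a.get("href", "")
        if tag == "link" and "canonical" in rel and self._is_http(href):
            self.findings.append(("canonical-http", href))
        elif tag == "link" and "stylesheet" in rel and self._is_http(href):
            self.findings.append(("insecure-dependency", href))
        elif tag in DEPENDENCY_ATTRS and self._is_http(a.get(DEPENDENCY_ATTRS[tag], "")):
            self.findings.append(("insecure-dependency", a[DEPENDENCY_ATTRS[tag]]))
        elif tag == "meta" and a.get("name", "").lower() == "robots":
            if "noindex" in a.get("content", "").lower():
                self.findings.append(("noindex", a["content"]))
        elif tag == "a" and self._is_http(href):
            if urlsplit(urljoin(self.page_url, href)).hostname == self.page_host:
                self.findings.append(("on-host-http-link", href))

def audit(page_url, html):
    parser = IndexabilityAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; example.com and the other hosts are placeholders.
SAMPLE = """<link rel="canonical" href="http://example.com/post">
<meta name="robots" content="noindex, follow">
<script src="//cdn.example.net/app.js"></script><img src="http://img.example.net/a.png">
<a href="http://example.com/about">About</a> <a href="http://other.example.org/">Ext</a>"""

if __name__ == "__main__":
    print(*audit("https://example.com/post", SAMPLE), sep="\n")
```

The protocol-relative script inherits the page's HTTPS scheme and the link to another host is not an on-host outlink, so neither is reported.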

Although Google's new indexing process will try to show users HTTPS versions of websites by default in its search engine, other search engines don't currently work like that. This is why the company is asking website owners to redirect HTTP URLs to the HTTPS equivalents, so their readers can benefit from the same security, even when they’re using search engines other than Google.

The company also suggested that website owners use HSTS (HTTP Strict Transport Security) headers so that HTTPS connections are always enforced after the user’s first visit to the website. Using HTTPS encryption should protect users against content injection attacks, which can happen over insecure connections.


Lucian Armasu joined Tom’s Hardware in early 2014. He writes news stories on mobile, chipsets, security, privacy, and anything else that might be of interest to him from the technology world. Outside of Tom’s Hardware, he dreams of becoming an entrepreneur.

You can follow him at @lucian_armasu.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • esco_sid
    At this day and age everyone shoulda been https a long time ago and using at least sha2
  • chicofehr
    They will make it a private experience so only they can spy on us.
  • dstarr3
    They will make it a private experience so only they can spy on us.

  • Somasonic
    They will make it a private experience so only they can spy on us.

    Exactly what I was thinking. What? You think Google is doing this out of the kindness of their hearts? ROFL.