|Google Looks to Improve SSL Security|
Google Looks to Improve SSL Security [googleonlinesecurity.blogspot.com]
|Given the current interest it seems like a good time to talk about two projects in which Google is engaged. |
The first is the Google Certificate Catalog. Googleís web crawlers scan the web on a regular basis in order to provide our search and other services. In the process, we also keep a record of all the SSL certificates we see. The Google Certificate Catalog is a database of all of those certificates, published in DNS.
|The second initiative to discuss is the DANE Working Group at the IETF. DANE stands for DNS-based Authentication of Named Entities. In short, the idea is to allow domain operators to publish information about SSL certificates used on their hosts. It should be possible, using DANE DNS records, to specify particular certificates which are valid, or CAs that are allowed to sign certificates for those hosts. So, once more, if a certificate is seen that isnít consistent with the DANE records, it should be treated with suspicion. Related to the DANE effort is the individually contributed CAA record, which predates the DANE WG and provides similar functionality. |
|Improving the public key infrastructure of the web is a big task and one thatís going to require the cooperation of many parties to be widely effective. We hope these projects will help point us in the right direction. |
This could get interesting. The number of secure cert warnings that my browsers generate is pretty big, even for truly authoritative e-commerce sites.
Hey, didn't crobb mention in one of the posts that SSL certificates may be a factor in the recent update?
|Hey, didn't crobb mention in one of the posts that SSL certificates may be a factor in the recent update? |
I did. In the past 18 months, my Verisign SSL certificate expired twice. Within a few months of expiration I saw big ranking drops (-50 last January, then again this year with Panda). This could be a timing coincidence, especially with the one last January, but with Panda, it really could have played a role. I just renewed the certificate this week.
If the SSL certificate played a role, it might be because I have had one for 5 years and Google was giving me a "trust" boost in the rankings. Upon expiration, perhaps that trust was diminished, ultimately reducing my rankings. This is speculative, but it seems reasonable to me. I shouldn't have ever let my SSL expire, either time. My renewal this time was for several years, so I am good for a while.
Some of the top remaining sites that survived Panda in my industry have Verisign SSL certificates. E-how has Verisign SSL. Even Google has a Verisign SSL cert effective March 27 for the next 2 years. I'm not sure if this is a brand new certificate, or if it was a renewal from March 27. Regardless, they have one. Why? Testing? I just noticed the Google/SSL Beta yesterday (which has been out for about 10 months and linked the article posted by engine above).
I think there is something to having SSL certificates from a reputable provider who does extensive verification, because they can be a sign of trust for consumers (and algorithms). Consumer awareness is increasing and they are being warned (by watchdog groups and the media) to look for https: in the address bar "before doing business online." An SSL certificate also falls into the category of "reputed credibility, 3rd party certifications and awards" in the Microsoft Web Credibility Study [webmasterworld.com]
In another thread, someone presented the argument along the lines of "why would a blog need an SSL certificate?" Granted, in theory, a blog doesn't need one. But the algorithms may not always know how much "business" is being conducted on a blog. An SSL certificate shows that the site, its owner, its contact emails/phone numbers, whois, business registration, etc are legit, and can signal quality. Some SSL certificates are better than others with respect to verification (making them more reliable). Remember, ecommerce sites were hit during Panda, and ecommerce sites would benefit most from SSL certification.
One of the criteria mentioned in the Google article that engine posted says "It must have the correct domain name ó that is, one that matches the one we used to retrieve the certificate."
The question I still have is how to know which domain that would be. My SSL is valid for www.example.com but not for example.com. I am uncertain as to which domain Google would try to fetch (although my SSL is valid for my canonical). I doubt it is a problem, but it makes me wonder if I should upgrade to a wildcard SSL cert.
*added** I also want to say that my speculation in the previous post is simply that. Granted, it seems to be supported by the Microsoft article AND by Google's work on SSL Beta since before May 2010 (the time period during which they were also working on Panda). The Google blog post seems to point to the Comodo breach last month as the impetus, but again, Google SSL Beta was launched over 10 months ago. I am not suggesting a rush to have SSL installed on the server or rush out and purchase SSL certificates. It *may* be a ranking/quality factor, but I think many other factors for Panda are at play. I doubt SSL would even make a difference for 99% of sites affected, especially domains that were completely obliterated.
There are a few things to note here.
1. SSL is not needed unless you have some kind of privacy or online transaction on the site. HTTPS is often only "engaged" when on the "privacy" part of the web site - ie entering personal/card payment or similar details.
2. SSL will increase the bandwidth requirement for a site considerably AND slow it down - the data needs to be encrypted at the server and decrypted at the client. Images and other content has to be served as SSL otherwise browsers will warn of mixed content, which could well force a visitor to leave the site. This may or may not be noticeable to the user.
3. As you note, the certificate is usually only for a single subdomain (or domain). A cert taken out for www.example.com is not valid for example.com - unless you purchase a more expensive multi-domain certificate.
4. A site using SSL requires its own IP. Several certificates on a single virtual server that uses only a single IP will probably get confused and show the wrong certificate. It took me ages to convince one compny of that a few years ago.
5. There is no reason why (eg) a virus-serving site, scammer or content thief cannot obtain a valid certificate. There was a recent issue where someone actually stole details that enabled them to issue several bogus certificates for major companies, including Live, Google, Yahoo, Skype and Mozilla. The issuance was noticed and the certificates revoked in this case, although it would have taken a while to update browsers. But legitimate issuance by a certification company is still easy to obtain for "own" sites.
|SSL is not needed unless you have some kind of privacy or online transaction on the site. HTTPS is often only "engaged" when on the "privacy" part of the web site - ie entering personal/card payment or similar details. |
Good points, but none of them really negate the fact that SSL certificates, particularly from companies that perform strict verification, can add credibility/trust to a site (algorithmically and to human visitors). I had to prove that my business was registered with the State or incorporated to get my SSL cert from Verisign -- short of giving a blood sample, it was a strict verification...they don't just hand them out like candy when you have SSL installed on your server. Again, I point to the Microsoft website credibility study. They specifically discuss 3rd party certifications and awards as a sign of trust and potential ranking signal. An SSL certificate fits into that category.
We can debate the merits of SSL certification all day, but as algorithms add more and more trust/quality-detection signals, there is no reason to believe that SSL certificates couldn't help. It would be just ONE sign of quality, not the be-all and end-all, and certainly not all sites "need" to have one, but I, along with many other consumers, expect to see SSL and trusted certification when I do business with any e-commerce site.
Read the Google blog entry that Engine provided above. Google wouldn't be keeping a catalog of valid SSL certificates just for kicks. They just might be using them as a quality signal. The article also mentions the Comodo security breech that you mentioned.
|There is no reason why (eg) a virus-serving site, scammer or content thief cannot obtain a valid certificate. |
This is true, particularly if the verification process is lax. This is why some certificates would be more trusted than others. Some companies will provide them as long as you have a valid CSR. Other companies will call to verify the number, verify the whois, and verify company/business registration.
I accept SSL certs MAY show an improved trust but the vast majority of web sites use virtual servers on a common IP. They will never get a certificate. At least, not until vp6 finally (if ever!) gets off the ground.
And, of course, if a "trusted" site gets infected (not uncommon) and becomes part of a botnet serving viruses?
|I accept SSL certs MAY show an improved trust but the vast majority of web sites use virtual servers on a common IP |
Well ranking signals aren't necessarily a function of what the vast majority do. There seem to be plenty of signals in the algorithms that the vast majority of websites/webmasters might not be capable of achieving. I know people who use WYSIWYG websites for their business, with very limited control.
I have SSL and I am still on a shared server. All it took was filling out a 6 or 8 field form requesting SSL and paying $2 extra each month for a dedicated IP. My webhost provides free SSL for their business account holders. Trust signals have to start somewhere, and perhaps you have to be willing to pay $2 a month. I don't expect everyone to be willing/able to do it. The vast majority of websites aren't going to win a Webby Award either, but it was specifically mentioned in the website credibility study.
It's just speculation, as we've been talking about the possible ranking/trust signals for quite a while. This might be a signal (one of many possible signals). I'm not suggesting that it's a make-or-break signal, or that everyone needs to get SSL certified. It's clearly a judgment call. Google wouldn't have TrustRank if there were no trust signals.
I wanted to be clear that I am not trying to be argumentative or know-it-all, just throwing around some ideas and my own theories (for what they are worth) after many weeks of thought on this topic. I tend to get wordy and type very quickly, so my wording can sound abrasive. I hope I didn't come across that way.
I appreciate your input/thoughts on this and hope others will have some input on this subject. I am very intrigued by the website credibility studies, and have been giving a lot of thought to how those human signals can be incorporated into the algorithms. Anyway, I felt compelled to say this so you didn't think I was dismissing your points.
No problem, crobb! :)
I would love to see google try to drive everyone to use SSL certs, though. At one IP per web site we'd be out of ivp4 and into ivp6 in weeks! And half the web would probably be broken because it can't handle ipv6 properly. :)
Alternatively, a few of the broken parts of the web dealing with SSL certs may get fixed, allowing a cert to be per domain instead of per domain/IP. Less secure, of course... Vamp 'til ready. :)