By Brandon Bailey San Jose Mercury News
MOUNTAIN VIEW, Calif.
One of the world's most powerful Internet companies is using its leverage to prod other websites into adopting a key safeguard against malicious hackers who try to steal Internet users' passwords or eavesdrop on their online activity.
Google said its popular Internet search engine will start assigning a higher priority to websites that use a kind of encryption known as HTTPS, in a move that was welcomed by experts who say it's a significant step toward increasing security and privacy on the Web.
"I don't expect the Internet to change overnight, but over the next few months and years, more and more websites will see this as something they must do," said Kevin Mahaffey, chief technology officer at Lookout, which makes security programs for mobile devices.
The move comes just days after a disturbing report that a Russian hacker gang has amassed a stockpile of 1.2 billion Web users' names and passwords from around the world.
Experts say HTTPS encryption might not have blocked the methods used by that group, but it can foil other common techniques that hackers use to gather sensitive personal and financial information.
Anyone who uses an unsecure Wi-Fi hotspot, in a coffee shop, shopping mall or other public place, can be vulnerable to malicious snooping, said Dwayne Melancon, chief technology officer for the computer security company Tripwire.
But outsiders generally can't read information that a person sends or receives from a website that's encrypted, as indicated by an Internet address that starts with the letters HTTPS.
Google has spent tens of millions of dollars to beef up its own online services in recent years. It's also pushed for broader use of encryption, industrywide, both to guard against tech-savvy criminals and, after last year's revelations about controversial National Security Agency spying, to curtail snooping by government agencies.
In a blog post this week, the company said it hopes to encourage HTTPS encryption by using it as a "ranking signal," or one of many factors the company uses in deciding which websites to show more prominently when it displays search results.
"For now, it's only a very lightweight signal," the company added. "But over time, we may decide to strengthen it."
Strengthening the signal, or giving more weight to sites that use encryption, means those sites may appear higher in Google's search results.
That can make a huge difference in how many people visit a site, as many Web operators and online businesses have learned over the years.
"It will tend to drive people to sites that are being more responsible in how they interact with users," said Melancon. "I think it's a great idea."
Some experts, however, questioned whether encryption is necessary for every site. While major banking and e-commerce sites already use HTTPS, smaller Web operators may not feel it's worth the trouble and expense to add encryption for a site that doesn't handle sensitive information, said Darien Kindlund, director of threat research at security company FireEye.
Google's search engine is used by roughly two-thirds of all Internet users, and it has been scrutinized by critics and regulators for any signs that it has abused that dominance by treating sites unfairly.
But Google has used its algorithms in the past to steer visitors away from certain websites, such as those known to be infected with malicious software.