Spotting Insecure Websites Requires More Than Google's Red X
For example, there are many sites where a company's home page is just a plain HTTP page, but when you go to any ecommerce page to purchase something, then the pages switch to HTTPS. On those pages any personal or financial information exchanged should be secure and encrypted, assuming the site doesn’t have any other security lapses. It’s the other security lapses that are the concern. Just because the link between your computer and the other website is encrypted doesn’t prevent data loss or compromise caused by poor practices, security breaches or larcenous employees. Unfortunately, just because your data gets to the other site securely, there are still a lot of ways it can be compromised. Currently many sites, including major ecommerce sites, continue to use HTTP for access and only shift to encryption when it comes time to use your financial information. A good example of this practice is apple.com, which does not use SSL encryption until you get to the checkout page. Yet there’s nothing insecure about Apple or its website, but apparently according to the new policy, Google would demote Apple in any search rankings. On the other hand, I could create a site such as https://www.imabadguy.com (this is not a real site) and it would get the green padlock from Google, which would enhance its search ranking on the assumption that it's delivering enhanced security. Yet I could load the home page to all sorts of links to evil malware, viruses, phishing sites and the like, and still get better search rankings.What is of potentially greater concern is if browser makers start trying more aggressively to enforce a requirement for SSL. Perhaps instead of a red X appearing next to the address bar, might we not see an alert that actually blocks access to such sites without affirmative permission? Imagine what might happen if you had to deal with a dialog box asking if you were sure you wanted to continue to an insecure site when all you were doing was trying to look at your cousin’s cat videos. While information on the nature of your connection to any website is useful, that information is already there. It’s not clear that an additional layer of enforcement is necessarily a good thing.
Fortunately, there’s more to security than encrypted websites. Google also keeps track of sites that contain malware as do many security software suites. I’ve noticed repeatedly that my security software will alert me if I try to browse to a page containing potential malware.