- From: Ryan Sleevi <rsleevi@chromium.org>
- Date: Mon, 29 Dec 2014 14:05:11 -0800
- To: Chris Palmer <palmer@google.com>
- Cc: Brian Smith <brian@briansmith.org>, Chris Bentzel <cbentzel@chromium.org>, Monica Chew <mmc@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, blink-dev <blink-dev@chromium.org>, security-dev <security-dev@chromium.org>, "dev-security@lists.mozilla.org" <dev-security@lists.mozilla.org>
On Mon, Dec 29, 2014 at 12:59 PM, 'Chris Palmer' via Security-dev <security-dev@chromium.org> wrote:
> On Fri, Dec 26, 2014 at 8:12 PM, Brian Smith <brian@briansmith.org> wrote:
>> It would also be useful to consider search metrics. When I search for
>> "RFC 5246" with Google Search or Yahoo! Search, the top result is
>> http://tools.ietf.org/html/rfc5246. But,
>> HTTPS://tools.ietf.org/html/rfc5246 has the exact-same content. How
>> often does this happen? What can be done to make search engines
>> consider the HTTPS:// variant the canonical, default, choice? (Note:
>> RFC 5246 is the TLS 1.2 specification.)
>
> Yeah, that's a bug we need to fix. I think we gradually are? I have
> pinged the relevant people.

There are a variety of signals, at a variety of quality levels, that can be used to infer that the scheme is irrelevant. I think some of it will require heuristics / improvements in the search and indexing side (and, as Chris said, I know that people at Google are looking at such signals).

Of the things that apply now, what sites can be doing is:

1) Ensuring HTTP redirects to HTTPS
2) Use canonical URLs - see https://support.google.com/webmasters/answer/139066?hl=en
3) Use HSTS, when available.

These three things - especially the first two - are signals that most search engines are already taking into consideration. But all of them require some degree of a site signalling the intent, which is understandably a problem of scale. We're also working to evangelize this better.
Received on Monday, 29 December 2014 22:05:38 UTC
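The three signals Ryan lists (HTTP-to-HTTPS redirect, an https:// canonical URL, and HSTS) can be checked mechanically from a site's own responses. The following Python audit is an added example written for this archive page, not code from the thread or from any of the projects mentioned; the responses it inspects are constructed in-line and the host `example.test` is a placeholder. It treats each response as a plain dict of status, headers and body so it runs offline, and it flags one common misconfiguration the list items do not spell out: an HSTS header sent only on the plain-HTTP response, which browsers ignore under RFC 6797.

```python
"""Audit the three HTTPS-canonicalisation signals from the thread:
1) the http:// URL redirects to https://, 2) the HTTPS page declares an
https:// rel=canonical URL, 3) HSTS is sent on the HTTPS response.

Added example, not part of the original thread. Responses are plain dicts
(status, headers, body) so the audit runs offline; all samples below are
constructed and the host example.test is a placeholder.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
PERMANENT_STATUSES = {301, 308}


class _CanonicalFinder(HTMLParser):
    """Collect the href of every <link rel="canonical"> in a page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "link":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if "canonical" in a.get("rel", "").lower().split() and a.get("href"):
            self.hrefs.append(a["href"])


def _header(headers, name):
    """Case-insensitive header lookup; returns None when the header is absent."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def canonical_urls(page_url, body):
    """Absolute canonical URLs declared by the page (relative hrefs are resolved)."""
    finder = _CanonicalFinder()
    finder.feed(body)
    return [urljoin(page_url, h) for h in finder.hrefs]


def hsts_max_age(headers):
    """max-age from Strict-Transport-Security, or None if absent or malformed."""
    value = _header(headers, "strict-transport-security")
    if value is None:
        return None
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        val = val.strip().strip('"')
        if name.strip().lower() == "max-age" and val.isdigit():
            return int(val)
    return None


def audit(http_url, http_response, https_response):
    """Evaluate the three signals; each response is {"status", "headers", "body"}."""
    parts = urlsplit(http_url)
    host = parts.netloc
    https_url = "https://" + host + parts.path
    # Signal 1: the http:// URL must redirect to an https:// URL on the same host.
    location = _header(http_response["headers"], "location")
    target = urlsplit(urljoin(http_url, location)) if location else None
    redirects = (http_response["status"] in REDIRECT_STATUSES and target is not None
                 and target.scheme == "https" and target.netloc == host)
    # Signal 2: the HTTPS page must declare an https:// canonical URL for this host.
    canonical_ok = any(urlsplit(c).scheme == "https" and urlsplit(c).netloc == host
                       for c in canonical_urls(https_url, https_response["body"]))
    # Signal 3: HSTS counts only on the HTTPS response; over plain HTTP it is ignored.
    max_age = hsts_max_age(https_response["headers"])
    return {
        "redirects_to_https": redirects,
        "redirect_is_permanent": redirects and http_response["status"] in PERMANENT_STATUSES,
        "canonical_is_https": canonical_ok,
        "hsts_on_https": max_age is not None and max_age > 0,
        "hsts_only_on_http": hsts_max_age(http_response["headers"]) is not None and max_age is None,
    }


def sample_good():
    """Constructed responses for a site that does all three things."""
    return audit(
        "http://example.test/html/rfc5246",
        {"status": 301, "headers": {"Location": "https://example.test/html/rfc5246"}, "body": ""},
        {"status": 200,
         "headers": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
         "body": '<html><head><link rel="canonical" href="/html/rfc5246"></head></html>'},
    )


def sample_bad():
    """Constructed responses: same content on both schemes, HSTS only over HTTP."""
    return audit(
        "http://example.test/html/rfc5246",
        {"status": 200,
         "headers": {"Strict-Transport-Security": "max-age=31536000"},  # ignored by browsers
         "body": "<html>same content served over plain http</html>"},
        {"status": 200, "headers": {},
         "body": '<html><head><link rel=canonical href="http://example.test/html/rfc5246"></head></html>'},
    )


if __name__ == "__main__":
    for label, result in (("good", sample_good()), ("bad", sample_bad())):
        print(label, result)
```

To use it against a live site you would fetch the http:// URL without following redirects and the https:// URL normally, then pass the two responses to `audit`. Accepting any 3xx for signal 1 but reporting `redirect_is_permanent` separately mirrors how the redirect is read as a canonicalisation hint: a 301 or 308 says the move is final, while a 302 leaves the old URL as the one to keep indexing.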