At SMX West last week, Gary Illyes from Google said in the session “How to Secure Your Site for Google’s HTTPS Algorithm” that about half a percent (0.5%) of the security certificates on the web are broken, and that he is experimenting with ways to address the problem in the Google search results.
Gary said he is working on an internal experiment to flag sites that have these broken security certificates. This way a searcher is warned, in some fashion, before clicking on an HTTPS web page that really isn’t secure for one reason or another. Often, an HTTPS web page will be invalid because the page references an image URL that is not secure, or third-party content or widgets that are not secure. It is unclear how “broken” a secure page has to be for Google to issue this warning. As Gary said, this is only something he is experimenting with internally, and he is not sure if the experiment will see the light of day in the live Google search results.
Gary also said in the session that they are working on possibly boosting the ranking of secure login pages even more than they do with the normal HTTPS ranking boost. This ranking boost on login pages may help ensure copycat sites don’t rank for those login pages, somewhat like a phishing-prevention measure.
Google does take web security seriously and will continue to adapt their HTTPS algorithm and efforts going forward.