Just out of curiosity, I'm wondering whether search engines attempt to validate certificates and what their trust store is. Do they accept everything regardless of the certificate's trust/validity, or do they only take into account pages fetched over a trusted connection with a proper certificate from a reputable CA?

André Borie
  • Do you mean when crawling? – techraf Jul 22 '16 at 02:05
  • Which search engines? I'd presume that most public search engines probably would either skip pages from untrusted roots or rank them down significantly. The reason being self-signed or private CAs are generally used by APIs and private sites, which are not really of interest to consumers of public search engines. But that's just my presumption. – Lie Ryan Jul 22 '16 at 02:06
  • @techraf exactly. – André Borie Jul 22 '16 at 02:31
  • @LieRyan most public ones. Yeah I'd assume that as well but it would be nice to have a definitive answer (possibly referencing official communication from the search engine's developers, or from someone who tested it themselves by setting up sites with untrusted/revoked certs). – André Borie Jul 22 '16 at 02:33
  • That makes an easy answer: at least Google doesn't. It crawled my self-signed certificate-configured website and included it in the search results. If on the other hand the question was about ranking, there is probably no one to answer. – techraf Jul 22 '16 at 02:34
  • @techraf I believe users of Google Webmasters are warned about misconfigured/self-signed certs ([see here](https://webmasters.googleblog.com/2011/12/tips-for-hosting-providers-and.html)). Also, it is a [ranking signal](https://security.googleblog.com/2014/08/https-as-ranking-signal_6.html) at Google. – Jedi Jul 22 '16 at 04:05
  • @Jedi Curious I read them, but which passages from those articles do you think are relevant and to what? It's no secret Google is promoting HTTPS and proper website configuration. – techraf Jul 22 '16 at 04:20
  • @techraf from the first link `Google tries to alert webmasters of this issue by sending a message via Webmaster Tools.`, so they do care about cert config. From the second link `we’re starting to use HTTPS as a ranking signal...` which kinda addresses your question: `If on the other hand the question was about ranking, there is probably no one to answer`. As of 2014, Google used it as a lightweight signal with plans to rely on it more significantly in the future. – Jedi Jul 22 '16 at 04:23
  • But of course Google treats the fact of providing HTTPS as a ranking factor, it's been published, but how does it relate to this question and my comment? – techraf Jul 22 '16 at 04:30
  • @AndréBorie Another guess for Google - they are a CA themselves. I don't know if you can get a Google-signed certificate for your website, but if it turned out they differentiate among CAs, they would need to include their own somewhere (and likely at the top). And that would be a cause for suspicion. Given they already are under fire I don't think they would add another factor to be used against themselves. By common sense they should be using the root CAs for Chrome/Android. – techraf Jul 22 '16 at 04:43
  • @techraf Chrome (on Windows and Mac, though not on Linux) doesn't use its own certificate store - it uses your computer's built-in store. – Moshe Katz Jul 26 '16 at 18:15
  • @MosheKatz Okaaay, and why exactly did you write this? – techraf Jul 26 '16 at 23:57
  • @techraf Quote from you just above: "by common sense they should be using the root CAs for Chrome/Android." I was just pointing out that Chrome doesn't necessarily have its own list of root CAs. – Moshe Katz Jul 26 '16 at 23:59
  • @MosheKatz How does it relate to what I wrote? – techraf Jul 27 '16 at 00:05
  • @techraf You made the (unsubstantiated) suggestion that because Google already maintains a list of trusted roots for one project (or two projects) that list should be used for all of their products. All I noted was that, since some Google products use a different list, there's not necessarily any reason to assume a connection. – Moshe Katz Jul 27 '16 at 00:22
  • I did not make any suggestion, quote: "another guess for Google". From Merriam-Webster: "guess: to form an opinion or give an answer about something when you do not know much or anything about it". If you wanted to write "you guessed not", why not write it clearly? – techraf Jul 27 '16 at 00:29

1 Answer

An invalid certificate wouldn't stop search engine crawlers from indexing the data from any website. However, the certificate configuration will have a significant impact on the ranking of the website in search results.

hax
  • Do you have a citation for this, or is it merely something that you believe to be true? – user Nov 26 '16 at 19:15
  • https://blog.teknicks.com/self-signed-ssl-certificate-wont-work-googles-https-ranking-signal – hax Nov 27 '16 at 17:24