Google is practicing social engineering by denigrating "non-secure" sites in search results, according to Ars Technica:
Sites that properly implement the transport layer security (TLS) protocol may be ranked higher in search results than those that transmit in plaintext, company officials said in a blog post published Wednesday. The move is designed to motivate sites to use HTTPS protections across a wider swath of pages rather than only on login pages or not at all. Sites that continue to deliver pages over unprotected HTTP could see their search ranking usurped by competitors that offer HTTPS.
So, as a genetically modified guinea pig I now have a "secure" version of this blog: https://tommoody.us. Bots, do your thing. Except, well, http://tommoody.us still exists and doesn't redirect anyone to the secure page(s).
It's like I now have a "secure" mirror site -- but it's a mix of http and https URLs.
For example, this post is "secure" (meaning the content is encrypted from the page to your browser and Malcolm in the Middle can't read along with you), but only because I manually changed the image URL of my "logo" to https in my WordPress theme editor. Whereas this post is not "fully secure" because it still has http in the image tag in the post.
Am bleakly curious how the googlebot is going to handle this -- will it index my site twice? Will the http version of the same site be demoted in search results? Guess I need to do some reading (now that I've already taken this step). I'm sure the geniuses at Google won't make a mess of their altruistic behaviorism.
Update: Google wants you to treat the https site as a new site and redirect all your http URLs to it. That's more work than any mom and pop website that's built a smidgeon of web credibility should have to do just to be on the good side of Google's search bot. The political dimension of this is what's been predicted (and happening) for years -- the gradual downgrading of independent users in favor of larger corporate entities with full-time security staffs. One smug commenter on the Ars Technica post internalizes this as snobbish complaining about the http users stinking up his internet neighborhood: "I don't want you operating a fly-by-night dynamic web site with no security in the neighborhood my nephews do homework on." But what if a site doesn't use "dynamic" features such as online purchase forms? As I understand it, Google still plans to penalize it for not having https.
Update 2: With a bit of hassle and about an hour of downtime I was able to redirect the http pages to the new https site, which you should now be seeing.