Google will begin crawling HTTPS equivalents of HTTP Web site pages, even when they do not have links to them from any page. When two URLs from the same domain appear to have the identical content but are served over different protocol schemes, Google typically chooses to index the HTTPS URL based on a variety of conditions.
Those conditions begin with whether the page contains insecure dependencies or doesn't redirect users to or through an insecure HTTP page, and also involve whether it has a link reading a rel="canonical" to the HTTP page or the server has a valid TLS certificate.
Google last year began to give a "slight ranking boost" in search engine query results to sites with secure HTTPS URLs compared with those indexing with HTTP, even if they don’t have links pointing to them. The secure pages index by default, according to the Mountain View, California company.
Gmail, Google search, and YouTube have had secure connections for a while. Google believes that browsing the Web should be a private experience between the user and the Web site, and must not be subject to eavesdropping, man-in-the-middle attacks, or data modification.
In August 2014, Google began using HTTPS as a ranking signal. At Google I/O that same year the company called for "HTTPS everywhere," which means all communications running over the Web should be secure by default, from music play lists to the articles read on publisher sites.
Consumers and marketers may know that HTTPS encrypted sites are important for banking, but they may not know unencrypted sites leak data.
During a session at I/O, Ilya Gigorik, Google developer on the Chrome team, told attendees that "while it seems like individually the metadata gathered from unencrypted sites is benign, but when you put it all together it reveals a lot about intent and can even compromise privacy."