May 02, 2006
As we mentioned last week, we've
added a new option for verifying site ownership.
This method requires that you place a specific
<meta> tag in the source code of
your home page. Many
features are available only to site owners
and we want as many webmasters as possible to have access. Most site owners who can't upload
files or specify names for files should be able to use this new method to verify. For instance,
if you use Blogger, you can
verify using this option.
To verify using the
<meta> tag, simply click the Verify link for your site,
choose Add a
meta tag as the verification option, and then copy the tag provided to the
<head> section of your home page.
This tag looks like this:
<meta name="verify-v1" content="unique-string">
You must place this
- On the home page of your site (sometimes called the index page or root page).
- In the source code for that page.
In the first
<head>section of the page, before the first
You can't place this tag inside of another tag in the head section.
For instance, this is correct:
<html> <head> <meta name="verify-v1" content="unique-string"> <title>Title</title> <style> <!-- style info here --> </style> </head> <body> <!-- body of the page here --> </body> </html>
meta tag inside the style section is incorrect:
<html> <head> <title>Title</title> <style> <meta name="verify-v1" content="unique-string"> </style> </head> <body> ...
meta tag inside the body section is incorrect:
<html> <head> <title>Title</title> </head> <body> <meta name="verify-v1" content="unique-string"> </body> </html>
meta tag on a page with no head section is incorrect:
<html> <meta name="verify-v1" content="unique-string"> ... </html>
Below are some questions you might have about verification.
I have a blog, and anyone can post comments. If they post this
meta tag in a comment, can they can
claim ownership of my site?
No. We look for this
meta tag in the home page of your site, only in the first section and before
the first. If your home page is editable (for instance, your site is a wiki-like site or a blog
with comments or has a guest book), someone can add this
meta tag to the editable section of your
page, but cannot claim that they own it.
So, how do you generate these cryptic tags anyway?
The unique string is generated by base-64 encoding the SHA256 hash of a string that is composed of the email address of the proposed owner of the site (for instance, email@example.com) and the domain name of the site (for instance, example.com).
From this unique string, can someone determine my email address or identity?
Short answer, no. Long answer, we use a hashing scheme to compute the contents of the
Hashes cannot be "decrypted" back into the message.
meta tag contents be cracked through a dictionary attack?
To reduce the risk of dictionary attacks, we use a random sequence of bytes (called salt) as a seed to the hash function. This makes dictionary attacks much more difficult.
Can someone determine if the same webmaster own multiple sites?
We use the domain name of your site (for instance, example.com ) to compute the unique string. Based on the contents of the tag, someone can determine if a webmaster owns different sites on the same domain, but not if the webmaster owns sites on different domains. For instance, someone can determine if the same webmaster owns https://www.example.com/ and https://subdomain.example.com/, but can't determine if the same webmaster owns https://www.example.com/ and https://www.google.com/.
What if my home page is not HTML content?
This method may not work for you. You must have a
<head> section in order to be
able to verify using this approach. Instead, try uploading a verification file to verify
ownership of your site.
I've added my tag, but Google Sitemaps says it couldn't find it. Why?
Make sure your tag is in the first
<head> section, and before the
<body> section. Also ensure that it's not within the
or other specialized tags. The easiest way to make sure that the placement is one we can recognize
is placing it right after your opening <head> tag, as follows:
<head> <meta name="verify-v1" content="unique-string">