Feeds

back to article Google adds default end-to-end encryption to search

Google is rolling out default end-to-end encryption to people who use the site to seek for images, news and general webpages, a change that will better protect search queries and results from eavesdroppers. The SSL, or secure sockets layer, service will be offered by default to users who are signed into their Google accounts, …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

Fit me for a tinfoil hat

But I feel like searching while logged into my G account is quite a bit bigger privacy risk than some random sniffer catching my search terms at starbucks.

13
1
Anonymous Coward

Significant Milestone

This presumably means that the US gov have perfected trivial SSL eavesdropping, and will have their kit up and running in the next weeks.

May I be the first to welcome our... oh.. wait.. that already happened.

1
0
Black Helicopters

Why eavesdrop?

Why break in when you have a back door key?

1
0

When on google.co.uk ?

As the title says. If you put in https:// for google.co.uk, it just reverts to a normal http:// connection.

0
0
Facepalm

What will be interesting is whether the search terms still appear in Google Analytics from these

searches. Can't imagine they're going to drop that info if they can help it.

But if they do include the info, and no other analytics type package can see it (due to not being connected into big G's database) then doesn't that steer them into hot water over stifling analytics competition?

Actually pretty sure if it comes via SSL the referrer isn't sent, thus seriously breaking most analytics systems?

2
0
Anonymous Coward

so?

You think this is a problem? If I go to https://www.google.com and search for 'Trev 2' (for example) and I click on the link to your website, you'll get the connection, but you won't get a referral header. This is what the current HTML spec says is supposed to happen.

I think what you'll see is that sites will start sending search-engine specific urls, so where formerly you'd get this link in google:

www.somesite.com/page1/index.html

now you'll get

www.somesite.com/g/page1/index.html

Until google drops these sites from its index.

Alternately, Google could decide to add a variable to the url:

www.somesite.com/page1/index.html?secure-referral-header=www.google.com

although this could break things worse.

0
0
Anonymous Coward

Wait, let me get this straight.

This "security" feature means people must now buy ads from Google to know which search terms drove people to their sites?

Interesting.

5
0
Bronze badge

no

it means that you have to ask them yourself, instead of simply being able to parse your webserver logs.

besides, if all search engines implement https, you won't know if they found your site via google.com, bing.com or mypornsearch.com, so you'll have to buy from the equivalent of google adwords on from every search engine.

0
0
Anonymous Coward

Why the quotes?

Using SSL is not a "security" feature...it IS a security feature.

The beneficial side-effects for google and subsequent stuffing of website hosts and analytics packages do not detract from the increased security offered to end users.

1
1
Anonymous Coward

Security of what?

Your search terms? Why? The search result you then click on probably won't be https, so it'll be out there for any to see.

Bit pointless compared to the real baddies: malware pages that spam the search itself. Google should really be working on that, but that probably doesn't help to sell more ads. Actually many of those malware sites even run Google ads...

0
0
Anonymous Coward

Re: Security of what?

> Security of what? Your search terms?

Yes, well done! It means that no one can snoop on what I am searching.

> Why?

Because I don't want anyone snooping on my searches, I am not sure if I can be any more obvious...

> The search result you then click on probably won't be https, so it'll be out there for any to see.

Not Google's problem or responsibility. They are making THEIR service HTTPS which is a good thing for the users of their search.

Just because you don't give a damn doesn't mean others don't and Google has decided to cater to those people.

0
0
Silver badge

That's all very well...

...but it's Google I don't want to give information to.

4
0
Anonymous Coward

but it's Google I don't want to give information to

So use the Scroogle add on if you are using Firefox, (don't know if its available for other browsers).

1
0
Silver badge

I use IxQuick

No logging and has had SSL for ages.

0
0
Bronze badge
Happy

You can configure scroogle as the web search of choice for any browser, including, but not limited to, Opera, IE, Konqueror, Chrome, ...

It may not be as easy as installing a new add-on, but it is possible.

0
0
Anonymous Coward

So let me get this right

This is great!

So let me get this.

Don't sign in, random people can see my searches, but still be fairly "anon"

Sign in, Google know EXACTLY who I am and track everything I search for.

3
0
FAIL

Are the search terms not sent in the address bar unencrypted anyway? They do here: https://encrypted.google.com/

1
0
Bronze badge
Boffin

No.

Just because you see them in the address bar doesn't mean they go over the wire exactly like that.

http://en.wikipedia.org/wiki/HTTPS#Network_layers

Domain and source/dest IP addresses are the only things not encrypted in transit.

1
0
Bronze badge

wireless

Surely anyone using wireless hotspots who cares about their security would be signed up with a VPN service already? That way, all your traffic is encrypted rather than you having to pick and choose which sites you use based on them providing SSL or not.

I am pretty sure that the security angle is being used to justify this, but the motives, as pointed out by comments above, are more commercial.

0
0
Bronze badge
FAIL

most IT workers don't do this, I really can't see a starbucks hipster using VPN

Internet as a whole should have moved to HTTPS years ago.

0
1
Unhappy

Firefox

As previously commented, using Firefox (7.01) it removes the 'https://' and just shows google.co.uk If you use IE (8) then it doesn't. Anyone know a way round this?

0
0
Anonymous Coward

assuming you're wanting firefox to show the protocol, go to about:config and change browser.urlbar.trimURLs to false..

0
0
Anonymous Coward

Secure Scroogle

https://ssl.scroogle.org/

0
0
Bronze badge
FAIL

Hotmail

You haven't checked recently then, writer-of-article, because the Microsoft apps that communicate with the Hotmail servers were updated ages ago to work with SSL-enabled accounts.

2
0
This topic is closed for new posts.