Google turns on SSL encryption for search

Google has added SSL encryption to its primary search engine. Today, with a blog post, the company announced that netizens now have the option of establishing a secure https connection when searching google.com. To use the service, you must explicitly visit https://www.google.com (Notice the extra "s"). At time of writing, the …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    Cool, now the bad guys can't see my searches

    oh, wait, no, Google still know exactly what I searched for and are busy monetizing that data. Score!

  2. UBfusion
    Coffee/keyboard

    So what?

    Could somebody please explain what are the supposed advantages of SSL when using google search, beyond third parties being unable to sniff our requests? Will SSL e.g. prevent Google from recording my personal data/interests/vices or from providing my 'suspicious' queries to the powers that might request them?

    Escape, 'cause me thinks we can't.

    1. Anonymous Coward
      Big Brother

      Possible benefit?

      If I am using an incognito browser, through a proxy and am not logged in, will that be good enough to anonymise my dubious activities? Or is Big Brother still watching?

      1. Nuno
        Thumb Up

        China

        Don't forget China's censorship. If they don't know what you are searching, they can't censor it...

        1. Anonymous Coward
          FAIL

          They can still censor

          Just block the whole site.

    2. dephormation.org.uk
      Terminator

      DPI

      Using encrypted SSL will prevent third party crooks like BT/Phorm profiling you on the basis of your communications with Google.

      You are then free to make your own choice about using Google or not, knowing that only you and your chosen search engine see your communications.

      Which is the way it ought to be.

      If UK ISPs can't be trusted with communications data, encryption is the inevitable result.

  3. Anonymous Coward
    Jobs Horns

    Good

    There are too many idiots out there who spectacularly misunderstand what the Web is and how it works, but sadly have made it to management and oversee security.

    For those who think simply using SSL somehow makes their website safe (not logins, merely using SSL for the home page and everything beyond before any login) this should be a good wakeup call into what any bot or hacker can still see. Then, they can be sacked and replaced by a competent manager who doesn't spend thousands on a new SSL website and demand his techies include Google ads, maps and other stuff that either looks good, makes money or is a lazy option to making their own.

  4. Eddie Johnson
    WTF?

    Uhhm...

    Why worry about your search being seen in transit when you know damn well the party at the other end will sell it to the highest bidder?

  5. Ian Ferguson
    Paris Hilton

    Maybe iGoogle will work properly now

    I hope they extend the SSL certificate to the iGoogle pages. On mine, I have a preview of my GMail inbox. The thing is, I've turned on SSL only in the GMail settings... and so the preview box is meant to never display my inbox.

    Sometimes it doesn't, and says I have to open GMail properly to view my inbox... but sometimes it does show my email. There doesn't seem to be a lot of logic in it, and it doesn't make me entirely trusting of GMail's SSL security.

    1. Coyote
      Thumb Up

      Gmail on iGoogle is SSL

      The requests made by the gMail widget on the igoogle page are https

      Load up Firebug in firefox and use the Net panel to verify the requests if you aren't sure. That's what I did

  6. Remy Redert

    re: So what

    Not only will it prevent third parties from seeing what you're searching. They won't be able to tell if you're searching something, downloading something over some encrypted connection or doing whatever else one could possibly do over an internet connection using encrypted traffic.

    The only two parties who know will be you and the side you're connecting with, Google in this case.

    For one, this would be a good way to kill DPI for good.

    1. UBfusion

      DPI?

      Which of the following wikipedia definitions of "DPI" do you mean?

      # Dhaka Polytechnic Institute

      # Death Pact International

      # Digital Program Insertion

      # Disabled Peoples' International

      # Disposable personal income

      # Dry powder inhaler

      # Dye penetrant inspection

      # Dadeh Pardazi Iran

      ?

      1. Anonymous Coward
        Anonymous Coward

        RE: DPI?

        I think he means...

        Don't Post Idiocy?

        See what i did there? Get with the programme.

      2. MinionZero
        Big Brother

        DPI as in Deep Packet Inspection

        Ok I will try. I'm probably wasting my time because UBfusion, you sound either closed minded or a troll, so either way unwilling to see and hear, but here goes I will try.

        UBfusion, on the hope you simply don't understand, I'm guessing you are not going to understand the full implications of DPI if you have never heard of it or tried to look up DPI before. So to put DPI into layman's terms, DPI is literally outright spying as in Big Brother spying on everyone's Internet connection and sadly it is increasingly already being used.

        Imagine DPI literally like the post office opening and reading every letter and parcel you send and receive, which would be an unthinkable, even criminal violation of privacy. Yet that is exactly what DPI is to an Internet connection. It's a blatantly outright violation of privacy.

        The reason it's creeping in is because knowledge is, as they say, power, so arrogant self centered powerful people want DPI so they can exploit everyone for their own gain. They wouldn't like us to spy on them, but as usual with these Narcissistic people, they fail to have empathy for everyone else.

        The reason I went to the trouble to write this is because, throughout history it has always been the frankly ignorant bystanders like you UBfusion, who are part of the problem. Because your kind let society get ever more messed up, because they fail to see what is happening until it's too late. They fail to see the harm Narcissistic power hungry people do to society for their own gain. They fail to help stand against the harm until it gets so bad, it's too late to stand against it all to stop what is happening, because by this time the Narcissists have grown so powerful, they are almost unstoppable.

        So you've never heard of DPI until now, ok now imagine how much more you are also failing to currently see that is also going on all the time in the relentless world push towards a literally Big Brother totalitarian level of spying, manipulation, exploitation and control. It's not just words, it is really happening, so wake up before it's too late. It's happening simply because arrogant Narcissists with no empathy for anyone else are determined to remorselessly exploit and abuse technology for their own gain.

        So please try to learn what is happening, then you can help by telling other people who still don't see what is going on. Only that way will we all help wake up enough people to help stand against the growing nightmare we are all rapidly sliding into.

  7. Graham Marsden
    Thumb Down

    So nobody can snoop on my searches...

    ... oh, except for Google, of course...

    1. Adam Foxton
      FAIL

      Yes, but you choose to use Google.

      You click the Send button- you're the one sending them the information you're happy for them to see.

      If you don't like it, don't use Google. Use another search engine, or just don't use a search engine and type the URL into the address bar!

  8. Anonymous Coward
    FAIL

    What's the point?

    If they still pass in the search parameters in the URL (Get), what's the point? People can still see what you queried, if they made them "post" messages it might actually do something.

    1. dephormation.org.uk
      Boffin

      No they can't

      An SSL encrypted tunnel is established first.

      Then, and only then, is the host request and URL passed over it.

      SSL is a good thing.

    2. Jeff 11
      Paris Hilton

      RE: What's the point?

      "If they still pass in the search parameters in the URL (Get), what's the point? People can still see what you queried, if they made them "post" messages it might actually do something."

      That's not how SSL works. The query string isn't transmitted outside of the encrypted connection. And using POST requests isn't any more secure from an interception point of view, it just means people can't glean things from your address bar. And that's not even necessary when you have your query printed (twice) on the results page, is it?

  9. dephormation.org.uk
    Big Brother

    No Snooping

    Well that screws Phorm (and their evil siblings like Hitwise and Nebuad) over.

    Which makes it a slightly better world than it was yesterday.

    Roll on encryption. Because if the CPS and Police won't protect the privacy/security/integrity of UK communications, it is the way forward for communications in this country.

    That or walking down to the shops, buying a newspaper, paying cash, and visiting the village library from time to time... in a 1980s pre-internet retro kind of way.

    Which, if I'm honest, is starting to appeal to me a lot more than being spied on for the rest of my life.

  10. James Woods

    like a ketchup popsicle

    It doesn't get any stupider than this.

    Google, the company that said they were against holding your information for government mandated periods of time (and then went and held it for even longer times).

    Google, the company that brought us buzz. Forcing gmail users into social networking users without their consent or knowledge.

    I don't think anyone outside of google's top brass can even begin to understand the genius that exists in adwords and the methods google has of capturing data and then turning that harvested information into ad-worthy material.

    https://google.com = laughable.

    How about a pledge from google to completely isolate all of its systems rather than tie everything they do together. Microsoft and other companies have been sued for things like this. Why does google get a pass, don't tell me, I already know.

    1. Cameron Colley

      Erm, I fail to see the problem.

      If google are spying on my searches and/or recording them then they will see everything regardless of https.

      But, since https is an encrypted connection to them, my ISP's DPI/phorm/whatever won't see it.

      If you don't use google you're not losing out because this is a change to something you don't use.

      If you do use google you win because you already give your data to google, and now it's only google not google+Eve.

  11. Big-nosed Pengie
    FAIL

    Two words:

    Scroogle.

    Whoops - that's only one.

  12. Anonymous Coward
    Thumb Down

    Too bad it's RC4 128 bit

    Just like their browser Chrome - http://burgerminds.wordpress.com/2009/12/22/google-chrome-security-fail-ssl-ciphers/ , their site only allows 128 bit RC4 encryption (think WEP). Tested with Firefox 3.6.3 on Win7. For anyone with the means (and access), it would be but trivial to middle-man that connection...

  13. Steven Knox
    Boffin

    Not to mention....

    Besides the encryption of the data, there's also the identification part of SSL. So you know if you go to https://www.google.com (and you bother to check out the certificate), you are actually getting data from one of:

    a. Google,

    b. someone who managed to defraud one of the cert providers to provide them with a google.com certificate, or

    c. someone who managed to exploit one of the few known and quite difficult exploits for SSL or some exploit unknown to the white hat community.

    which is a smaller group of people than "either Google or anyone who's managed to compromise your PC, or your browser, or your DNS records to send you to a fraudulent 'http://www.google.com' page."

    So you do get a slightly greater assurance that you're actually submitting your search info to Google to be mined, rather than to someone else to be mined...

  14. Daniel Brandt

    Another advantage

    Another advantage of SSL for search is that the search results page with its links come back via SSL. If you click on a link to some non-SSL page (over 99 percent of all the links will be non-SSL), then when you arrive at that page you will arrive with your referrer stripped. The webmaster on that site won't know that you came from Google, and won't know what search terms you used to get there. He won't even know if you used a search engine (you could have just keyed in the URL in your address bar, which would also cause no referrer). Also, most bots that steal stuff all day long do so without a referrer, which makes you even more obscure.

    Sometimes your search terms can be revealing, and it is best to keep these out of the logs of the pages you click on. Remember, these logs always have your IP address. Why give them your search terms too?

    The stripped referrer when going from a SSL page to a non-SSL page is part of the SSL specification, which all browsers must follow.

    1. Anonymous Coward
      Headmaster

      Slight correction

      As with all 'standards', a more accurate version of "part of the SSL specification, which all browsers must follow" would be "part of the SSL specification, which all browsers *should* follow". No point even testing this, there are always some differences in how browsers work, although here they probably do strip it.

  15. Anonymous Coward
    Anonymous Coward

    bout time

    all you losers bitching about how pointless this is are just butthurt that you didn't think of it yourself.

    of course Google will still have your data, stopping them from getting your data was never the fucking point of encrypting the connection TO THEM. That's like saying that sending your mail in an envelope is pointless because the recipient will only open it anyway. Are your nuts numb or do you just have 2 left testicles?

    SSL helps prevent third parties from snooping on your searches, be that the government, the retards at your ISP, some fat "war driver" sitting outside your house with a laptop, any site that would be interested in what you searched to reach them (e.g. every site ever), creepy voyeurs on your own network, your boss etc.

    So put down the monster munch and get with the fucking program.

    1. Anonymous Coward
      Go

      RE: bout time

      Jesus Christ! Thanks for posting that, it's almost like half the people reading these articles are doing so simply because they think it makes them look cool or something.

    2. Anonymous Coward
      Joke

      Re: testicles...

      Are your nuts numb or do you just have 2 left testicles?

      No - I bought an iPad, ergo I have no testicles at all.

  16. Kevin McMurtrie Silver badge
    Big Brother

    Blocks referrer

    I searched for my own site while watching the server logs. With plain http, a click produced my full Google query in my logs through the 'Referer' header. Https scoping blocked the referrer data, so this does have some value. Malware sites won't be able to create customized fake pages and it will prevent a dozen web sites knowing that you searched for "rapid corpse disposal."

    It's good news for Google too. It makes their collected data very exclusive, and Google is all about making money from data.
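
Added example, not part of the original thread or any poster's code: a Python sketch of the Referer behaviour described by Daniel Brandt and Kevin McMurtrie above. It models the HTTP/1.1 recommendation (RFC 2616, section 15.1.3) that a browser omit Referer when a link on a secure page leads to a non-secure one, then shows what the destination site's access log reveals in each case; the log lines, IP addresses and example.org are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip - - [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)


def referer_sent(from_url, to_url):
    """Referer value a browser sends when a link on from_url is followed.

    Models only the RFC 2616 section 15.1.3 rule: no Referer on a
    non-secure request when the referring page came over a secure protocol.
    """
    src = urlsplit(from_url).scheme
    dst = urlsplit(to_url).scheme
    if src == "https" and dst == "http":
        return None
    return from_url


def search_terms(referer):
    """Return the q= search terms carried by a Google referrer, else None."""
    if not referer or referer == "-":
        return None
    parts = urlsplit(referer)
    host = parts.hostname or ""
    if host != "google.com" and not host.endswith(".google.com"):
        return None
    q = parse_qs(parts.query).get("q")
    return q[0] if q else None


def log_line(ip, path, referer):
    """Build one constructed access-log line the way a web server would."""
    return (f'{ip} - - [21/May/2010:10:00:00 +0000] "GET {path} HTTP/1.1" '
            f'200 512 "{referer or "-"}" "Mozilla/5.0"')


def leaked_queries(lines):
    """List (client ip, search terms) pairs recoverable from access-log lines."""
    found = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        terms = search_terms(m.group("referer"))
        if terms is not None:
            found.append((m.group("ip"), terms))
    return found


# Constructed scenario: the same search, once over http and once over https,
# each followed by a click through to a plain-http site.
DEST = "http://example.org/"
CLICKS = [
    ("192.0.2.10", "http://www.google.com/search?q=low+profile+AM2+heat+sink"),
    ("192.0.2.20", "https://www.google.com/search?q=low+profile+AM2+heat+sink"),
]
SAMPLE_LOG = [log_line(ip, "/", referer_sent(src, DEST)) for ip, src in CLICKS]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(entry)
    print(leaked_queries(SAMPLE_LOG))
```

Only the visitor who searched over plain http has their query recorded by the destination site; the https visitor shows up with an empty referrer field.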

    1. Gilbo
      Thumb Up

      Pint

      You, sir, have hit upon the one thing that has seemingly crept up and bitten Google on the arse without the great majority of people realising how all these dynamically created spam pages are hitting the top 10 search results. Google is feeding our search parameters to other websites to process and feedback as they wish.

      I only noticed this about a month ago when I hit a page that had absolutely no relevance whatsoever to my search but specifically stated "you came here looking for <search criteria>".

      You'd think that a search "intelligence" such as Google wouldn't need to rely on third parties providing the relevant pages, wouldn't you?

      If SSL gets rid of that then I'm all for it.

      1. alex dekker 1

        Referrer:

        > Google is feeding our search parameters to other websites to process and feedback as they wish.

        I think you will find that your browser is passing the Referrer: header on to the web server that hosts the site whose link you click on.

        1. Wallyb132
          FAIL

          RE:Referrer

          I think you misunderstood his point, he's not talking about pages he clicks on from google search results, he's talking about links showing up in the results themselves, as though he did click on the link to that page.

          I've noticed that happening too, it's become increasingly annoying when i'm trying to find something specific and i continuously get links to pages that are completely irrelevant to what i'm looking for and in the process alter my search terms to what that page "THINKS" i'm looking for.

          For example, the other day i was searching for "low profile AM2 heat sink", one of the links that was returned was for amazon.com, when i clicked the link it took me to an amazon search page with "Intel CPU cooler" pre-entered in the search box and a list of results for that search term, which had absolutely nothing to do with what i was looking for...

  17. Anonymous Coward
    Anonymous Coward

    firefox

    Ok, how to make firefox use the https google instead of http google by default ?

  18. Anonymous Coward
    Anonymous Coward

    Two words: #2

    -=[*]=-

    Scroogle.

    Whoops - that's only one.

    -=[*]=-

    Startpage

    Now we have two words.

    https://startpage.com

    ^ Note the extra "s"

  19. Anonymous Coward
    Anonymous Coward

    Phorm ..

    ... and its like could perhaps be a little confused by this?

  20. UBfusion
    Coffee/keyboard

    Resistance is futile

    Symantec acquired Verisign's SSL... Is this just a coincidence?

    Furiously pressing Escape does not work anymore, figuratively AND literally in my Firefox 3.6.3.

    Can't be a coincidence...

  21. Anonymous Coward
    Stop

    @Too bad its RC4 128 bit

    WRONG. RC4 is not the reason for the weakness of WEP. Rather, it is the way WEP sets up the session key.

    http://en.wikipedia.org/wiki/Wired_Equivalent_Privacy#Flaws

    RC4 as used in SSL is safe, because it properly creates a new session key each time a SSL connection is being created.

    Whether government intel can't break RC4, I don't know. But the same can be said about AES and 3DES.

  22. heyrick Silver badge

    This is good.

    My Orange internet contract update email states, in tiny letters at the bottom:

    By accepting this offer, you authorize France Télécom to use data relating to your traffic in order to offer you France Télécom products or services that may meet your needs, for a period of twelve (12) months from the time the data is generated. You may object to this use at any time by contacting Customer Service at the address mentioned above.

    I have contacted Orange, twice, to oppose this traffic monitoring, and both times I have been pointed to my settings/options to activate the "liste rouge". NO, people, making my Internet phone number unlisted and placing myself on a don't-cold-call list is NOT disabling traffic monitoring. Are they specifically trained in how to miss the point? In each email the above paragraph was quoted, so while my French might be lacking, it would be bloody obvious what I was referring to. Indeed, in my second email I said I did not *want* any products or services beyond faster internet (I am on 1 megabit due to remote location), a Livebox that fully works (instructions say you can plug in USB devices for NAS capabilities, reality says otherwise), and lower cost (~30-50 euros a month is the norm for an unbundled-line service). WTF do they think they can sell to somebody whose Internet time is spent, mostly, between Veoh for obscure fansub animé and El Reg? At least World+Kitten is fully aware of Google's data-sucking activities, given Orange's (deliberate?) attempt to deflect my opposition request two times, what are their *real* intentions? At least now some of my data will be hidden from my own ISP. It's simpler than buying into a VPN service.

    [bootnote: Google may be able to, through profiling, make fairly accurate guesses as to who I am and where I live. All to attempt to throw advertising at me that is mostly blocked. :-) My ISP, on the other hand, already has my exact location, a copy of my identity papers, brief information about my employment, and my bank information. Makes you wonder, doesn't it?]

  23. Stuart Castle Silver badge

    re: About time

    "all you losers bitching about how pointless this is are just butthurt that you didn't think of it yourself.

    of course Google will still have your data, stopping them from getting your data was never the fucking point of encrypting the connection TO THEM. That's like saying that sending your mail in an envelope is pointless because the recipient will only open it anyway. Are your nuts numb or do you just have 2 left testicles?

    SSL helps prevent third parties from snooping on your searches, be that the government, the retards at your ISP, some fat "war driver" sitting outside your house with a laptop, any site that would be interested in what you searched to reach them (e.g. every site ever), creepy voyeurs on your own network, your boss etc."

    Actually, I did think of the idea years ago. I dismissed it. Why? Simple. It will offer little, if any, boost to security.

    Why do I say this? That is also simple. While it will protect your search terms, if your connection is being monitored, as soon as you click on a link on your search results, what you have clicked is visible to those monitoring your connection.

    The timing of this announcement is rather suspect. Google announced it the same day they announced they had "accidentally" copied WiFi data. They probably thought they needed something to reduce the bad publicity. This solution, while expensive, was probably the easiest to implement.

    I know Dephormation from other forums, and, TBH, am surprised he thinks any differently to me about this.

    1. Anonymous Coward
      Anonymous Coward

      RE: re: About time

      "you have clicked is visible to those monitoring your connection."

      You assume that the link being clicked is not to another SSL site. This could be the start of the whole internet switching to SSL which is an event that I would welcome.

      BTW, the button "Reply to this post", that's right... the one under every comment. Have you clicked it? You won't believe what it does.

    2. dephormation.org.uk
      Happy

      I don't

      "I know Dephormation from other forums, and, TBH, am surprised he thinks any differently to me about this".

      I think we agree completely. :o)

      This will do much more to protect Google's commercial interests than anyone's privacy, because so much else is presently currently unencrypted.

      More generally... the web developers need to learn that encryption for all internet communication is essential, because ISPs and Governments simply cannot be trusted to respect and protect the confidentiality of our personal and commercial communications data.

    3. Ole Juul

      Time saver

      "Actually, I did think of the idea years ago. I dismissed it. Why? Simple. It will offer little, if any, boost to security."

      And I guess you think that the purpose is to boost security? Very funny. Blocking referrer data is where this is at. I am looking forward to not having my time wasted by fake pages customized with my search terms.

  24. Mike Flugennock
    Grenade

    Big damn deal...

    ...Google is still holding the keys. How goddamn' stupid do they think I am.

    I'm sticking with scroogle.org, thanks very much.

  25. rcdicky
    Happy

    Seems OK to me...

    Just had a go and the speed seems fine FWIW - No difference to the usual.

    Whether it provides a major or minor boost to security, it's still a boost ain't it? Can't really be a bad thing I wouldn't have thought...

    Oh, and "Are your nuts numb or do you just have 2 left testicles?" - Way to brighten my morning, ta mate :D

  26. Renato
    Thumb Down

    SSL Strength

    It is interesting to know both Google and my *bank* use RC4-128 and VeriSign certificates to secure their communications while my own server uses a self generated certificate and AES-256.

    1. Steven Knox
      Joke

      No surprise there...

      They're more concerned about security: http://www.theregister.co.uk/2009/08/03/new_crypto_attack/

      (Seriously, in the work I've done, I've noticed that clients and servers tend to select the LOWEST common security setting available, which is OK for compatibility, but sucks for actual security...)

  27. Flybert

    it will be additional data for your consumer profile

    if you are semi-geeky enough to use https , perhaps Google will serve different ads to you

    combined with your other searches ... *better* targeting .. simple ploy ..

    that is all ...

  28. Anonymous Coward
    Happy

    Better ads????

    If they were smart, they'd detect noscript and adblock....and not send any scripts or ads...

  29. Jamie Kitson

    Good News

    Glad because this means their street view cars won't be able to eavesdrop on your search traffic.

  30. Matt Piechota
    Alert

    Search Redirection

    Also should handle this:

    http://www.dslreports.com/faq/16534

    Mgmt Summary: ISP hijacks all search traffic to Google and sends it to their ad-ridden Yahoo-based search page. You have to opt-out on a web page (may just be a cookie or something equally stupid) in order to stop it. This happens even if you don't use the ISP DNS servers.
