Schneier on Security (Bruce Schneier)
A blog covering security and security technology.

October 21, 2011
Google Enables SSL by Default for Search
Posted on October 21, 2011 at 6:23 AM • 29 Comments

Comments

But https://google.com/ig still gets redirected to http://google.com/ig
Posted by: Andreas at October 21, 2011 6:46 AM

@Andrea, Just because the main page is using plain HTTP doesn't mean that the data sent to the server isn't using SSL. Check out the page source and look at the URL the search button sends the form data to.
Posted by: regular_guy at October 21, 2011 7:09 AM

@Andrea, The article notes that this will be beginning in the next few weeks, not right away.
Posted by: another_guy at October 21, 2011 7:21 AM

Given that the majority of users have a habit of clicking "Accept" or "OK" just "to get it working", enabling SSL solves the problem only partially.
Posted by: Muzaffar Mahkamov at October 21, 2011 8:08 AM

Google will still everything & use the search & results.
Posted by: Hsweeney at October 21, 2011 8:53 AM

Only for 'logged-in' users (i.e. those who have already given their souls to Google). For the rest of us, there's still HTTPS-Everywhere, of course.
Posted by: Toby Speight at October 21, 2011 9:17 AM

Funny that this happens just as Amazon introduces a tablet that would give them access to all the unencrypted Google queries.
Posted by: David Leppik at October 21, 2011 9:36 AM

For the rest of us, there's still Scroogle (https://ssl.scroogle.org/). Oh Google, generous one, be praised for still suffering our puny, miserable Scroogle searches in the shiny temples and vaults of your data!
Posted by: Arretai at October 21, 2011 10:18 AM

@Toby Speight: "Only for 'logged-in' users" For the rest of us, we can visit https://encrypted.google.com and/or https://www.google.com easily.
Posted by: Paeniteo at October 21, 2011 10:25 AM

A good thing for the average layman, but most privacy & security aware folks were already using Scroogle, HTTPS Everywhere, Ghostery, NoScript, Trashmail, Certificate Patrol and the like anyway.
Posted by: Dirk Praet at October 21, 2011 10:40 AM

@Dirk - but how many corporates do? We do all the security stuff - TrueCrypted laptops, airgapped machines for certain projects etc.
Posted by: NobodySpecial at October 21, 2011 11:05 AM

Why would anyone be logged into Google when doing searches? Log out first or use a different browser for each.
Posted by: ted at October 21, 2011 11:34 AM

@Andrea You can always use this:
Posted by: anon at October 21, 2011 12:32 PM

@NobodySpecial From experience: only those that have a serious business case in the form of legal or regulatory compliance, or those with a CSO skilled and diplomatic enough to make his voice heard and understood by the CTO and the rest of the board. In all other cases, the answer is
Posted by: Dirk Praet at October 21, 2011 3:02 PM

HTTPS-Everywhere (good add-on BTW...) says that because clicking on ads still sends the referer {sic} header, they will continue using encrypted.google.com.
Posted by: Hello71 at October 21, 2011 4:26 PM

Honestly I'm 10X more concerned about what Google is going to do with my searches now that it can tie them to a specific user account than what some wanna-be snooper might do. Google is not my friend, and what Google does benefits Google first and foremost. A classic honey-pot technique, if you ask me.
Posted by: Daniel at October 21, 2011 5:08 PM

I don't know that this is really a good thing. SSL only guarantees that you're connecting to someone with "Google" on their SSL certificate. Unfortunately, there are a lot of entities other than Google that could conceivably provide such a cert.
Posted by: Brian at October 21, 2011 10:31 PM

Doesn't Google send its search parameters via GET - i.e., in the URL itself - which does not get encrypted?
Posted by: Gary at October 21, 2011 10:52 PM

What is wrong about me knowing how people found my blog? I like to read their search terms.
Posted by: Andy at October 22, 2011 12:23 AM

One aspect of moving search to HTTPS is that web site owners now do not know what search terms bring users to their site. Unless they run Google Analytics, and then Google knows everything from your site. For the user the short-term benefit is good, but Google is getting more and more the keyholder of information.
Posted by: Markus at October 22, 2011 6:09 AM

@Markus: Exactly. SSL is a good idea, yet at the same time it gives Google a tremendous amount of power and a monopoly on referrer data in the URL. It certainly works out in their favor. Of course, they already had this data; now they have exclusive access to it. Sadly, even this pales in comparison to how much power Facebook has. I wonder how long until Mark Zuckerberg is the most powerful man on the planet? He has info on everyone, which he can sell for big favors and use as leverage on those in power. I also wonder if FB will begin to offer a search portal, especially because they will get no referrer data from Google, which is still the first step when you want to find out about a "John Smith" you just met.
Posted by: Gabriel at October 22, 2011 8:25 AM

But if the redirect occurs from a non-secure connection, isn't it basically moot? The redirect could be subjected to a MITM and made to not redirect (which most users would not notice), or to redirect to a URL that looks like it's on Google but is actually controlled by the attacker (e.g., using Unicode characters or just long URLs).
Posted by: Brian Mearns at October 22, 2011 5:25 PM

SSL is a good thing; not passing the keyword information is a bad thing, and giving that information to AdWords users anyway is just pure hypocrisy.
Posted by: Uncle Demotivator at October 24, 2011 6:30 AM

I choose not to trust in Google... IMHO http://duckduckgo.com/ is better in many ways.
Posted by: uk visa at October 24, 2011 7:55 AM

I thought the referrer string was passed by the browser, not the server. Given that URLs can potentially contain confidential information, if the browser fails to pass a referrer when going from https to http it's (in my mind) a good thing that they should do this. If Google have separately taken action to suppress referrers except for their advertisers, I'd be annoyed.
Posted by: Bruce Clement at October 24, 2011 4:18 PM

I like this simply because it doesn't pollute web history with search terms. Or allow proxies to nose around your search history. But Google still knows, I guess.
Posted by: Adam at October 25, 2011 3:08 AM

According to an entry on the HTTPS-Everywhere mailing list, the encrypted.google.com domain was intended to allow places such as schools to block access to encrypted searching (which could enable users to bypass content filters) while allowing access to other services available at the google.com domain. As search engines go, Ixquick now appears to automatically use HTTPS.
Posted by: Elegie at October 27, 2011 6:06 PM
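Two questions recur in the thread: Gary asks whether GET parameters in the URL are encrypted at all, and Markus and Bruce Clement discuss why sites stop seeing search terms in the Referer once search runs over HTTPS. The following is an added example (editor's code, not from the post or any commenter) that models both: what an on-path observer can read from a search request over plain HTTP versus HTTPS, and what Referer a browser following the RFC 2616 section 15.1.3 rule (no Referer on a plain-HTTP request when the referring page came over HTTPS) sends when the user clicks through to a result. The sample URLs are constructed, and the functions are illustrative, not a browser's actual implementation.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample URLs (assumption, not taken from the page).
SEARCH_HTTP = "http://www.google.com/search?q=secret+illness"
SEARCH_HTTPS = "https://www.google.com/search?q=secret+illness"
SITE_HTTP = "http://example.com/article"
SITE_HTTPS = "https://example.com/article"


def on_path_view(url):
    """What a passive observer on the network (ISP, coffee-shop Wi-Fi,
    corporate proxy) can read from a request for `url`.

    Plain HTTP: the whole request line is visible, query string included.
    HTTPS: the server name still leaks (DNS lookup, TLS SNI extension),
    but the request line -- path and query -- travels inside the encrypted
    TLS record, so GET parameters are not sent in the clear."""
    p = urlsplit(url)
    if p.scheme == "https":
        return {"host": p.hostname, "path": None, "query": None}
    if p.scheme == "http":
        return {"host": p.hostname, "path": p.path, "query": p.query}
    raise ValueError("unsupported scheme: %r" % p.scheme)


def referer_for(referring_page, target):
    """Referer header a browser following RFC 2616 section 15.1.3 sends
    when the user clicks from `referring_page` to `target`: suppressed
    when going from HTTPS to plain HTTP, otherwise the full referring
    URL minus any fragment (fragments are never sent)."""
    if urlsplit(referring_page).scheme == "https" and urlsplit(target).scheme == "http":
        return None
    return referring_page.split("#", 1)[0]


def search_terms_seen_by_site(referring_page, target):
    """Search terms the destination site's access log learns from the
    Referer, or None when the header is suppressed or carries no q=."""
    ref = referer_for(referring_page, target)
    if ref is None:
        return None
    return parse_qs(urlsplit(ref).query).get("q", [None])[0]


if __name__ == "__main__":
    for label, search in (("plain HTTP search", SEARCH_HTTP),
                          ("HTTPS search", SEARCH_HTTPS)):
        print(label)
        print("  on the wire:", on_path_view(search))
        for site in (SITE_HTTP, SITE_HTTPS):
            print("  click to %-28s -> terms in Referer: %r"
                  % (site, search_terms_seen_by_site(search, site)))
```

Running it shows the asymmetry the commenters are circling: with the HTTPS search page, a plain-HTTP destination gets no Referer and therefore no search terms, while an HTTPS destination still receives the full referring URL, terms included. Whether a search engine additionally rewrites result links (for example through an intermediate redirect) to control what reaches the destination is a separate design choice on the engine's side and is not modelled here.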