Comments
regular_guy • October 21, 2011 7:09 AM
@Andrea,
Just because the main page is using plain http doesn’t mean that the data sent to the server isn’t using SSL. Check out the page source and look at the URL the search button sends the form data to.
another_guy • October 21, 2011 7:21 AM
@Andrea,
The article notes that this will be beginning in the next few weeks, not right away.
Dan • October 21, 2011 7:23 AM
SEO wonks are upset: no more keywords in Referer header.
Muzaffar Mahkamov • October 21, 2011 8:08 AM
Given that the majority of users have a habit of clicking “Accept” or “OK” just “to get it working”, enabling SSL solves the problem only partially.
Hsweeney • October 21, 2011 8:53 AM
Google will still everything & use the search & results.
Toby Speight • October 21, 2011 9:17 AM
Only for ‘logged-in’ users (i.e. those who have already given their souls to Google).
For the rest of us, there’s still HTTPS-Everywhere, of course.
David Leppik • October 21, 2011 9:36 AM
Funny that this happens just as Amazon introduces a tablet that would give them access to all the unencrypted Google queries.
Arretai • October 21, 2011 10:18 AM
For the rest of us, there’s still Scroogle (https://ssl.scroogle.org/). Oh Google, generous one, be praised for still suffering our puny, miserable Scroogle searches in the shiny temples and vaults of your data!
Paeniteo • October 21, 2011 10:25 AM
@Toby Speight: “Only for ‘logged-in’ users”
For the rest of us, we can visit https://encrypted.google.com and/or https://www.google.com easily.
Dirk Praet • October 21, 2011 10:40 AM
A good thing for the average layman, but most privacy & security aware folks were already using Scroogle, HTTPS Everywhere, Ghostery, No Script, Trashmail, Certificate Patrol and the like anyway.
NobodySpecial • October 21, 2011 11:05 AM
@Dirk – but how many corporates do?
We do all the security stuff – truecrypted laptops, airgapped machines for certain projects etc.
But a log of all our google or patent office searches would tell a competitor an awful lot.
ted • October 21, 2011 11:34 AM
Why would anyone be logged into Google when doing searches? Logout first or use a different browser for each.
Dirk Praet • October 21, 2011 3:02 PM
@NobodySpecial
From experience: only those that have a serious business case in the form of legal or regulatory compliance, or those with a CSO skilled and diplomatic enough to make his voice heard and understood by the CTO and the rest of the board. In all other cases, the answer is
SELECT * FROM Companies WHERE clue > 0 ;
Rows returned: 0
Hello71 • October 21, 2011 4:26 PM
HTTPS-Everywhere (good add-on BTW…) says that because clicking on ads still sends the referer {sic} header, they will continue using encrypted.google.com.
Daniel • October 21, 2011 5:08 PM
Honestly I’m 10X more concerned about what Google is going to do with my searches now that it can tie them to a specific user account than what some wanna-be snooper might do. Google is not my friend and what Google does benefits Google first and foremost. A classic honey-pot technique, if you ask me.
Brian • October 21, 2011 10:31 PM
I don’t know that this is really a good thing. SSL only guarantees that you’re connecting to someone with “Google” on their SSL certificate. Unfortunately, there are a lot of entities other than Google that could conceivably provide such a cert.
Gary • October 21, 2011 10:52 PM
Doesn’t Google send its search parameters via GET – i.e., in the URL itself – which does not get encrypted?
Andy • October 22, 2011 12:23 AM
What is wrong about me knowing how people found my blog? I like to read their search terms.
Markus • October 22, 2011 6:09 AM
One aspect of moving search to https is that web site owners now do not know what search terms bring users to their site.
Unless they run Google Analytics, and then Google knows everything from your site.
For the user the short-term benefit is good, but Google is becoming more and more the keyholder of information.
Gabriel • October 22, 2011 8:25 AM
@Markus: Exactly. SSL is a good idea, yet at the same time gives Google a tremendous amount of power and a monopoly of referrer data in the URL. It certainly works out in their favor. Of course, they already have this data; now they have exclusive access to it. Sadly, even this pales in comparison to how much power Facebook has. I wonder how long until Mark Zuckerberg is the most powerful man on the planet? He has info on everyone, which he can sell for big favors and use as leverage on those in power. I also wonder if FB will begin to offer a search portal, esp. because they will get no referrer data from Google, which is still the first step when you want to find out about a “John Smith” you just met.
Brian Mearns • October 22, 2011 5:25 PM
But if the redirect occurs from a non-secure connection, isn’t it basically moot? The redirect could be subjected to a MITM and made to not redirect (which most users would not notice), or to redirect to a URL that looks like it’s on Google but is actually controlled by the attacker (e.g., using Unicode characters or just long URLs).
Uncle Demotivator • October 24, 2011 6:30 AM
SSL is a good thing – not passing the keyword information is a bad thing, and giving that information to AdWords users anyway is just pure hypocrisy.
uk visa • October 24, 2011 7:55 AM
I choose not to trust in Google… IMHO http://duckduckgo.com/ is better in many ways.
Bruce Clement • October 24, 2011 4:18 PM
I thought the referrer string was passed by the browser, not the server.
Given that URLs can potentially contain confidential information, if the browser fails to pass a referrer when going from https to http it’s (in my mind) a good thing that they should do this.
If Google have separately taken action to suppress referrers except for their advertisers, I’d be annoyed.
Adam • October 25, 2011 3:08 AM
I like this simply because it doesn’t pollute web history with search terms. Or allow proxies to nose around your search history. But Google still knows I guess.
Elegie • October 27, 2011 6:06 PM
According to an entry on the HTTPS-Everywhere mailing list, the encrypted.google.com domain was intended to allow places such as schools to block access to encrypted searching (which could enable users to bypass content filters) while allowing access to other services available at the google.com domain.
As search engines go, Ixquick now appears to automatically use HTTPS.
Andreas • October 21, 2011 6:46 AM
But https:/google.com/ig still gets redirected to http:/google.com/ig