Comments

regular_guy October 21, 2011 7:09 AM

@Andrea,

Just because the main page is using plain http doesn’t mean that the data sent to the server isn’t using SSL. Check out the page source and look at the URL the search button sends the form data to.

another_guy October 21, 2011 7:21 AM

@Andrea,

The article notes that this will be beginning in the next few weeks, not right away.

Muzaffar Mahkamov October 21, 2011 8:08 AM

Given that the majority of users have a habit of clicking “Accept” or “OK” just “to get it working”, enabling SSL solves the problem only partially.

Toby Speight October 21, 2011 9:17 AM

Only for ‘logged-in’ users (i.e. those who have already given their souls to Google).

For the rest of us, there’s still HTTPS-Everywhere, of course.

Dirk Praet October 21, 2011 10:40 AM

A good thing for the average layman, but most privacy & security aware folks were already using Scroogle, HTTPS Everywhere, Ghostery, No Script, Trashmail, Certificate Patrol and the like anyway.

NobodySpecial October 21, 2011 11:05 AM

@Dirk – but how many corporates do?

We do all the security stuff – truecrypted laptops, airgapped machines for certain projects etc.
But a log of all our google or patent office searches would tell a competitor an awful lot.

ted October 21, 2011 11:34 AM

Why would anyone be logged into Google when doing searches? Logout first or use a different browser for each.

Dirk Praet October 21, 2011 3:02 PM

@NobodySpecial

From experience: only those that have a serious business case in the form of legal or regulatory compliance, or those with a CSO skilled and diplomatic enough to make his voice heard and understood by the CTO and the rest of the board. In all other cases, the answer is
SELECT * FROM Companies WHERE clue > 0 ;
Rows returned: 0

Hello71 October 21, 2011 4:26 PM

HTTPS-Everywhere (good add-on BTW…) says that because clicking on ads still sends the referer {sic} header, they will continue using encrypted.google.com.

Daniel October 21, 2011 5:08 PM

Honestly I’m 10X more concerned about what Google is going to do with my searches now that it can tie them to a specific user account than what some wanna-be snooper might do. Google is not my friend and what Google does benefits Google first and foremost. A classic honey-pot technique, if you ask me.

Brian October 21, 2011 10:31 PM

I don’t know that this is really a good thing. SSL only guarantees that you’re connecting to someone with “Google” on their SSL certificate. Unfortunately, there are a lot of entities other than Google that could conceivably provide such a cert.

Gary October 21, 2011 10:52 PM

Doesn’t Google send its search parameters via GET – i.e., in the URL itself – which does not get encrypted?

Markus October 22, 2011 6:09 AM

One aspect of moving search in https is now that web site owners do not know what search terms bring user on site.

Unless they run google analytics and then google know everything from your site.

For the user short term benefit is good, but google is getting more and more keyholder of information.

Gabriel October 22, 2011 8:25 AM

@Markus: Exactly. SSL is a good idea, yet at the same time gives Google a tremendous amount of power and a monopoly of referrer data in the URL. It certainly works out in their favor. Of course, they already have this data, now, they have exclusive access to it. Sadly, even this pales in comparison to how much power Facebook has. I wonder how long until Mark Zuckerberg is the most powerful man in the planet? He has info on everyone, which he can sell for big favors and use as leverage on those in power. I also wonder if FB will begin to offer a search portal esp because they will get no referrer data from Google, which is still the first step when you want to find out about a “John Smith” you just met.

Brian Mearns October 22, 2011 5:25 PM

But if the redirect occurs from a non-secure connection, isn’t it basically moot? The redirect could be subjected to a MITM and made to not redirect (which most users would not notice), or to redirect to a URL that looks like it’s on google but is actually controlled by the attacker (e.g, using unicode characters or just long URLs).

Bruce Clement October 24, 2011 4:18 PM

I thought the referrer string was passed by the browser, not the server.

Given that URLs can contain potentially contain confidential information, if the browser fails to pass a referrer when going from https to http it’s (in my mind) a good thing that they should do this.

If Google have separately taken action to suppress referrers except for their advertisers, I’d be annoyed.

Adam October 25, 2011 3:08 AM

I like this simply because it doesn’t pollute web history with search terms. Or allow proxies to nose around your search history. But Google still knows I guess.

Noah June 29, 2019 4:52 AM

I don’t know that this is really a good thing. SSL only guarantees that you’re connecting to someone with “Google” on their SSL certificate. SSl provide communication security over a computer network.
There are several companies which provide seo service but outreachxpert I am working with is one of the best I found outreachxpert provide content outreach services <a href="https://www.outreachxpert.com/content-writing/&quot;
,guest posting service<a href="https://www.outreachxpert.com/guest-posting-services/&quot;,manual link building service <a href="https://www.outreachxpert.com/link-building-services/&quot; and etc..

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.