Google Enables SSL by Default for Search

This is a good thing.

Posted on October 21, 2011 at 6:23 AM • 29 Comments

Comments

regular_guy • October 21, 2011 7:09 AM

@Andrea,

Just because the main page is using plain http doesn't mean that the data sent to the server isn't using SSL. Check out the page source and look at the URL the search button sends the form data to.

another_guy • October 21, 2011 7:21 AM

@Andrea,

The article notes that this will be beginning in the next few weeks, not right away.

Muzaffar Mahkamov • October 21, 2011 8:08 AM

Given that the majority of users have a habit of clicking "Accept" or "OK" just "to get it working", enabling SSL solves the problem only partially.

Toby Speight • October 21, 2011 9:17 AM

Only for 'logged-in' users (i.e. those who have already given their souls to Google).

For the rest of us, there's still HTTPS-Everywhere, of course.

Arretai • October 21, 2011 10:18 AM

For the rest of us, there's still Scroogle (https://ssl.scroogle.org/). Oh Google, generous one, be praised for still suffering our puny, miserable Scroogle searches in the shiny temples and vaults of your data!

Dirk Praet • October 21, 2011 10:40 AM

A good thing for the average layman, but most privacy & security aware folks were already using Scroogle, HTTPS Everywhere, Ghostery, No Script, Trashmail, Certificate Patrol and the like anyway.

NobodySpecial • October 21, 2011 11:05 AM

@Dirk - but how many corporates do?

We do all the security stuff - truecrypted laptops, airgapped machines for certain projects etc.
But a log of all our google or patent office searches would tell a competitor an awful lot.

ted • October 21, 2011 11:34 AM

Why would anyone be logged into Google when doing searches? Logout first or use a different browser for each.

Dirk Praet • October 21, 2011 3:02 PM

@NobodySpecial

From experience: only those that have a serious business case in the form of legal or regulatory compliance, or those with a CSO skilled and diplomatic enough to make his voice heard and understood by the CTO and the rest of the board. In all other cases, the answer is
SELECT * FROM Companies WHERE clue > 0 ;
Rows returned: 0

Hello71 • October 21, 2011 4:26 PM

HTTPS-Everywhere (good add-on BTW...) says that because clicking on ads still sends the referer {sic} header, they will continue using encrypted.google.com.

Daniel • October 21, 2011 5:08 PM

Honestly I'm 10X more concerned about what Google is going to do with my searches now that it can tie them to a specific user account than what some wanna-be snooper might do. Google is not my friend and what Google does benefits Google first and foremost. A classic honey-pot technique, if you ask me.

Brian • October 21, 2011 10:31 PM

I don't know that this is really a good thing. SSL only guarantees that you're connecting to someone with "Google" on their SSL certificate. Unfortunately, there are a lot of entities other than Google that could conceivably provide such a cert.

Gary • October 21, 2011 10:52 PM

Doesn't Google send its search parameters via GET - i.e., in the URL itself - which does not get encrypted?

Andy • October 22, 2011 12:23 AM

What is wrong about me knowing how people found my blog? I like to read their search terms.

Markus • October 22, 2011 6:09 AM

One aspect of moving search to https is that web site owners now do not know what search terms bring users to their site.

Unless they run Google Analytics, and then Google knows everything from your site.

For the user, the short-term benefit is good, but Google is becoming more and more the keyholder of information.

Gabriel • October 22, 2011 8:25 AM

@Markus: Exactly. SSL is a good idea, yet at the same time gives Google a tremendous amount of power and a monopoly of referrer data in the URL. It certainly works out in their favor. Of course, they already have this data; now they have exclusive access to it. Sadly, even this pales in comparison to how much power Facebook has. I wonder how long until Mark Zuckerberg is the most powerful man on the planet? He has info on everyone, which he can sell for big favors and use as leverage on those in power. I also wonder if FB will begin to offer a search portal, especially because they will get no referrer data from Google, which is still the first step when you want to find out about a "John Smith" you just met.

Brian Mearns • October 22, 2011 5:25 PM

But if the redirect occurs from a non-secure connection, isn't it basically moot? The redirect could be subjected to a MITM and made to not redirect (which most users would not notice), or to redirect to a URL that looks like it's on Google but is actually controlled by the attacker (e.g., using Unicode characters or just long URLs).

Bruce Clement • October 24, 2011 4:18 PM

I thought the referrer string was passed by the browser, not the server.

Given that URLs can potentially contain confidential information, if the browser fails to pass a referrer when going from https to http, it's (in my mind) a good thing that they should do this.

If Google have separately taken action to suppress referrers except for their advertisers, I'd be annoyed.

Adam • October 25, 2011 3:08 AM

I like this simply because it doesn't pollute web history with search terms. Or allow proxies to nose around your search history. But Google still knows I guess.


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.