Google Offers Encrypted Web Search Option

alphadogg writes "People who want to shield their use of Google's Web search engine from network snoops now have the option of encrypting the session with SSL protection. In the case of Google search, SSL will protect the transmission of search queries entered by users and the search results returned by Google servers. Google began rolling out the encrypted version of its Web search engine on Friday. 'We think users will appreciate this new option for searching. It's a helpful addition to users' online privacy and security, and we'll continue to add encryption support for more search offerings,' wrote Evan Roseman, a Google software engineer, in an official blog post."

The real reason

The real reason is that internet hacking people have been figuring out how to monetize the traffic they sniff. This is merely Google reclaiming the market that is rightfully theirs.

Re:The real reason

[Jackie_Chan_Fan]

Exactly right. This is not about your privacy... Its about Google protecting their market from say Verizon who could be packet sniffing anything you search on Google, and then selling that data... which then competes with Google.

Google is simply protecting their business. It has nothing to do with user rights or privacy.

But it is a welcomed addition. Its certainly a good thing... but it is also more for Google, than for you.

Re:The real reason

[Z00L00K]

It's an enhancement that isn't a disadvantage for the user, so we should welcome it.

And if it also prevents man in the middle hacking of web pages it's a good thing.

Re:The real reason

[LordLimecat]

Why would this close down scroogle? And did you see the part in the summary where it says "optional"?

Re:The real reason

[MistrBlank]

Don't care if it is. I don't know why all of our internet traffic these days isn't encrypted. Good job Google for stepping up even on the simplest of things.

Re:The real reason

[FuckingNickName]

Why would this close down scroogle?

If you have a multi-billion dollar budget, then seeming to duplicate some of the features of a non-profit (not the important ones, mind) is a good way to reduce interest in the non-profit.

Not that Google's done anything else to bother Scroogle this month.

Re:The real reason

[FuckingNickName]

Agreed, we all know that in a free market economy

Where?

It's what we'd all do if given the chance.

Speak for yourself.

Re:The real reason

[FuckingNickName]

All useful sites offer complete SSL access, but I guess Google - as with IPv6 - gets to be congratulated when it makes a half hearted attempt to do what real technology pioneers have been doing for a good decade.

In other news, everything Apple's ever done is original.

Re:The real reason

[RJFerret]

Agreed, also now nobody else will know which words I need to look-up the spelling of, relieving my virtual embarrassment!

(Did you know there are two "r"s in "embarrassment"?)

Re:The real reason

Let's see. https://slashdot.org/. No, redirects to http://slashdot.org/. I suppose Slashdot isn't a useful site.

Re:The real reason

[Z00L00K]

That's why I use FireFox - it has a spell checker! :p

Re:The real reason

[gotpoetry]

A lot of corporations are amoral. If the law allows it and there will be no negative PR consequences, they do it. Google pretends to be moral because the good-will they get from their "Don't be evil!" directive has served them very well over the years.

Still, I don't get how providing an encrypted search is evidence of amorality? It isn't even immoral.

In other words, what are you talking about?

Re:The real reason

[mlts]

I see this also useful against Phorm, and other in-transit ad-insertion mechanisms.

All and all, the good guys benefit here. Google doesn't have ISPs modifying their ads in transit, replacing their ads with their own. The user gets search results that have not been tampered with (where a site for product "A" takes you to a different company, or associate IDs are replaced so different parties get credit for ad responses), and have potentially malicious ads thrown in. ISPs can't passively log the connection and sell the data (just like the parent said.)

Re:The real reason

[mlts]

It is apparent that you don't like Google. That's fine. However, that is beside the point. What is important is that the connection between the Google user and Google is only belonging to those two. A third party can slow down or block the SSL transaction, but unless they jack a root CA, compromise one of the endpoints, or break one of the encryption algorithms, they are not going to be seeing what is going on.

To reiterate: Regardless of opinions of Google, this is a good thing. A search query with Google is my business and Google's business. Not the ISP's, not Phorm's, not a MITM watching the traffic go by. I'm sure as time goes on, less scrupulous ISPs will be slavering over ad revenue from in-transit ads.

Re:The real reason

[FuckingNickName]

I once misspelled "harass" as "harrass". I fixed this by recalling that I should not "har-ass her-ass". This has both everything and nothing to do with embarrassment, so embarrassment works the other way.

Re:The real reason

[Spliffster]

i've just tested https://google.com/ ... the query parameter is sent as GET request and therefore unencrypted. What am I missing? Isn't the query and not the response the valuable part of google search ?

-S

Re:The real reason

[FuckingNickName]

It is apparent that you don't like Google. That's fine. However, that is beside the point.

"You just don't like me!!!" No; I don't like what Google's doing, and I've provided some reasons.

A search query with Google is my business and Google's business. Not the ISP's, not Phorm's, not a MITM watching the traffic go by.

No-one disagrees that it's Google's business from the PoV of delivering search results. But from the PoV of storage and datamining, it's as much Google's business as it is Phorm's.

(Hey, at least an former elected MP and senior civil servant are on Phorm's board, individuals whose careers have been advanced directly and indirectly by the prol^Wpeople rather than venture capitalists and advertisers. A pox on everyone!)

Re:The real reason

[FuckingNickName]

You had me until:

Slashdot is a first tier news site, where not just any incoherent sentence fragments are acceptable.

3/10. Maybe if Google didn't put Wikipedia at the top of all search results, you'd understand your fallacies.

Re:The real reason

[slack_prad]

If it were about Google reclaiming market, it would have been https://google.com/ only.. which isn't the case here.

Re:The real reason

[slack_prad]

You can pay for a slashdot subscription for https access...

Re:The real reason

[mlts]

SSL is TCP based, so it does take time for to create the connection and tear it down.

However, a game which uses UDP packets primarily could easily set up a session key via a DH exchange (using an existing mechanism like SSL, or having keys/certs built into the game itself so third party CAs are not an issue), and once this is set up, CPU overhead due to using a symmetric cipher like AES would be very low.

Re:The real reason

[growse]

Query strings are encrypted over SSL.

Re:The real reason

[g3k0]

But will analytics still work since referrers are turned off?

Re:The real reason

[Derek+Pomery]

Yahoo redirected https to http

Plenty of actual Google properties (gmail etc) use https, but offering it for something as massively high volume as search is rather unusual.

I think they are actually ahead of the pack on this.

Re:The real reason

But from the PoV of storage and datamining, it's as much Google's business as it is Phorm's.

Uhm, no it isn't. You went to google to do a search. You didn't go anywhere else. Therefore, it isn't anyone else's business. And if you don't want google to have your search data, you can opt out of that by not using them at all. Phorm isn't even in the equation, they are interlopers. Encrypting the traffic cuts those types out completely. That way you only have Google to worry about.

Re:The real reason

[steelfood]

Yeah, they didn't even put the playable Pac-Man and Ms. Pac-Man logo up on their SSL search page!

All sarcasm aside, all I have to say is that it's about time. I can understand that SSL connections may result in a great increase in the use of their computing resources, but they have so much computing resources, I'm surprised it's taken them this long to offer SSL, especially as only a small number of users will actually take advantage of it.

And, I can't help but wonder if this has something to do with the China debacle. In addition to the competition, now oppressive governments can't monitor your searches either.

Re:The real reason

[Bungie]

Sweet! I'm tried of all those hackers sniffing my slashdot posts. They can go to my profile page just like everyone else!

Re:The real reason

[FireFury03]

It's an enhancement that isn't a disadvantage for the user, so we should welcome it.

And if it also prevents man in the middle hacking of web pages it's a good thing.

Actually, this is going to be a big problem for me. I write software to protect school kids from getting to (accidentally or intentionally) dodgy content - this is anything from porn, to sites promoting violence/drugs/etc. Schools usually restrict HTTPS access to a few specific sites since HTTPS is basically unfilterable.

The problem here is that Google has grouped everything they do under a single domain. There is now no way I can allow HTTPS access to the various google apps (which is sensible since things like login details really should be sent encrypted) whilst forcing the web searches to be transmitted (and therefore filtered) in the clear.

Re:The real reason

[TheVelvetFlamebait]

Oh noes! A company wants you to exclusively use their products! And what dastardly scheme have they implemented to encourage you to do that? They're improving their product! That's right, they're improving their product, just so they can appear to be one of those mythical "good companies", who actually improve their products. How evil of them! I would much prefer if they just started openly screwing over the consumer. That way, everybody wins!

Re:The real reason

[yuhong]

I think Google is quite moral, but yea that is another topic that is besides the point.

Re:The real reason

[FuckingNickName]

I write software to protect school kids from getting to (accidentally or intentionally) dodgy content - this is anything from porn, to sites promoting violence/drugs/etc.

No. Kids don't have instinctive responses to particular web pages; but they do have an ability to soak up prejudices from adults who think that implied disgust and taking away of information are correct ways of providing education.

Adults such as yourself.

Kids need software to protect them from people like you.

Re:The real reason

[Jackie_Chan_Fan]

It works both ways, but it doesn't help the user financially... It helps google.

So its really for Google

Re:The real reason

[FireFury03]

No. Kids don't have instinctive responses to particular web pages

If you think this then you haven't dealt with many teenage kids.

adults who think that implied disgust and taking away of information are correct ways of providing education.

Who said anything about providing education?

I'm pretty anti-censorship and think that people should have access to whatever information they like. *However* I'm not crazy enough to believe that the very young are capable of dealing with all that information - they should only get access to some of it when they have matured to the point of being able to deal with it.

There are 3 things that kids need protecting against:
1. accidentally stumbling across content. Do you really want primary school kids accidentally stumbling across the likes of 2g1c? Plenty of adults find it quite traumatising, let alone kids who haven't been prepared through life experience.
2. intentionally finding content. Do you want kids to know how to set up their own drugs lab before they have the life experience to understand the consequences of drug use? Also, things like electronic bullying are real problems causing real harm.
3. distracting content. When kids are in lessons, they frequently do need access to the internet. But giving them access to the likes of facebook is really distracting (even employers have a problem with this, let alone schools!). There is a certain amount of policing that can be done by the teachers, but filtering systems help a lot.

Once they have the life experience to deal with this stuff then by all means, let them access it. If you, as a parent, disagree with this sort of censorship then you are well within your rights to allow your kids to access this content in their own time from home, but they certainly shouldn't be accessing it in school where they can inflict it on other kids, whose parents almost certainly disagree with you.

Re:The real reason

[Ltap]

Yet is it your right to restrict this information from them without them having any choice in the matter? You also talk about "distracting content" - when I was in high school, my random browsing taught me far more than any of the teachers did. Downloading games and movies at school gave me things to do that I otherwise could never have afforded to pay for. In fact, most kids will do the same. Just about every tech-literate high school kid now knows about proxies, and won't hesitate to use them. Then the proxies and anonymizers are blocked, and kids find new ones, etc. The only end result is either the schools giving up (which they won't, because the companies that sell web filters want to make money) or the school networks being completely locked down.

You talk about life experience. Seeing these things and doing these things are life experience. If kids are sheltered and protected from it, they only learn about it when they're older and have more room to screw up because of it.

Re:The real reason

[jesset77]

Sigh. You went to your ISP for transit. You didn't go anywhere else. You chose to have your data processed as in the T&Cs of your ISP contract. If you don't want Phorm to have your search data, you can opt out of that by not using your ISP at all.

Defending Google is defending the right of corporations to have arbitrary privacy policies "because you can go elsewhere if you don't like it", which is ultimately defending Phorm. You are battling against yourself.

Not even mentioning the USA/ISP Duopoly issue today, the other big difference is that Google's SSL move allows you to perform searches without your ISP eavesdropping or intervening and without switching ISPs. Now, I am fairly certain that if someone points out some feature which allowed us to perform Searches against Google's database with Google's envied algorithms but without Google being able to mine our data (so THEN the only people we have to "worry about" are the end-websites we are searching for) this would be hailed still farther as a victory and you would still be bitching about the sysadmins running the destination websites knowing that we've shown up.

In short: You can't get intel without someone knowing (or with enough work conceivably unraveling) you are seeking the intel. Google SSL reduces the number of people who know about what you are searching for. You don't have to search with Google and if for some reason you feel as though Phorm having your data makes it less of a travesty that Google also has your data (you said something about them having a monopoly on raping you?) then you can choose to use Google without the SSL. If you're really that concerned about Google having the data at all, then hit them through Tor. I know you'll bitch about the Tor Endpoints and their ISP's then having the ability to track or forge you, but oh! You can combine Tor with Google-SSL.

As Tor puts it that is still not "good enough for strong anonymity", but paired with sanitary browsing practices it's about the damned safest way on this planet to perform a search across the wild internet.

Now FNN, as much as you appear to be trying to say that Google providing SSL is either worse than before or no better, I would prefer to hear what your thoughts are on how to build a search engine that is in any way less compromising than Google (or Google-SSL, or Tor-Google-SSL) while being in any way practical to the end-user. I'll even give you "let's assume infinite funding to the project forever" as a head start, so that whatever organization provides the service is not financially forced into evil acts. :P Your only design constraint would be to somehow guarantee that no person other than the one initiating the search can ever know what was being searched for. Or, at least hew closer to this ideal than Google presently allows without sacrificing quality.

Re:The real reason

[jesset77]

This would only work if your browser doesn't send the referrer or you click on https links only. Otherwise ISPs can just parse the referrer header (or the referer header, good thing spell checking was invented).

As mentioned above, when you search with Google-SSL and click on a non-SSL result link, Google does not include your search terms in the HTTP referrer tag.

A previous poster claimed they sent a referrer tag of only "www.google.com/", but I just tested this in firefox with Live HTTP headers and confirmed that they sent no referrer tag at all, which matches what the RFC recommends. 8I

In a word, noice! :3

Re:The real reason

[jesset77]

Not that I have any ill will towards what scroogle is trying to do, but they were scraping Google results from an ancient hack designed to appease IE6 and bawled when Google stopped relying upon that hack. The bawling was quite loud too, as it was designed to make it seem as though Google was gagging them instead of changing a non-public-facing feature Scroogle was not contracted to exploit.

At the end of the day, Scroogle relies upon Google for it's existence and Google owes Scroogle no quarter. I am certain if Google really gave a damn about it, it would take them virtually no effort to alter their search service to be effectively "un-scroogleable" and even to do so in a non-obvious way. Hell, they keep spam out of my Gmail inbox with astounding profundity. :P

Yet they do not blackball Scroogle, and the reason they do not is A> Scroogle is too small for anyone to care and B> they whine alot, the bad PR from Scroogles "Brin ran over my dog by changing their UI" et al amounts to a slightly larger mole-hill than would be gained today by shutting Scroogle out.

At the end of the day the ultimately important point is: how in hell can I prove that Scroogle is not mining my data and selling it to insurance companies? If user data is valuable, then the data of users who demonstrate themselves to be paranoid must be juicier still, right?

Tor + Google + SSL + adblock + get the fuck off my lawn.

Re:The real reason

[jesset77]

All useful sites offer complete SSL access, but I guess Google - as with IPv6 - gets to be congratulated when it makes a half hearted attempt to do what real technology pioneers have been doing for a good decade.

In other news, everything Apple's ever done is original.

Google is an industry leader. TBH, I'm pretty sure that if they switched all Google searches to default SSL (or assuming all searchers were clever enough to opt for it), "Google Searches" probably represent a greater percentage of all internet traffic then every other HTTPS request on todays internet combined.

Put in that perspective, yes it's a big deal. It would be like if Electric Cars had been built as one-offs for a century (they have) and then Toyota up and decides that every model they sell 2012 and up will have a no-additional-cost option of being electric. In essence, bringing an innovation to bear in a large market is a more important step than hobby (your website) or niche (banking, medical, conspiracy periodical) adoption of an innovation.

In other news, I'd like to hear your take about how this attempt is half-hearted. I suspect your lone gripe is "Google is still mining your data". Thus, please differentiate how this is different from every SSL endpoint on the web. Sure there might be people who happen to not mine data from my visits to their sites, but the point is I cannot prevent them from doing so.

Or, if you believe a "full hearted" implementation of Google+SSL would somehow magically bind Google's hands and make it technically impossible for them (or anyone, anywhere) to log your data, then please lay out how this would be done as I'm fairly certain it violates the principals of basic causality. :3

Re:Security != privacy.

[drinkypoo]

In other words, you still trade your privacy for the service provided by Google; the difference is the trade being less likely to be interrupted now.

Google has never shown any tendency towards abuse of my private data. My government, on the other hand, has repeatedly demonstrated its willingness to break its own laws whenever it's convenient for any of their actual constituents, i.e. corporations. I'm much more worried about my government watching my search history than google doing it. Of course, they'll give that information to my government any old time, but that's not the same thing as having it continually logged where it can fire off triggers.

No, I'm not doing anything that I feel my government would attack me for. But then, I'm not doing anything google would attack me for, either. Google continually stands in opposition to the corporations that I am concerned about. The enemy of my enemy may or may not be my friend, but odds are better than if he's my enemy's friend. Contrarily, much of what the U.S. government does makes it the enemy of any right-thinking citizen, where right-thinking is defined as "freedom-loving". (I may have a bias, but I certainly don't hide it.)

Scroogle is better

[Antiocheian]

This isn't news. Scroogle has been doing this for years and besides security it also adds privacy.

Re:Scroogle is better

[XPeter]

Yes, but Scroogle has recently been shut down by Google, so this is their alternative.

Re:Scroogle is better

[Allnighte]

Wasn't Scroogle messed up by a Google change recently? And Scroogle said they'd never get it working again? I think it was a Slashdot article a few weeks back. Maybe this is why?

Re:Scroogle is better

Scroogle was never shut down by google. Google changed the layout of their results page, and scroogle had to update its scraping software in order to be able to read the new format.

here is the article where Scroogle claims they'll have to shut down forever, and here is scroogle, working fine.

One last note, for the truly paranoid: how do you know scroogle isn't a front, run by google?

Re:Scroogle is better

[James_Duncan8181]

Yes, but Scroogle has recently been shut down by Google, so this is their alternative.

http://www.scroogle.org/scrapen8.html - well, it certainly didn't take much research to work out that isn't true.

Re:Scroogle is better

[Antiocheian]

Scroogle has recently been shut down

All you had to do was type a small URI and try a search.

Re:Scroogle is better

[steelfood]

How do you know Scroogle isn't a front run by the CIA?

When online, trust no one, or trust everyone. There's not much room for what's in between.

Re:Scroogle is better

[shellbeach]

One last note, for the truly paranoid: how do you know scroogle isn't a front, run by google?

Well, Scroogle.org is owned by Daniel Brandt, the same person who runs http://www.google-watch.org/. If that's a front, then it's a freaking strange and un-self-serving front, and I would have to award Google the inaugural "Shoot Myself in the Foot Before Someone Else Does it for Me" prize ... :)

Re:Scroogle is better

[AHuxley]

Most CIA fronts are freaking strange as they need to attract and track people who are aware of maths, the history of the feds and public private partnerships ect.
The CIA has fronts for drugs, guns, transport, NCB parts, banking, hi tech, start ups ect.
Why not a front to question google too?
It would give them a heads up on any hints of a insider doing a "Room 641A" at google ;)

Re:Scroogle is better

[BikeHelmet]

Yes, but Scroogle has recently been shut down by Google, so this is their alternative.

They weren't "shut down" - the creators were too lazy to redirect their queries to another page.

Big difference.

After the beatdown they got for crying wolf in that last slashdot article, I'm surprised someone didn't know that.

Re:Who is this for?

[neumayr]

I agree it's a theater, making people feel more secure somehow.
But there are many opportunities for MitM attacks for Google queries, and making those harder does make sense.

Now I can Google my SSN and CC#!!!

[AmazinglySmooth]

I really wanted to know if any site are posting my SSN and CC#. Thanks you, Google.

Re:Now I can Google my SSN and CC#!!!

[hedwards]

I know you're joking, but the way you do that is by googling the first 5 or 6 digits of your SSN, then manually comparing the last 4. The first 5 or 6 aren't unique and can be relatively easily guessed based upon the location and date of birth. Similar searches are great for finding CC#s that might be posted online.

Re:Now I can Google my SSN and CC#!!!

[thijsh]

Better yet google for the a range of 10000 numbers by adding two dots between the lower and upper number:
Google: 123450000..123459999

This way you can search for SSN, CC numbers etc.

Re:Now I can Google my SSN and CC#!!!

[noidentity]

What's the error mean "Certificate is signed by an unknown authority?" Oh well, I'll search for my SSN and CC# anyway...

Re:Now I can Google my SSN and CC#!!!

[bmxeroh]

Interesting thought, so I gave it a try. Google didn't like it, and gave me an error message about automated traffic. I'm guessing it was just way to huge of a search range.

Re:Now I can Google my SSN and CC#!!!

[Kozz]

Better yet google for the a range of 10000 numbers by adding two dots between the lower and upper number:

Google: 123450000..123459999

This way you can search for SSN, CC numbers etc.

When I try that, all I get is a message from Google that accuses me of being a bot, and they won't process my request in order to protect their users.

Re:Now I can Google my SSN and CC#!!!

[DerekLyons]

I know you're joking, but the way you do that is by googling the first 5 or 6 digits of your SSN, then manually comparing the last 4. The first 5 or 6 aren't unique and can be relatively easily guessed based upon the location and date of birth.

That depends on how old you are - those of us born before the IRS started requiring SSNs for all dependents claimed on the tax forms often have SSNs acquired years after and miles away from where we were born. I didn't get an SSN until I was in the 8th grade, when we applied for one as part of a school project. (Nearly forty years on, I can't even remember what the project was.) My Navy recruiter included SSN application forms in the packet he gave me at our first interview, because back then unless you had an after school job teenagers didn't have an SSN.
 
My younger sister didn't get hers until she was applying for her first after school job (at age sixteen), five years later and in a different state from where I obtained mine.

Re:Now I can Google my SSN and CC#!!!

[caseih]

Doesn't seem to work. Google comes back and says "We're sorry... but your computer or network may be sending automated queries. To protect our users, we can't process your request right now."

Re:Now I can Google my SSN and CC#!!!

[thegarbz]

Genuine question, why is it so important to keep your SSN secret? I mean it's just a number right? I mean you're not googling your name right? I understand that if you type in google "Joe Bloggs, 479001599, 05/09/80" then there's quite a significant amount of data that you're sending over the pipe, but if you just type in 479001599 how does google or infact anyone know to associate this result with your social security number when you may just be looking up the 8th factorial prime number?

I understand people's concern about privacy, but I think a lot of slashdot takes some things way to seriously. Same with credit card number, they are somewhat useless without a name and a date of birth attached.

Implications on China

[dncsky1530]

This could be an interesting development for Google's efforts in China. If the traffic between google and the client is encrypted then the firewall of China *shouldn't* be able to analyse the search results coming back. The only option for China might be to block Google SSL completely but that might be a bit too risky politically.

Re:Implications on China

[gzipped_tar]

It's meaningless. You search for some keywords over SSL and click on a non-https link in the result page. BAM, the Referer now points to the result page, which contains the keywords you just used in its URL.

Of course Referer is easily spoofed, but you get the idea: Google search is only one aspect of a person's online activities, and the secret hiding in it can be analysed using side channels.

Re:Implications on China

Turn the referer header off. In contrast to spoofing it, turning it off completely breaks very few web sites. In Firefox or Seamonkey: about:config -> network.http.sendRefererHeader=0.

Re:Implications on China

[roman_mir]

There is a fix for that, look at what Opera is doing, they are allowing you to browse in a mode, that first caches the pages on Opera side and then pre-processes them and sends them to the browser. This could also be used to surf all the found sites through an SSL encrypted connection.

Re:Implications on China

[gzipped_tar]

The government can still get quite clear a picture about your online activities from the DNS queries during your supposedly "safe" browsing sessions.

Re:Implications on China

[Nukenin]

You search for some keywords over SSL and click on a non-https link in the result page. BAM, the Referer now points to the result page, which contains the keywords you just used in its URL.

According to RFC2616 (HTTP/1.1) section 15.1.3 "Encoding Sensitive Information in URI's", "Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol."

Re:Implications on China

[roman_mir]

Google already provides DNS servers, why not encrypted ones?

Re:Implications on China

[IamTheRealMike]

If you read the FAQ it says the referer header is being stripped. Not sure how, but apparently it is.

Re:Implications on China

[gzipped_tar]

Wow, I didn't know that. Thank you.

Still, the concern addressed in my original holds, I think. You are not suddenly safer or freer on the Internet just because the communication between you and ONE SINGLE WEBSITE has been encrypted, even if the website is one of the top search engines.

Re:Implications on China

[RJFerret]

Actually, from the Google information on their SSL search, "As another layer of privacy, SSL search turns off a browser's referrers. Web browsers typically turn off referrers when going from HTTPS to HTTP mode to provide extra privacy. By clicking on a search result that takes you to an HTTP site, you could disable any customizations that the website provides based on the referrer information."

Re:Implications on China

[Penguin]

The most common way is to use a meta refresh "header". When redirected this way browsers don't include the referer header.

Some forum software use such a feature when making URLs clickable.

Other methods include javascript tricks.

The actual output from Google when searching for slashdot is this and clicking the link is the following, which is primary javascript with fallback to the html meta header:

<script>var a=parent,b=parent.google,c=location;
if(a!=window&&b){if(b.r){b.r=0;a.location.href="http://slashdot.org/";c.replace("about:blank");}}else{c.replace("http://slashdot.org/");};
</script><noscript><META http-equiv="refresh" content="0;URL='http://slashdot.org/'"></noscript>

Re:Implications on China

[An+anonymous+Frank]

It may not be perfect or up to date but you could access the cache page (via SSL) and still get to access (reference) material.

Re:Implications on China

[cynyr]

They mention that most good browsers, don't use HTTP_referrer for SSL sites.

What can I expect from search over SSL?

Here's how searching over SSL is different from regular Google search:

• SSL encrypts the communication channel between Google and a searcher's computer. When search traffic is encrypted, it can't be read by third parties trying to access the connection between a searcher's computer and Google's servers. Note that the SSL protocol does have some limitations — more details are below.
• As another layer of privacy, SSL search turns off a browser's referrers . Web browsers typically turn off referrers when going from HTTPS to HTTP mode to provide extra privacy. By clicking on a search result that takes you to an HTTP site, you could disable any customizations that the website provides based on the referrer information.
• At this time, search over SSL is supported only on Google web search. We will continue to work to support other products like Images and Maps. All features that are not supported have been removed from the left panel and the row of links at the top. You'll continue to see integrated results like images and maps, and clicking those results will take you out of encrypted search mode.
• Your Google experience using SSL search might be slighly slower than you're used to because your computer needs to first establish a secure connection with Google.

Note that SSL search does not reduce the data that Google receives and logs when you search, or change the listing of these terms in your Web History.

So you need to make sure your browser disables http_referrer for SSL sites, and otherwise behaves well.

Re:Implications on China

[asserted]

Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol.

RFC2616, 15.1.3

all browsers follow this.

Re:Implications on China

[Hikaru79]

There's not really such a thing as "risky politically" in China.

Re:Implications on China

[yuhong]

As a side note, can you add the fact that you work for Google in your user page? Thank you.

Re:Who is this for?

[gzipped_tar]

SSL adds protection to both ends of the communication. This may look like a circus from the user's perspective; but for Google themselves, it's better self-defense.

Very funny

[blai]

I'd rather let someone else know what I'm searching something than let Google know that it is me searching it.

and in other news...

[Thad+Zurich]

...thousands of employers begin blocking port 443 to Google ...

Re:and in other news...

[grmoc]

In this case you need to put a root cert on the school's computers, and do a MITM for SSL.
SSL doesn't mean no MITM. It means no *unauthorized* MITM...

Re:Who is this for?

[euyis]

At least it's nice for Google users in China like me. The government has been actively disrupting Google's service in mainland China since they moved to Hong Kong, restting your connection if certain words/characters (yes characters!) are detected. An encrypted connection surely makes using Google in China less painful.

Chrome/Firefox address bar still not SSL tho.

[Jackie_Chan_Fan]

Most people today probably enter search through their address bars...

That doesnt appear to go through SSL... yet at least.

Re:Chrome/Firefox address bar still not SSL tho.

[Kilrah_il]

Actually, you can find instructions on setting Google SSL as your search engine here: http://googlesystem.blogspot.com/2010/05/google-secure-search.html
Have fun!

Re:Chrome/Firefox address bar still not SSL tho.

[General+Wesc]

In Chromium (and similar in Chrome): Options: Basics: Default Search: Manage.

Re:Chrome/Firefox address bar still not SSL tho.

[suffe]

Sadly, it removes the suggestion feature in the address bar. At least for those of us that use it.

Re:Chrome/Firefox address bar still not SSL tho.

[SiriusStarr]

If you want to change the default address bar search in firefox without using a keyword search, go to about:config and search for "keyword.URL". Change the entry to "https://www.google.com/search?..." from "http://www.google.com/search?..." This will make the default search behavior in the address bar use SSL (confirmed with wireshark).

Re:Security != privacy.

[BhaKi]

My government, on the other hand, has repeatedly demonstrated its willingness to break its own laws whenever it's convenient for any of their actual constituents, i.e. corporations.

You do realize that Google is a corporation too, don't you?

All HTTP traffic should be encrypted

[swillden]

As a matter of course, we should use SSL on all connections. In some rare cases the computation may be too much of a burden, but in the vast majority of situations it's trivial and there's no reason not to do it.

IMO, the only reason we don't do it more is because the way browsers handle self-signed certificates is broken.

There's no reason for a browser to throw up nasty error dialogs when it encounters a self-signed certificate. Instead, browsers should silently accept such certificates and record the public key fingerprint. Browsers shouldn't turn on the lock icon when using a self-signed cert, or do anything else to make the user think they're browsing on a secure connection, because they're really not, but they should go ahead and encrypt the traffic.

Not only would that provide some measure of security against eavesdropping, but it would also assist with detection of phishing attacks. Browsers could and should throw up nasty warnings/errors when connecting to a site whose certificate has inexplicably changed. This is similar to how SSH handles trust of server keys, a system that works very well in practice.

Regarding this move by Google, I think it's great. I applauded their decision to make Gmail and Google Apps HTTPS-only, and providing the option for Google Search is great, too. Hopefully they'll eventually go to HTTPS-only for search as well. Their page volumes are such that they'll have to seriously consider the impact of the encryption overhead, but I think they'll get there.

Re:All HTTP traffic should be encrypted

[jimicus]

IMO, the only reason we don't do it more is because the way browsers handle self-signed certificates is broken.

There's no reason for a browser to throw up nasty error dialogs when it encounters a self-signed certificate. Instead, browsers should silently accept such certificates and record the public key fingerprint. Browsers shouldn't turn on the lock icon when using a self-signed cert, or do anything else to make the user think they're browsing on a secure connection, because they're really not, but they should go ahead and encrypt the traffic

Either you're trolling or you honestly have no idea why it's a good idea to throw up all sorts of errors on encountering a self-signed certificate.

Clue: SSL is intended to guarantee that nobody can eavesdrop on your connection. As soon as you start to see anomalies in the certificate chain (such as a self-signed certificate), that guarantee cannot be upheld. In fact, there was a bug filed against Firefox a while back now when it did flash up such an error and it transpired that the connection was being eavesdropped.

Re:All HTTP traffic should be encrypted

[swillden]

Either you're trolling or you honestly have no idea why it's a good idea to throw up all sorts of errors on encountering a self-signed certificate.

Clue: SSL is intended to guarantee that nobody can eavesdrop on your connection. As soon as you start to see anomalies in the certificate chain (such as a self-signed certificate), that guarantee cannot be upheld.

Did you read my post? That's why the user shouldn't be given any indication that the connection is secured when a self-signed cert has been presented, because it's really not.

Sites where sensitive data is managed should not used self-signed certs, so that the certificate chain can be verified, to defeat MITM attacks. But sites that would currently not use any encryption could increase their security by a non-negligible amount by using HTTPS and a self-signed cert -- but the way browsers handle self-signed certificates is stupid and broken.

Re:All HTTP traffic should be encrypted

[jimicus]

How's the browser meant to know the difference?

Re:All HTTP traffic should be encrypted

[swillden]

How's the browser meant to know the difference?

The difference between what and what?

Re:All HTTP traffic should be encrypted

[cpghost]

Parent poster probably meant to show an open lock for plaintext HTTP, a partially closed lock for self-certified certs that can't be tracked up to a trusted CA, and a closed lock for an unbroken chain of certs. This idea isn't so bad, IMHO.

Re:All HTTP traffic should be encrypted

[MrWim]

Many websites are hosted at a single IP address. For SSL to work I believe you need 1 website=1 IP Address. I suppose IPv6 could solve this but people could then still eavesdrop on what websites you are visiting, albeit not the pages on that website. IPv6 could solve the don't have enough IP addresses problem and IPv6 would also bring IPSEC, which AFAIU will allow all IP traffic to be trivially encrypted.

Re:All HTTP traffic should be encrypted

[jellyfrog]

What?

Of course the browser doesn't know the difference between a site that uses signed certificates that is being MITM'd and one that uses a self-signed certificate. That's why neither of these should be advertised as being "secure". Because they're not. And when you go to https://my.bank/ and notice that the lock isn't there because someone's doing a MITM with a self-signed cert you should realise "whoa, hey, this isn't a secure connection" and proceed to not give your bank details to whoever is at the other end.

On the other hand, when you go to https://porn.site/ and it uses a self-signed certificate, well no, it's not secure. Maybe someone is doing a MITM attack. But at least some random person with a passive network sniffer can't see everything you're watching, and furthermore no-one even with an active MITM attack can affect your connection once it's been established.

Re:All HTTP traffic should be encrypted

[j-beda]

How's the browser meant to know the difference?

The browser is not meant to (and cannot) know the difference between sites using a self-signed-certificate and those that should use a "real" certificate. That is what the user is supposed to do. What the original poster was suggesting was that sites using a self-signed-certificate display the site AS IF no security was present. Thus when you visited "Chris's House of Fly Fishing Forums" with a self-signed-certificate, you would not be presented with an obtrusive "watch out! this might be phony!" notification, but you would also not be presented with lots of flashing padlocks and icons indicating your high security. Such a system would not penalize websites which used self-signed-certificates IN COMPARISON TO sites which use NO certificate at all. Users however would have some actual benefit in that their fly fishing discussions would be more well secured from third parties. If people use the same or similar account names and passwords on lots of websites, identity theft would be a bit harder than just sniffing their unencrypted web traffic if all of it was secured with self-signed-certificates.

It does seem as though there would be some non-zero positive effects to more "regular" sites using encrypted sessions, and encouraging use of self-signed certificates in cases sign as these.

For a real-world example: a cheap-ass lock discourages the good-for-nothing-neighbourhood-punk-kids from rummaging through the garden shed. There is little benefit to also putting up a big sign in the drawer where we keep the key saying "the lock on the shed is a piece of shit and provides no real security".

Re:All HTTP traffic should be encrypted

[jimicus]

Which is well and good, but remember most people don't really have the inclination to learn how the security works - they just want to know it's there. Such a suggestion means that you're essentially introducing a new level of security: "sort-of secure, fine if you're not doing anything important".

IMV, this is introducing confusion. For most practical purposes, "refuse a self-signed certificate" is perfectly good advice and eliminates much of the confusion. If you're a company and you don't want to go out and buy certificates for every little server, you can set up your own CA and install the root certificate for that CA into the browser.

Re:All HTTP traffic should be encrypted

[noidentity]

There's no reason for a browser to throw up nasty error dialogs when it encounters a self-signed certificate. Instead, browsers should silently accept such certificates and record the public key fingerprint. Browsers shouldn't turn on the lock icon when using a self-signed cert, or do anything else to make the user think they're browsing on a secure connection, because they're really not, but they should go ahead and encrypt the traffic.

I'm with you as long as they also do NOT display https, just http. But then, how do you do that without breaking the protocols? Either you have to try https for all http URLs, or hide the s, or something messy.

Re:All HTTP traffic should be encrypted

[zQuo]

That is so brilliant, and seems like an excellent idea! Allow secure connections to any website; the user just treats them as normal websites! Small websites can support secure private https without paying expensive fees to a Certificate Authority for a fully verified signed certificate... It's so much safer than totally unsecure browsing, simple and easy to implement; helps make other Internet infrastructure problems like DNS cache poisoning attacks evident very quickly. It's a wonder that it's not implemented like this now in browsers. When encountering self-signed certs, the connection is actually *more* secure than totally unsecure http, so the browser doesn't really need to throw a warning message to the user (as they do now), just omit the lock symbol.

One very minor drawback: the url text string no longer shows the security level on it's own. Just checking for the https and the domain name used to be sufficient to trust the connection. This is partially a user education problem, most users look for the lock symbol anyways, if they check at all. Alternatively, the url can somehow have an optional different protocol name, like http+ for self-signed certificates.

It seems like such a great idea; the only people who may suffer are the CA's who make money signing certificates. They actually might make more money under this scheme as https becomes more widespread. Can we start implementing this in Firefox? It can start as an enhancement to the browser showing the trust and history behind a website's certificate.

Re:All HTTP traffic should be encrypted

[bodan]

From the user’s point of view, the suggestion wasn’t to add a new level of security. The suggestion was that a SSL connection with a self-signed certificate should be presented to the user _exactly_ the same as a normal HTTP connection. Which makes sense, as the user still doesn’t have any sort of guarantee about who they’re connected to.

Again: for the user, there’s secure (which means properly certified SSL, and a lock, and whatever other visual indicators), or insecure (anything else; no lock, no other visual indication).

The advantages of this are two-fold:
* the data is encrypted; you still can intercept it, but you need to work much harder; with HTTP you can just passively listen with Wireshark
* the browser can detect when the self-signed certificate changes, and only _then_ make a fuss. Someone who starts to intercept your traffic (that is, they didn’t do it from the beginning) will be severely inconvenienced when intercepting sites you’ve already visited before they started intercepting

It’s doesn’t make everything perfectly safe, but it certainly increases safety.

Re:All HTTP traffic should be encrypted

[thijsh]

There is a legitimate use for self signed certificates by adding transport encryption (works fine for SSH) for small sites that can't shell out the cash for the certificates. The only thing not present is verification, but that's already available in all 'qualities' (the cheapest certs. can be bought by anyone anyway, so for every site except the top 1000 this verification can also be very misleading). That is why users should be educated about the difference in encryption and verification (I'm pretty sure people can manage this distinction if the browser does, unlike the current misleading messages).

The browser could display this in the following address bar colors and add a layman's description:
- Green = Encrypted and verified = You need at least green for your bank etc. (P.S. there should also be levels of green, like green with two gold stars or whatever)
- Yellow = Encrypted = To keep your personal stuff personal during transmission
- Red = Either a wrong/spoofed certificate (or a known green site that is now yellow) = Danger!
- Grey = Regular HTTP = No fancy security of any kind

It doesn't surprise me that Internet Explorer isn't the first to implement something 'revolutionary' as three simple fucking address bar colors, but Firefox also fails to perform any self-signed certificate handling that doesn't pretend like you're at risk of accidentally signing a contract with the devil... You're supposed to support the little guys, and right now this bullshit is the only thing standing in the way of transport encryption for the masses. Mozilla, you disappoint me!

Re:All HTTP traffic should be encrypted

[Stray7Xi]

Either you're trolling or you honestly have no idea why it's a good idea to throw up all sorts of errors on encountering a self-signed certificate.

Clue: SSL is intended to guarantee that nobody can eavesdrop on your connection. As soon as you start to see anomalies in the certificate chain (such as a self-signed certificate), that guarantee cannot be upheld. In fact, there was a bug filed against Firefox a while back now when it did flash up such an error and it transpired that the connection was being eavesdropped.

Yet you're using slashdot without encryption. Treating self-signed certificated as worse then HTTP traffic is broken. Self-signed does provide some protection that HTTP doesn't. Namely it no longer can be passively eavesdropped, it requires MITM. Now go look at how many CA's are in your browser, that's how many organizations you're giving permission to pretend to be whoever they want. There is no silver bullet in security. So you should take the 50% solution over the 0% solution. Yet right now we're telling webservers don't bother with 50% until you can get to 90%.

SSH gets by without any CA, you have no idea if it's not some MITM the first time you connect to host. I guess we should all go back to using telnet.

Re:All HTTP traffic should be encrypted

[Piranhaa]

There are sites that allow you to get free SIGNED SSL certificates. I got a StartCom Certificate a number of months back, and people no longer get browser errors on my site. Sure, it's a little bit of a hassle, but in the long term it's worth it.

Re:All HTTP traffic should be encrypted

[mlts]

What I'd like to see are Web browsers accepting self signed SSL certs, but not show a green lock icon. Instead some other mechanism should be used to show the site is using SSL, but there is no trust of the site's key, as opposed to a key that is signed by a CA in the trusted keys.

Even now, it is still harder to do an active MITM with ssl than just sit by and sniff packets.

Only issue with this: Part of SSL's security is assuring that www.foo.com is actually that site, and not a site which is getting connections via a subverted DNS or other means. Self-signed SSL certs do not provide this protection.

Re:All HTTP traffic should be encrypted

[DragonWriter]

There's no reason for a browser to throw up nasty error dialogs when it encounters a self-signed certificate.

Yes, there is. The entire point of signing certificates is that they provide a chain of certification back to something you have chosen to trust (the CA model has problems in really providing this, too, but that's the theory.) A certificate provided in-band that isn't signed by a trusted entity from whom you have received a certificate by reliable means out-of-band with the immediate communication doesn't provide authentication, and encryption without authentication is meaningless.

You ought to be able to import trusted-but-unsigned certificates yourself, but the UI or it really needs to not encourage them being first transferred with a page that they are being used to sign. The only way such certs are useful is if they are exchanged out-of-band through a trusted channel (face-to-face, for instance) that allows the relying user to verify identity without relying on a trusted third party.

Re:All HTTP traffic should be encrypted

[lmfr]

So, no error when the user connects to https://google.com/, https://mybank.com/ etc., that have self signed certificates? How is the browser supposed to guess when the connection needs a correctly signed certificate or not?

Re:All HTTP traffic should be encrypted

[swillden]

Certainly, if the browser receives a self-signed certificate from a formerly-secure site, it should complain loudly. Also, browsers should make the secured status of sites very obvious, and sites with self-signed certs are not secure.

Re:All HTTP traffic should be encrypted

[swillden]

A certificate provided in-band that isn't signed by a trusted entity from whom you have received a certificate by reliable means out-of-band with the immediate communication doesn't provide authentication, and encryption without authentication is meaningless.

"Meaningless" is too strong. Certainly a site with a self-signed certificate provides no assurance of security, which is why browsers should not present such sites as secure. But that doesn't make the encryption entirely useless. Opportunistic encryption is very valuable at protecting against casual snooping. Also, server key history has been proven by SSH to be a very useful -- if weaker -- mechanism for deterring MITM attacks.

Honestly, having received the same certificate from my bank every day for a year gives me more confidence that it's the correct key than a signature from Verisign.

Re:All HTTP traffic should be encrypted

[swillden]

There are sites that allow you to get free SIGNED SSL certificates. I got a StartCom Certificate a number of months back, and people no longer get browser errors on my site. Sure, it's a little bit of a hassle, but in the long term it's worth it.

Unfortunately, the easier it is to obtain a signed certificate, the less value such validation offers.

Re:All HTTP traffic should be encrypted

[steelfood]

I think a lot of people look at the "https" to determine whether the site is secure or not. Handling self-signed certs in this manner would inconvenience many of these people at best and confuse them at worst.

However, I agree with OP that how browsers currently handle self-sign certs is bad. They treat self-sign certs as indicative of a MITM attack with the giant stop screen. And it does discourage small sites from using SSL, even when it's advantageous for one or both parties to use it.

What they should do is remove the secure lock symbol, and bring up a small warning by the URL, like when Firefox blocks a pop-up automatically. Actually, I think there should be a pop-up stating the issuing authority for all SSL connections. Even if an authority is on my trusted list, I'd rather not have some government (or untrustworthy corporate) authority weasel onto the trusted list and thereby be able to eavesdrop on my connection at their convenience.

Re:All HTTP traffic should be encrypted

[jellyfrog]

What the hell's wrong with displaying "https"? Anyone attentive enough to know "https" means secure/ssl is attentive enough to notice the lack of a massive flashing lock icon and then non-bright-green colored address bar.

Re:All HTTP traffic should be encrypted

[noidentity]

The problem is that many people have been taught that https means it's a secure connection to whatever the URL suggests, not merely a secure connection to someone, not necessarily what the URL suggests. The reason people were taught to look for https is that it's in a more standard location than the lock icon; some browsers used to put the lock in the lower-left corner of the window, others at the top by the status bar or even in the window title bar.

Re:All HTTP traffic should be encrypted

[something_wicked_thi]

The real problem with allowing self-signed certs is that it means that https doesn't mean you're secure anymore.

Yes, technical users might be able to use them safely, but I wouldn't trust myself to be that attentive. Consider if I clear all my local browser state, or if I'm using a new computer and I go to my bank's web site. I've entered https so I think I'm safe. Do you think I'm going to notice the lack of a lock in the browser window? What about sites like facebook where I don't even see https, even though it's authenticated over https? For situations like these, the only warning you get that something is up is the self-signed cert problem.

Of course, with facebook, a mitm attack could remove all ssl and nobody would know, which is why it's a bad idea not to put your login page on ssl. However, for most users, simply seeing or typing https means "I'm secure." Allowing self-signed certs breaks that.

Re:All HTTP traffic should be encrypted

[swillden]

So, basically, your argument boils down to the idea that you're more likely to notice the 's' in the address bar than the lock in the status bar? I think most users -- especially non-technical users who are unlikely to realize the 's' means anything at all! -- are more likely to notice the lock.

In any case, this problem can be solved by making the browser's indicator of a secure site more prominent. Someone suggested turning the whole address bar green, which would be a good way to do it.

Re:All HTTP traffic should be encrypted

[Piranhaa]

How so?

If there are only a handful of allowed signing registries, it's still better than not. Assuming they don't give out the private signing keys. It's not easy to get into the Authoritative Certificate servers in the big browsers...

Re:All HTTP traffic should be encrypted

[swillden]

How so?

If there are only a handful of allowed signing registries, it's still better than not. Assuming they don't give out the private signing keys. It's not easy to get into the Authoritative Certificate servers in the big browsers...

First, there aren't only a handful of allowed signers. There are dozens. Check the "Authorities" in your browser. The copy of Firefox I'm using right now has 82. I added maybe 10 of those.

Second, it's even worse if some of them are free. Why? Because obviously doing thorough vetting of applicants can't be done for free. It takes time and effort on someone's part, and for the security of the system we want it to be a substantial amount of time and effort. That means that certificates SHOULD cost hundreds of dollars. The fact that a cert costs hundreds of dollars doesn't guarantee that the issuer is doing that level of work, but a free cert is pretty much guaranteed not to provide that level of due diligence.

In addition, the cost itself provides a barrier for certain types of malicious use. Some forms of phishing get shut down fast enough that the phisher can only be sure to make a couple grand at most before being stopped. If the phisher has to shell out $500 even to set up the attacks, that seriously cuts into his profit margin.

A security system is only as strong as the weakest link. And the more authorities there are, the greater the odds that one of them will be easily exploitable. And competition among them drives the price down (to zero, apparently), with a corresponding reduction in due diligence.

This isn't to say the system is fatally flawed. Indeed, it seems to work relatively well, so far. But to keep it working well we should be pushing for fewer authorities, with higher standards and more thorough vetting of applicants. This is why allowing self-signed certs to have some utility is such a good idea. It allows all of the sites that can't justify the cost or satisfy the requirements of a proper authority-signed cert to have a modicum of security, which removes most of the motivation to drive CA cost, and therefore due diligence, to zero.

Because if the latter happens in a significant way, the whole system becomes worthless.

Re:All HTTP traffic should be encrypted

[Piranhaa]

It's still not a 5 minute procedure to get a free signed certificate. You need to confirm the information on the domain, and it also requires a legitimate email address to receive email. This is for a BASIC level certificate anyways. The ssl bar in FireFox3 only shows a blue domain name (the bar would be green and have the full company name: "Paypal Inc. (US)" if it was the highest level, but that costs money).

For my site, the domain in blue is good enough for me. Not receiving any Invalid Certificate popups when I switch between computers is great. All of these certificate signers are still technically regulated, so if one's signing key gets out into the wild, the browsers will simply remove it.

I don't see how disabling the "browser puking" on self-signed certs is better than this either. There is somewhat of a paper trail via this method, as apposed to anybody being able to sign their own certs. Allowing ALL self signed certs would be much, much worse.

Re:All HTTP traffic should be encrypted

[swillden]

For my site, the domain in blue is good enough for me. Not receiving any Invalid Certificate popups when I switch between computers is great. All of these certificate signers are still technically regulated, so if one's signing key gets out into the wild, the browsers will simply remove it.

I'm a professional computer security consultant who's been a software engineer for 20 years... and I had no idea what the difference between blue and green in the browser address bar was. I see color in the address bar, and I see the lock icon in the status bar... I assume that I'm talking to a secured sight who's been vetted to some degree.

Obviously, my assumption is even less warranted than I had thought. So you have to have a "legitimate e-mail address" and you have to conform the information on the domain -- which can be a random PO box. Whoop-te-doo. That level of verification would make it hard for me to get a cert in the name of, say, Bank of America, but if I cared to work at it for a bit I could almost certainly get a cert in a small organization's name.

Your example just proves how badly broken the SSL security model already is -- and it has been driven to this low, low level precisely because guys like you have a need for cheap/free certificates because you can't financially justify a proper certificate and and you can't use self-signed, but want some degree of security.

I don't see how disabling the "browser puking" on self-signed certs is better than this either.

Then you need to re-read my previous post. I explained it very clearly.

Keep in mind that UNLIKE the situation with your site, with a silently-accepted self-signed cert there would be no browser clues (other than the little 10-point lowercase 's' in the address bar, which only the tech-savvy would have any knowledge of) to fool the user into thinking that any verification has been done.

Re:All HTTP traffic should be encrypted

[jimicus]

This is broadly speaking exactly what browsers did do a couple of years ago. The padlock icon was typically shown slightly differently to demonstrate that there was something odd going on, and there may have been a dialog box thrown up saying "This page may be insecure. Click OK to continue or cancel to leave the site".

Many people just take the phrase "this site is secure" on a web page at face value, or they look for the padlock in the wrong place (like in the web page), or they take for granted they're on a secure site (well, the link their bank sent them in email wouldn't have been to an insecure site, would it?). The purpose of the big red "THIS MAY NOT BE SAFE" page is to tackle precisely this problem - to put up a big, singing, dancing warning that you just can't ignore or click OK to in a Pavlovian manner.

Re:All HTTP traffic should be encrypted

[bodan]

I might just agree with this purpose, but... why then isn’t the big red “THIS MAY NOT BE SAFE” warning shown on all HTTP pages? No matter what, they are not in any way safer than HTTPS page with a self-signed certificate.

I actually think the best solution would be to have a yellow “this may not be safe, be careful” band at the top of all pages except perfectly-validated HTTPS, including HTTP. Let it turn to green on secure connections, and red when something more suspicious than a simple HTTP connection is used. This will force people to learn that most of the Internet is unsafe—now they don’t even think about it most of the time.

Re:All HTTP traffic should be encrypted

[jimicus]

Within a fortnight they'd get used to the red bar and wouldn't think twice about it.

Re:All HTTP traffic should be encrypted

[bodan]

They’ll get used to the yellow bar. Which might make the red one more obvious.

I specified red only for suspicious pages, which shouldn’t be quite that common. Though perhaps the current “scare-screen” would work even better.

Anyway, my point was that we need a method for knowledgeable users to differentiate between “safe” HTTPS (certified by a trusted authority) and “no-worse-than-HTTP” HTTPS (self-signed).

Lusers don’t need that, but don’t need a big scary warning either for self-signed pages: as long as they’re not told it’s “safe”, they’ll treat it just like HTTP.

Re:Security != privacy.

[WrongSizeGlass]

Thank you captain obvious. Any more insightful commentary for us?

Odd != Even?
The whole in my donut is still missing?
Time + Materials != the portmanteau 'Timaterials'?

Localization?

So I just tried https://www.google.co.uk/ and it redirects to unencrypted http://www.google.se/ (.se because that's where ipredator connections show-up as, I guess)

Re:Localization?

[broken_chaos]

I tried to use the Google SSL, but it kept (at random times) redirecting me from https://www.google.com/ (even directly through a browser search query) to the frontpage of Google Canada (my location). The inconsistency as to whether it'll redirect or provide results makes it worthless to me.

Re:Who is this for?

[lordmatrix]

Just so you know, they use 128-bit RC4 encryption, which is considered insecure. Today AES-256 is standard.

Re:Security != privacy.

[drinkypoo]

My government, on the other hand, has repeatedly demonstrated its willingness to break its own laws whenever it's convenient for any of their actual constituents, i.e. corporations.
[...]
No, I'm not doing anything that I feel my government would attack me for. But then, I'm not doing anything google would attack me for, either. Google continually stands in opposition to the corporations that I am concerned about. The enemy of my enemy may or may not be my friend, but odds are better than if he's my enemy's friend.

You do realize that Google is a corporation too, don't you?

You just failed your CTBS reading comprehension test. Back to elementary school with you! (If you are in elementary school now, I apologize. I do not want to be ageist.)

I got a glimpse of this early yesterday

[sootman]

After typing in www.google.com to play some Pac-Man yesterday I was saddened to see the regular logo instead of the game but then I noticed I was at https://www.google.com/. At first I thought all requests to http://.../ were being redirected to https://.../ but after a couple reloads I was back at http://.../ and Pac-Man, and even when I typed in https://.../ it redirected me back to http://./

My question now is, how long until the built-in browser search box in Safari uses this? (I'm sure the one in Firefox can handle this already, or will soon.) Another question: why not use https all the time? I know it's a bit more CPU to encrypt things, which is unnoticeable on modern clients, but how much of a strain is it on servers? Also, are there any popular clients out that don't support it? Is there any reason not to go all https all the time?

protects your privacy from everyone but google

[bcrowell]

This protects your privacy from everyone but google. Having someone sniff your packets is theoretically possible, but extremely unlikely in reality. On the other hand, you are absolutely guaranteed that google will harvest and store the information from your searches in order to show you ads that they think you'll be interested in. This is why I habitally use the search engine clusty.com for web searches. Clusty's search results usually seem to be about the same quality as google's, and clusty has a better privacy policy.

Re:protects your privacy from everyone but google

[cynyr]

my ISP could be doing so very very easily, and their upstream, and so on and so on.

IP tracking

[nurb432]

But google still knows what you did.

Re:IP tracking

[Yvanhoe]

and if neither terrorist-turorial.org or wetpussies.com offer SSL connections, this is quite useless.

Re:IP tracking

[srjh]

As will the government if they're interested enough. This is certainly a step forward that will help for MITM attacks, but I don't think the government really needs to perform MITM attacks.

"Hey Google, give us your information, or else."
"Here you go."

We know it happens because it's something Google openly admits.

Re:Security != privacy.

[nurb432]

No, I'm not doing anything that I feel my government would attack me for.

Today perhaps. The rules can change tomorrow.

Adjusting search boxes

[teslatug]

Does anyone know how to adjust Firefox's search bar to use the SSL version of Google?

Re:Adjusting search boxes

[CronoCloud]

https://addons.mozilla.org/en-US/firefox/addon/161901/

think logically

[yyxx]

In other words, you still trade your privacy for the service provided by Google; the difference is the trade being less likely to be interrupted now.

Privacy isn't an all or nothing proposition. I don't "trade in" my privacy, I disclose information selectively. When I search on a search engine, necessarily that search engine know what I searched for. Google has defined retention policies, and there is no reason to believe that they don't comply with them.

However, there are other aspects of privacy I don't have control over. There's a good chance my ISP is sniffing my packets and my government is digging through them to find whatever the political hangup of the day is, and there's a good chance that what ever they are doing, they are doing incompetently.

Now, I'd like to be able to do web searches without having to second guess whether those searches (innocuous and legal as they are) trigger some stupid keyword alert in some badly written network surveillance system. Hence, I like my connections to my search engine to be encrypted.

What Google does with those searches isn't much of a concern for me: there are no known instances of Google doing data mining on behalf of governments (all they do is respond to specific requests), and all they want to do is show me ads.

So, an encrypted connection to Google protects my privacy in exactly the way I want it to: it keeps the people who have no business looking at my web searches from looking at my web searches. Simple, eh?

Re:think logically

[Nakor+BlueRider]

Agreed wholeheartedly. There are things that I want to keep private; those things do not go on the Internet. There are things I don't mind companies knowing. eBay knows my name and address and for a while I had a credit card on file with them (I still do with PayPal). Similarly, I don't particularly mind Google knowing what I search for... any more than I mind the local bakery knowing what goods I like. Nobody complains about a bakery keeping track of sales (Hmm, the elderly seem to like xxx while kids like yyy. Let's sell xxx on Sunday afternoons, and yyy weekday after school hours!) but Google keeping track of search records (People who search xxx often are looking for yyy. Let's use yyy ads on sites that match xxx keywords.) is seen as evil. (And yes, I'm aware that's an oversimplification, but I think the point still rings true.)

I guess you can call it selling my privacy if you want, but I don't know that it's really my privacy if it isn't something I particularly wanted or needed to keep private in the first place.

Re:think logically

[Bungie]

There's a good chance my ISP is sniffing my packets and my government is digging through them to find whatever the political hangup of the day is, and there's a good chance that what ever they are doing, they are doing incompetently.

Yeah, because we all know that a government intelligence agency would have the shittiest resources available when it comes to packet sniffing. It's all been luck that the FBI's been finding these terrorist plots that were coordinated over e-mail and IM.

whether those searches (innocuous and legal as they are) trigger some stupid keyword alert in some badly written network surveillance system.

Do you really think intelligence agencies use the shittiest tools and waste their time and resources whenever "bomb" passes over the wire? Or perhaps they have a very efficient system which can process all of this information easily and hone in on real targets.

I know the government always puts on the keystone cops appearance (especially with CSIS here in Canada), but lets not underestimate them and congradulate ourselves thinking that an SSL wrapped Google search will be their undoing. It's not like they can't see a log of every other site you open from Google's results, which I'm sure they could use to piece together your search (if they cared at all).

Re:think logically

[yyxx]

Do you really think intelligence agencies use the shittiest tools and waste their time and resources whenever "bomb" passes over the wire? Or perhaps they have a very efficient system which can process all of this information easily and hone in on real targets.

There is no such tool, no matter how much money you spend. Nobody knows how to write it.

Look at the size of the no-fly list; that alone shows you that text and data mining isn't working.

but lets not underestimate them and congradulate ourselves thinking that an SSL wrapped Google search will be their undoing. It's not like they can't see a log of every other site you open from Google's results, which I'm sure they could use to piece together your search (if they cared at all).

Google SSL isn't a total answer, but it is one small step towards making routine, warrantless recording of Internet communications harder for people who have no business recording such data.

Re:Who is this for?

[Alwin+Henseler]

I doubt it's meant to prevent a government from breaking into a specific connection, or things like that. If your government wanted to do that, they might also break into your computer remotely & install a keylogger. Governments have resources to pull that kind of crap.

It's more likely meant to prevent large scale snooping on Google traffic, for marketing or other (political?) purposes. And for that purpose, any encryption is strong enough when it makes breaking into connections expensive enough (as in: not worth the effort). I'd guess the bright folks over at Google have determined RC4 128-bit good enough for that purpose.

Mocking DuckDuck Go

[Simon+(S2)]

Looks like google is just mocking DuckDuckGo.
But the use of SSL on google does not offer you privacy: google still knows who you are and what you searched for.

Re:Who is this for?

[yyxx]

(given google's questionable record on privacy issues)?

Really? Like what?

moved to other search engines

Like which one? Bing? What reason do I have to trust them any more than Google?

I can't help but question who this feature is for.

Pretty much anybody. Right now, your ISP and your government likely are scanning your unencrypted web communications for keywords and prohibited content. Even if you don't do anything wrong, you may trigger those systems, with potentially unpleasant consequences. An SSL connection makes that harder for them.

And it's a matter of principle: my web searches are nobody's business other than my own and my search engine's.

SSL will only protect against man-in-the-middle attacks;

SSL protects against eavesdropping.

It doesn't.

[SanityInAnarchy]

Unless I'm missing something, this is only for the search itself. As soon as you actually click on of those results, you're at the mercy of whatever server you're connecting to -- and probably no longer encrypted.

Re:It doesn't.

[Z00L00K]

It would be very interesting to see how you think that Google would resolve that problem. But of course - they could at least have provided a padlock icon or something for every link that is referring to a page using HTTPS.

But at least - now it's not that easy to snoop on the net what a certain person searches for. "Ice Cream Bomb" or "Nuclear Bomb"?

Re:It doesn't.

[FuckingNickName]

Tell me that you believe Google doesn't offer security agencies black-box connectivity to its storage / routers.

Re:It doesn't.

[Z00L00K]

That depends on which agency - and for which country.

Re:It doesn't.

[mprindle]

Nope... the results are also running through the secure site.

Give it a shot and see.

Re:It doesn't.

[BrokenHalo]

It would be very interesting to see how you think that Google would resolve that problem.

It's very generous of Google to provide this facility, but also a useful distraction from the fact that Google itself is datamining your search activity. Know thine frenemy.

Re:It doesn't.

[andymadigan]

And I'm sure they don't prevent the query from leaking in the REFERER header, which would be trivial for them to do if they would take the time.

Re:It doesn't.

[asserted]

actually, your browser will do this for you anyway:

RFC 2616, 15.1.3:
Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol.

Re:It doesn't.

[icebike]

It would be very interesting to see how you think that Google would resolve that problem.

Maybe the little Cashed link would be of help?

Re:It doesn't.

[icebike]

It would be very interesting to see how you think that Google would resolve that problem.

It's very generous of Google to provide this facility, but also a useful distraction from the fact that Google itself is datamining your search activity. Know thine frenemy.

But you knew that when you logged onto the google page.

You didn't know about the Chinese government datamining google searches.

Don't like Google Datamining? Find another search engine that doesn't.

Re:It doesn't.

[Z00L00K]

I assume you mean cached link because if you mean cashed link then you may have a new business idea.

But cached data isn't always nice, and what if the cached data is malicious and you trust the Google signing? That can cause new "interesting" security problems.

Re:It doesn't.

[JohnBailey]

Tell me that you believe Google has a choice... And how exactly is Google different to a bank or a shopping site, or an insurance company or a doctor, or a phone company, or a credit card company.. Some of which have far more sensitive information in their files than your Google porn search. If a server is running in a geographic area that is within the jurisdiction of a government agency, that agency is able to demand (not request) any and all information they feel is necessary. In stable regions,this is covered by a court order or search warrant, in less stable areas, a bunch of police or soldiers turning up and demanding the information. Pretty much the same internationally. I vaguely remember reading a story or two about a few service providers objecting to this, and basically, being told to shut the fuck up and hand over the data. On the other hand.. If you have any proof that Google goes out of it's way to comply, and offers the authorities any information beyond what they are legally bound to do, please post it.

Re:It doesn't.

[FuckingNickName]

1. No, the combined data of all my Google searches (assuming I use non-anonymised Google) is far more sensitive than my insurance company, doctor and phone company records - I use a search engine to find out about insurance, medical and most other issues, so you can obtain a far more complete picture of my life thereby;

2. No, security services don't use a court order or search warrant when they install black boxes: that's the whole point;

3. Google hasn't raised a public fuss repeatedly at the requests of the US security agencies, which means it complies - just how many times has Google announced that it objects to NSA data-gathering, for example?;

4. It doesn't matter how many other smaller institutions comply on request, just that it's dangerous to allow one organisation to collect so much data in a way which be so easily processed.

Re:It doesn't.

[JohnBailey]

1. No, the combined data of all my Google searches (assuming I use non-anonymised Google) is far more sensitive than my insurance company, doctor and phone company records - I use a search engine to find out about insurance, medical and most other issues, so you can obtain a far more complete picture of my life thereby;

Ahh.. So if you are searching for cancer information and you are about to reapply for insurance, that is more likely to get you turned down.. Riight.. And doctors only hold trivial unimportant information on you, instead of the precise personal information that Google has.. A doctor may have recorded somewhere that you had an STD, but searching with Google PROVES it.

2. No, security services don't use a court order or search warrant when they install black boxes: that's the whole point;

And the likelihood of you getting interrogated by secret services is minuscule. Getting "noticed"by the police on the other hand, perhaps for attending a political demonstration or similar is far more likely. As is being accused of something, and later being watched without your knowledge, which includes phone records, internet search records etc..

3. Google hasn't raised a public fuss repeatedly at the requests of the US security agencies, which means it complies - just how many times has Google announced that it objects to NSA data-gathering, for example?;

Are you implying they have a choice? What exactly should they do? Barricade themselves in their offices to protect your porn history? NOBODY refuses secret services when they request information. And currently, they quite possibly do so under a non disclosure system, so can not even mention it. In the UK, even local government officials can use various anti terror powers to investigate trivial things. And have done quite a bit.

4. It doesn't matter how many other smaller institutions comply on request, just that it's dangerous to allow one organisation to collect so much data in a way which be so easily processed.

And you think that the police or any other official agency doesn't have the resources to do a search through all records for all information? Or that a quick call to your phone provider will unearth your ISP, which has far more complete records on not only what you search, but can intercept your email.. Do you honestly delude yourself into thinking that a search for Home made explosives recipes is more incriminating that associating with someone who is already being watched? Pratt..

Re:It doesn't.

[FuckingNickName]

So if you are searching for cancer information and you are about to reapply for insurance, that is more likely to get you turned down.

Insurance is a game in statistics. If the insurance companies had their way, they would absolutely use your searches to help in determining your risk. I can say with great confidence that, given a week's worth of searches by searches by 10,000 people who have just discovered they have cancer and 10,000 people who have no cancer, you could have a good go at predicting which of a further 10,000 searchers have recently diagnosed cancer. (If you didn't, Google wouldn't have any money, as their targeted advertising wouldn't be of any interest to sponsors.)

And doctors only hold trivial unimportant information on you

Strawman. The argument is that Google holds more important information about you (if you make great use of Google), not that no-one else does.

A doctor may have recorded somewhere that you had an STD, but searching with Google PROVES it.

I'm not sure why you're happier that Google hold convincing probabilities about you rather than concrete medical history.

And the likelihood of you getting interrogated by secret services is minuscule.

You're correct: you're never going to be interrogated by, say, the NSA. It's their job to watch you and refer you or your activities to someone else if necessary. It's then easy to dig up a good reason for a warrant. What was your point?

Getting "noticed"by the police on the other hand, perhaps for attending a political demonstration or similar is far more likely. As is being accused of something, and later being watched without your knowledge, which includes phone records, internet search records etc.

What has this got to do with whether the connection between you and Google is encrypted? I think you may be making an assumption which you haven't made explicit. Try again.

Are you implying they have a choice?

I'm not implying that they always have a choice. Nor am I implying that they never have a choice. You appear to be battling your personal windmill.

What exactly should they do?

What do people with a few billion dollars usually do when they want laws changed? They already know how to lobby.

Barricade themselves in their offices to protect your porn history?

Yes, yes, privacy advocates are only worried about their porn history...

NOBODY refuses secret services when they request information.

Bullcrap. You read too many spy novels - they're not superpower organisations who off you when you stand up to them. It's not uncommon for civil servants and businesses to be approached by other than the regular police for information, in my experience, but it's more often than not on a voluntary (no matter how it's worded) basis. If they put a gun to everyone's head they'd be exposed quickly and stop getting what they want. A corporation may be conservative and single-minded, but individuals are usually more emotional and idealistic, and you can't just bully everyone.

In the UK, even local government officials can use various anti terror powers to investigate trivial things. And have done quite a bit.

If they'd done it "quite a bit" and it actually worked, you wouldn't know about it.

And you think that the police or any other official agency doesn't have the resources to do a search through all records for all information?

Of course they don't have the resources to examine every single distributed aspect of every individual's life. But they do have the resources to examine what every identified individual does with Google.

Or that a quick call to your phone provider will unearth your ISP, which has far

Re:It doesn't.

[jesset77]

SHOULD. It is a recommendation; not a requirement. I just checked FF 3.6.4 & it does send the referrer but only the https://www.google.com/ part. it did not send the query itself. Some might not like that but I think that it is a good balance. It at least informs the target what website linked to it. For the paranoids there is https://addons.mozilla.org/en-US/firefox/addon/953/

Whether Google blanks the referrer completely or just blanks out the search portion (which is what my largest concern would be) it's still a TWO FOLD win, actually! :D

Imagine you're a site owner and rely on keyword analysis. You want that referer data, and suddenly more and more people who use Google SSL aren't giving you the data on what they searched for.

What do you do?

Implement SSL on your site as well! :D Then the referer data comes to you cleanly, and still remains out of the hands of eavesdroppers.

If Google ends up pressuring a greater adoption of SSL for standard web surfing across SEO-conscious websites, then I would call this a significant win. Yes, I realize Google is still raeping my data. But that has not gotten demonstrably worse by this change while many many other benefits appear to be cropping up. xD

Re:It doesn't.

[BigDXLT]

1. You're an idiot.
Counterpoint: No, you're an idiot.
Counter-counterpoint: No, you're an idiot.
ad nauseam

Re:It doesn't.

You SHOULD look up the definition of SHOULD NOT in RFC language.

Re:It doesn't.

[IBBoard]

Imagine you're a site owner and rely on keyword analysis. You want that referer data, and suddenly more and more people who use Google SSL aren't giving you the data on what they searched for.

What do you do?

Implement SSL on your site as well! :D Then the referer data comes to you cleanly, and still remains out of the hands of eavesdroppers.

Damnit, I bet that the certificate authorities are rubbing their hands in glee. I don't know how many of my visitors will use Google with SSL, but a dozen sites on one machine would require a dozen certificates and a dozen IP addresses (or using non-standard ports, which would freak some people out and wouldn't work on some corporate networks).

Actually, now that I think about it, maybe Google have a plan. Maybe they want to get people using more IPv4 addresses so that they can support SSL on their sites, which would decrease the remaining amount even faster, which would force the introduction of IPv6 more quickly. We can but hope :D

Not that I actually read my stats all that much, just the occasional browse to see if anything interesting is happening in referral patterns or new phrases.

it's not that simple

[yyxx]

Self-signed certificates still protect pretty well against eavesdropping (i.e., passive attacks). They don't protect against MITM attacks. But whether a certificate is self-signed is really irrelevant; even officially signed certificates are not secure against MITM attacks, since certificate authorities can forge them. The organizations likely to be able to pull off a MITM attack on my SSL connections usually can also generate certificates. In different words, there is no reason for me to trust certificate authorities; they do not have my interests at heart.

SSL needs a web of trust and mechanisms like ssh. And with a web of trust, whether something is self-signed or not doesn't matter.

As for Firefox, a simple dialog box should be sufficient; the current multi-step process is idiotic. It makes using legitimate self-signed certificates unnecessarily hard and gives people an excessive level of trust in certificates signed by a CA.

Re:it's not that simple

[Onymous+Coward]

Web of trust-like mechanism for SSL: Perspectives.

A web demo is available.

Not really a web-of-trust. More like a history-of-key, which also works well.

Check that fingerprint... especially at WORK

[yup2000]

but be sure to write down google's ssl fingerprint... and check it every now and then yourself. You never know when your place of work decides to start intercepting https! Mine did recently until I pointed out issues with HIPAA compliance in conjunction with our limited personal use policy! They (work) installed their own certificate on everyone's computers (but they didn't do Firefox which is why i noticed)... and then they modified the proxy servers to start taking a peek before re-encrypting and sending it along :(

Re:Security != privacy.

[Veramocor]

Google clearly states this on their page. There is no such thing as 'free'.

"few notes to remember: Google will still maintain search data to improve your search quality and to provide better service. Searching over SSL doesn't reduce the data sent to Google -- it only hides that data from third parties who seek it. And clicking on any of the web results, including Google universal search results for unsupported services like Google Images, could take you out of SSL mode. Our hope is that more websites and services will add support for SSL to help create a better and more consistent experience for you.

We think users will appreciate this new option for searching. It's a helpful addition to users' online privacy and security, and we'll continue to add encryption support for more search offerings. To learn more about using the feature, refer to our help article on search over SSL."

They make there money by monetizing your search and with ads. You are free not to use their service.

Re:Security != privacy.

[shakuni]

Google definitely uses my data in ways that I don't explicitly authorize them to (arguably it is embedded in one of those terms of service that i sign but I am not talking technicality here but perception of trust) and definitely creates suspicion on total transparency image that is often spread in this forum. I have posted my experience below.

http://diagonalslash.blogspot.com/2010/05/google-is-messing-with-my-profile-data.html

Re:Security != privacy.

[fustakrakich]

Google has never shown any tendency towards abuse of my private data...Of course, they'll give that information to my government any old time, but that's not the same thing as having it continually logged where it can fire off triggers.

How do you know it's not being done automatically now? You don't.. My advice is simply to trust no one. The internet is a party line, any anybody can hear what you're doing. And government and corporation are the same. That's the way the majority wants it. The cool thing is that you can vote in a different government if you like. You don't have to vote for your spoon fed candidates if you don't want to. That means the problem is your friends and neighbors, not the government itself. It takes a bit more effort to drive a corporation into bankruptcy. Wall Street has turned that into a game of whack-a-mole.

why not iGoogle SSL too?

[oddTodd123]

This doesn't work with iGoogle yet. Boo.

Also, I'd rather they make encrypted search an account setting or a cookie setting instead of requiring you to go to a separate URL.

Re:why not iGoogle SSL too?

[izomiac]

You can sorta get iGoogle via SSL via NoScript, but it doesn't work for everything (still a mixed page at best, a broken one at worst). I still can't really see the point of not working on this... obviously encrypting the gadgets that display my e-mail, calendar, and to-do list is as or more important than my web queries.

Re:Who is this for?

[fustakrakich]

They won't reset it if they detect an encrypted connection? Because I sure would if I was the blue meanie in charge...

The feature we really need

[dawilcox]

I've been waiting for google to provide a button on their search page "Don't connect this search with my IP address". It's not the me vs my peer privacy that I care about the most, it's the me vs google privacy that scares me.

Re:The feature we really need

[izomiac]

Well, Google happens to be under a lot of scrutiny and has a minimal history of privacy abuses, and seems to be aware of what is, and isn't appropriate. The same cannot be said for that shady looking guy with the laptop in the coffee shop. Heck, I'm not even sure if my ISP is more or less trustworthy than that. I just assume anything sent unencrypted over the air or outside my apartment is being sniffed.

Re:The feature we really need

[david614]

While i generally agree, the recent fiasco over collection of wifi networks information while doing the google mapping activity seems like a huge gaffe.

IXQUICK

https://ixquick.com

Encrypted search.
They do not record your IP address
you can access search result pages via their proxy service too.

Re:IXQUICK

[cpghost]

They do not record your IP address

Or so they claim...

Good

[Gonoff]

This will stop nosey people in the middle sniffing my searches.

Is there a way of doing an "advanced search" that only brings up HTTPS results - apart from putting that as a part of the search string?

Close... but what about auto-suggests

[poind3xt3r]

While Googles searches are secure, it would appear autosuggests? I use FF's search bar and set the search engine to use SSL. Forcing the autosuggest url to https redirects back to http which means anyone sniffing for suggestqueries.google.com can still find out my queries

Xbox Live is encrypted

[tepples]

[Encryption] would just be down right unforgivable for internet games in terms of ping/lab.

Gaming over Xbox Live Gold is an arguable counterexample to your assertion.

Google's We're sorry page

[tepples]

I tried it, but all I got was

We're sorry...

... but your computer or network may be sending automated queries. To protect our users, we can't process your request right now.

I had to wait a couple minutes, log in using my Google account, and then search for various antispyware-related keywords before Google would let me run a query like this again.

Re:Google's We're sorry page

[thijsh]

I guess Google has some measures in place to prevent people from abusing this now (a while back you could still search this way). But still, when you specify either a really small range or a really big range you'll get the results. They probably filter this query because it appears as a distributed botnet doing an SSN/CC/other search...

Re:Google's We're sorry page

[Jah-Wren+Ryel]

So, the question is, can yahoo or bing be used to the same kind of search?

Re:Google's We're sorry page

[Demonantis]

Tried it on bing and got this webpage about fourth down. I am slightly not sure how to interpret that.

Re:Who is this for?

[EricJ2190]

128-bit RC4 as used in SSL/TLS is not necessarily insecure. I know of no situation where the crypto has been directly broken in practice. Certain RC4-based systems, like WEP, have been broken in part due to flaws in RC4 but also from poor implementation. RC4 as used in HTTPS is still quite secure, even though AES is preferred. RC4 HTTPS seems completely acceptable for protecting most user's Google search terms. It has been successfully used to protect far more sensitive information.

Re:Who is this for?

[bodan]

It only needs to be good enough to make wide-scale interception expensive, and it needs to be as fast as possible. Remember Google has a lot of traffic, and SSH is not free in terms of bandwidth and processor usage, not even after the initial handshake.

I tried to raise awareness about this 6 months ago

[ttsiod]

I was clearly right, but unfortunately, someone at Slashdot closed the thread I tried to open about this, 6 months ago: http://slashdot.org/submission/1094437/Why-isnt-Google-allowing-searches-over-HTTPS

Band-aid over the gaping wound?

[Mathinker]

There's no reason for a browser to throw up nasty error dialogs when it encounters a self-signed certificate. Instead, browsers should silently accept such certificates and record the public key fingerprint. Browsers shouldn't turn on the lock icon when using a self-signed cert, or do anything else to make the user think they're browsing on a secure connection, because they're really not, but they should go ahead and encrypt the traffic.

Security, like everything else, isn't binary, so browsers classifying connections into two classes, "secure" and "insecure" is itself, in some ways, idiocy. We saw this in action recently, when Chinese dissidents were lobbying Mozilla to not trust a certain CA they believe is controlled by the Chinese government.

Your new definition of "secure connection" is still not secure from any adversary who controls or has otherwise subverted an organization trusted to issue certificates. For example, Google itself (I recently noticed, because I've started using Certificate Patrol, that Google juggled some of the certificates it uses for GMail and Google Docs --- perhaps it was because of this new feature --- but all the certificates in question were issued by a CA that Google has set up).

I do understand that Ordinary Joe isn't able to understand all this, and in that context, your suggestion isn't all that bad. I wonder if corporations will start to become so competitive that they will be tempted to abuse their cert-issuing powers to MITM. A possible scenario with less risk to such a corporation would be to use a criminal third party which they have allowed to subvert their CA's security. OTOH, the minute that a corporation would do such a thing, the criminals would have power to MITM any secure browser connection --- one wonders if this would deter such tomfoolery. Actually, one has to wonder whether organized crime hasn't already subverted some CA somewhere, no?

Re:Band-aid over the gaping wound?

[swillden]

Security, like everything else, isn't binary, so browsers classifying connections into two classes, "secure" and "insecure" is itself, in some ways, idiocy.

Absolutely true.

Your new definition of "secure connection" is still not secure from any adversary who controls or has otherwise subverted an organization trusted to issue certificates.

Not my definition, really. It's the one we've been using for about 15 years now for web security. Not a very good one, but it has proven effective most of the time.

I wonder if corporations will start to become so competitive that they will be tempted to abuse their cert-issuing powers to MITM. A possible scenario with less risk to such a corporation would be to use a criminal third party which they have allowed to subvert their CA's security.

An even more likely scenario, I think, is an employee of a CA subverting the security for criminal gain.

Actually, one has to wonder whether organized crime hasn't already subverted some CA somewhere, no?

Indeed. And it's flat guaranteed that various governments have done it.

No one should place too much trust in the certificate issuance systems. In practice, though, they seem to be good enough to keep my on-line banking password from being abused, and I wouldn't want to undermine that system. Not until we come up with something better.

Re:I tried to raise awareness about this 6 months

[conspiracy2718]

Bloody hell, this guy is right - a Slashdot coverup!

Our Slashdot overlords are killing threads that may make Google look bad? :-)

and?

[circletimessquare]

look, i'm all for privacy, but too many expect the impossible

even if google publicly announced it was keeping no logs, this wouldn't be good enough for some people. you'd complain about something, anything. because you want to complain, not because you have anything useful to say

some people's standards are too insane

look: if you go to the store, and buy a can of coke, someone knows you went and bought a can of coke. deal wtih it, that's life: you leak personal info all the time in disjointed ways. there is some exposure you get just for living, your privacy is inherently compromised just by the facts of life, and you just need to be comfortable with it, because a more flexible approach results in benefits, such as being able to use a search engine. yes, you expose your thoughts. yes, you get links to what you want to think about it. its a tradeoff, and its a fundamental one you are not going to get around. so just accept it

look: google's ssl search is WONDERFUL, AMAZING. so celebrate, and be thankful

but no, instead you find something to still complain about, which makes you just another impossible to satisfy whiner, not useful or insightful about anything

realism and practicality trumps naive idealism, on every issue

Wrong

[Mathinker]

> This protects your privacy from everyone but google.

Wrong. This only protects your privacy from adversaries who cannot afford to subvert CA's. That doesn't include most governments or even most large corporations, and probably doesn't even include organized crime.

Interesting side effect

[mysidia]

Corporate IT will no longer be able to monitor Google search activity merely by intercepting port 80 traffic.

They also cannot implement a webfilter that simply monitors port 80 traffic, and denies your ability to search, based on keyword.

They can't block SSL either, since Google requires SSL for certain things (login to Google accounts, google webmaster tools, google checkout) that Enterprise users may require.

Re:Interesting side effect

[IBBoard]

The simple solution there, since they are corporate computers, is for them to put their own root certificate on each machine and make their firewall/filter machine perform a "MITM" on all connections then re-encrypt with a new root-signed certificate. Since the client has a root that it trusts then it won't show an error and since it gets decrypted at the firewall/filter then it can be read. It works and it probably isn't all that expensive, in the grand scheme of things.

Re:Interesting side effect

[mysidia]

Yes, that will work, but it has a few problems:

• It is not simple. Most proxy servers/firewalls are not capable of this 'MITM', and it would be a highly specialized solution (I would guess that it is elaborate enough that some organization will eventually patent the basic technology to perform the MITM).
• The CPU requirements to deconstruct and reconstruct SSL sessions are not insignificant. This would have to be some monster of a firewall or filter (as in 3ghz quad-core+ equipment normally used for servers/workstations, or hardware crypto, in any case, an expense, and requiring lots more electricity than a simple firewall) in order to avoid introducing latency that would hurt the entire enterprise.
• It is actually compromising security of SSL. This represents a substantial security risk, and if the Enterprise actually has a security policy designed to ensure protection of Enterprise data, a MITM of this nature is probably a violation of security policy in and of itself.

  The "new root-signed cert" becomes a point of attack, any intruder who can compromise that endpoint, now has full access to all the Enterprise's encrypted SSL transmissions, banking, etc.

Re:Interesting side effect

[IBBoard]

The CPU requirements to deconstruct and reconstruct SSL sessions are not insignificant. This would have to be some monster of a firewall or filter in order to avoid introducing latency that would hurt the entire enterprise.

Really? All it is doing on top of the normal scanning is initiating two SSL sessions - one between itself and the client with a "fake" certificate and one between it and the server that the user made the request to. I've not looked into the detail, but if a webserver can handle huge numbers of SSL connections then I wouldn't have expected a firewall/filter to struggle much either.

It is actually compromising security of SSL. This represents a substantial security risk, and if the Enterprise actually has a security policy designed to ensure protection of Enterprise data, a MITM of this nature is probably a violation of security policy in and of itself.

It depends on your point of view. To the person using the SSL then the security is compromised in terms of their confidentiality, but in terms of the corporate network then the unmanaged SSL itself is a security risk as it can be used by employees to leak data without it being monitored. It depends on how the company handles its data and how "high risk" the data is.

The "new root-signed cert" becomes a point of attack, any intruder who can compromise that endpoint, now has full access to all the Enterprise's encrypted SSL transmissions, banking, etc.

I'm not sure how that would work. If all of the communication from the filter/firewall to the client is within the corporate LAN then having the certificate is useless without remaining within the LAN. Besides, as I understand it then you'd only be able to sign things as the actual HTTPS encryption or similar would use its own symmetric key that was created at the time.

Also, I'd expect that you only do the MITM for external transactions over the Internet to general HTTPS sites. If you have some specific systems that have known and constrained interfaces that are regularly used for corporate functions then I'd expect them to have a waiver and be allowed to connect as normal.

Re:Interesting side effect

[mysidia]

I've not looked into the detail, but if a webserver can handle huge numbers of SSL connections then I wouldn't have expected a firewall/filter to struggle much either.

This is dependant on cipher. Right now https://www.google.com/ is using RC4 128 bit. One of the cheapest (CPU wise) and least secure ciphers.

A firewall creating fake SSL connections with clients would not have the same luxuries, if it encrypted with a RC4 cipher, it would be creating a security risk, since the RC4 cipher is unacceptable for other applications, such as online banking which should use 3DES, AES256 or better.

Also, for webservers, the latency introduced isn't so bad, since they only need to decrypt once for each bit, and encrypt once for each bit.

A firewall in between would be adding significant latency, due to the double-sided nature of the sessions.

Another dirty secret you may be unaware of is webservers actually cannot handle massive numbers of SSL sessions. Typically the SSL sessions would get load balanced over many web servers at the TCP connection level, OR more common... the web farm has SSL frontend servers (probably with crypto hardware) to terminate the SSL sessions, and forward to the actual webservers over plain HTTP through a backend network.

It's not practical at all for a common firewall to handle 100 simultaneous SSL interceptions. Of course firewalls could be designed with hardware crypto to allow it, just like Firewalls are designed with hardware crypto to handle VPN sessions, but the cost is not zero or a small number.

I'm not sure how that would work. If all of the communication from the filter/firewall to the client is within the corporate LAN then having the certificate is useless without remaining within the LAN.

The attack scenario is you have an insider attack originating from the local LAN, and they were able to quietly obtain the private key for the SSL Certificate used by the firewall.

This is sufficient to MITM all SSL sessions they can see, and discover the session keys for all the SSL sessions without brute force.

This also hides information from applications that they might need in order to make a good security decision.

For example, if the firewall constructs a fake SSL session, the information about the effective encryption has been hidden... they can no longer verify that the session is encrypted end to end using a cipher strong enough for the information they are about to send.

They can also no longer verify the remote end's certificate.

Or else, the Firewall could impose a policy which will disrupt effective web access.

Many websites use self-signed certificates, or have expired certificates.

A decision needs to be made based on how the site will be used whether to proceed or not despite the error.. A Firewall quietly hiding errors will result in an insecure situation, since the user proceeds to a site under false pretense of security.

A Firewall producing spurious errors in result of self-signed certificates or expired certs, will result in user complaints. And a demand from vendors that they simply 'OK' the cert warning.

Re:Interesting side effect

[IBBoard]

This also hides information from applications that they might need in order to make a good security decision.

For example, if the firewall constructs a fake SSL session, the information about the effective encryption has been hidden... they can no longer verify that the session is encrypted end to end using a cipher strong enough for the information they are about to send.

I think that if you're in an environment where they're MITM-ing your HTTPS sessions for corporate security and other reasons then you're probably also in an environment where you're not allowed unapproved network apps. If you do want a new network-aware app then you'd need to get it fully tested and approved for use, which would generally include checking its behaviour with the MITM system. Luckily, the developer network isn't tied down with such limitation on HTTPS, but we're not allowed SSH out and other filters kill SVN over HTTP (they don't like any HTTP requests other than POST and GET).

A decision needs to be made based on how the site will be used whether to proceed or not despite the error.. A Firewall quietly hiding errors will result in an insecure situation, since the user proceeds to a site under false pretense of security.

A Firewall producing spurious errors in result of self-signed certificates or expired certs, will result in user complaints. And a demand from vendors that they simply 'OK' the cert warning.

That's not my experience. I've had SSL sites not work, almost certainly because they weren't using a recognised certificate and so the filter rejected them. You don't get a choice in the matter - corporate security set up the firewall and you live with it. If there's something important to work then it is normally set up with a normal certificate from a standard root and is intercepted by the filter. If you visit anything that fails but is for work then they'll add it to the whitelist, but anything else almost certainly won't get actioned.

You guys love google now...

[WSOGMM]

and you'll probably still love them when the overthrow the US government. :)

Re:Security != privacy.

[DragonWriter]

It means MITM attacks are more unlikely, but your data is still in Google's hand.

Well, yeah, the queries you actively send to Google are in Google's hands.

The privacy benefit is directly linked to the security benefit, in that people other than the one to whom you are choosing to give your data to provide you with a service don't have quite as easy access to it in transit.

Privacy doesn't mean no one has your information, it means that only the people you choose to give your information to have it.

Update your Firefox search bar

[b1ng0]

To take advantage of the change in your Firefox search bar on Linux, edit the ~/.mozilla/firefox/xxxxxx.default/search.json file and change all URL references to Google to "https" where xxxxxx is the random string created by Firefox. I assume it's similar for other operating systems.

While this is a step i nthe right direction, I believe only the results of your search are encrypted, not the search string itself. Perhaps Google should make the search a POST and not a GET. That should solve the problem of your search string appearing in the URL.

Re:Who is this for?

[cynyr]

depends, if I trust google with my data, and not my ISP or their upstream or the upstreams upstream and up and up.

Firefox search bar with ssl?

[zipherx]

I tried googling for a plugin to the search bar but to no avail. Do anyone know away to fix that?

Re:Firefox search bar with ssl?

[chazchaz101]

http://mycroft.mozdev.org/search-engines.html?name=google+https

The Mycroft Project provides plugins for almost every site out there.

It's easier with Petname

[Pseudonymus+Bosch]

Petname helps verifying that the SSL certificate is the same you found earlier.

Re:Who is this for?

[xOneca]

Who is this for?

Yeah! There's no Pac-Man in SSL'd google.com!

Beta??

[Aeiri]

They add SSL to their existing service and think it requires a "beta" tag? Really?

It's not about the results.

[SanityInAnarchy]

It's about what you do with them.

Yes, I realize the Google page showing you a list of results is secure. However, the instant you actually click on one of those results -- say, Slashdot -- you're probably not on SSL anymore (most of the Internet isn't), and your Referer header will tell anyone listening exactly what search terms you used to get there.

Re:Privacy? Really? User Verification?

[icebike]

SSL is extremely transient.

Interesting you should say that...

[Burz]

And if it also prevents man in the middle hacking of web pages it's a good thing.

There has been some debate as to whether HTTPS should become the default for web sites. It would prevent all kinds of misdeeds, from sniffing and MITM on free Wifi networks to ISPs sniffing or "enhancing" the pages we view by injecting code. In the case of ISPs it allows them to eventually out-compete the independent sites we like.

But with a ubiquitous jumping-off point like Google serving up search results in HTTPS, it may influence other and varied websites to offer the same kind of connection.

Google's decision could have some positive knock-on effects... Or with Symantec buying Verisign, maybe not!

Re:Who is this for?

[Haeleth]

RC4 is known to have weaknesses if used incorrectly. That is not the same as being "insecure".

RC4 is vulnerable to snooping in the same sense that airplanes are vulnerable to terrorists. In theory something bad can happen if someone malicious gets very lucky and a large number of people fail to do their jobs properly, but in practice it's really not something that should be keeping you awake at night.

I expect the reason Google prefers RC4 over AES is that RC4 is considerably cheaper.

A good step, but not good enough

[supersat]

At last week's Oakland conference (a.k.a. the IEEE Symposium on Security and Privacy), a team of researchers from MSR demonstrated that the auto-complete features of many web sites (including Google search) reveal individual keystrokes based on the size of the returned auto-complete lists. They demonstrated this over WPA2, but I have no reason to believe it wouldn't work over HTTPS.

Separately, it was also pointed out that the root certificates for Google's HTTPS site use MD2 and 1024-bit RSA keys.

Re:A good step, but not good enough

[asserted]

> root certificates for Google's HTTPS site

there is no such thing as a "root certificate for site". there is a "certificate", issued to a certain "subject" for a certain "canonical [site] name".

> 1024-bit RSA keys.

this is true.

> Google's HTTPS site use MD2

this is not. you can test it yourself:

$ openssl s_client -connect www.google.com:443 /dev/null | openssl x509 -text ...
                        Public Key Algorithm: rsaEncryption
                        RSA Public Key: (1024 bit) ...
        Signature Algorithm: sha1WithRSAEncryption

Re:Who is this for?

[Bungie]

I'm sure Google doesn't want to use the more resource intensive AES-256 encryption for search page instead of the much faster RC4 algorithm. s sufficient enough. It's considered insecure because there are a few implementation exploits for it (like WEP) but the algorithm itself is sound. I'm sure it would take long enough to crack the 3.4 * 10E38 possible key combinations.

Re:Who is this for?

[AHuxley]

Why wait for someone to show up for the need for gov sneak and peek.
Just get your Certificate Authorities to mix and match some local magic and ssl becomes plaintext.

Install your own search proxy

[beniz]

Several OSS let you install your own websearch proxy, like http://www.googlesharing.com/ and http://www.seeks-project.info/ Add SSL to it and you get your own scroogle. Alternatively you can also use that by others such as friends, building up a network of trusted websearch proxies.

How to add SSL Google in Chrome

[wye43]

1. Options->Basics->Default Search->Manage
2. Click Add
3. Fill in some Name/Keyword (doesn't matter, just make it unique/descriptive)
4. Set URL field to: https://www.google.com/search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}sourceid=chrome&ie={inputEncoding}&q=%s
5. Click Ok
6. Optional: Click "Make Default" button

Enjoy!

Re:GoogleCachingProxy

[True+Vox]

This COULD be the last search they ever see from you.

I made myself an opensearch file for SSL Google

[Protoslo]

As others have pointed out, there is no encrypted autocomplete, so I decided to make a separate Google search entry without it. Oddly enough Google SSL was redirecting to non-SSL (for me, at least) between about 11AM-12:30PM EST. Since it is back now, however, you may find this xml useful; you might find it a lot more useful if I just put in a link, but alas my domain is my real name...

You might also have to convert the image to ico again (or just choose your own). If you copy [opensearch.xml] into some local xml file, and then link to it with [addsearch.html] (replacing the path, obviously), it is very easy to add to Firefox (or IE, I guess) without mucking around with json files. An option to add it will appear at the bottom of the provider dropdown menu.

[addsearch.html]
<html><head>
<link rel="search" type="application/opensearchdescription+xml" href="[opensearch.xml]" title="Google SSL"/>
</head></html>

[opensearch.xml]
<OpenSearchDescription xmlns="http://www.opensearch.org/Specifications/OpenSearch/1.1">
        <ShortName>Google SSL</ShortName>
        <LongName>Google SSL Web Search</LongName>
        <Description>Search Google using SSL Encryption (no suggestions)</Description>
        <Url type="text/html" method="GET" template="https://www.google.com/search?q={searchTerms}&amp;ie=utf-8&amp;oe=utf-8&amp;aq=t" />
        <Image height="16" width="16" type="image/png">http://img189.imageshack.us/img189/827/lockicon.png</Image>

        <Language>en-us</Language>
        <Language>*</Language>
        <InputEncoding>UTF-8</InputEncoding>
        <OutputEncoding>UTF-8</OutputEncoding>
</OpenSearchDescription>

The house with only a front wall, and a big lock

[Hurricane78]

But no other walls or roof.

That’s exactly what this is.

It’s like Facebook encrypting the http connection.

When it reaches the server, it is still sold off to everyone who pays money.

Or you could go to another search engine

[AthleteMusicianNerd]

that is, until they lose your trust too.