Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Offers Encrypted Web Search Option

Posted by Soulskill on from the helping-you-hide-your-pokemon-obsession dept.

alphadogg writes "People who want to shield their use of Google's Web search engine from network snoops now have the option of encrypting the session with SSL protection. In the case of Google search, SSL will protect the transmission of search queries entered by users and the search results returned by Google servers. Google began rolling out the encrypted version of its Web search engine on Friday. 'We think users will appreciate this new option for searching. It's a helpful addition to users' online privacy and security, and we'll continue to add encryption support for more search offerings,' wrote Evan Roseman, a Google software engineer, in an official blog post."

14 of 288 comments (clear)

  1. The real reason by Anonymous Coward · · Score: 5, Interesting

    The real reason is that internet hacking people have been figuring out how to monetize the traffic they sniff. This is merely Google reclaiming the market that is rightfully theirs.

    1. Re:The real reason by Jackie_Chan_Fan · · Score: 4, Interesting

      Exactly right. This is not about your privacy... Its about Google protecting their market from say Verizon who could be packet sniffing anything you search on Google, and then selling that data... which then competes with Google.

      Google is simply protecting their business. It has nothing to do with user rights or privacy.

      But it is a welcomed addition. Its certainly a good thing... but it is also more for Google, than for you.

    2. Re:The real reason by Z00L00K · · Score: 4, Insightful

      It's an enhancement that isn't a disadvantage for the user, so we should welcome it.

      And if it also prevents man in the middle hacking of web pages it's a good thing.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    3. Re:The real reason by mlts · · Score: 4, Insightful

      I see this also useful against Phorm, and other in-transit ad-insertion mechanisms.

      All and all, the good guys benefit here. Google doesn't have ISPs modifying their ads in transit, replacing their ads with their own. The user gets search results that have not been tampered with (where a site for product "A" takes you to a different company, or associate IDs are replaced so different parties get credit for ad responses), and have potentially malicious ads thrown in. ISPs can't passively log the connection and sell the data (just like the parent said.)

  2. Re:Security != privacy. by drinkypoo · · Score: 5, Insightful

    In other words, you still trade your privacy for the service provided by Google; the difference is the trade being less likely to be interrupted now.

    Google has never shown any tendency towards abuse of my private data. My government, on the other hand, has repeatedly demonstrated its willingness to break its own laws whenever it's convenient for any of their actual constituents, i.e. corporations. I'm much more worried about my government watching my search history than google doing it. Of course, they'll give that information to my government any old time, but that's not the same thing as having it continually logged where it can fire off triggers.

    No, I'm not doing anything that I feel my government would attack me for. But then, I'm not doing anything google would attack me for, either. Google continually stands in opposition to the corporations that I am concerned about. The enemy of my enemy may or may not be my friend, but odds are better than if he's my enemy's friend. Contrarily, much of what the U.S. government does makes it the enemy of any right-thinking citizen, where right-thinking is defined as "freedom-loving". (I may have a bias, but I certainly don't hide it.)

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  3. Implications on China by dncsky1530 · · Score: 5, Insightful

    This could be an interesting development for Google's efforts in China. If the traffic between google and the client is encrypted then the firewall of China *shouldn't* be able to analyse the search results coming back. The only option for China might be to block Google SSL completely but that might be a bit too risky politically.

    1. Re:Implications on China by Nukenin · · Score: 4, Informative

      You search for some keywords over SSL and click on a non-https link in the result page. BAM, the Referer now points to the result page, which contains the keywords you just used in its URL.

      According to RFC2616 (HTTP/1.1) section 15.1.3 "Encoding Sensitive Information in URI's", "Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol."

  4. Re:Now I can Google my SSN and CC#!!! by hedwards · · Score: 4, Informative

    I know you're joking, but the way you do that is by googling the first 5 or 6 digits of your SSN, then manually comparing the last 4. The first 5 or 6 aren't unique and can be relatively easily guessed based upon the location and date of birth. Similar searches are great for finding CC#s that might be posted online.

  5. All HTTP traffic should be encrypted by swillden · · Score: 5, Insightful

    As a matter of course, we should use SSL on all connections. In some rare cases the computation may be too much of a burden, but in the vast majority of situations it's trivial and there's no reason not to do it.

    IMO, the only reason we don't do it more is because the way browsers handle self-signed certificates is broken.

    There's no reason for a browser to throw up nasty error dialogs when it encounters a self-signed certificate. Instead, browsers should silently accept such certificates and record the public key fingerprint. Browsers shouldn't turn on the lock icon when using a self-signed cert, or do anything else to make the user think they're browsing on a secure connection, because they're really not, but they should go ahead and encrypt the traffic.

    Not only would that provide some measure of security against eavesdropping, but it would also assist with detection of phishing attacks. Browsers could and should throw up nasty warnings/errors when connecting to a site whose certificate has inexplicably changed. This is similar to how SSH handles trust of server keys, a system that works very well in practice.

    Regarding this move by Google, I think it's great. I applauded their decision to make Gmail and Google Apps HTTPS-only, and providing the option for Google Search is great, too. Hopefully they'll eventually go to HTTPS-only for search as well. Their page volumes are such that they'll have to seriously consider the impact of the encryption overhead, but I think they'll get there.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    1. Re:All HTTP traffic should be encrypted by swillden · · Score: 4, Insightful

      Either you're trolling or you honestly have no idea why it's a good idea to throw up all sorts of errors on encountering a self-signed certificate.

      Clue: SSL is intended to guarantee that nobody can eavesdrop on your connection. As soon as you start to see anomalies in the certificate chain (such as a self-signed certificate), that guarantee cannot be upheld.

      Did you read my post? That's why the user shouldn't be given any indication that the connection is secured when a self-signed cert has been presented, because it's really not.

      Sites where sensitive data is managed should not used self-signed certs, so that the certificate chain can be verified, to defeat MITM attacks. But sites that would currently not use any encryption could increase their security by a non-negligible amount by using HTTPS and a self-signed cert -- but the way browsers handle self-signed certificates is stupid and broken.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    2. Re:All HTTP traffic should be encrypted by j-beda · · Score: 4, Informative

      How's the browser meant to know the difference?

      The browser is not meant to (and cannot) know the difference between sites using a self-signed-certificate and those that should use a "real" certificate. That is what the user is supposed to do. What the original poster was suggesting was that sites using a self-signed-certificate display the site AS IF no security was present. Thus when you visited "Chris's House of Fly Fishing Forums" with a self-signed-certificate, you would not be presented with an obtrusive "watch out! this might be phony!" notification, but you would also not be presented with lots of flashing padlocks and icons indicating your high security. Such a system would not penalize websites which used self-signed-certificates IN COMPARISON TO sites which use NO certificate at all. Users however would have some actual benefit in that their fly fishing discussions would be more well secured from third parties. If people use the same or similar account names and passwords on lots of websites, identity theft would be a bit harder than just sniffing their unencrypted web traffic if all of it was secured with self-signed-certificates.

      It does seem as though there would be some non-zero positive effects to more "regular" sites using encrypted sessions, and encouraging use of self-signed certificates in cases sign as these.

      For a real-world example: a cheap-ass lock discourages the good-for-nothing-neighbourhood-punk-kids from rummaging through the garden shed. There is little benefit to also putting up a big sign in the drawer where we keep the key saying "the lock on the shed is a piece of shit and provides no real security".

  6. Re:Now I can Google my SSN and CC#!!! by thijsh · · Score: 5, Informative

    Better yet google for the a range of 10000 numbers by adding two dots between the lower and upper number:
    Google: 123450000..123459999

    This way you can search for SSN, CC numbers etc.

  7. Re:Security != privacy. by Veramocor · · Score: 4, Informative

    Google clearly states this on their page. There is no such thing as 'free'.

    "few notes to remember: Google will still maintain search data to improve your search quality and to provide better service. Searching over SSL doesn't reduce the data sent to Google -- it only hides that data from third parties who seek it. And clicking on any of the web results, including Google universal search results for unsupported services like Google Images, could take you out of SSL mode. Our hope is that more websites and services will add support for SSL to help create a better and more consistent experience for you.

    We think users will appreciate this new option for searching. It's a helpful addition to users' online privacy and security, and we'll continue to add encryption support for more search offerings. To learn more about using the feature, refer to our help article on search over SSL."

    They make there money by monetizing your search and with ads. You are free not to use their service.

    --
    Veramocor
  8. Interesting side effect by mysidia · · Score: 4, Interesting

    Corporate IT will no longer be able to monitor Google search activity merely by intercepting port 80 traffic.

    They also cannot implement a webfilter that simply monitors port 80 traffic, and denies your ability to search, based on keyword.

    They can't block SSL either, since Google requires SSL for certain things (login to Google accounts, google webmaster tools, google checkout) that Enterprise users may require.