Google Rolls Out Encrypted Web Search Option
KirinMercury writes "Google began offering an encrypted option for Web searchers on Friday and said it planned to roll it out for all of its services eventually. People who want to use the more secure search option can type 'https://www.google.com' into their browser, scrambling the connection so the words and phrases they search on, and the results that Google displays, will be protected from interception." Note that you need the 'www' for it to work. Dropping it redirects you to a non-ssl page. You might have read this on Saturday, but if you missed it, it's still worth knowing.
In ~/.mozilla/firefox/(profile id).default/search.json, find this:
{"template":"http://www.google.com/search","rels":[],"params":[{"name":"q","value":"{searchTerms}"}
Change it to this:
{"template":"https://www.google.com/search","rels":[],"params":[{"name":"q","value":"{searchTerms}"}
Restart browser
rooooar
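The manual edit described above, scripted, as an added example that is not part of the original comment. It assumes search.json is plain JSON as in the fragment quoted; the "engines"/"urls" layout of the sample and all function names are constructed for illustration. Only templates on www.google.com are rewritten, since the summary notes that other hosts redirect back to a non-SSL page.

```python
import json
import shutil
import tempfile
from pathlib import Path

OLD_PREFIX = "http://www.google.com/"
NEW_PREFIX = "https://www.google.com/"

# Constructed sample, not a real profile file. Only the first entry matches
# the fragment quoted in the comment; the other two are hosts the thread
# says do not serve SSL, so they must be left alone.
SAMPLE = {
    "engines": [
        {"name": "Google", "urls": [
            {"template": "http://www.google.com/search", "rels": [],
             "params": [{"name": "q", "value": "{searchTerms}"}]},
            {"template": "http://google.com/search", "rels": [], "params": []},
        ]},
        {"name": "Google UK", "urls": [
            {"template": "http://www.google.co.uk/search", "rels": [], "params": []},
        ]},
    ]
}


def upgrade_templates(node):
    """Rewrite every "template" string under node in place; return the count."""
    changed = 0
    if isinstance(node, dict):
        for key, value in node.items():
            if (key == "template" and isinstance(value, str)
                    and value.startswith(OLD_PREFIX)):
                node[key] = NEW_PREFIX + value[len(OLD_PREFIX):]
                changed += 1
            else:
                changed += upgrade_templates(value)
    elif isinstance(node, list):
        for item in node:
            changed += upgrade_templates(item)
    return changed


def patch_search_json(path):
    """Patch the file at path, keeping a .bak copy if anything changed."""
    path = Path(path)
    data = json.loads(path.read_text(encoding="utf-8"))
    changed = upgrade_templates(data)
    if changed:
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        path.write_text(json.dumps(data), encoding="utf-8")
    return changed


def demo():
    """Run the patch against the constructed sample in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "search.json"
        path.write_text(json.dumps(SAMPLE), encoding="utf-8")
        changed = patch_search_json(path)
        backup_exists = (Path(tmp) / "search.json.bak").exists()
        patched = json.loads(path.read_text(encoding="utf-8"))
        templates = [u["template"] for e in patched["engines"] for u in e["urls"]]
    return changed, backup_exists, templates


if __name__ == "__main__":
    print(demo())
```

Close the browser before running it against a real profile, then restart as the comment says.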
http://search.slashdot.org/story/10/05/22/1218242/Google-Offers-Encrypted-Web-Search-Option?art_pos=1
Um, here: http://search.slashdot.org/story/10/05/22/1218242/Google-Offers-Encrypted-Web-Search-Option
That was like, three days ago.
Glad to see Google are living up to their motto
I reject your reality and substitute my own.
This will have an interesting impact on webmasters. If someone clicks through from a secure Google search to your webpage, the referral data is not given. That means that the person who runs the website will not only not see what the search term was they won't even see that it came from a Google search. I'm not sure how that will impact people. But if enough people use secure search, it may cause people to have to do a lot of guesswork about how much traffic they are getting from Google searches.
They didn't have an SSL cert before? Seems more like an oversight being corrected than something newsworthy.
What this means, I believe, is that your web browsing might be immune to man-in-the-middle interception.
Interception by Google (and thus by anyone with the power to compel Google, IE USA, China, etc) will be the same as before. As well, you're still connecting TO Google, so you're still likely to be blocked from the site by the Great Firewall arrangements, even if your search terms themselves might be encrypted.
And not to forget that China has a tame certificate authority...
Slashdot began offering a dupe-free option for Web searchers on Friday (and then repeated the offer on Saturday) ... *facepalm*
How about we just rename the site to Reddit ... I mean, every other story, we already reddit.
So now google, and only google, will be scrutinizing and analyzing my search data.
Yay.
No. Google can and will log all your searches, just like they do now.
Airplane Photos, Airline News, Planespotting Guides
the info. Also you want to search with Javascript turned off. Otherwise every time you click on a search hit, Javascript on the result page tells Google which result you've clicked on, simultaneously with sending you to the target page.
Google will know which sites it returned to a given search user. If the sites that are selected by the user are using Google Analytics, then Google will also know which sites the user's clicked on. Perhaps they will make this information available to site owners via Analytics?
If you create a webmaster account with Google and register your site, Google will tell you how many people they send to you. They'll also give you a lot of other information like where in the list of search results was your website when it was clicked on.
This seems likely, which of course has the very desirable (for Google) effect of locking website owners into Google Analytics. Of course, if you're a website owner who wants to run some other stats package, this is very bad news.
from secure links in general. Of course the whole concept of a referer header is a privacy invasion in its own right--it's not the website's business what you got their url from--but it's a historical relic left over from a less evil age of the web, and people are unaware of it or have gotten used to it.
so why is it that if I go to https://www.google.co.uk/ig it gets redirected to http://www.google.co.uk/ig ?
presumably G will fix this soon? hello Google?
DuckDuckGo has had an encrypted option for some time now. In addition, even on HTTP requests, the search engine itself goes through great lengths to make sure not to log any IP addresses or identifying information (meaning you're still sending Referral headers to requested pages, but the search engine itself has no log at all of what you've searched).
https://www.google.com/search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}sourceid=chrome&ie={inputEncoding}&q=%s
Insert offensive troll-style sig here. Please mod or respond appropriately.
session id #4ddr-tg62-hh89
12:30 https initiated begin session
12:31 "divorce lawyer"
12:34 "divorce lawyer low cost"
12:34 "hitman hire"
12:36 "hitman low cost"
12:37 "assassination do-it-yourself"
12:40 "polonium-210 availability"
12:41 "legal anthrax"
12:41 "ricin suppliers"
12:42 "arsenic wholesale"
12:43 "legal mustard gas"
12:43 "cheap readily available poisons"
12:46 "antifreeze toxicity"
12:49 "brainstorming murder scenarios"
12:52 "how to run hose from exhaust to passenger compartment"
12:55 "wits end"
12:41 "chloroform wholesalers"
12:45 "shovel hacksaw garbage bags"
12:45 interrupt: preemptive googlebot legal log crawler has identified a high criminal behavior correlation index in session id #4ddr-tg62-hh89. log and ip address forwarded to google-inbox@fbi.gov
1:05 "stalling law enforcement"
1:06 "good indoor hiding places"
1:06 "proper handgun usage"
1:26 session timed out
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Wikipedia and TPB have SSL versions available as well:
English Wikipedia: https://secure.wikimedia.org/wikipedia/en/wiki/Main_Page
The Pirate Bay: https://thepiratebay.org/
Still waiting on Slashdot to join the 21st century.
Thank you, Edward Snowden.
"Arguments from authority are worthless." —Carl Sagan
So I did some Googling (nonencrypted so maybe it can't be trusted), and found this page that tells you how to set up the SSL search as the default search in FF, Chrome, and IE. There was no mention of Opera, but then, I never really bothered with Opera so I am sure someone else can figure that one out. Also, apparently the "KB SSL Enforce extension" for Chrome sets up an automatic redirect for google.com to link to https://www.google.com/. I haven't tried this, however, since I don't use Chrome at work.
Have fun guys.
Motorcycles, Robots, Space Gossip and More!
Encrypted should be the default for every web site IMNSHO.
It doesn't work for images after trying a few different ways, i.e.: changing the address to https after an image search, or doing a true https search, to which you don't have the option of choosing "images" as a search type. You *can* search videos, news and blogs with SSL but not images at this time. Wonder why?
Tequila: It's not just for breakfast anymore!
So, to combat this money-grubbing behemoth, we should use insecure HTTP transfers ..to Google searches....which allow those nonprofit engines such as Bing and Yahoo insight on our queries and open up fair competition.
K.
And turning off Javascript will help you how?
The links themselves are google links, regardless of whether JS is on or off, your click goes to something like:
http://www.google.com/url?sa=t&source=web&ct=res&cd=3&ved=0CBoQFjAC&url=http%3A%2F%2Fblah.blah.com%2Fbyu%2Findex.php%3Fp%3D15365%26more%3D1%26c%3D1%26tb%3D1%26pb%3D1&ei=2fn7S4mMEsGBlAem2fTBDw&usg=AFQjCNHWjfNi_UtFFF-vpxP0qcH9eQKvzg&sig2=pjkVdJt9EijRDfi3g7eMsA
And Google captures the bits they want then sends you to the page they showed you in the first place.
Retype the URL from orbit, it's the only way to be sure.
"This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
The summary is quite clear that this story is a dupe. But this = /., so reading a summary is not required nor expected.
while preventing an untrusted hotspot provider from seeing my searches.
All of the above was encrypted with a Quad ROT-13 method. Unauthorized decryption is in violation of the DMCA.
Doesn't it mean that if I search for a medical condition at work my employers can't see it? That has value.
Wake me up when they enable a default option like in Gmail.
-- I was raised on the command line, bitch
How do we actually know that's the case? Have you ever audited their systems? Have you checked every line of their code? Have you ensured that the code you saw was actually the code powering their site?
The client creates the referrer header... it's a privacy invasion in the same way that it would be a privacy invasion to tell you that I have a spoon fetish then complain because you heard me tell you.
Of course, how you process that information can and will be regulated, and it is possible to store/use the information in a way that will violate my privacy. But it's not your fault that you heard it, and I can't blame you if you don't forget it providing you don't choose to write it down.
The original blog posting from google explained that it would take time to roll this out to all services, explicitly mentioning that Image searches were still not supported. At the time video and news were not supported either, though it appears they are now.
You have to be careful to type the https:// and the www or you don't get SSL. I think it should be the opposite: Google should detect if you can handle SSL and use it if you can and not if you can't.
Currently hooked on AMP
https://ssl.scroogle.org/
Absolutely! Let's make it a fair playing field!
I'm more concerned that this is even being touted as something important. You are giving away information every time you search. You are not securing your privacy by searching encrypted, you are just giving Google an edge.
Seriously, how many people do you think are doing man in the middle attacks to find what you are searching for on Google? This is nothing important or major that you are searching encrypted vs. unencrypted.
Not sure if anyone noticed, but the search results from the http and the https site are different. A Google search for "test" yields 822,000,000 results. An https Google search for "test" yields 756,000,000. This is frequently different, regardless of the search term...
I'll stick with whatever yields the most results for the time being...and pump it through an anonymous proxy :P
I fail to see how this provides any search privacy at all. Any network administrator can see the search phrase in the URL: https://www.google.com/search?hl=en&source=hp&q=printer&aq=f&aqi=&aql=&oq=&gs_rfai= And then, you would see the very next URL the user selected ie: http://en.wikipedia.org/wiki/Printer_(computing) Sure, the search RESULTS might be encrypted... but ugh, can't administrators still see what you searched for and ultimately where you went?
Let's make like a bird... and get the flock outta here.
Because then schoolchildren could imagesearch porn without being blocked by filters?
Great tip and much easier to do! Thanks!
An easier solution is to just install the add to search bar plugin. Details on this plugin and how to get the old google layout back can be found on my website here: how to get rid of the new Google sidebar. You may also want to go to about:config and change http:// to https:// under keyword.URL
Get a web developer
A study done a few months ago showed how one can easily deduce searches by looking at the size of the AJAX requests. http://www.schneier.com/blog/archives/2010/03/side-channel_at.html Yes, https should have been available a long time ago, and still isn't available for www.google.com.hk.
Tools -> Options
Basics Tab -> Manage button for default search
Add Button ->
Name: SSLGoogle (or whatever you want)
Keyword: sslGoogle (or whatever you want)
Url: https://www.google.com/search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}sourceid=chrome&ie={inputEncoding}&q=%s
Maybe. If you have administrative control of your desktop.
Otherwise, securing the connection between your desktop and Google won't prevent the employer from finding out everything you do using the computer that they control.
It'd be nice if they could also enable SSL for those of us who use the Google Personalized page (aka iGoogle) at http://www.google.com/ig
I only post comments when someone on the internet is wrong.
will it not only be encrypted from snoopers & sniffers, will it be encrypted from google itself?
Politics is Treachery, Religion is Brainwashing
You needn't sacrifice either security or privacy--you can keep both with a third option (at least for firefox users): http://cs.nyu.edu/trackmenot/
" TrackMeNot, now compatible with Firefox 3.6, is a lightweight browser extension that helps protect web searchers from surveillance and data-profiling by search engines. It does so not by means of concealment or encryption (i.e. covering one's tracks), but instead, paradoxically, by the opposite strategy: noise and obfuscation. With TrackMeNot, actual web searches, lost in a cloud of false leads, are essentially hidden in plain view. User-installed TrackMeNot works with the Firefox Browser and popular search engines (AOL, Yahoo!, Google, and Bing) and requires no 3rd-party servers or services."
Your point is well made. (Not to go off topic, but I use my own laptop for precisely that reason (we had to come to an agreement of course). If that weren't an option, I would load a live Ubuntu CD, do my business, reboot when done.)
DevilsWorkShop.org has some succinct instructions on how to set this as the default search type in the "Big Three" browsers of IE, FF, and Chrome.
http://devilsworkshop.org/how-to-use-google-ssl-search-as-default-search-engine-in-chrome-firefox-and-internet-explorer/
I have no affiliation with them.
Can we get SSL for images.google.com, so I can surf postage-stamp preview porn while at work?
I want to delete my account but Slashdot doesn't allow it.
Use a live CD?
Peter predicted that you would "deliberately forget" creation 2000 years ago...
So yea, our searches are protected from everyone except the people who are already the ones most interested in mining your data.
Great. Google is getting into the security theater game.
I hate printers.
instructions for chrome & firefox:
firefox
chrome
The Admin and the Engineer
Since most people don't know about the referer header, I don't think your analogy is correct. It would be more like if I taped a note on your back that says "I have a spoon fetish". The note is easy for you to find and remove (or alter) if you really want to.. but most people wouldn't even think to look there.
Good. That's the point.
You want to know about the people who visit your site? Ask them to sign a visitor's book. Just because having background information on web visitors makes companies' lives easier doesn't mean that people don't have the right to surf anonymously.
You are welcome on my lawn.
That's bogus. How many people know that their "client" is sending information about them to the sites they visit? How many people know what a "referrer header" even is?
You use the metaphor that information sent via a referrer header is like a conversation overheard. If that's the case, then I have the right to whisper when I talk so you can't "overhear" me.
You are welcome on my lawn.
Seriously, how many people do you think are doing man in the middle attacks to find what you are searching for on Google? This is nothing important or major that you are searching encrypted vs. unencrypted.
Not necessarily "attacks" but a lot of parties could be interested:
- ISP(s) tracking and storing data
- hotspot provider tracking, storing, reselling data
- dictatorship tracking "suspicious" searches by citizens and foreigners
- employer tracking
Just because you are giving the data to Google, doesn't mean you need to give it to everybody else as well. It can be important.
Without SSL, no one needs to do a man-in-the-middle attack to see what you're searching on, they just need to sit at your ISP (or some upstream ISP between you and Google) and watch your traffic go by. I wouldn't be at all surprised to find that some large ISP (and I mean you, Comcast) is doing just that and reselling the data, but not telling anyone.
But really, I doubt that's happening much, the real benefit of SSL is that the website you're visiting no longer gets the referer data so they can't see what search terms led you there. While I'm sure that JoesPharmacy.com finds it very valuable to know that I searched on "herpes+cure" to reach their site, I really don't think it's any of their business. Worse, if I search for "I+think+i+have+breast+cancer" and end up at an insurance company's website, they can use that as a flag to refuse to sell a policy to me.
I don't feel that it's any of Google's business either, but it's their service and letting them see my searches is part of my "payment" to them. And, I can clear my cookies and they won't have any idea who I am, while if I make a purchase at JoesPharmacy.com, they'll know exactly who I am and what search terms I used to get there.
People also abuse this information and they will be screwed as well. I for one like that I have the option to prevent those few that would like to abuse it no data.
Google seems to be a bit picky on supported ciphers. At the moment, they only allow the following:
AES256-SHA, DES-CBC3-SHA, AES128-SHA, RC4-SHA, RC4-MD5
Tested using the online tool.
As far as i figured it out, the test only includes OpenSSL ciphers. So there could still be a few more...
You should look at the page source of a results page sometime. Right now the targets are to https://www.google.com/ with the rest of the URL encoded to tell google where to redirect you to. The HTTP/1.1 200 OK reply sets a cookie and then the HTML has a JS and meta refresh to send you on your way to where you expect to go to. To get the referer to indicate it was from google, all they need to do for most browsers is have the targets still be to http://www.google.com/ instead if the real target is http instead of https. All this incidentally seems kind of pointless to me BTW, since now other parties cannot see your google searches, but they can still see the sites that you do visit from the results.
What I was trying to get at is that "the concept of" the referrer header is not a privacy violation... you are on tenuous thought crime ground if you target the ability to perceive information. A privacy violation occurs only when you store or distribute information in some inappropriate manner.
Consider it an extension of the traditional (and sadly superseded) US principle of wireless that you're allowed to hear any information which appears on the airwaves but you're not necessarily allowed to act freely upon it.
This data provided by Google is trended on a logarithmic scale. It's not an exact number. While it's still useful, it's not as useful as many webmasters want.
Good thing they can video search without being blocked by filters...
Continuing the offtopicness...if you worked at my employer, you wouldn't be able to get on the network with your own laptop -- you'd plug into the network and end up on a guest vlan that gives you access to some printers and an intranet site. You'll end up on a captive portal if you try to get to the internet. Without a password to get to the internet, you won't be searching for anything.
The best way to ensure private searching at work is to have your own 3G data card. Private from your employer that is, not private from whoever supplies you the data card.
I'm a little ignorant in these matters but what does this do exactly? I understand the ssl helps encrypt the packets of data being sent between you and google but say if you're a webmaster / service provider / some guy in between the Ethernet port and the outside world can you intercept the URL? I mean if I go to https://www.google.com and search for "security" the url is https://www.google.com/#hl=en&source=hp&q=security&...
A centralized search provider cannot help but have complete information about searches coming from a given IP. Even if we use a P2P search, the peers we end up using can profile us. To increase privacy, one could generate more searches. It is trivial to write a shell script to wget a bogus google search every minute or so, pick a few words at random out of the result and use them for the next request.
But at least your ISP won't.
Yes, it's sarcasm. Deal with it!
The SSL service only seems to work with https://www.google.com/ attempting https://www.google.co.uk/ or .de .it .com.au etc lands you back at http://www.google.whatever/
There can still be a privacy violation without violating any laws. Look at Facebook -- they are under fire for a number of privacy violations even though they did not (or at least haven't been proven to) violate any laws.
I'm sure that many people would be quite surprised (and would think that it's invading their privacy) if you told them that every time they visit a website by clicking on a link at a search engine, then that site knows exactly what search terms they used to get there. Those same people will probably also be surprised to learn that search engines can track every time you click on a link. And through ad networks and analytics links, they can track you throughout the web.
So please don't dismiss privacy concerns just because they don't violate some outdated "principle of wireless".
This is great! Now only Google know where we are going.
Or replacing or modifying the search results...
"Knowledge is the only instrument of production that is not subject to diminishing returns" -Journal of Political Econom
Too bad the google cached links are not also ssl. That would have been a nice encrypted path into actual content.
In FF, right click on the search textfield and select "Add a Keyword for this search". Then just type this keyword in URLbar followed by the search term. Works with lot of search engines without any plugin.
Incidentally, the referer data will be there if the destination page also uses https.
Hmm, I tried in my SeaMonkey (SM) v2.0.4 but it didn't work. I changed all Google to have https part and restarted SM. What else did I miss?
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
You could disable send referrer (network.http.sendRefererHeader). I use PrefBar extension in Mozilla's SeaMonkey v2.0.4. However, some Web sites hate the no send referrers. :(
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
I am sick and tired of you spoon fetish weirdos taking over every slashdot thread. Please stop. Fork you!
Just tested this, I must say I am appalled, the info shown by Firefox at the bottom of the window said the link went where it said it did, I copied the link location into a text editor and it looked very much like the link above.
How is google fooling FF into thinking the link is different than it is, isn't this info supposed to prevent phishing? If google can fool it, I know the good phishers can.
Example: https://www.google.com/search?hl=en&q=wx+python
Hover over the first link - http://www.wxpython.org/
right click, copy link location - https://www.google.com/url?sa=t&source=web&ct=res&cd=1&ved=0CBwQFjAA&url=http%3A%2F%2Fwww.wxpython.org%2F&ei=YBH8S_a1PJPyM4D5wJIK&usg=AFQjCNFKYcj8ovNYb2HBljtxQ2Nfsbea7Q&sig2=at36UXzrMSDJxN3FbcPZ4A
That seems very... phishy.
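The wrapped result link quoted above, decoded, as an added example that is not part of the original thread. It also models which Referer the destination site would receive, assuming the browser default the thread discusses (no Referer on an https-to-http navigation, and the interstitial page's own URL as Referer on the second hop); function names are hypothetical.

```python
from urllib.parse import urlsplit, parse_qs

# Both URLs are the ones quoted in the comment above.
SEARCH_PAGE = "https://www.google.com/search?hl=en&q=wx+python"
WRAPPED_LINK = (
    "https://www.google.com/url?sa=t&source=web&ct=res&cd=1&ved=0CBwQFjAA"
    "&url=http%3A%2F%2Fwww.wxpython.org%2F&ei=YBH8S_a1PJPyM4D5wJIK"
    "&usg=AFQjCNFKYcj8ovNYb2HBljtxQ2Nfsbea7Q&sig2=at36UXzrMSDJxN3FbcPZ4A"
)


def unwrap_result_link(link):
    """Return the real destination of a www.google.com/url link, or None."""
    parts = urlsplit(link)
    if parts.hostname != "www.google.com" or parts.path != "/url":
        return None  # not a wrapped link
    query = parse_qs(parts.query)  # parse_qs also undoes the %-encoding
    targets = query.get("url")
    if not targets:
        return None
    return {
        "destination": targets[0],
        "redirect_scheme": parts.scheme,
        # Everything else travels to Google with the click; the values are
        # opaque to the user, so only the names are reported.
        "other_params": sorted(k for k in query if k != "url"),
    }


def referer_sent(from_url, to_url):
    """Assumed browser default: drop Referer only on https -> http."""
    return not (urlsplit(from_url).scheme == "https"
                and urlsplit(to_url).scheme == "http")


def referer_at_destination(results_page, link):
    """Referer value the destination site receives, or None if withheld."""
    info = unwrap_result_link(link)
    if info is None:
        # Direct link: the results page URL, search terms included, is the
        # Referer unless the https -> http rule suppresses it.
        return results_page if referer_sent(results_page, link) else None
    # Wrapped link: the destination is reached from the interstitial page,
    # whose URL carries the target but not the q= search terms.
    return link if referer_sent(link, info["destination"]) else None


if __name__ == "__main__":
    print(unwrap_result_link(WRAPPED_LINK))
    print(referer_at_destination(SEARCH_PAGE, WRAPPED_LINK))
```

With the https wrapper and an http destination the site sees no Referer at all; swapping the wrapper to http, as suggested elsewhere in the thread, would show the site a Google URL without the search terms.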
A logical next step would be to set https as the default when in Incognito mode in Chrome, or Private Browsing in Firefox.
The principle is outdated in the same way that the Constitution is outdated: if you don't understand your country, you are condemned to reinvent it poorly.
Everything you said about tracking and people's surprise may be true, but it's nothing in the technology itself which is inherently a violation of privacy: the violation is in the particular processing and storage of data consciously (or occasionally recklessly) performed by various corporations.
You can, if you want, pretend that a social problem is technological and speak against certain forms of technology... this is the road you might want to go down if you are representing the mpaa. Or you could speak against the abuse of technology. Similarly, you can condemn/attach punishment to merely hearing the wrong information ("someone might tell you, but then I'd have to xyz you..."), or you can limit your condemnation to someone who chooses to use information in a particular way. One paves the way for data protection legislation, and the other heralds a police state.
It is appropriate to note that European Union Data Protection law is mostly based on what you can and cannot store, process and disseminate, not what you can and cannot hear.
I would imagine that it's because when you click on an image after doing an image search, it shows you the image in a top frame with actual result page in a bottom frame. Most web browsers will whine about showing mixed content like that (since the top frame will still be secure, but the bottom frame won't), and Google probably hasn't had the time to rejigger the way image search works yet.
They could still make the first page ssl, the one without the frames, which is directly on the www.google.com domain, not a sub-domain. They do the same with news, the results themselves are ssl, but the links on that page are not. There are no technical limitations to doing this, it appears they just haven't gotten around to it.
Tequila: It's not just for breakfast anymore!
How, exactly, do you expect google to improve their results if they don't know which links people are clicking on?
Stop! Dremel time!
It's 1996?
I think it is generally considered acceptable to keep aggregate statistics (ie. 125,435 people clicked on this link) but not so good to keep individual statistics (ip ___.___.___.___ clicked on this link, then that one, then this other one)
And keeping the former does not require keeping the latter. The first example lets you improve your searches based on how many people like different links, the second one lets you track how a specific person uses the internet. One of these things I object to, the other one I'm ok with.
Hi.
Thank you for posting this, I forgot how to log into my bank on Netscape. But it doesn't work. I tried your link to my bank account, and got some weird thing on my screen instead. I even rebooted and defragged and it still doesn't work.
How do I log into my bank on Netscape?
Kid-proof tablet..
Big deal, Google still knows... use a blocker such as https://www.snoopblocker.com/ instead. They don't keep logs and google won't know who you are!
> But at least your ISP won't.
Mine doesn't log any data above the PPP / LCP layer.
Why are you using an ISP you don't trust?
Of course, this doesn't mean that they have to retain the information or store it in a personally identifiable form. I've recently started using DuckDuckGo, which manages to have an even more silly name than Google and a much better privacy policy. It also has a much nicer user interface (especially after Google's recent changes). I haven't done an objective comparison of its search results to Google's, but so far (I've been using it for about three weeks) the only times it hasn't given me a helpful result, Google hasn't either.
I am TheRaven on Soylent News
Of course, this doesn't help if you are doing some processing with the search results. For example, a few sites that I've visited over the last year have done some scripting magic to automatically highlight the words in the text that were search terms. One put a helpful header saying that I probably wanted to be on a different page, based on my search terms. I'm not sure what the correct solution is here. The search engine that I use also uses SSL (and even sends you to the SSL version of Wikipedia by default for quick info), so it also hides this info. In the general case, you don't want it passed to sites, but maybe some kind of X-SEARCH-TERMS header could be added to the HTTP request containing the contents of the search box, for all page views made while there's text in that box.
I am TheRaven on Soylent News
And that's terrible.
Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
It also only works for google.com - or at least, going to https://www.google.co.uk/ redirects you to http://www.google.co.uk/.
It's official. Most of you are morons.
Google will know which sites it returned to a given search user. If the sites that are selected by the user are using Google Analytics, then Google will also know which sites the user's clicked on. Perhaps they will make this information available to site owners via Analytics?
That actually sounds like a potential future antitrust violation.
SWM seeks new sig for a brief fling