Slashdot Mirror


Google Rolls Out Encrypted Web Search Option

KirinMercury writes "Google began offering an encrypted option for Web searchers on Friday and said it planned to roll it out for all of its services eventually. People who want to use the more secure search option can type 'https://www.google.com' into their browser, scrambling the connection so the words and phrases they search on, and the results that Google displays, will be protected from interception." Note that you need the 'www' for it to work. Dropping it redirects you to a non-ssl page. You might have read this on Saturday, but if you missed it, it's still worth knowing.


  1. Change it in the Firefox search box: by Evro · · Score: 5, Informative

    In ~/.mozilla/firefox/(profile id).default/search.json, find this:

    {"template":"http://www.google.com/search","rels":[],"params":[{"name":"q","value":"{searchTerms}"}

    Change it to this:

    {"template":"https://www.google.com/search","rels":[],"params":[{"name":"q","value":"{searchTerms}"}

    Restart browser

    --
    rooooar
    1. Re:Change it in the Firefox search box: by MoonBuggy · · Score: 5, Informative

      You can also edit the "keyword.URL" option in about:config to change the default address bar behaviour.

    2. Re:Change it in the Firefox search box: by surveyork · · Score: 2, Informative

      That works for the location bar. For the search bar you can add a Mycroft search plug-in: http://mycroft.mozdev.org/search-engines.html?name=google+ssl and demote/delete the built-in google search plug-in. I guess this is the non-hacker / lazy-ass method :).

      --
      2019 is going to be the year of Linux on the desktop.
  2. This will have interesting results for webmasters by JoshuaZ · · Score: 5, Interesting

    This will have an interesting impact on webmasters. If someone clicks through from a secure Google search to your webpage, the referral data is not given. That means that the person who runs the website will not only not see what the search term was they won't even see that it came from a Google search. I'm not sure how that will impact people. But if enough people use secure search, it may cause people to have to do a lot of guesswork about how much traffic they are getting from Google searches.

  3. MitM only? by sabt-pestnu · · Score: 3, Interesting

    What this means, I believe, is that your web browsing might be immune to man-in-the-middle interception.

    Interception by Google (and thus by anyone with the power to compel Google, i.e. USA, China, etc) will be the same as before. As well, you're still connecting TO Google, so you're still likely to be blocked from the site by the Great Firewall arrangements, even if your search terms themselves might be encrypted.

    And not to forget that China has a tame certificate authority...

    1. Re:MitM only? by quantumplacet · · Score: 2, Insightful

      It's a bit of a stretch to say Google is "intercepting" the traffic since they are in fact the intended recipient.

    2. Re:MitM only? by Itninja · · Score: 3, Funny

      ...immune to man-in-the-middle interception

      That's adorable

      --
      I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
    3. Re:MitM only? by MoonBuggy · · Score: 4, Insightful

      Yes, but they need to subpoena them, which is a lot more work than automated monitoring.

      More to the point, though, I said the more of the web goes SSL, my point being that something like the great firewall of China would be much harder to implement if most sites are on secure connections, thus only endpoints are known. Dissident news pages could be replicated across 'legitimate' domains, for example. Without live packet inspection it becomes much harder to decide who to block.

      With Google providing security even for relatively non-sensitive data, there is hope of others following suit.

  4. Talking of new services ... by daveime · · Score: 4, Funny

    Slashdot began offering a dupe-free option for Web searchers on Friday (and then repeated the offer on Saturday) ... *facepalm*

    How about we just rename the site to Reddit ... I mean, every other story, we already reddit.

  5. Re:So much for "do no evil" by longacre · · Score: 2, Informative

    No. Google can and will log all your searches, just like they do now.

  6. Re:This will have interesting results for webmaste by TreyGeek · · Score: 5, Informative

    If you create a webmaster account with Google and register your site, Google will tell you how many people they send to you. They'll also give you a lot of other information like where in the list of search results was your website when it was clicked on.

  7. Re:This will have interesting results for webmaste by eln · · Score: 5, Insightful

    This seems likely, which of course has the very desirable (for Google) effect of locking website owners into Google Analytics. Of course, if you're a website owner who wants to run some other stats package, this is very bad news.

  8. Change in Chrome by AriesGeek · · Score: 2

    https://www.google.com/search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}sourceid=chrome&ie={inputEncoding}&q=%s

    --
    Insert offensive troll-style sig here. Please mod or respond appropriately.
  9. 12/14/2010 log #3342 by circletimessquare · · Score: 5, Funny

    session id #4ddr-tg62-hh89

    12:30 https initiated begin session

    12:31 "divorce lawyer"
    12:34 "divorce lawyer low cost"
    12:34 "hitman hire"
    12:36 "hitman low cost"
    12:37 "assassination do-it-yourself"
    12:40 "polonium-210 availability"
    12:41 "legal anthrax"
    12:41 "ricin suppliers"
    12:42 "arsenic wholesale"
    12:43 "legal mustard gas"
    12:43 "cheap readily available poisons"
    12:46 "antifreeze toxicity"
    12:49 "brainstorming murder scenarios"
    12:52 "how to run hose from exhaust to passenger compartment"
    12:55 "wits end"
    12:41 "chloroform wholesalers"
    12:45 "shovel hacksaw garbage bags"

    12:45 interrupt: preemptive googlebot legal log crawler has identified a high criminal behavior correlation index in session id #4ddr-tg62-hh89. log and ip address forwarded to google-inbox@fbi.gov

    1:05 "stalling law enforcement"
    1:06 "good indoor hiding places"
    1:06 "proper handgun usage"

    1:26 session timed out

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  10. SSL Wikipedia & TPB by cffrost · · Score: 5, Informative

    Wikipedia and TPB have SSL versions available as well:

    English Wikipedia: https://secure.wikimedia.org/wikipedia/en/wiki/Main_Page

    The Pirate Bay: https://thepiratebay.org/

    Still waiting on Slashdot to join the 21st century.

    --
    Thank you, Edward Snowden.

    "Arguments from authority are worthless." —Carl Sagan
    1. Re:SSL Wikipedia & TPB by totally+bogus+dude · · Score: 2, Interesting

      /. has supported SSL for a long time. I think it may have been a plum for subscribers when I first subscribed, but it doesn't seem to be listed on the FAQ so maybe not.

      Here's your comment: https://tech.slashdot.org/comments.pl?sid=1664284&cid=32337858

  11. now we need encrypted /. by Darth+Sdlavrot · · Score: 5, Insightful

    Encrypted should be the default for every web site IMNSHO.

    1. Re:now we need encrypted /. by Mad+Merlin · · Score: 2, Interesting

      I agree, but that would require the death of IE6 (and XP), or IPv4. SSL is incompatible with name based virtual hosting unless you add in SNI, which isn't supported by IE6 (or any browser that runs on XP, for that matter).

      Don't get me wrong, I agree entirely and IE6 and IPv4 should be nothing more than a bad memory by this point, but they're not.

    2. Re:now we need encrypted /. by totally+bogus+dude · · Score: 2, Insightful

      It's similar to the theory that people surfing [legit] porn through tor are doing the people who actually need the anonymity a favour: if the only things that are encrypted are things that are sensitive, then it becomes easier to target interesting sites. If everything is encrypted, then you have to decrypt everything in order to find out what bits are interesting. And that's a much harder nut to crack.

  12. Re:This will have interesting results for webmaste by Pharmboy · · Score: 2, Informative

    It doesn't work for images after trying a few different ways, i.e. changing the address to https after an image search, or doing a true https search, to which you don't have the option of choosing "images" as a search type. You *can* search videos, news and blogs with SSL but not images at this time. Wonder why?

    --
    Tequila: It's not just for breakfast anymore!
  13. Re:Now we just need Google itself to stop retainin by natehoy · · Score: 4, Informative

    And turning off Javascript will help you how?

    The links themselves are google links, regardless of whether JS is on or off, your click goes to something like:

    http://www.google.com/url?sa=t&source=web&ct=res&cd=3&ved=0CBoQFjAC&url=http%3A%2F%2Fblah.blah.com%2Fbyu%2Findex.php%3Fp%3D15365%26more%3D1%26c%3D1%26tb%3D1%26pb%3D1&ei=2fn7S4mMEsGBlAem2fTBDw&usg=AFQjCNHWjfNi_UtFFF-vpxP0qcH9eQKvzg&sig2=pjkVdJt9EijRDfi3g7eMsA

    And Google captures the bits they want then sends you to the page they showed you in the first place.

    Retype the URL from orbit, it's the only way to be sure.

    --
    "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
  14. Re:Was this posted before? by Unordained · · Score: 4, Interesting

    I'm actually intrigued by this concept of Slashdot purposefully (assumption: text in current summary implies they did this on purpose) re-posting news to make sure we see it, a form of public-service-announcement. Yes, Slashdot is a news service, but I don't generally see timestamp-based news-services prioritizing/reposting content like this. The main news sources just keep covering the same story over and over again, as if it were evolving by the minute, but that's about it. Interesting.

  15. Default by fulldecent · · Score: 4, Funny

    Wake me up when they enable a default option like in Gmail.

    --

    -- I was raised on the command line, bitch

  16. Re:This will have interesting results for webmaste by FuckingNickName · · Score: 2, Interesting

    The client creates the referrer header... it's a privacy invasion in the same way that it would be a privacy invasion to tell you that I have a spoon fetish then complain because you heard me tell you.

    Of course, how you process that information can and will be regulated, and it is possible to store/use the information in a way that will violate my privacy. But it's not your fault that you heard it, and I can't blame you if you don't forget it providing you don't choose to write it down.

  17. Re:Don't Be Evil by hedwards · · Score: 3, Insightful

    Technically, this just restricts the evil to mostly Google.

  18. I fail to see by thechemic · · Score: 2, Interesting

    I fail to see how this provides any search privacy at all. Any network administrator can see the search phrase in the URL: https://www.google.com/search?hl=en&source=hp&q=printer&aq=f&aqi=&aql=&oq=&gs_rfai= And then, you would see the very next URL the user selected, i.e. http://en.wikipedia.org/wiki/Printer_(computing) Sure, the search RESULTS might be encrypted... but ugh, can't administrators still see what you searched for and ultimately where you went?

    --
    Let's make like a bird... and get the flock outta here.
    1. Re:I fail to see by Anonymous Coward · · Score: 5, Informative

      No, that's not how https works. All a network administrator will see is what host was connected to. After the secure socket is opened, only then is the command sent out over the encrypted stream to "GET someresource".

    2. Re:I fail to see by SharpFang · · Score: 3, Funny

      otherwise the admin would easily see https://login.yourbank.com/?login=you&password=hunter2

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  19. Easier Solution by datapharmer · · Score: 3, Insightful

    An easier solution is to just install the add to search bar plugin. Details on this plugin and how to get the old google layout back can be found on my website here: how to get rid of the new Google sidebar. You may also want to go to about:config and change http:/// to https:/// under keyword.URL

    --
    Get a web developer
  20. Searches are still open to side channel attacks by amiga500 · · Score: 2, Interesting

    A study done a few months ago showed how one can easily deduce searches by looking at the size of the AJAX requests. http://www.schneier.com/blog/archives/2010/03/side-channel_at.html Yes, https should have been available a long time ago, and still isn't available for www.google.com.hk.

  21. For Google Chrome by ClosedEyesSeeing · · Score: 3, Informative

    Tools -> Options
    Basics Tab -> Manage button for default search
    Add Button ->
    Name: SSLGoogle (or whatever you want)
    Keyword: sslGoogle (or whatever you want)
    Url: https://www.google.com/search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}sourceid=chrome&ie={inputEncoding}&q=%s

  22. Simple Chrome and Firefox howtos: by catmistake · · Score: 3, Informative

    instructions for chrome & firefox:

    firefox

    chrome

  23. Re:This will have interesting results for webmaste by hawguy · · Score: 3, Insightful

    Since most people don't know about the referer header, I don't think your analogy is correct. It would be more like if I taped a note on your back that says "I have a spoon fetish". The note is easy for you to find and remove (or alter) if you really want to.. but most people wouldn't even think to look there.

  24. Re:This will have interesting results for webmaste by PopeRatzo · · Score: 2, Insightful

    If someone clicks through from a secure Google search to your webpage, the referral data is not given.

    Good. That's the point.

    You want to know about the people who visit your site? Ask them to sign a visitor's book. Just because having background information on web visitors makes companies' lives easier doesn't mean that people don't have the right to surf anonymously.

    --
    You are welcome on my lawn.
  25. Re:This will have interesting results for webmaste by mzs · · Score: 4, Interesting

    You should look at the page source of a results page sometime. Right now the targets are to https://www.google.com/ with the rest of the URL encoded to tell google where to redirect you to. The HTTP/1.1 200 OK reply sets a cookie and then the HTML has a JS and meta refresh to send you on your way to where you expect to go to. To get the referer to indicate it was from google, all they need to do for most browsers is have the targets still be to http://www.google.com/ instead if the real target is http instead of https. All this incidentally seems kind of pointless to me BTW, since now other parties cannot see your google searches, but they can still see the sites that you do visit from the results.
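The Referer behaviour discussed in this comment and in the earlier "interesting results for webmasters" comment, as an added example that is not part of the original thread: the HTTPS-to-HTTP rule from RFC 2616 section 15.1.3, followed by the kind of referrer classification a stats package performs. Function names, labels and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

def referer_sent(from_url: str, to_url: str):
    """Referer header a browser attaches when a link on from_url is followed.

    RFC 2616 section 15.1.3: a page fetched over a secure protocol should not
    be named in the Referer of a non-secure request.
    """
    src, dst = urlsplit(from_url), urlsplit(to_url)
    if src.scheme == "https" and dst.scheme != "https":
        return None
    return from_url

def classify_hit(referer):
    """Label one access-log hit the way a stats package would (labels are hypothetical)."""
    if not referer:
        return ("direct/unknown", None)
    ref = urlsplit(referer)
    host = ref.hostname or ""
    if host == "google.com" or host.endswith(".google.com"):
        # The search terms are only recoverable if the referring URL carries q=
        return ("google", parse_qs(ref.query).get("q", [None])[0])
    return ("other", None)

def label_clicks(clicks):
    """Run (from_url, to_url) pairs through both steps."""
    return [classify_hit(referer_sent(src, dst)) for src, dst in clicks]

# Constructed sample clicks landing on a hypothetical site, example.org
SAMPLE_CLICKS = [
    # plain HTTP search: source and terms both visible to the webmaster
    ("http://www.google.com/search?q=printer", "http://example.org/"),
    # encrypted search to an HTTP site: no Referer at all
    ("https://www.google.com/search?q=printer", "http://example.org/"),
    # encrypted search to an HTTPS site: Referer is still sent
    ("https://www.google.com/search?q=printer", "https://example.org/"),
    # bounce through an http://www.google.com/ redirect URL, as the comment
    # suggests: the hit is attributed to Google, but carries no search terms
    ("http://www.google.com/url?sa=t&url=http%3A%2F%2Fexample.org%2F", "http://example.org/"),
]

if __name__ == "__main__":
    for click, label in zip(SAMPLE_CLICKS, label_clicks(SAMPLE_CLICKS)):
        print(click[0], "->", label)
```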

  26. Re:So much for "do no evil" by melikamp · · Score: 2, Insightful

    A centralized search provider cannot help but have complete information about searches coming from a given IP. Even if we use a P2P search, the peers we end up using can profile us. To increase privacy, one could generate more searches. It is trivial to write a shell script to wget a bogus google search every minute or so, pick a few words at random out of the result and use them for the next request.

  27. Re:So much for "do no evil" by Dumnezeu · · Score: 3, Informative

    But at least your ISP won't.

    --
    Yes, it's sarcasm. Deal with it!
  28. Re:Mod Parent up! Easier method by Anonymous Coward · · Score: 5, Funny

    What real people see in these instructions:

    1. Go to address bar.
    2. Type about:config.
    3. Type "keyword.URL" in the search bar.
    4. Double-click.
    5. Edit result.
    6. Click OK.

    What apparently "real" geeks see in these instructions:

    1. Pry your hands away from keyboard. Use chisel to remove Cheeto dust encrusting fingers there if need be.
    2. Locate mouse.
    3. Mutter profanities to poster for suggesting this primitive means of interface (this step is important, as later steps depend on it).
    4. Increase volume of profanities as you are forced to wrench your eyes away from the relaxing phosphor glow of monitor to locate mouse.
    5. Increase volume of profanities as you wait for eyes to adjust to the otherwise pitch-black room to locate mouse.
    6. Increase volume of profanities as you look for the mouse cable coming out of the computer to find mouse.
    7. Increase volume of profanities as you remember you have a wireless mouse.
    8. Go back to keyboard and type up scathing dissertation against the clearly inferior intelligence that suggested this.
    9. Realize you have now returned to step 1. Repeat from there, remembering to skip over step 8 this time.
    10. Give up on finding mouse and, grumbling, go to Fry's Electronics to find a new mouse (NOTE: if there is no Fry's nearby, you are clearly not a "real" geek, and most likely do not even exist, as the modern world ceases to exist outside the range of Fry's).
    11. Return home. Allow eyes to readjust to pitch blackness after being out in the big blue-ceiling room.
    12. Install new mouse.
    13. Reinstall new mouse.
    14. Update operating system. Mouse might work this time. Whoever heard of this new technology, anyway? "USB"? Why couldn't you find any serial port mice? Those are way more l33t.
    15. Train hand-eye coordination enough to use mouse. Try not to reflexively touch keyboard, else you will be back at step 1.
    16. Go to address bar.
    17. Increase volume of profanities.
    18. Stubbornly type "about:config".
    19. Stare at new interface.
    20. Back to Fry's to find a book on how modern interfaces work. You never had to deal with all this confusing nonsense with a keyboard, dadgummit!
    21. Type "keyword.URL" into search bar.
    22. Realize you are just bashing your precious keyboard at this point due to soaring blood pressure due to anger at having to use a mouse.
    23. Wait a few hours to calm down. Don't touch keyboard in that time.
    24. Type "keyword.URL" into search bar.
    25. Double-click.
    26. Edit result.
    27. Click OK.
    28. Make muttering comments to yourself, passively-aggressively asking if the person who suggested this is happy now.
    29. Go to IRC and detail this harrowing experience to your l33t friends.

    See? That's WAY more steps than locating and editing a config file!

  29. Incognito? by djdanlib · · Score: 2, Interesting

    A logical next step would be to set https as the default when in Incognito mode in Chrome, or Private Browsing in Firefox.

  30. Re:Mod Parent up! Easier method by ikegami · · Score: 2, Informative

    Actually, I hear Ctrl-L, "about:config", Enter, "keyword.URL", Tab, Tab, Enter, edit result, Enter.

  31. Re:This will have interesting results for webmaste by barzok · · Score: 3, Insightful

    Ask them to sign a visitor's book

    It's 1996?

  32. Not just www required by Tim+C · · Score: 2, Informative

    It also only works for google.com - or at least, going to https://www.google.co.uk/ redirects you to http://www.google.co.uk./