GoogleSharing, Now With No Trust Required

An anonymous reader writes "GoogleSharing, the popular Google anonymizing service created by well known privacy advocate and security researcher Moxie Marlinspike, has released a major new version today. The biggest change is leveraging Google's SSL search option to provide an anonymizing service which doesn't require you to trust either Google or GoogleSharing. This means that anyone who wishes to opt out of Google's data collection practices can now do so without having to trust the operator of the anonymizing service."

Suddenly, it doesn't feel like '1984' anymore!

[PatPending]

A great day for liberty!

Re:Suddenly, it doesn't feel like '1984' anymore!

[shoehornjob]

A great day for liberty!

That is of course until someone in washington decides it's a security risk because terrorists could use it to plan their attacks. You know that will happen.

Re:Suddenly, it doesn't feel like '1984' anymore!

[spazdor]

The worst part is, they're right. As it turns out, the exact same kinds of privacy we want for the right reasons, the bad guys want for the wrong reasons.

Re:Suddenly, it doesn't feel like '1984' anymore!

[h4rr4r]

I would think the same privacy they want for the right reasons you want for the right reasons. To be able to have privacy.

Re:Suddenly, it doesn't feel like '1984' anymore!

[Afforess]

Now Google knows that people using the GoogleSharing Proxy are paranoid. Great, more information for the archives!

Re:Suddenly, it doesn't feel like '1984' anymore!

[Chaonici]

They also have no idea who those people are, so that information in their archives is worthless.

I'm probably earning a "whoosh" here, tho.

Re:Suddenly, it doesn't feel like '1984' anymore!

[Afforess]

Oh come on, it can't be that hard to match up spelling and search habits up with people, given enough data. In Google's case, they have lots. Lots and lots. Even if you use the proxy, you're going to visit an external machine sometime, at which case Google will have 2 key points of comparison, and Bam.

Re:Suddenly, it doesn't feel like '1984' anymore!

[Cylix]

Grammar and spelling as a virtual fingerprint...

I don't believe anything could go wrong at all.

In any event, I am afraid it is time to unveil your true identity using the grammar and spelling footprint technique. I say to you Mr. Abraham Lincoln... how does it feel to be unmasked by your own musings!

Re:Suddenly, it doesn't feel like '1984' anymore!

[shoehornjob]

The worst part is, they're right. As it turns out, the exact same kinds of privacy we want for the right reasons, the bad guys want for the wrong reasons.

So we as a nation have to decide what freedoms we are willing to sacrifice for our safety. We are having a hard time walking that line between freedom and oppression and I expect it will take a long time before things get back to normal. I'm happy that my daughter is too young to understand what's going on in the world. I guess ignorance is bliss but once you become aware of reality it's hard to go back to ignorance again.

Re:Suddenly, it doesn't feel like '1984' anymore!

[insufflate10mg]

I don't believe any of that. If I don't make spelling errors (type carefully) they cannot determine that. They also cannot determine identities via search info, too many combinations that too many people would share.

Re:Suddenly, it doesn't feel like '1984' anymore!

[dynamo]

We already decided as a nation, over 200 years ago. I'm not having a hard time walking the line between freedom and oppression, nor is anyone else who is not in a position to lose power if freedom wins. Ben Franklin was right.

Re:Suddenly, it doesn't feel like '1984' anymore!

[MyFirstNameIsPaul]

Oh, please. Just go wardriving with a vanilla install of ubuntu using a laptop you picked up on craigslist and a wifi card you found in a trash can and you're safe. As usual, these kinds of government activities only infringe on the innocent and do nothing to inhibit the criminals.

Re:Suddenly, it doesn't feel like '1984' anymore!

[AHuxley]

Yes its all about the plain text and your use of unique data eg a name on yahoo, facebook, MSN, an email ect.
That will all get noted and linked back to a friend of a friend of a friend who has been flagged as a person of interest.
http://webcache.googleusercontent.com/search?q=cache:5jex52BhXYEJ:wikileaks.org/wiki/EU_social_network_spy_system_brief,_INDECT_Work_Package_4,_2009+INDECT+Work+Package+4&cd=1&hl=en&ct=clnk as
http://wikileaks.org/wiki/EU_social_network_spy_system_brief,_INDECT_Work_Package_4,_2009 seems to be down. The NSA/GCHQ ect dont care where/how the text comes from, public/private/mirrored ect, just keep it in flowing in a usable form. Add in voice chat too :)

Re:Suddenly, it doesn't feel like '1984' anymore!

[epp_b]

It's called "acceptable risk".

Re:Suddenly, it doesn't feel like '1984' anymore!

[spazdor]

We already decided as a nation, over 200 years ago.
No we didn't.

http://books.google.ca/books?id=lmXIMZiU8yQC&pg=PA155&lpg=PA155&dq=latent+ambiguities+lessig&source=bl&ots=wR-XRpD40t&sig=uFZTqE_jsB4FiJ5EKJclyZuaNto&hl=en&ei=AoOqTMnfDYuosQPu2p3aAw&sa=X&oi=book_result&ct=result&resnum=1&ved=0CBQQ6AEwAA#v=onepage&q=latent%20ambiguities%20lessig&f=false

Re:Suddenly, it doesn't feel like '1984' anymore!

[spazdor]

I agree wholeheartedly.

Re:Suddenly, it doesn't feel like '1984' anymore!

[digitalchinky]

My understanding, other than encrypting the search terms, nothing much else has changed - sure this prevents GoogleSharing from knowing what kind of porn I like (not that I care), but as the article says, they still get the IP addresses. What does this mean for the truly paranoid? GoogleSharing and Google could easily exchange a bit of motivational cash, maybe the NSA has a box jammed on the incoming side of GoogleSharing to siphon off the IP addresses, with another in Google itself to get the actual search terms. What is Moxie Marlinspike getting from all this? Warm fuzzy feelings don't keep the lights on and food on the table.

Re:Suddenly, it doesn't feel like '1984' anymore!

[geminidomino]

Oh gods... as one of the three people on the internet that knows the difference between "lose" and "loose," they'll have no problem tracking me down!!!

Re:Suddenly, it doesn't feel like '1984' anymore!

[toastar]

Ah the ever quotable Ben Franklin, While I agree with your sentiment other people have other views:

"The constitution is not a suicide pact"
Robert H. Jackson
-Supreme court justice

Re:Suddenly, it doesn't feel like '1984' anymore!

the bad guys want for the wrong reasons.

Incidentally, does this mean it is safe to browse for child porn again?

I am only asking because I'm...er...writing a research paper on the continuing menace of child porn.

Re:Suddenly, it doesn't feel like '1984' anymore!

[schlameel]

Theirs some truth in they're. There going to find you.

Re:Suddenly, it doesn't feel like '1984' anymore!

Well, that explains why google hasn't been helpful; it doesn't get it that lots of girls are chasing me. I really don't need any more. "lose women how-to" is giving better results. Thanks!

Re:Suddenly, it doesn't feel like '1984' anymore!

To be able to have piracy.

FTFY

Re:Suddenly, it doesn't feel like '1984' anymore!

[crhylove]

Ben Franklin was right about a LOT of things, like Electricity. As was Thomas Jefferson about a great many things. They don't teach these fundamentals in schools now because corporations have decided it is against their better interest.

All this IP law is totally disgusting. That's another thing Ben Franklin was right about.

Re:Suddenly, it doesn't feel like '1984' anymore!

"The constitution is not a suicide pact"
Robert H. Jackson
-Supreme court justice

"Sticking feathers up your butt does not make you a chicken."
-Tyler Durden, American Folk Hero

Re:Suddenly, it doesn't feel like '1984' anymore!

[definate]

Come on, don't loose your temper over this, you just need to lose your pants a little and relax. Everybody knows the difference between lose and loose, it's really obvious. One has 2 o's in it, but they both mean the same thing... really.

Re:Suddenly, it doesn't feel like '1984' anymore!

[KlaymenDK]

I'm happy that my daughter is too young to understand what's going on in the world. I guess ignorance is bliss but once you become aware of reality it's hard to go back to ignorance again.

Ignorance is bliss, regardless of age.
Just last year I explained all this Internet privacy concern to my father. I don't think he liked what he learned. Sometimes I really do wish I were just another one of the happy-go-lucky sheeple, because, given the state of the world, "being aware" is just so damn depressing.

There's this choice ... "if you had to choose, would you rather be smart or happy?" After having given that some thought, I'm convinced smarts has a negative impact on happiness. :-(

Re:Suddenly, it doesn't feel like '1984' anymore!

[hairyfish]

That doesn't make sense. How do you have 'search habits'? I personally search for different things everytime I use Google. Once I know where something useful is, ie something worth habitually reading, I know where it is and therefore no longer have to search for it.

Re:Suddenly, it doesn't feel like '1984' anymore!

[sirlark]

Terrorists use pen and paper to plan their attacks!!!!! Ban writing!!!

Re:Suddenly, it doesn't feel like '1984' anymore!

[delinear]

It seems a lot of people use Google as a portal to their favourite sites. So if they are interested in buying some new shoes, or a holiday, they will return to Google each time and type in their query and then visit the preferred sites each time rather than, as you or I might, doing this once and thereafter visiting the sites direct/bookmarking said sites. I guess this is along the lines of what they mean. For instance, imagine some guy likes to slack off and browse for cheap DVDs on friday afternoons at work - if they can identify a regular pattern, and even perhaps tie it back to his GMail account, they can sell this info to a company who then fires off an email about their massive DVD sale at friday lunch time and can be almost certain he'll hit their site up first.

Re:Suddenly, it doesn't feel like '1984' anymore!

[19061969]

Quoth: "but they both mean the same thing... really."

No they do'nt!!!! And your a looser if you beleive that.

Heh, I always do'nt not feel better after Ive' losed of some energy.. As if I could care less. ;-)

Re:Suddenly, it doesn't feel like '1984' anymore!

[definate]

The'y do mean the same thing! Look it up! It's in the dictionary! And all!

Their are many comon uses' of the word loose, the most comon is the same as lose. Identical! Word' for... word!

Re:Suddenly, it doesn't feel like '1984' anymore!

[Raenex]

"if you had to choose, would you rather be smart or happy?" After having given that some thought, I'm convinced smarts has a negative impact on happiness. :-(

Lisa Simpson on Happiness vs Intelligence

Re:Suddenly, it doesn't feel like '1984' anymore!

[Xemu]

Oh gods... as one of the three people on the internet that knows the difference between "lose" and "loose," they'll have no problem tracking me down!!!

Don't worry. Neither I or the other person works for a TLA.

Re:Suddenly, it doesn't feel like '1984' anymore!

[John+Hasler]

"Bam" what?

Re:Suddenly, it doesn't feel like '1984' anymore!

[John+Hasler]

> I don't believe anything could go wrong at all.

Advertisiers, who are the only ones Google cares about, can tolerate quite a bit of inaccuracy in their targeting. All that they are going to do with "fingerprinting" is cluster searches together as probably having come from the same person. Being wrong 10% of the time is no great loss to them. To me "targeted" ads are of no consequence at all as I see no ads anyway

Re:Suddenly, it doesn't feel like '1984' anymore!

[19061969]

Hey! im an will-edukated gye so I knows wat the truthy is. do'nt u go teling me nuffing i dunno ab-out.

Re:Suddenly, it doesn't feel like '1984' anymore!

[definate]

I see you good Sir, went to Harvard. I'm more of a Brown man myself. I say good day to you!

Re:Suddenly, it doesn't feel like '1984' anymore!

What's wrong with that? I like saying "Arrh!" and buckling swashes and such.

Re:Suddenly, it doesn't feel like '1984' anymore!

[White+Shade]

The problem there is that if there was ubiquitous monitoring of internet and email, how would you get in touch with the person on craigslist to arrange the purchase?

(somewhat pedantic paranoia, but it is a somewhat legit question!)

Re:Suddenly, it doesn't feel like '1984' anymore!

"Bam" what?

Bam-Bam, of course.

Oh, and Pebbles.

Re:Suddenly, it doesn't feel like '1984' anymore!

your right!

Re:Suddenly, it doesn't feel like '1984' anymore!

[shoehornjob]

So what you're saying is do you take the red pill or the blue one (obligatory Matrix reference).

Re:Suddenly, it doesn't feel like '1984' anymore!

[KlaymenDK]

I guess what I'm saying is, one should probably take the forget-it-coloured pill *unless* one has the stamina to go and change all that's wrong in the world. Otherwise, misery.

Re:Suddenly, it doesn't feel like '1984' anymore!

[mcneely.mike]

The word 'gullible' isn't in the dictionary, though...

There is still man-in-the-middle attack

[microbee]

Isn't there?

Re:There is still man-in-the-middle attack

The content is SSL protected, so not unless the GoogleSharing proxy operator has an SSL exploit.

Re:There is still man-in-the-middle attack

[microbee]

Unless GoogleSharing is playing the attack.

Re:There is still man-in-the-middle attack

The content is SSL protected all the way to Google, GoogleSharing would have to break SSL's security in order to intercept that traffic.

Re:There is still man-in-the-middle attack

[Minwee]

Don't worry, I'm sure that I can trust goggleshar1ng.com. They have an SSL certificate and a little banner on the site which says they are 100% hacker-free.

Re:There is still man-in-the-middle attack

[microbee]

If the traffic goes through GoogleSharing, then it is the man in middle who can obtain knowledge of the session keys easily, and therefore can see all traffic.

Re:There is still man-in-the-middle attack

[cheekyjohnson]

Such insolence! That "little banner" is the very thing that makes them hacker-proof!

Re:There is still man-in-the-middle attack

[Sir_Lewk]

You don't know how SSL works do you?

Actually, I'm not really sure why I phrased that as a question. You don't. To get started, look up public key cryptography.

Re:There is still man-in-the-middle attack

I don't trust crypto that depends on mathematics not advancing.

Re:There is still man-in-the-middle attack

[microbee]

This is really laughable.

I suggest you understand what is man-in-the-middle-attack first.

Re:There is still man-in-the-middle attack

[pitchpipe]

FTFA:

The result is that Google knows what is being searched for, but doesn't know where the requests are coming from. The GoogleSharing proxy can tell where requests are coming from, but can't tell what the content of the requests is.

It's like Heisenberg's Uncertainty Principle for the internet!

Re:There is still man-in-the-middle attack

[Sir_Lewk]

What do you think the entire purpose of SSL is? Educate yourself:

The Diffie-Hellman key exchange method allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure communications channel.

You can't man-in-the-middle shit if you can't break RSA, or don't have google's private key. Read up on this shit before you make yourself look even more of a fool. Ignorance is forgiveable but actively avoiding the truth is not.

Re:There is still man-in-the-middle attack

[Sir_Lewk]

It is sure as hell better than the alternative, which is nothing. The only provably secure crypto are OTPs, and that won't get you a secure key exchange on an insecure network.

All other ciphers are liable to fall to future discoveries.

Re:There is still man-in-the-middle attack

I don't understand the mindset that so many people have that we should throw out the only provably secure crypto because of key exchange difficulty. Come on! It's something to think about and work on. No reason to give up.

Re:There is still man-in-the-middle attack

[Sir_Lewk]

It's not just because key exchange is difficult... secure key exchange with a OTP is impossible unless both parties already have the same pad.

But hey, lets consider that it's possible to exchange a 256bit AES key provably securely with a OTP with somebody you don't have prior arrangements with. What are you going to do next, use AES? All your provable security is for naught if you do that!

Do you know what size OTP you need to transmit a 1 MB OTP? 1 MB.

Due to the very well established and mathematically defined limitations of OTPs, there are only a handful of real world scenarios where they are useful. If you need a high security and low bandwidth connection with somebody, know ahead of time how much data you'll reasonably have to push through, and know for a fact that you can safety exchange keys (won't need the security until later), then a OTP can work.

Basically, any situation that you ever hear about OTPs being used historically (cold war spy shit), is realistically pretty much the only sort of situation where it will ever make any sense.

Re:There is still man-in-the-middle attack

[Dumnezeu]

The man-in-the-middle is there, but he can't do anything, because of the way SSL works. There is not man-in-the-middle attack. Very good question though!

Re:There is still man-in-the-middle attack

why don't you read up on how a proxy works? GoogleSharing can read the persons query. If they can change the cookies, there is no reason they can't also see the query or in fact, change the search results before sending them back (add some of their own ads!). I'm not suggesting they are doing this, but you still have to trust GoogleSharing.

Re:There is still man-in-the-middle attack

[Sir_Lewk]

Why don't you read up on how SSL works? Or hell, just read up on what it's even meant for. The only reason it is used is because people assume other people are going to try exactly as you suggest. It is all about establishing secure connections over insecure ones. The assumption that there is somebody between you and the party you're talking about is implicit.

Googlesharing can't read your traffic because it's encrypted. You can confirm that it's encrypted, and encrypted by and only by google, by checking the certificates yourself. It's really not rocket-science.

In the first version you did have to trust googlesharing. In this version, thanks to added SSL support, you don't have to. It's right there in the fucking summary if you could bother to read the damn thing.

Re:There is still man-in-the-middle attack

You've already been told to look up what SSL means. Stop posting gibberish until you've done that.

Re:There is still man-in-the-middle attack

[IpalindromeI]

Here's the quick rundown:

You contact Google's server through the proxy, and the server sends you Google's public key. This key isn't secret, so it doesn't matter if the proxy gets it, too.

Now you use their public key to encrypt a message telling them the symmetric encryption key you want to use for the rest of the communication. Only Google can decrypt that message, so only you and Google will know the key to use to decrypt the rest of your communications.

A man in the middle attack is only possible if GoogleSharing can either break or guess Google's private key, or the symmetric key you agreed to use after the handshake. Both are very hard to do. So don't worry about it.

Really?

[toastar]

You want me to trust a corporation like google? If I wanted to search truly Anonymously I'd use Tor First

Re:Really?

You're fucking retarded.

Re:Really?

No!

(Is teh jokes? It's teh mans writings tis parent teh best? Is teh articulative ability gonse?)

Re:No, not Really?

[snowraver1]

Let me refer you to the second sentence of the summary:

"The biggest change is leveraging Google's SSL search option to provide an anonymizing service which doesn't require you to trust either Google or GoogleSharing."

Kids today...

Why not just not have a Google account?

[John+Hasler]

Google search and news work fine without one.

Re:Why not just not have a Google account?

[spazdor]

Don't think that just because you haven't got an account, they haven't got an "account" on you.

Re:Why not just not have a Google account?

[Chaonici]

I imagine you're still tracked by your IP address, by cookies, and/or any other methods I don't know about.

Re:Why not just not have a Google account?

They still track you by cookie and IP address.

Re:Why not just not have a Google account?

[John+Hasler]

> I imagine you're still tracked by your IP address...

Dynamic. They might be able to tie clusters of my searches together that way. So what?

> ...by cookies...

No cookies, no scripts.

> ...and/or any other methods I don't know about.

Which would be just as likely to work through this thing. Browser fingerprinting would be one such. It would let them tie all of my searches together. So what?

Re:Why not just not have a Google account?

[John+Hasler]

That would be a silly waste of their resources.

Re:Why not just not have a Google account?

Uh, no.

Even assuming they do near the minimum retention they could(they do more), they'd at least have your current "session" info flagged to your IP/cookie/whatever else they track with nowdays.

The only real questions are how long a session lasts, when they throw out that info(if ever), and how prone they are to "combine" that auto generated account to a single user's account.(User made or another automatic one)

Re:Why not just not have a Google account?

[spazdor]

You do know what Google's business model is, right?

Re:Why not just not have a Google account?

[spazdor]

I'm certain there are statistical techniques that can be used to tie separate unique, "unrelated" sessions back together when they come from the same user. Some websites expose their account usernames to Google, which can provide near-sure matches.

Certain users habitually use Google to get to their favourite sites because it's literally quicker than typing a URL, and many of those probably use the same abbreviations for those sites each time. My ex-girlfriend used to get to Facebook by typing "face" into Google and clicking "I'm feeling lucky." I bet combining 4 or 5 separate browsing idiosyncrasies like that is enough to uniquely identify many users.

Re:Why not just not have a Google account?

[Dumnezeu]

What about cookies and IP address?

Re:Why not just not have a Google account?

[John+Hasler]

Google is an advertising agency. I see no ads.

Dosnt Support Google Chrome

I do all my browsing in Google Chrome and don't want Google to know about me when I use my Gmail, Google Voice, Google Transit, Google Maps, or just plain Google. The fact that it's only supported in firefox doesn't help out people like me.

Re:Dosnt Support Google Chrome

[Chaonici]

> and don't want Google to know about me when I use my Gmail, Google Voice, Google Transit, Google Maps, or just plain Google
If it requires you to be logged in (such as Gmail), GoogleSharing doesn't help you. This is intended for Google services that can track you without an account, such as search.

Re:Dosnt Support Google Chrome

Is this sarcasm? By virtue of using personalized login-required services like Gmail and Voice, you cannot hide information about you.

Chrome users can install these two Google extensions for further privacy:

• Google Analytics Opt-out Add-on (by Google)
• Google SSL Web Search beta (by Google)

Disclaimer: These two extensions rely on you trusting Google. Neither of them achieve what TFA intends to do.

Re:Dosnt Support Google Chrome

Also, unrelated but worth a mention anyway:

Secbrowsing - plugin version checker (by a Google employee. Read the SecBrowsing blog for Chrome security news).

Re:Dosnt Support Google Chrome

[minus9]

This was modded funny, it should have been "insightful".

If you really hold such distrust for google that you need to jump through all these hoops perhaps you should use the services of another company instead.

Other search engines are available.

Re:Dosnt Support Google Chrome

Exactly
 
This has been a frustrating thread.... basically - how do I freeload on this company's search facility, without giving them any analytics to show the targeted ads their business model relies on?
 
Use something else already.

Re:Dosnt Support Google Chrome

[John+Hasler]

> Other search engines are available.

Bing?

Re:No, not Really?

[shoehornjob]

Somebody mod this guy up. I need more points.

Is it really secure?

[digitit]

Why exactly is this being evanglized? Does nobody notice that you're installing a Firefox extension? A Firefox extension? From AMO? Which had at least two viruses just in the last year?

Re:Is it really secure?

It's open source, previous versions have been available for review for almost six months now, and is driven by Moxie and the Institute For Disruptive Studies, who are reputable people in the security industry.

Not a Rhetorical Question

[Colonel+Korn]

How is this different from the SSL version of Scroogle search, which has been around for at least a year?

https://addons.mozilla.org/en-US/firefox/addon/12506/

Honestly, I'm too lazy to read TFA tonight, but if there's a benefit to GoogleSharing, what is it?

Re:Not a Rhetorical Question

[Chaonici]

From GoogleSharing's FAQ:

Why not use Anonymizer or any other anonymizing proxy service?

General purpose anonymizing proxies are designed for something else.

      1. Most will mask your IP address, but not the identifying information in your HTTP headers. Google will still know who you are based on your Cookies, User Agent, etc...
      2. If the proxy does attempt to anonymize HTTP headers, they will do it by completely stripping cookies from your request. Google does not like this, and will tag you as a SPAM bot (how convient for them to do), which will force you to type in a CAPTCHA every time you issue a Google search, and will prevent you from issuing Maps requests at all.
      3. These types of proxies can be slow. It's not necessary to proxy all of your internet traffic if you're just trying to protect yourself from Google. Since GoogleSharing only proxies Google traffic, our bandwidth needs are much lower and thus our performance is much greater.

Re:Not a Rhetorical Question

GoogleSharing is completely transparent and doesn't require you to change your workflow at all. Also, Scroogle doesn't work for things like maps, images, products, groups, etc... but most importantly, Scroogle can see your search traffic while GoogleSharing can not.

Re:Not a Rhetorical Question

[icebraining]

To refine this post's sibling, Scroogle sets an SSL between you and them, not you and Google, like GoogleSharing does (GS just anonymizes the encrypted connection).

Re:Not a Rhetorical Question

[Colonel+Korn]

From GoogleSharing's FAQ:

Why not use Anonymizer or any other anonymizing proxy service?

General purpose anonymizing proxies are designed for something else.

      1. Most will mask your IP address, but not the identifying information in your HTTP headers. Google will still know who you are based on your Cookies, User Agent, etc...

      2. If the proxy does attempt to anonymize HTTP headers, they will do it by completely stripping cookies from your request. Google does not like this, and will tag you as a SPAM bot (how convient for them to do), which will force you to type in a CAPTCHA every time you issue a Google search, and will prevent you from issuing Maps requests at all.

      3. These types of proxies can be slow. It's not necessary to proxy all of your internet traffic if you're just trying to protect yourself from Google. Since GoogleSharing only proxies Google traffic, our bandwidth needs are much lower and thus our performance is much greater.

For reference, Scroogle strips the headers, addressing GS's point #1, and then generates dummy cookies that prevent point #2 from being a problem. There's no noticeable difference in speed between direct Google and use of Scroogle, which like GS doesn't proxy non-Google traffic, and has a for efficient default search result screen than Google itself.

The other responses to my reasonable question (which got modded troll because...well I have no idea) actually pointed out meaningful differences, though. Scroogle lacks image and map searching, for instance, and could feasibly spy on your traffic before they delete their logs in 48 hours.

Re:Not a Rhetorical Question

[Burz]

Numbers 1 and 2 are lies. Tor insists you should use the Torbutton add-on for Firefox in order to address these problems. Cookies from Tor-mode and non-Tor-mode are segregated from each other. So cookies work fine while using Google anonymously - I just tested it and there were no CAPTCHAs.

Hyped/exaggerated summary

Popular anonymizing service. Well-known privacy advocate. Please. That's enough to make me distrust your extension more than I already distrust Google.

Re:Hyped/exaggerated summary

[icebraining]

Download extension. Unzip it. Read the code.

Who exactly do you need to trust?

Re:Hyped/exaggerated summary

[SnowZero]

Who exactly do you need to trust?

Ken Thompson? Reflections on trusting trust.

Re:Hyped/exaggerated summary

Your compiler!

Fail

Just downloaded it and tried it.. It said that the proxy was not accepting requests. Wait a little while before you go for this.

Re:No, not Really?

[TheDarkNose]

The funniest thing about the second part of your comment is that your ID has more digits. HA HA HA!!! Well... not really.

Re:No, not Really?

[interkin3tic]

Let me refer you to the second sentence of the summary:

Look old man, if it was important, it would be in the FIRST sentence because that's how we kids do it these days even if it means run on sentences and now I'll get off of your lawn.

Re:No, not Really?

[dakameleon]

Bro, more than 140 characters? Gimmie a minute, I need to check like three other services.

Re:No, not Really?

[vux984]

Let me refer you to the second sentence of the summary:

"The biggest change is leveraging Google's SSL search option to provide an anonymizing service which doesn't require you to trust either Google or GoogleSharing."

Wow.

You are right. That says I don't have trust google or googlesharing. ... assuming I trust the entity that makes that claim.

Oh. The entity making the claim that I don't need to trust GoogleSharing is GoogleSharing. Neat.

So if I don't trust googlesharing, why would my distrust be satisfied by the fact that they claim I don't need to trust them? That makes about as much sense as a fly asking the spider if he can take a nap on the web... the spider said he wasn't hungry... I guess there's nothing to worry about. :facepalm

Now, if you had instead referred me to the googlesharing FAQ:

http://googlesharing.net/faq.html#faq6

"If you're still worried, remember that the GoogleSharing addon and proxy code is publicly available. So it's possible for you to run a GoogleSharing proxy yourself, or to find someone who you do trust."

That's at least a step in the right direction. I can inspect and run the software on a server I do trust.*

And if I use the GoogleSharing servers, than I do still need to trust GoogleSharing to be running the software they claim to be running. I expect they are worthy of that trust but you still have to trust them unless you are running your own server after inspecting the source.*

** And you will need to find a bunch of people who trust YOU using your server for you to derive any privacy benefit from running your own server. Bit of a catch-22 there.

Re:No, not Really?

[nuckfuts]

Welcome to Slashdot, where people are too lazy to read the summaries, never mind the articles, and restating a sentence from the summary gets modded +5 Informative.

Trademark issues*

[Acetylane_Rain]

While I appreciate (the existence of) the service, methinks this is a trademark suit just begging to happen. I mean take a look at their logo [png graphic]. It really looks like an official Google site. In this age of massive information sharing, I have my doubts about patents and copyrights in general.

However with patents, I'd give the trademark owner the benefit of the doubt (you're not necessarily evil if you sue for trademark infringement), unless your trademark happens to be a pure (uncombined) dictionary word (in English or whatever language) or a common or well-etablished proper name (e.g. Smith or Madonna). Thus, I'd throw out any lawsuits involving Apple(tm) or Oracle(tm) but not Facebook(tm), Microsoft(tm), Apple Computers(tm) or Apple Records(tm). Obvious parodies are another matter, so there might be room for site names like Googlevil.

[*] I'm using trademark in the general sense to refer to symbols or names that make up the business identity of a company.

Re:Trademark issues*

Google is probably way too smart to take any legal action over this (it'd be a big PR loss), but they've been slipping lately...

There's also "trademark fair use."

Anonymized HTTPS, really?

HTTP headers (e.g. User Agent) are encrypted with SSL on user's computer. How can GoogleSharing anonymize encrypted data?

Re:Anonymized HTTPS, really?

[AHuxley]

Its hidden on your computer as the https, then sent up to google, google unpacks, NSA at some point has a look, google sends on as https.
To any non US state/federal/hacker your text https to google I think?

Re:Anonymized HTTPS, really?

[maxwell+demon]

I think it basically acts as NAT router: It makes your browser send the encrypted data to GoogleSharing, then GoogleSharing just replaces the IP addresses so that the destination is Google and the source is GoogleSharing. For the return packets the IP addresses are changed the other way, so you get the packet back from GoogleSharing. All other functionality (like not sending any information from your cookies or manipulating User Agent) can be implemented locally at your browser by the extension.

Disclaimer: I didn't read the code (nor did I see any good description on the page), so this is basically how I think it works. Maybe I'm completely wrong (but I cannot think of another way how it could work).

Re:Anonymized HTTPS, really?

Yep. I had the same question as the GP.

Doesn't this mean that you could monitor my searches, though?

With the release of GoogleSharing 0.20, even the GoogleSharing proxy is not capable of monitoring your search queries. The addon pre-fetches the identity information from the GoogleSharing proxy, uses that to construct an anonymized request, and then routes an encrypted connection to Google through the GoogleSharing proxy. So while the traffic is routed through GoogleSharing, it is encrypted to Google and thus not visible to the GoogleSharing proxy.

The result is that Google knows what is being searched for, but doesn't know who issued the request. The GoogleSharing proxy can tell where requests are coming from, but can't tell anything about the content of the request. The only thing you have to trust is that the operator of the GoogleSharing proxy is not actively colluding with Google in order to determine the identities of GoogleSharing users.

If you're still worried, remember that the GoogleSharing addon and proxy code is publicly available. So it's possible for you to run a GoogleSharing proxy yourself, or to find someone who you do trust.

In this case I don't see any purpose in using the GoogleSharing proxy over a regular proxy. I trust a regular proxy more than their own (because their website is all FUD, plus the blatant advertising on Slashdot, and the out-of-context quote/lie by Schmidt). The extension itself can replace the cookies and user agent strings (even if it isn't doing it now).

Re:Anonymized HTTPS, really?

[AHuxley]

regular proxy ? Who is gifting the world a service? A front company, data mining, hacker, researcher? For profit or fun?
Anyway you look at it even if the proxy on offer is 100% safe, who is next door?
As for the " out-of-context quote" and the google MAC map making efforts, long term cookies, telco tracking ect it all its a pattern.

My favorite part

[MyFirstNameIsPaul]

googlesharing.net uses no javascript. Hurray!

Re:My favorite part

[maxwell+demon]

Except in the browser extension, I guess ...

do you know how instant search works?

[way2trivial]

they pass each keystroke in real time to the servers.

go ahead, type carefully..

they'll see each letter as typed and "fingerprint" you that way
the typing speed and corrected mispellings even without you hitting 'search'

Re:do you know how instant search works?

Easy enough to get around - just type it all out in another window (text editor would be easiest), proof it carefully, then copy/paste.

Re:do you know how instant search works?

[maxwell+demon]

Not if you block JavaScript.

Re:do you know how instant search works?

[muckracer]

> just type it all out in another window (text editor would be easiest), proof it carefully, then copy/paste.

Or even easier, use the built-in search entry bar in Firefox (to the right of the location bar). It only gets transmitted when you hit Enter or click on the magnifying glass icon. Couple that with the Scroogle Firefox add-on and you're searching anonymously and SSL-encrypted (FWIW):

https://addons.mozilla.org/en-US/firefox/addon/12506

Always wondered though, if you can still do an anonymous search in one tab while having your non-anonymized Gmail account open in another. Probably not...

Re:do you know how instant search works?

Okay, how about this one - if you land on a page with Google ads, they pick up the referer [sic] and use Google location services to discover where you are. They then check for any Google Android phones in the same location via GPS and activate the camera. Using tracking software they look for anyone within the field of view who is typing in a pattern that matches the text entered - if it finds a match they take a snapshot of the person's face and go looking on Facebook for tags to identify you and the next thing you know your "secret" search for goat pr0n just earned you a crate full of goat spam more per day.

Re:do you know how instant search works?

This sounds a lot like the defunct Google Wave technology.

Re:do you know how instant search works?

[mcneely.mike]

Here, fixed it for you:

Okay, how about this one - if you land on a page with Google ads, they pick up the referer [sic] and use Google location services to discover where you are. They then check for any Google Android phones in the same location via GPS and activate the camera. Using tracking software they look for anyone within the field of view who is typing in a pattern that matches the text entered - if it finds a match they take a snapshot of the person's face as it is reflected in a drop of water... it then uses image manipulation technology to enlarge, enhance and correct the image and go looking on Facebook for tags to identify you and the next thing you know your "secret" search for goat pr0n just earned you a crate full of goat spam more per day.

Re:No, not Really?

[Sir_Lewk]

And if I use the GoogleSharing servers, than I do still need to trust GoogleSharing to be running the software they claim to be running.

No you don't, that's the difference between this version and the previous version. (I know, I know, RTFS is for wimps...) Unless their servers are using a previously unknown SSL exploit* then all you need to do is make sure the cert is correct. That's the thing with SSL, you only need to trust the CA. For the same reason that you don't have to trust your ISP (and every shady goon working there) you don't need to trust googlesharing (now).

*Hmm... well this is Marlinspike...

Nagware?

Is there a version that doesn't nag for donations and doesn't show itself on the status bar? Can't be bothered with that junk.

Re:Nagware?

Yeah, I hate when free services that benefit everyone ask for entirely voluntary donations in order to keep providing said service. It's just... it's junk, you summed it up, bro.

My God Google is really starting to scare me

[GodfatherofSoul]

I got an Android phone a month ago and that damned think does everything in its power to get you to enable "total information awareness" settings. Every time I use Google Maps I've got to proactively stop it from sharing my location information. Apps like this will be a blessing as soon as we see a more complete suite of pro-privacy variants come into being.

Re:My God Google is really starting to scare me

[maxwell+demon]

Google is your god? :-)

Re:My God Google is really starting to scare me

[KlaymenDK]

Yeah well. I'm on the Android platform myself, but have a more resigned approach because at some point the whole exercise becomes absurd. But then, I'm not really the target audience: I just wanted a modern pda, not a googlephone; sadly pda's don't exist any more. And even more sadly, the OpenMoko and similar truly open initiatives failed to produce a device that's workable in practice (the OM is awesome, but not exactly stable or long-lived).

Re:My God Google is really starting to scare me

[delinear]

I'm kind of with you. While I value my privacy, I'm starting to not care so passionately about trying to alert others to the importance of privacy and to at least understand what information they're giving up. Like you, I'm probably not in Google's target demographic. I don't impulse buy anything, and any purchases I do make I research thoroughly, so I'm more than happy for them to try and find a pattern that they think will sell me stuff if it means I get to enjoy a bunch of great services for free. If they ever start collecting or using my personal data for anything other than trying to sell me crap I'll make the effort to go off the radar again, but right now I've got a good balance of enjoying the benefits of other people being consumer sheep without the disadvantages of following the herd.

Re:My God Google is really starting to scare me

You, sir, are an iPhone user. If you cannot figure out how to turn off location sharing by default (here's a hint, turn Latitude the fuck off and setup your Google account correctly using the dashboard) then you appear to be one of the impatient "omg why won't it just WORK" crowd that does so love His Jobsiness. If you can't work stuff out (simple stuff too!) Then android is not for you

Posted from my motherfucking Nexus One that does none of the retarded shit described in parents post.

Captcha: red raw. I lol'd.

Re:My God Google is really starting to scare me

[GodfatherofSoul]

It is turned off. My point is, it keeps trying to turn itself back ON!!! Thanks for your moronic anti-fanboy non sequitor, though.

Re:No, not Really?

And if I use the GoogleSharing servers, than I do still need to trust GoogleSharing to be running the software they claim to be running. I expect they are worthy of that trust but you still have to trust them unless you are running your own server after inspecting the source.*

No you don't. All you have to trust is that SSL works the way it's supposed to work. Then if the certificate verifies properly, you know you have an encrypted connection through GoogleSharing that GoogleSharing can't read, because that's what SSL is for. I mean sure, they could be in cahoots with Google and then you would be screwed, but that's unavoidable.

Re:No, not Really?

[Sir_Lewk]

for that matter: Welcome to Slashdot, where people think scepticism is a good replacement for education and intelligence.

It seems like half the commenter here may have at least RTFS, but simply don't know what SSL is.

Re:No, not Really?

[maxwell+demon]

Well, you also have to trust the Firefox extension (or read and understand the code, and trust your ability to find issues if there are any).

For the non-technical users

Can some one explain how is this any more secure? At some point, won't 'google' servers have to decrypt the encrypted search to know what to search for in the first place?

Re:For the non-technical users

[delinear]

Google know what the search term is, but they won't know where it's come from, since the whole point of the proxy is to make it appear that the proxy server is the origin.

Anonymous Coward

will this work with Tor?

Yo Dawg!

[Nyder]

Yo Dawg! I heard you anonymize the non-anonymous SSL, so now anonymous can opt-out and be an anonymize anonymous.

Re:No, not Really?

What are they supposed to do besides release the code? Send you a Christmas card?

like

[yarisma]

I think that it is confidential, because of Google's highly successful on the basis of increases in google, but google seems to be an organization of monopoly infrastructure, in doing so is very solid and high quality services by all existing popular Preferred access pt http://www.hakyolunda.com/

wisdom from Kennedy

[AliasMarlowe]

Just last year I explained all this Internet privacy concern to my father. I don't think he liked what he learned. Sometimes I really do wish I were just another one of the happy-go-lucky sheeple, because, given the state of the world, "being aware" is just so damn depressing.
There's this choice ... "if you had to choose, would you rather be smart or happy?" After having given that some thought, I'm convinced smarts has a negative impact on happiness. :-(

Perhaps, but the bliss of the ignorant will endure only as long as there are enough smart and educated people resisting the many tendencies to drive everyone into servitude and constraint.

"Liberty without learning is always in peril; learning without liberty is always in vain." - J.F.Kennedy, 18 May 1963.

Liberty and learning go hand-in-hand. Separate them, and you lose both.

It's sad to think...

[DoChEx]

that if you want to kept things private then you must have something to hide... Some of us are just paranoid!

Can't Google finesse this?

How long before Google changes their search page to include collecting and appending to the request whatever identification information they want? It would get SSL encrypted, so GoogleSharing couldn't strip it out or replacing by the fake information.

Yeah, sure

How can I trust that I don't have to trust the GoogleSharing-proxy?

Well

[Zixaphir]

Looks like Google has a huge pool in which to gather generalized data on what "people who want privacy" tend to do with that privacy from.

I see what you did there!

Don't think that just because you haven't got an account, they haven't got an "account" on you.

You're to get someone to make an "In Soviet Russia" joke there weren't you?

Re:No, not Really?

[YourExperiment]

tl;dr

scepticism?

Welcome to Slashdot where people think that scepticism is a good replacement for skepticism

Re:scepticism?

[Sir_Lewk]

Welcome to slashdot, where people incorrectly think there can be only one correct spelling for a word.

Re:No, not Really?

[lxs]

Flowers would be nice...

Re:No, not Really?

[brentonboy]

Equivocate much?