Slashdot Mirror

← Back to Stories (view on slashdot.org)

Concerns Over Google Modifying SSL Behavior

Posted by timothy on from the hey-fellas-this-just-looks-bad dept.

Lauren Weinstein writes "Google is handling SSL search queries on https://www.google.com/ in a manner significantly different than the standard, expected SSL end-to-end behavior — specifically relating to referer query data. These changes give the potential appearance of favoring sites that buy ads from Google. Regardless of the actual intentions, I do not believe that this appearance is in the best interests of Google in the long run."

3 of 130 comments (clear)

  1. Re:Its in the best interest of users by Jonner · · Score: 4, Informative

    Please read TFA. The question is not over use of SSL, which the author of TFA "applauded."

  2. Re:Summary by Anonymous Coward · · Score: 3, Informative

    Summary for the security conscious: since you switched to using https://encrypted.google.com months ago, you're fine, nothing new here. Move along.

    Summary for the masses: Google is now using security by default (if you're logged in), but it isn't quite as secure as is possible.

  3. Re:Its in the best interest of users by NevDull · · Score: 3, Informative

    First of all, any well-architected clustered app spends more time waiting for I/O at the web tier than it uses CPU, so the 2% "penalty" is on an underutilized resource anyway. Second, terminating SSL at your load balancers is standard practice, be they Amazon ELB SSL termination, F5 BigIPs, or reverse proxies. Again, all otherwise I/O-bound implementations which can spare the CPU.

    The fact that SSL obscures the requested URI from intermediaries seems in-line with the goals of Wikipedia for free information sharing -- with SSL operating properly, an intermediary may be able to tell that you were on Wikipedia, but not what you were looking at.

    SSL/TLS and/or its successors everywhere is in everyone's interest if maintaining privacy from ubiquitous snooping is a concern.