Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google To Encrypt All Keyword Searches

Posted by Soulskill on from the did-you-mean-*8ahd2$-#-I3oEf7? dept.

Hugh Pickens DOT Com writes "Danny Sullivan reports that in the past month, Google has quietly made a change aimed at encrypting all search activity to provide 'extra protection' for searchers, and possibly to block NSA spying activity. In October 2011, Google began encrypting searches for anyone who was logged into Google. The reason given was privacy. Now, Google has flipped on encryption for people who aren't even signed-in. In June, Google was accused of cooperating with the NSA to give the agency instant and direct access to its search data through the PRISM spying program, something the company has strongly denied. 'I suspect the increased encryption is related to Google's NSA-pushback,' writes Sullivan. 'It may also help ease pressure Google's feeling from tiny players like Duck Duck Go making a "secure search" growth pitch to the media.'"

4 of 224 comments (clear)

  1. Re:Power Implications by Anonymous Coward · · Score: 5, Informative

    According to one of the head Google staffers responsible for their SSL/TLS operations, it's pretty much a non-issue: https://www.imperialviolet.org/2010/06/25/overclocking-ssl.html

    It basically ended up adding less than 1% to the CPU overhead for their servers, didn't require special hardware, and didn't involve any new systems.

  2. Re:Illusion of privacy by jafiwam · · Score: 4, Informative

    I dont think you understand how SSL works. Its entire purpose is to defeat MITM.

    And YOU don't understand what would happen if "the man" in the middle has access to the certificates, either the masters or the actual certificates themselves.

    Do you really think "mysecretdomain.com" certificate from shitty ass low cost certificate provider doesn't have a duplicate key on file at Comodo, Network Solutions, GoDaddy or TwoCows or whatever?

    They don't have to brute force or hack anything if they have an appliance in the middle that automatically grabs the certificate from the certificate issuer and spoofs both sides of the connection.

    If you want your traffic encrypted, you need to generate your own certificates using software you compiled after you reviewed the code.

  3. Re:Illusion of privacy by icebike · · Score: 4, Informative

    I dont think you understand how SSL works. Its entire purpose is to defeat MITM.

    And YOU don't understand what would happen if "the man" in the middle has access to the certificates, either the masters or the actual certificates themselves.

    Do you really think "mysecretdomain.com" certificate from shitty ass low cost certificate provider doesn't have a duplicate key on file at Comodo, Network Solutions, GoDaddy or TwoCows or whatever?

    They don't have to brute force or hack anything if they have an appliance in the middle that automatically grabs the certificate from the certificate issuer and spoofs both sides of the connection.

    If you want your traffic encrypted, you need to generate your own certificates using software you compiled after you reviewed the code.

    Was going to post exactly this!.

    But to further the point, it is strongly suspected that SSL is already broken by the NSA, and having certificates is no longer necessary.

    Google publishes its own certificate. I don't think its signed by anyone but Google, a sign they have totally given up on corrupt certification companies.
    They also have changed it occasionally. I notice this when my more selective operating systems prompt me to accept new certificates for some Google Services, that they were happy to use yesterday. (These are always sort of scary events that warrant close inspection).

    --
    Sig Battery depleted. Reverting to safe mode.
  4. Re:Illusion of privacy by icebike · · Score: 4, Informative

    That is outright false. I challenge you to provide a citation to a reasonably authoritative site saying that - basically anybody who isn't a kook. You can't.

    Clearly you phrased it that way so you could reject any site I offered, based on your own myopic view point.

    So here are the rules:
    You don't get to reject any source! You have to invalidate every one of these and all of their claims.
    After all, extraordinary claims of something being "outright false" require extraordinary proof.

    http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?pagewanted=2&_r=0
    http://nakedsecurity.sophos.com/2013/03/16/has-https-finally-been-cracked/
    http://www.theguardian.com/commentisfree/2013/sep/05/government-betrayed-internet-nsa-spying
    http://www.theregister.co.uk/2013/09/05/nsa_gchq_ssl_reports/
    http://www.zdnet.com/has-the-nsa-broken-ssl-tls-aes-7000020312/
    http://www.forbes.com/sites/andygreenberg/2013/06/20/leaked-nsa-doc-says-it-can-collect-and-keep-your-encrypted-data-as-long-as-it-takes-to-crack-it/

    --
    Sig Battery depleted. Reverting to safe mode.