Google Offers Encrypted Web Search Option

Posted by Soulskill
from the helping-you-hide-your-pokemon-obsession dept.
alphadogg writes "People who want to shield their use of Google's Web search engine from network snoops now have the option of encrypting the session with SSL protection. In the case of Google search, SSL will protect the transmission of search queries entered by users and the search results returned by Google servers. Google began rolling out the encrypted version of its Web search engine on Friday. 'We think users will appreciate this new option for searching. It's a helpful addition to users' online privacy and security, and we'll continue to add encryption support for more search offerings,' wrote Evan Roseman, a Google software engineer, in an official blog post."
This discussion has been archived. No new comments can be posted.

  • by XPeter (1429763) on Saturday May 22 2010, @10:38AM (#32305416) Homepage

    Yes, but Scroogle has recently been shut down by Google, so this is their alternative.

  • by hedwards (940851) on Saturday May 22 2010, @10:42AM (#32305446)
    I know you're joking, but the way you do that is by googling the first 5 or 6 digits of your SSN, then manually comparing the last 4. The first 5 or 6 aren't unique and can be relatively easily guessed based upon the location and date of birth. Similar searches are great for finding CC#s that might be posted online.
  • Re:Who is this for? (Score:3, Informative)

    by euyis (1521257) <euyis&infinity-game,com> on Saturday May 22 2010, @10:44AM (#32305468)
    At least it's nice for Google users in China like me. The government has been actively disrupting Google's service in mainland China since they moved to Hong Kong, resetting your connection if certain words/characters (yes characters!) are detected. An encrypted connection surely makes using Google in China less painful.
  • by gzipped_tar (1151931) on Saturday May 22 2010, @10:51AM (#32305536) Journal

    It's meaningless. You search for some keywords over SSL and click on a non-https link in the result page. BAM, the Referer now points to the result page, which contains the keywords you just used in its URL.

    Of course Referer is easily spoofed, but you get the idea: Google search is only one aspect of a person's online activities, and the secret hiding in it can be analysed using side channels.

  • by Anonymous Coward on Saturday May 22 2010, @10:51AM (#32305538)

    Scroogle was never shut down by google. Google changed the layout of their results page, and scroogle had to update its scraping software in order to be able to read the new format.

    here [theregister.co.uk] is the article where Scroogle claims they'll have to shut down forever, and here [scroogle.org] is scroogle, working fine.

    One last note, for the truly paranoid: how do you know scroogle isn't a front, run by google?

  • by Anonymous Coward on Saturday May 22 2010, @10:57AM (#32305572)

    Turn the referer header off. In contrast to spoofing it, turning it off completely breaks very few web sites. In Firefox or Seamonkey: about:config -> network.http.sendRefererHeader=0.

  • by drinkypoo (153816) <martin.espinoza@gmail.com> on Saturday May 22 2010, @10:58AM (#32305584) Homepage Journal

    My government, on the other hand, has repeatedly demonstrated its willingness to break its own laws whenever it's convenient for any of their actual constituents, i.e. corporations.
    [...]
    No, I'm not doing anything that I feel my government would attack me for. But then, I'm not doing anything google would attack me for, either. Google continually stands in opposition to the corporations that I am concerned about. The enemy of my enemy may or may not be my friend, but odds are better than if he's my enemy's friend.

    You do realize that Google is a corporation too, don't you?

    You just failed your CTBS reading comprehension test. Back to elementary school with you! (If you are in elementary school now, I apologize. I do not want to be ageist.)

  • by thijsh (910751) on Saturday May 22 2010, @10:59AM (#32305588) Journal
    Better yet google for a range of 10000 numbers by adding two dots between the lower and upper number:
    Google: 123450000..123459999

    This way you can search for SSN, CC numbers etc.
  • by Kilrah_il (1692978) on Saturday May 22 2010, @11:04AM (#32305630)

    Actually, you can find instructions on setting Google SSL as your search engine here: http://googlesystem.blogspot.com/2010/05/google-secure-search.html [blogspot.com]
    Have fun!

  • by Veramocor (262800) on Saturday May 22 2010, @11:33AM (#32305828)

    Google clearly states this on their page. There is no such thing as 'free'.

    "few notes to remember: Google will still maintain search data to improve your search quality and to provide better service. Searching over SSL doesn't reduce the data sent to Google -- it only hides that data from third parties who seek it. And clicking on any of the web results, including Google universal search results for unsupported services like Google Images, could take you out of SSL mode. Our hope is that more websites and services will add support for SSL to help create a better and more consistent experience for you.

    We think users will appreciate this new option for searching. It's a helpful addition to users' online privacy and security, and we'll continue to add encryption support for more search offerings. To learn more about using the feature, refer to our help article on search over SSL."

    They make their money by monetizing your search and with ads. You are free not to use their service.

  • by Nukenin (646365) on Saturday May 22 2010, @11:35AM (#32305838)

    You search for some keywords over SSL and click on a non-https link in the result page. BAM, the Referer now points to the result page, which contains the keywords you just used in its URL.

    According to RFC2616 (HTTP/1.1) section 15.1.3 "Encoding Sensitive Information in URI's" [ietf.org], "Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol."
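
The Referer behaviour debated in this thread, modelled as an added example that is not part of any poster's comment: a client applying the RFC 2616 section 15.1.3 rule quoted above, plus the "turn the header off" switch mentioned earlier. The function names, the `sendReferer` option and the `.example` URLs are constructed for illustration and are not a browser API.

```javascript
// Added illustration: models only the RFC 2616 section 15.1.3 rule and a
// user-controlled "never send Referer" switch. All names are hypothetical.

// Returns the Referer value the client would send, or null when omitted.
function refererFor(referringUrl, targetUrl, opts = { sendReferer: true }) {
  if (!opts.sendReferer) return null; // user disabled the header entirely
  const from = new URL(referringUrl);
  const to = new URL(targetUrl);
  // Secure referring page, non-secure request: the header SHOULD NOT be sent.
  if (from.protocol === "https:" && to.protocol !== "https:") return null;
  from.hash = "";      // a Referer never carries the fragment
  from.username = "";  // nor credentials embedded in the URL
  from.password = "";
  return from.href;
}

// What the destination site can recover from a search-results Referer.
function leakedQuery(referer, param = "q") {
  if (referer === null) return null;
  return new URL(referer).searchParams.get(param);
}

// Constructed sample: a results page whose URL contains the search terms.
const results = "https://search.example/search?q=fly+fishing+forums#top";
const cases = [
  ["https results -> http link ", results, "http://plain.example/page"],
  ["https results -> https link", results, "https://secure.example/page"],
  ["http results  -> http link ", results.replace("https:", "http:"),
    "http://plain.example/page"],
];
for (const [label, from, to] of cases) {
  console.log(label, "=> site sees query:", leakedQuery(refererFor(from, to)));
}
```

Under this rule alone, the query is withheld only on the secure-to-non-secure hop; a link to another HTTPS site still receives the full results URL unless the header is disabled or stripped by the search page.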

  • by IamTheRealMike (537420) <mike@plan99.net> on Saturday May 22 2010, @11:39AM (#32305862)
    If you read the FAQ it says the referer header is being stripped. Not sure how, but apparently it is.
  • by jellyfrog (1645619) on Saturday May 22 2010, @11:43AM (#32305878)

    What?

    Of course the browser doesn't know the difference between a site that uses signed certificates that is being MITM'd and one that uses a self-signed certificate. That's why neither of these should be advertised as being "secure". Because they're not. And when you go to https://my.bank/ [my.bank] and notice that the lock isn't there because someone's doing a MITM with a self-signed cert you should realise "whoa, hey, this isn't a secure connection" and proceed to not give your bank details to whoever is at the other end.

    On the other hand, when you go to https://porn.site/ [porn.site] and it uses a self-signed certificate, well no, it's not secure. Maybe someone is doing a MITM attack. But at least some random person with a passive network sniffer can't see everything you're watching, and furthermore no-one even with an active MITM attack can affect your connection once it's been established.

  • by j-beda (85386) on Saturday May 22 2010, @11:53AM (#32305942) Homepage

    How's the browser meant to know the difference?

    The browser is not meant to (and cannot) know the difference between sites using a self-signed-certificate and those that should use a "real" certificate. That is what the user is supposed to do. What the original poster was suggesting was that sites using a self-signed-certificate display the site AS IF no security was present. Thus when you visited "Chris's House of Fly Fishing Forums" with a self-signed-certificate, you would not be presented with an obtrusive "watch out! this might be phony!" notification, but you would also not be presented with lots of flashing padlocks and icons indicating your high security. Such a system would not penalize websites which used self-signed-certificates IN COMPARISON TO sites which use NO certificate at all. Users however would have some actual benefit in that their fly fishing discussions would be more well secured from third parties. If people use the same or similar account names and passwords on lots of websites, identity theft would be a bit harder than just sniffing their unencrypted web traffic if all of it was secured with self-signed-certificates.

    It does seem as though there would be some non-zero positive effects to more "regular" sites using encrypted sessions, and encouraging use of self-signed certificates in cases such as these.

    For a real-world example: a cheap-ass lock discourages the good-for-nothing-neighbourhood-punk-kids from rummaging through the garden shed. There is little benefit to also putting up a big sign in the drawer where we keep the key saying "the lock on the shed is a piece of shit and provides no real security".

  • IXQUICK (Score:1, Informative)

    by Anonymous Coward on Saturday May 22 2010, @12:15PM (#32306072)

    https://ixquick.com

    Encrypted search.
    They do not record your IP address
    you can access search result pages via their proxy service too.

  • by Kozz (7764) on Saturday May 22 2010, @12:32PM (#32306228)

    Better yet google for a range of 10000 numbers by adding two dots between the lower and upper number:

    Google: 123450000..123459999

    This way you can search for SSN, CC numbers etc.

    When I try that, all I get is a message from Google that accuses me of being a bot, and they won't process my request in order to protect their users.

  • by tepples (727027) <slash2006 @ p i n eight.com> on Saturday May 22 2010, @12:47PM (#32306328) Homepage Journal
    I tried it, but all I got was

    We're sorry...

    ... but your computer or network may be sending automated queries. To protect our users, we can't process your request right now.

    I had to wait a couple minutes, log in using my Google account, and then search for various antispyware-related keywords before Google would let me run a query like this again.

  • by DragonWriter (970822) on Saturday May 22 2010, @03:42PM (#32307832)

    It means MITM attacks are more unlikely, but your data is still in Google's hand.

    Well, yeah, the queries you actively send to Google are in Google's hands.

    The privacy benefit is directly linked to the security benefit, in that people other than the one to whom you are choosing to give your data to provide you with a service don't have quite as easy access to it in transit.

    Privacy doesn't mean no one has your information, it means that only the people you choose to give your information to have it.

  • by swillden (191260) <shawn-ds@willden.org> on Saturday May 22 2010, @04:09PM (#32308094) Homepage Journal

    Certainly, if the browser receives a self-signed certificate from a formerly-secure site, it should complain loudly. Also, browsers should make the secured status of sites very obvious, and sites with self-signed certs are not secure.
