SSL Enabled Google Searches
May 22nd, 2010“Your investigative staff will collect its best evidence while users are lulled into a false sense of security afforded by web, e-mail or VOIP encryption.”
—Governments Using Forged SSL Certificates for Man in the Middle Attack on “Secure” Web Sessions
A reader asked me if SSL enabled Google search was worth using.
I would say that this is probably worth using for most people. It will prevent teenagers and some other miscreants on the wire from intercepting your search sessions. However, this does nothing to keep your data private from intelligence organizations that can decrypt SSL at will. Also, Google still maintains your files for law enforcement to access.
If you have half a role of Reynolds Wrap around your skull, you might think that intelligence agencies will pay extra close attention to the searches conducted via SSL enabled pages.
My guess, though, is that the benefits of keeping things secure from just about everyone except Google, law enforcement and intelligence agencies outweighs any possible additional scrutiny this might bring from those organizations. I mean, they have it all when you use the standard session anyway, so, why not cut your boss (assuming that you can use your own computer on your office’s network; this won’t do crap for you if you’re using a machine provided by your employer), your neighbor’s teenage son, who has cracked the encryption on your wi-fi base station, and the freak who owns the coffee shop, etc. out of the picture when it comes to your search queries?
Via: Google:
As people spend more time on the Internet, they want greater control over who has access to their online communications. Many Internet services use what are known as Secure Sockets Layer (SSL) connections to encrypt information that travels between your computer and their service. Usually recognized by a web address starting with “https” or a browser lock icon, this technology is regularly used by online banking sites and e-commerce websites. Other sites may also implement SSL in a more limited fashion, for example, to help protect your passwords when you enter your login information.
…
When you search on https://www.google.com, an encrypted connection is created between your browser and Google. This secured channel helps protect your search terms and your search results pages from being intercepted by a third party on your network.
…
A few notes to remember: Google will still maintain search data to improve your search quality and to provide better service. Searching over SSL doesn’t reduce the data sent to Google — it only hides that data from third parties who seek it. And clicking on any of the web results, including Google universal search results for unsupported services like Google Images, could take you out of SSL mode. Our hope is that more websites and services will add support for SSL to help create a better and more consistent experience for you.
Well it’s a moot point for us in NZ, because the secure https://www.google.com redirects to the unencrypted http://google.co.nz
It works for me. I’m in NZ and it doesn’t redirect.
Here’s a screenshot:
https://cryptogon.com/images/httpsgoogleworksforme.gif
Maybe because it’s beta they’re limiting the number of searches on it. But I can hit it regularly and I’m using Telecom NZ to access the Internet.
Just did the exact same test again and it’s working correctly now, so maybe they fixed it. Not that it matters – my google reader rss subscriptions are incriminating enough.
🙂
damned if you do;
damned if you don’ t
that’ s the utter bitch of it, right ?
I believe Scroogle
http://scroogle.org/
can eliminate some if not most invasions.