Forgot your password?
typodupeerror
Google Security

Google Rolls Out Encrypted Web Search Option 176

Posted by CmdrTaco
from the step-in-the-right-direction dept.
KirinMercury writes "Google began offering an encrypted option for Web searchers on Friday and said it planned to roll it out for all of its services eventually. People who want to use the more secure search option can type 'https://www.google.com' into their browser, scrambling the connection so the words and phrases they search on, and the results that Google displays, will be protected from interception." Note that you need the 'www' for it to work. Dropping it redirects you to a non-ssl page. You might have read this on Saturday, but if you missed it, it's still worth knowing.
This discussion has been archived. No new comments can be posted.

Google Rolls Out Encrypted Web Search Option

Comments Filter:
  • In ~/.mozilla/firefox/(profile id).default/search.json, find this:

    {"template":"http://www.google.com/search","rels":[],"params":[{"name":"q","value":"{searchTerms}"}

    Change it to this:

    {"template":"https://www.google.com/search","rels":[],"params":[{"name":"q","value":"{searchTerms}"}

    Restart browser

    • For me, the URL when searching goes to https://www.google.com/ [google.com] after that edit, however google then redirect me to http://www.google.co.uk./ [google.co.uk] :(

    • by MoonBuggy (611105) on Tuesday May 25, 2010 @01:13PM (#32338112) Journal

      You can also edit the "keyword.URL" option in about:config to change the default address bar behaviour.

      • Great tip and much easier to do! Thanks!
        • Re: (Score:2, Funny)

          Hey, if you find opening and using a GUI easier than opening and editting a config file, you're in with the wrong crowd.

          • by Anonymous Coward on Tuesday May 25, 2010 @02:52PM (#32339726)

            What real people see in these instructions:

            1. Go to address bar.
            2. Type about:config.
            3. Type "keyword.URL" in the search bar.
            4. Double-click.
            5. Edit result.
            6. Click OK.

            What apparently "real" geeks see in these instructions:

            1. Pry your hands away from keyboard. Use chisel to remove Cheeto dust encrusting fingers there if need be.
            2. Locate mouse.
            3. Mutter profanities to poster for suggesting this primitive means of interface (this step is important, as later steps depend on it).
            4. Increase volume of profanities as you are forced to wrench your eyes away from the relaxing phosphor glow of monitor to locate mouse.
            5. Increase volume of profanities as you wait for eyes to adjust to the otherwise pitch-black room to locate mouse.
            6. Increase volume of profanities as you look for the mouse cable coming out of the computer to find mouse.
            7. Increase volume of profanities as you remember you have a wireless mouse.
            8. Go back to keyboard and type up scathing dissertation against the clearly inferior intelligence that suggested this.
            9. Realize you have now returned to step 1. Repeat from there, remembering to skip over step 8 this time.
            10. Give up on finding mouse and, grumbling, go to Fry's Electronics to find a new mouse (NOTE: if there is no Fry's nearby, you are clearly not a "real" geek, and most likely do not even exist, as the modern world ceases to exist outside the range of Fry's).
            11. Return home. Allow eyes to readjust to pitch blackness after being out in the big blue-ceiling room.
            12. Install new mouse.
            13. Reinstall new mouse.
            14. Update operating system. Mouse might work this time. Whoever heard of this new technology, anyway? "USB"? Why couldn't you find any serial port mice? Those are way more l33t.
            15. Train hand-eye coordination enough to use mouse. Try not to reflexively touch keyboard, else you will be back at step 1.
            16. Go to address bar.
            17. Increase volume of profanities.
            18. Stubbornly type "about:config".
            19. Stare at new interface.
            20. Back to Fry's to find a book on how modern interfaces work. You never had to deal with all this confusing nonsense with a keyboard, dadgummit!
            21. Type "keyword.URL" into search bar.
            22. Realize you are just bashing your precious keyboard at this point due to soaring blood pressure due to anger at having to use a mouse.
            23. Wait a few hours to calm down. Don't touch keyboard in that time.
            24. Type "keyword.URL" into search bar.
            25. Double-click.
            26. Edit result.
            27. Click OK.
            28. Make muttering comments to yourself, passively-aggressively asking if the person who suggested this is happy now.
            29. Go to IRC and detail this harrowing experience to your l33t friends.

            See? That's WAY more steps than locating and editing a config file!

            • Re: (Score:3, Informative)

              by ikegami (793066)
              Actually, I hear Ctrl-L, "about:config", Enter, "keyword.URL", Tab, Tab, Enter, edit result, Enter.
      • Re: (Score:2, Informative)

        by surveyork (1505897)
        That works for the location bar. For the search bar you can add a Mycroft search plug-in: http://mycroft.mozdev.org/search-engines.html?name=google+ssl [mozdev.org] and demote/delete the built-in google search plug-in. I guess this is the non-hacker / lazy-ass method :).
      • Hmm, I tried in my SeaMonkey (SM) v2.0.4 but it didn't work. I changed all Google to have https part an restarted SM. What else did I miss?

    • Easier Solution (Score:4, Insightful)

      by datapharmer (1099455) on Tuesday May 25, 2010 @01:18PM (#32338166) Homepage
      An easier solutions is to just install the add to search bar plugin. Details on this plugin and how to get the old google layout back can be found on my website here: how to get rid of the new Google sidebar [gainesvillecomputer.com]. You may also want to go to about:config and change http:/// [http] to https:/// [https] under keyword.URL
    • Tools -> Options
      Basics Tab -> Manage button for default search
      Add Button ->
      Name: SSLGoogle (or whatever you want)
      Keyword: sslGoogle (or whatever you want)
      Url: https://www.google.com/search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}sourceid=chrome&ie={inputEncoding}&q=%s
    • by catmistake (814204) on Tuesday May 25, 2010 @01:52PM (#32338764) Journal

      instructions for chrome & firefox:

      firefox [simplehelp.net]

      chrome [coolgeex.com]

  • by JoshuaZ (1134087) on Tuesday May 25, 2010 @12:35PM (#32337646) Homepage
    This will have an interesting impact on webmasters. If someone clicks through from a secure Google search to your webpage, the referral data is not given. That means that the person who runs the website will not only not see what the search term was they won't even see that it came from a Google search. I'm not sure how that will impact people. But if enough people use secure search, it may cause people to have to do a lot of guesswork about how much traffic they are getting from Google searches.
    • by TreyGeek (1391679) on Tuesday May 25, 2010 @12:42PM (#32337736) Homepage
      If you create a webmaster account with Google and register your site, Google will tell you how many people they send to you. They'll also give you a lot of other information like where in the list of search results was your website when it was clicked on.
    • Re: (Score:3, Informative)

      by Pharmboy (216950)

      It doesn't work for images after trying a few different ways, ie: changing the address to https after an image search, or doing a true https search, to which you don't have the option of choose "images" as a search type. You *can* search videos, news and blogs with SSL but not images at this time. Wonder why?

      • by Zerth (26112)

        Because then schoolchildren could imagesearch porn without being blocked by filters?

      • by IICV (652597)

        I would imagine that it's because when you click on an image after doing an image search, it shows you the image in a top frame with actual result page in a bottom frame. Most web browsers will whine about showing mixed content like that (since the top frame will still be secure, but the bottom frame won't), and Google probably hasn't had the time to rejigger the way image search works yet.

        • by Pharmboy (216950)

          They could still make the first page ssl, the one without the frames, which is directly on the www.google.com domain, not a sub-domain. They do the same with news, the results themselves are ssl, but the links on that page are not. There is no technical limitations to doing this, it appears they just haven't gotten around it ot.

    • Re: (Score:3, Insightful)

      by PopeRatzo (965947) *

      If someone clicks through from a secure Google search to your webpage, the referral data is not given.

      Good. That's the point.

      You want to know about the people who visit your site? Ask them to sign a visitor's book. Just because having background information on web visitors makes companies' lives easier doesn't mean that people don't have the right to surf anonymously.

    • by Dan667 (564390)
      People also abuse this information and they will be screwed as well. I for one like that I have the option to prevent those few that would like to abuse it no data.
    • by mzs (595629) on Tuesday May 25, 2010 @02:18PM (#32339162)

      You should look at the page source of a results page sometime. Right now the targets are to https://www.google.com/ [google.com] with the rest of the URL encoded to tell google where to redirect you to. The HTTP/1.1 200 OK reply sets a cookie and then the HTML has a JS and meta refresh to send yo on your way to where you expect to go to. To get the referer to indicate it was from google, all they need to do for most browsers is have the targets still be to http://www.google.com/ [google.com] instead if the real target is http instead of https. All this incidentally seems kind of pointless to me BTW, since now other parties cannot see your google searches, but they can still see the sites that you do visit from the results.

    • by antdude (79039)

      You could disable send referrer (network.http.sendRefererHeader). I use PrefBar [mozdev.org] extension in Mozilla's SeaMonkey v2.0.4. However, some Web sites hate the no send referrers. :(

  • MitM only? (Score:4, Interesting)

    by sabt-pestnu (967671) on Tuesday May 25, 2010 @12:36PM (#32337656)

    What this means, I believe, is that your web browsing might be immune to man-in-the-middle interception.

    Interception by Google (and thus by anyone with the power to compel Google, IE USA, China, etc) will be the same as before. As well, you're still connecting TO Google, so you're still likely to be blocked from the site by the Great Firewall arrangements, even if your search terms themselves might be encrypted.

    And not to forget that China has a tame certificate authority...

    • Not to mention that it's pretty clear the three letter agencies have gotten CA cert signed by verisign or some other company.

    • Re: (Score:3, Insightful)

      It's a bit of a stretch to say Google is "intercepting" the traffic since they are in fact the intended recipient.

    • by Itninja (937614) on Tuesday May 25, 2010 @01:07PM (#32338048) Homepage

      ...immune to man-in-the-middle interception

      That's adorable

    • by MoonBuggy (611105)

      The more of the web goes SSL, the harder it will be for governments to pervasively monitor/censor anything. Google is a positive first step.

    • Interception by Google will be the same as before.

      My mom called me last night, and I 'intercepted' everything she said.

      I do not think interception means what you think it means...

    • At the moment, in China, I'm seeing the US google page with SSL markings on the image, Google's certificate is signed to Google by Thawte Consulting (Pty.) Ltd. All looks legit to me. As for CNNIC, if you don't trust them there is nothing to stop you from taking it out of your list of trusted certificate authorities, but I have never seen it actually used to issue fake certificates before, I figure it could only really do that trick once.
  • by daveime (1253762) on Tuesday May 25, 2010 @12:36PM (#32337666)

    Slashdot began offering an dupe-free option for Web searchers on Friday (and then repeated the offer on Saturday) ... *facepalm*

    How about we just rename the site to Reddit ... I mean, every other story, we already reddit.

    • by PopeRatzo (965947) *

      How about we just rename the site to Reddit ... I mean, every other story, we already reddit.

      Don't whine.

  • so why is it that if I go to https://www.google.co.uk/ig [google.co.uk] it gets redirected to http://www.google.co.uk/ig [google.co.uk] ?

    presumably G will fix this soon? hello Google?
  • https://www.google.com/search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}sourceid=chrome&ie={inputEncoding}&q=%s
  • session id #4ddr-tg62-hh89

    12:30 https initiated begin session

    12:31 "divorce lawyer"
    12:34 "divorce lawyer low cost"
    12:34 "hitman hire"
    12:36 "hitman low cost"
    12:37 "assassination do-it-yourself"
    12:40 "polonium-210 availability"
    12:41 "legal anthrax"
    12:41 "ricin suppliers"
    12:42 "arsenic wholesale"
    12:43 "legal mustard gas"
    12:43 "cheap readily available poisons"
    12:46 "antifreeze toxicity"
    12:49 "brainstorming murder scenarios"
    12:52 "how to run hose from exhaust to passenger compartment"
    12:55 "wits end"
    12:41 "chloroform wholesalers"
    12:45 "shovel hacksaw garbage bags"

    12:45 interrupt: preemptive googlebot legal log crawler has identified a high criminal behavior correlation index in session id #4ddr-tg62-hh89. log and ip address forwarded to google-inbox@fbi.gov

    1:05 "stalling law enforcement"
    1:06 "good indoor hiding places"
    1:06 "proper handgun usage"

    1:26 session timed out

  • SSL Wikipedia & TPB (Score:5, Informative)

    by cffrost (885375) on Tuesday May 25, 2010 @12:52PM (#32337858) Homepage
    Wikipedia and TPB have SSL versions available as well:

    English Wikipedia: https://secure.wikimedia.org/wikipedia/en/wiki/Main_Page [wikimedia.org]

    The Pirate Bay: https://thepiratebay.org/ [thepiratebay.org]

    Still waiting on Slashdot to join the 21st century.
  • So I did some Googling (nonencrypted so maybe it can't be trusted), and found this page [devilsworkshop.org] that tells you how to set up the SSL search as the default search in FF, Chrome, and IE. There was no mention of Opera, but then, I never really bothered with Opera so I am sure someone else can figure that one out. Also, apparently the "KB SSL Enforce extension" for Chrome sets up an automatic redirect for google.com to link to https://www.google.com./ [www.google.com] I haven't tried this, however, since I don't use Chrome at work.

    H
  • by Darth Sdlavrot (1614139) on Tuesday May 25, 2010 @12:53PM (#32337868)

    Encrypted should be the default for every web site IMNSHO.

    • Re: (Score:3, Interesting)

      by Mad Merlin (837387)

      I agree, but that would require the death of IE6 (and XP), or IPv4. SSL is incompatible with name based virtual hosting unless you add in SNI, which isn't supported by IE6 (or any browser that runs on XP, for that matter).

      Don't get me wrong, I agree entirely and IE6 and IPv4 should be nothing more than a bad memory by this point, but they're not.

    • by Eil (82413)

      To put it bluntly, what for?

      HTTPS only conceals the content of your web browsing, not which sites you visit. Except for user authentication, and possibly user-to-user messages, adding HTTPS to Slashdot and most other public content sites would be utterly pointless since anyone who sees that your computer is talking to a Slashdot IP has immediate access to all of the content you're viewing.

      Sensitive communications (email, IM, etc) should be encrypted. But anything that's public, nah. If you really want compl

      • Re: (Score:3, Insightful)

        It's similar to the theory that people surfing [legit] porn through tor are doing the people who actually need the anonymity a favour: if the only things that are encrypted are things that are sensitive, then it becomes easier to target interesting sites. If everything is encrypted, then you have to decrypt everything in order to find out what bits are interesting. And that's a much harder nut to crack.

  • Default (Score:5, Funny)

    by fulldecent (598482) on Tuesday May 25, 2010 @12:59PM (#32337946) Homepage

    Wake me up when they enable a default option like in Gmail.

  • You have to be careful to type the https:/// [https] and the www or you don't get SSL. I think it should be the opposite: Google shoud detect if you can handle SSL and use it if you can and not if you can't.
  • I fail to see (Score:2, Interesting)

    by thechemic (1329333)
    I fail to see how this provides any search privacy at all. Any network administrator can see the search phrase in the URL: https://www.google.com/search?hl=en&source=hp&q=printer&aq=f&aqi=&aql=&oq=&gs_rfai= [google.com] And then, you would see the very next URL the user selected ie: http://en.wikipedia.org/wiki/Printer_(computing) [wikipedia.org] Sure, the search RESULTS might be encrypted... but ugh, cant administrators still see what you searched for and ultimately where you went?
  • I study done a few months ago showed how one can easily deduce searches by looking at the size of the AJAX requests. http://www.schneier.com/blog/archives/2010/03/side-channel_at.html [schneier.com] Yes, https should have been available a long time ago, and still isn't available for www.google.com.hk.
  • It'd be nice if they could also enable SSL for those of us who use the Google Personalized page (aka iGoogle) at http://www.google.com/ig [google.com]

  • will it not only be encrypted from snoopers & sniffers, will it be encrypted from google itself?
  • DevilsWorkShop.org has some succinct instructions on how to set this as the default search type in the "Big Three" browsers of IE, FF, and Chrome.

    http://devilsworkshop.org/how-to-use-google-ssl-search-as-default-search-engine-in-chrome-firefox-and-internet-explorer/ [devilsworkshop.org]

    I have no affiliation with them.

  • Incognito? (Score:3, Interesting)

    by djdanlib (732853) on Tuesday May 25, 2010 @04:41PM (#32341080) Homepage

    A logical next step would be to set https as the default when in Incognito mode in Chrome, or Private Browsing in Firefox.

  • by Tim C (15259) on Wednesday May 26, 2010 @09:29AM (#32347624)

    It also only works for google.com - or at least, going to https://www.google.co.uk/ [google.co.uk] redirects you to http://www.google.co.uk./ [google.co.uk]

You are an insult to my intelligence! I demand that you log off immediately.

Working...