
Google Switching to SSL By Default For Logged-In Users

Posted by Unknown Lamer
from the except-for-other-google-services dept.
nonprofiteer writes "Google plans to encrypt search for signed-in users, so that websites will no longer get to see the search terms that led a user to their site, though they will get aggregated reports on the top 1000 search terms that led traffic to their sites."
  • by treeves (963993) on Tuesday October 18, 2011 @04:26PM (#37754980) Homepage Journal

    That should be good enough, right?
    Is this a good for Google, doing the right thing story, or is there more to it than meets the eye?

    • by ackthpt (218170)

      That should be good enough, right?
      Is this a good for Google, doing the right thing story, or is there more to it than meets the eye?

      Good or bad, doesn't matter. Microsoft will try to roll out the same thing in about 18 months to much ballyhoo and fanfare.

      • by TechLA (2482532) on Tuesday October 18, 2011 @05:06PM (#37755412)
        Google isn't doing it to offer better privacy. It's doing it to cause trouble for competing services. It basically requires all website owners to sign up with Google to access Analytics and Webmaster Tools. It's purely an anti-competitive thing and intended to destroy their competitors. I'd be surprised if FCC doesn't start to crack on Google's monopoly tactics soon. Google is the new Microsoft.
        • by Threni (635302)

          In which field is Google a monopoly?

          Pretty much all actions performed by a company are designed to destroy their competitors. That's the nature of the game.

        • Right.....so to protect the market and consumers the ftc needs to force Google to open up its database of user information to the public and prevent users from having encrypted connections to the Google servers.......you show 'em!

        • by epine (68316)

          Google is the new Microsoft.

          Every public company is required by law to become the next Microsoft if the business opportunity presents itself in order to provide maximum return to shareholders.

          But then, you can take it to a whole new level by submitting falsified video tapes to the DOJ.

          The government produced its own videotape of the same process, revealing that Microsoft's videotape had conveniently removed a long and complex part of the procedure and that the Netscape icon was not placed on the desktop, re

          • Every public company is required by law to follow their Articles of Incorporation

            You can set up a corporation with whatever goals you want, maximizing shareholder profit doesn't have to even be on the list. For most corporations it is, de facto, but don't make the mistake of thinking that it has to be.

            • Slowly, people are realizing that stability and profits are maximized by being a service to your customers, employees, and the world--profit is a consequence of these priorities. Henry Ford spoke of this when he was building Ford Motor Company.
          • "Every public company is required by law to become the next Microsoft if the business opportunity presents itself in order to provide maximum return to shareholders."
            Show me the law.
            I know there are laws that say they are required to follow the votes of your shareholders and hold AGMs and suchlike but show me where it says companies must maximise profits/share price at the expense of everything else.

        • by dririan (1131339)

          I'd be surprised if FCC doesn't start to crack on Google's monopoly tactics soon.

          I'd be surprised if the FCC considered using HTTPS a monopolistic practice. I'd be even more surprised if the FCC told Google "Encryption is good for security, but you can't use it, because it stops Referrer headers from being sent. Your users will just have to go without crypto."

        • by cdrudge (68377)

          It basically requires all website owners to sign up with Google to access Analytics and Webmaster Tools.

          If they don't already have an analytics package, or a Google account to access the webmaster tools for their search engine, the site maintainer either doesn't care about their site's SE performance, or is a complete idiot, or both.

          • Re: (Score:3, Informative)

            by datavirtue (1104259)
            Engaging Webmaster Tools is just part of maintaining an active website. Google analytics just slows your site and is not any better than your own server logs.
        • by Shihar (153932)

          If using encryption is a monopoly tactic, I'll take more monopolies plz. We should "monopoly" the entire web.

    • by hawguy (1600213)

      That should be good enough, right?
      Is this a good for Google, doing the right thing story, or is there more to it than meets the eye?

      It's better than nothing, which is all that Google is obligated to give them.

    • by X0563511 (793323)

      I think it's more good for everyone. It's not like you couldn't search via SSL before [google.com].

    • by daath93 (1356187)
      They are doing it so sites can't get the information without using their service, "Google Insights for Search".
      • by Omestes (471991)

        Sure, it's bad for sites and webmasters... But it's good for me, so I don't care. As a normal person, how is this bad for me? Where is my downside? I don't give a rat's ass if someone gets one less bit of information off of me.

        So, Google is helping their bottom line, and they're helping me with privacy. Sounds like the definition of "win-win" to me.

        Also, you realize you could already use Google as an encrypted service, right? This just makes it the default. Should we ban the use of secure connections now

    • by skids (119237)

      Well, really, using HTTPS and providing the linked site with a referer URL are two different things entirely, the OP makes them sound like the former necessitates the latter. The latter has more downside than the former, but both are defensible privacy measures.

    • by physburn (1095481)
      That's really a lot of internet marketers and SEO specialists having to change their jobs completely. Marketers will no longer be owning the top buzzwords, and people creating for hobbies, work or leisure will get nearer the top of the pile. Should be good for readers, and might lead to more advertising spending and link gaming. So sounds good to me.
      • by physburn (1095481)
        Correction, that should read, and might lead to more advertising spending less spent on changing content to get the ranking.
  • Refreshing (Score:5, Insightful)

    by Anonymous Coward on Tuesday October 18, 2011 @04:27PM (#37754994)

    This will break those sites that automatically generate content based on your search query.

    • Re: (Score:3, Funny)

      by Moheeheeko (1682914)
      It's always fun to mess with those sites just a bit. "find 'weapons grade uranium' for sale here!"
      • It's always fun to mess with those sites just a bit. "find 'weapons grade uranium' for sale here!"

        I recall one fake wiki that was supposedly a fix-your-computer site but every "wiki" page was a template using search terms to personalize the page, and they all suggested running the same EXE. Could make for some amusing pages by feeding it really disturbing strings for errors. Was loads of laughs for about 2 minutes.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      I've always wondered this: how did those sites GET my search terms?

      Well, I stopped using google some time ago, but back when I was, how did they get it? I enter some terms to google.com - how does sleazywebsite.com even know that I did a search? Google knows obviously and returns the sites from its map of keywords to domains. But presumably it doesn't notify every site on the internet that matches my search that I just did one, and I've seen this happen for search terms that I'm pretty sure are unique,

      • Re:Refreshing (Score:4, Informative)

        by Qwell (684661) on Tuesday October 18, 2011 @04:55PM (#37755308)

        referer

        • Re:Refreshing (Score:4, Informative)

          by kabloom (755503) on Tuesday October 18, 2011 @06:35PM (#37756542) Homepage

          And I should point out (since the GP doesn't know about referers, he probably needs more than a one word answer) that the Referer is a field in your HTTP request that's automatically sent by your browser telling it the address of the website that you came from. Since Google (and other search engines) put the query string in the URL of the search results page (like they should), the website can read the results out of the URL and know what your search terms were.

          Google didn't invent this as a way to invade your privacy -- it's been a feature of the web since the early days.

          • Re:Refreshing (Score:5, Interesting)

            by williamhb (758070) on Tuesday October 18, 2011 @09:49PM (#37758032) Journal

            And I should point out (since the GP doesn't know about referers, he probably needs more than a one word answer) that the Referer is a field in your HTTP request that's automatically sent by your browser telling it the address of the website that you came from. Since Google (and other search engines) put the query string in the URL of the search results page (like they should), the website can read the results out of the URL and know what your search terms were.

            Google didn't invent this as a way to invade your privacy -- it's been a feature of the web since the early days.

            It's also what was behind the "Bing copies Google" ridiculousness some time ago. For Bing toolbar users, the HTTP request when you visit any site is also sent to Microsoft (if you have "suggested sites" turned on), so they get the traffic stats. Bing also used the Referer that brought a user to a page as one of its minor indexing terms. By clicking a link on a page, the user has indicated they think the link is relevant to what they are looking for -- so the Referer, and especially any query contained within it, is pretty good information. And it's the user's information -- the user both typed the search query, and chose to click the link. Google's experiment spammed the signal by ordering employees to visit a page for a made-up search query (non-existent words) so that those paid click-throughs would be the only information Bing could receive for those made-up words. The words didn't exist, so Bing couldn't index them off the web -- so it doesn't matter what algorithms Bing uses, that forced the paid click-throughs to be the only results because there was no other source of data in the world for those words. Google then spun it that it was Google's information that Bing was using (Google own their generated results page, most of which was not clicked on and did not appear in Bing) rather than the human user's information (what sites the user chooses to visit). The difference being that if it's the human user's information (if your clicks belong to you not Google), then the human user is within his rights to give that information to whomever he likes, including Microsoft, and Microsoft are within their rights to use it as an index signal, albeit according to them it was a very minor one.

            There is a current relevance to this history. That Referer information from the user's browser is valuable data. By making this change, Google is ensuring that they get this valuable data and others don't. They get to see the full details of both where you came from and where you went; others only get the full details of where you went, and no longer get full details on where you came from. That's a straightforward business advantage. They can then sell more detailed stats to companies (in a freemium model), sell tools that let you access the Referer information that users used to give you for free, etc. While there's a privacy angle to this story (your data is now sent to fewer places), there's also money in this decision.

        • by antdude (79039)

          And that can be blocked/disabled in clients like web browsers. However, some sites require them. I always block my referrers that get sent if possible.

      • by D'Sphitz (699604)
        When you click a link the referring URL is sent in a header. With Google and most other search engines your query is in that URL.
      • Reminds me of those driver websites that embed Google ad links into download buttons. Complete violation of Google TOS yet the whole site is based on that technique and returns on the top of search results.
    • Yay!
    • by blair1q (305137)

      Since the link you follow is a result of the search, it's got the content baked-in.

      Those sites that were spying on search results to decide what to do were trying to be too smart.

      Hopefully what this really fixes is the massive disconnect between prices reported by Google Shopping and the price shown on the click-through, which happens so often that it must be the result of futzing with what Google sees and what the user sees for the same search term.

  • by Hatta (162192) on Tuesday October 18, 2011 @04:27PM (#37755004) Journal

    So I have to sign up with google and let them track me, or they'll divulge my searches to websites who will track me?

    • Re:Some deal (Score:4, Informative)

      by Hatta (162192) on Tuesday October 18, 2011 @04:29PM (#37755038) Journal

      Never mind, I should RTFA. For the rest of us who didn't: encrypted.google.com [google.com].

    • by Anonymous Coward

      It's not Google divulging your searches to websites, it's you. Well, it's your web browser to be more precise, see http://en.wikipedia.org/wiki/HTTP_referrer especially the section on Referrer hiding.

    • by blair1q (305137)

      Google tracks you plenty without you signing in.

    • Re:Some deal (Score:4, Insightful)

      by scdeimos (632778) on Tuesday October 18, 2011 @05:03PM (#37755364)
      You are the product.
  • by Anonymous Coward

    On one hand, automatic encryption for logged-in users. On the other hand, Google can track you better if you're logged in. When you're logged in they can build a profile on you based on your search terms. But many people are logged in anyways. So mixed bag.

  • Good or bad? (Score:5, Insightful)

    by Daetrin (576516) on Tuesday October 18, 2011 @04:27PM (#37755012)
    Is this going to be considered good because it helps protect our privacy from the websites? Or bad because Google is effectively monetizing the private information by keeping the details to themselves (and using it?) while only handing out aggregate data to everyone else? I can see arguments being made either way.
    • The thing I noticed was that they called out organic searches only. Does this mean the paid links in search will still have access to the search terms used?
      • by Pharmboy (216950)

        The thing I noticed was that they called out organic searches only. Does this mean the paid links in search will still have access to the search terms used?

        You can easily tell which search term was used by using a different address for each search term. (Google allows you to show only the domain name and not the full URL in ads) We have done this for years to a small extent. If you really want to get technical, you make the link for a search term (example: "soap") to be like "www.mydomain.com/myapp.cgi?so

    • Re:Good or bad? (Score:5, Insightful)

      by blair1q (305137) on Tuesday October 18, 2011 @05:00PM (#37755348) Journal

      How is it private information when you presented it to Google for them to do the legwork on finding 1.8 million matching websites?

      They're making it a shared secret between you and Google instead of a broadcast message to every link you choose to click.

      They're monetizing it because, well, they are the ones who gave you the free advice. 1.8 million times.

  • Unfortunately, it's a bit of a tradeoff. Instead of third party sites getting more details on how you arrived there, Google gets to build a more detailed profile on you via your user name now instead of simply your IP address. I don't particularly care for it either way.
    • by canajin56 (660655)
      Encrypted search works without being signed in. It's also 4 months old. The news is they are making it default for signed in users, not that it exists.
      • One and a half years old, not 4 months old. They said the encrypted search was introduced 4 months after encrypted Gmail was standardized, back in January last year.

      • by Baloroth (2370816)
        It's more than 4 months old. I've been using Google SSL searches since last summer some time. Basically, all this news means is that Google feels their SSL search is ready for wider deployment.
    • Unfortunately, it's a bit of a tradeoff. Instead of third party sites getting more details on how you arrived there, Google gets to build a more detailed profile on you via your user name now instead of simply your IP address.

      That would be a "tradeoff", if non-logged-in users couldn't also use encrypted Google search with the same features: https://encrypted.google.com/ [google.com]

  • by Anonymous Coward

    Good idea, but before the Internet was polluted with marketers and search engine spammers.

    I've left referrers disabled for years.

  • by Anonymous Coward

    For the version of Firefox I'm using now:
    HTTPS to HTTPS - Passed
    HTTP to HTTP - Passed
    HTTP to HTTPS - Passed
    HTTPS to HTTP - Not passed

    So if you want the referrer as a webmaster, run a secure site
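
Added example (not part of the thread or any commenter's code): a Python sketch of the mechanism the comments above describe, combining the Referer that carries the search URL's query string with the browser rule in the table, where the header is dropped only on HTTPS to HTTP. The URLs, host names and function names are constructed for illustration, and the `q` parameter name is an assumption about the search URL.

```python
from urllib.parse import urlsplit, parse_qs

def referer_sent(from_url, to_url):
    """Referer a browser following the table above would send, or None."""
    src, dst = urlsplit(from_url), urlsplit(to_url)
    # The one "Not passed" row: leaving an HTTPS page for a plain-HTTP one.
    if src.scheme == "https" and dst.scheme != "https":
        return None
    # Credentials and the #fragment are never put in a Referer header.
    host = src.netloc.rpartition("@")[2]
    return src._replace(netloc=host, fragment="").geturl()

def search_terms(referer, param="q"):
    """What the landing site can read out of the Referer (None if nothing)."""
    if not referer:
        return None
    values = parse_qs(urlsplit(referer).query).get(param)
    return values[0] if values else None

# Constructed clicks: (results page the user was on, site they clicked through to)
CLICKS = [
    ("http://www.google.com/search?q=cheap+flights", "http://shop.example/"),
    ("https://encrypted.google.com/search?q=cheap+flights", "http://shop.example/"),
    ("https://encrypted.google.com/search?q=cheap+flights", "https://shop.example/"),
    # A form submitted with POST keeps the terms out of the URL entirely.
    ("http://www.google.com/search", "http://shop.example/"),
]

def what_sites_learn(clicks=CLICKS):
    """Search terms each landing site can recover, one entry per click."""
    return [search_terms(referer_sent(src, dst)) for src, dst in clicks]

if __name__ == "__main__":
    for (src, dst), terms in zip(CLICKS, what_sites_learn()):
        print(f"{src} -> {dst}: {terms!r}")
```

Only the plain-HTTP search and the HTTPS-to-HTTPS click leave the terms readable by the landing site; the HTTPS-to-HTTP click and the POST-style URL give it nothing.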

    • Sure, but the link farms don't want to pay for SSL certificates for their subdomains such as https://viagra.spamsite.com/ [spamsite.com] , https://buy-viagra.spamsite.com/ [spamsite.com] , etc. I think I'm going to like this change.
    • by mounthood (993037)

      HTTPS to HTTP - Not passed

      So if you want the referrer as a webmaster, run a secure site

      Many Google search result links go through redirection. They use JavaScript so the browser still shows the URL if you hover over the link. Here's what's included on an SSL search result link:

      onmousedown="return rwt(this,'','','','1','AFQjCAHIe9S3k-PkE4lzgXFEjII7Gc_PVg','','0CEM0FjAA')"

      This way they can record your selection when you click a link. Redirecting isn't necessary to record your selection (they could use AJAX) and they don't seem to redirect all the time. So if you click a link that's redir

  • HTTPS Everywhere (Score:5, Informative)

    by Anonymous Coward on Tuesday October 18, 2011 @04:55PM (#37755304)

    ...is a Firefox plugin that does that for you anyways. Google has a standard HTTPS page, as does a number of other sites, like Wikipedia.

    While I applaud Google for doing this for its signed-in customers, people should be using HTTPS for everything, everywhere, if possible. Sure, it has its flaws, but better flawed privacy than no privacy.

    • by Tomato42 (2416694)
      Definitely this! If they also started checking if the same pages aren't available using HTTPS on other sites and presenting HTTPS links to users it would be golden!
    • HTTPS Everywhere seems to slow things down more than it should, though.
  • My guess is that they feel like Google wants to emulate that facet of the Facebook model. It has been said that Facebook's database of user activities and preferences is superior because it shows a more qualitative preference than "a random Google search." By walling off authenticated users, they make it possible to tie search terms more accurately to a particular user. This should shift search preferences and habits results... perhaps even improve the quality.
  • Hmm. At certain places (of employment), they use a proxy that always forces Google searches to have SafeSearch on. Using https for Google appears to bypass this particular constraint. For the moment, anyway.

    • Well, they can still MITM the connection, since they have the power to install their own CA certificate on the employees' computers.

      Squid has SslBump [squid-cache.org] and Dynamic SSL Certificate Generation [squid-cache.org] for such purpose.

    • by HTH NE1 (675604)

      Hmm. At certain places (of employment)

      (and of education and of public services)

      they use a proxy that always forces Google searches to have SafeSearch on. Using https for Google appears to bypass this particular constraint. For the moment, anyway.

      The IP range for secure searching is different from the IP range for other Google secure services. Such institutions just block access to Google secure search IPs, redirecting you back to the insecure version so they can spy on you and deny and/or punish you for seeking inappropriate knowledge (Security Now 255 [twit.tv], 27:37 - 33:20).

      There's no need for a gateway to act as a MITM performing encryptions and decryptions when it can be a MITM forcing plaintext communications f

  • by AHuxley (892839) on Tuesday October 18, 2011 @05:47PM (#37755888) Homepage Journal
    http://cryptome.org/0005/ssl-broken.htm [cryptome.org] on this issue.
    Welcome to en.wikipedia.org/wiki/Clipper_chip, Enigma or the fun of Data Encryption Standard era standards in your new safe browser.
  • Everyone benefits (Score:4, Insightful)

    by FyberOptic (813904) on Tuesday October 18, 2011 @07:50PM (#37757174)

    This is particularly beneficial to all the hapless people who think using open wifi is perfectly safe. And it saves Google from having to deal with stolen accounts as a result. That's why it's so popular on places like Twitter and Facebook, too.

    That's not to say that SSL is perfect, and a hapless user can still be tricked or spied upon once somebody starts ARP spoofing 'em or SSL stripping or what have you. But some protection is better than none.

  • It's funny to think about Google hiding referrer data from their own service.
  • Since Google accounts for 90% (or more) of the searches performed, what use is the keyword-part of Google Analytics?

    Or will they in some magical way make it work with GA, but no other tracking tool?

  • Couldn't Google change their HTML form method to use POST? That would remove most of the value from the HTTP-Referer header.
