Google To Encrypt All Keyword Searches 224
Hugh Pickens DOT Com writes "Danny Sullivan reports that in the past month, Google has quietly made a change aimed at encrypting all search activity to provide 'extra protection' for searchers, and possibly to block NSA spying activity. In October 2011, Google began encrypting searches for anyone who was logged into Google. The reason given was privacy. Now, Google has flipped on encryption for people who aren't even signed-in. In June, Google was accused of cooperating with the NSA to give the agency instant and direct access to its search data through the PRISM spying program, something the company has strongly denied. 'I suspect the increased encryption is related to Google's NSA-pushback,' writes Sullivan. 'It may also help ease pressure Google's feeling from tiny players like Duck Duck Go making a "secure search" growth pitch to the media.'"
Different reason cited in TFA (Score:4, Informative)
Google may be doing this not for privacy reasons at all, but because they intend to sell the exclusive organic click information and don't want third parties having access to the same information they have about those clicks.
Re:Power Implications (Score:5, Informative)
According to one of the head Google staffers responsible for their SSL/TLS operations, it's pretty much a non-issue: https://www.imperialviolet.org/2010/06/25/overclocking-ssl.html
It basically ended up adding less than 1% to the CPU overhead for their servers, didn't require special hardware, and didn't involve any new systems.
Re:Bullshit PR is Bullshit (Score:2, Informative)
STFU and do your research,
>Funny how these court challenges only started happening when stuff started to become public.
https://www.eff.org/who-has-your-back-2013
Why don't you read about the companies that were pushing back before this even got announced. There are similar tables for 2012 and 2011. You'll note that Google was up there, but few others were.
The moderators need to be sacked again... Any by sacked, I also mean "kicked in the balls".
Re:Illusion of privacy (Score:4, Informative)
I understand how it works, and there are plenty of devices that do exactly that with SSL traffic. If they can intercept the traffic and have compromised the certificates, which is certainly possible if not definite, they can decrypt it without the user ever knowing. There are even commercial devices that do exactly that.
Re:Illusion of privacy (Score:5, Informative)
I dont think you understand how SSL works. Its entire purpose is to defeat MITM.
And YOU don't understand what would happen if "the man" in the middle has access to the certificates, either the masters or the actual certificates themselves.
Do you really think "mysecretdomain.com" certificate from shitty ass low cost certificate provider doesn't have a duplicate key on file at Comodo, Network Solutions, GoDaddy or TwoCows or whatever?
They don't have to brute force or hack anything if they have an appliance in the middle that automatically grabs the certificate from the certificate issuer and spoofs both sides of the connection.
If you want your traffic encrypted, you need to generate your own certificates using software you compiled after you reviewed the code.
Re:Illusion of privacy (Score:5, Informative)
I dont think you understand how SSL works. Its entire purpose is to defeat MITM.
And YOU don't understand what would happen if "the man" in the middle has access to the certificates, either the masters or the actual certificates themselves.
Do you really think "mysecretdomain.com" certificate from shitty ass low cost certificate provider doesn't have a duplicate key on file at Comodo, Network Solutions, GoDaddy or TwoCows or whatever?
They don't have to brute force or hack anything if they have an appliance in the middle that automatically grabs the certificate from the certificate issuer and spoofs both sides of the connection.
If you want your traffic encrypted, you need to generate your own certificates using software you compiled after you reviewed the code.
Was going to post exactly this!.
But to further the point, it is strongly suspected that SSL is already broken by the NSA, and having certificates is no longer necessary.
Google publishes its own certificate. I don't think its signed by anyone but Google, a sign they have totally given up on corrupt certification companies.
They also have changed it occasionally. I notice this when my more selective operating systems prompt me to accept new certificates for some Google Services, that they were happy to use yesterday. (These are always sort of scary events that warrant close inspection).
Re:Illusion of privacy (Score:5, Informative)
That is outright false. I challenge you to provide a citation to a reasonably authoritative site saying that - basically anybody who isn't a kook. You can't.
Clearly you phrased it that way so you could reject any site I offered, based on your own myopic view point.
So here are the rules:
You don't get to reject any source! You have to invalidate every one of these and all of their claims.
After all, extraordinary claims of something being "outright false" require extraordinary proof.
http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?pagewanted=2&_r=0 [nytimes.com]
http://nakedsecurity.sophos.com/2013/03/16/has-https-finally-been-cracked/ [sophos.com]
http://www.theguardian.com/commentisfree/2013/sep/05/government-betrayed-internet-nsa-spying [theguardian.com]
http://www.theregister.co.uk/2013/09/05/nsa_gchq_ssl_reports/ [theregister.co.uk]
http://www.zdnet.com/has-the-nsa-broken-ssl-tls-aes-7000020312/ [zdnet.com]
http://www.forbes.com/sites/andygreenberg/2013/06/20/leaked-nsa-doc-says-it-can-collect-and-keep-your-encrypted-data-as-long-as-it-takes-to-crack-it/ [forbes.com]
Re:Illusion of privacy (Score:4, Informative)
Exactly as predicted, you toss out the evidence and strut off snorting.
Here it is direct from Snowden:
http://swampland.time.com/2013/09/05/five-revelations-from-snowdens-newest-leak/ [time.com]
The full extent of the NSA’s highly classified encryption cracking program Bullrun is only known by top officials in the NSA and its counterpart agencies in Britain, Canada, Australia and New Zealand. Bullrun has successfully foiled several of the world’s standard encryption methods, including SSL (Secure Sockets Layer), VPN (virtual private networks), and the encryption on 4G (fourth generation) smartphones.
Care to refute Snowden?
We are going back to my rules:
Prove your point about it being outright false or STFU.