Google To Encrypt All Keyword Searches 224
Hugh Pickens DOT Com writes "Danny Sullivan reports that in the past month, Google has quietly made a change aimed at encrypting all search activity to provide 'extra protection' for searchers, and possibly to block NSA spying activity. In October 2011, Google began encrypting searches for anyone who was logged into Google. The reason given was privacy. Now, Google has flipped on encryption for people who aren't even signed-in. In June, Google was accused of cooperating with the NSA to give the agency instant and direct access to its search data through the PRISM spying program, something the company has strongly denied. 'I suspect the increased encryption is related to Google's NSA-pushback,' writes Sullivan. 'It may also help ease pressure Google's feeling from tiny players like Duck Duck Go making a "secure search" growth pitch to the media.'"
Power Implications (Score:4, Interesting)
I'm highly interested in the power consumption implications of this move. I remember reading somewhere that Facebook faced a nontrivial increase in power usage when they switched to https for everything, and for a website like Google, those extra cycles are definitely going to add up.
Anyone from a data center care to comment on this?
Actually... (Score:5, Interesting)
They do provide a work-around if you define www.google.com as a CNAME for nosslsearch.google.com (for schools, etc, that need to filter things). I implemented this w/o updating DNS or my hosts file by adding a proxy rule that alters the "Host" field in outgoing headers to nosslsearch.google.com to be "www.google.com". It's not perfect, but along with disabling Javascript for Google, it helps a lot.
FWIW, I'm switching to use Startpage and DuckDuckGo - not because of extra privacy, but because they let me customize my results to remove all the crap that Google adds.
Re:Illusion of privacy (Score:5, Interesting)
Do not put to much confidence in SSL. I have tested several firewall products that allow corporations to decrypt SSL traffic coming into their networks. Basically all they need is the ability put a trusted cert on the machine and force you to use a proxy. On a lot of corporate networks your SSL traffic is being decrypted and scanned. My guess is the NSA can do the same thing to you pretty much anytime they want.
Re:Illusion of privacy (Score:4, Interesting)
I personally interviewed at places that were proud of their MitM ssl cert attacks. this was more than 5 yrs ago, too, when almost no one believed this was happening. (no, I didn't take the job, it sickened me to think of myself helping them out).
if you are using a work-provided computer that had the IT group installed o/s, you can't trust it. if you installed your own o/s and never gave root privs to anyone, you may be able to trust it and it should find a 'fishy' cert being pushed on you when you go thru the corp firewall.
I tell people this: if you use a work-provided system, you should not do anything personal on it (no banking, etc). that little lock icon means nothing anymore and we should all be aware of this.