Google Offers Encrypted Web Search Option

Soulskill posted more than 3 years ago | from the helping-you-hide-your-pokemon-obsession dept.

alphadogg writes "People who want to shield their use of Google's Web search engine from network snoops now have the option of encrypting the session with SSL protection. In the case of Google search, SSL will protect the transmission of search queries entered by users and the search results returned by Google servers. Google began rolling out the encrypted version of its Web search engine on Friday. 'We think users will appreciate this new option for searching. It's a helpful addition to users' online privacy and security, and we'll continue to add encryption support for more search offerings,' wrote Evan Roseman, a Google software engineer, in an official blog post."

288 comments

The real reason (5, Interesting)

Anonymous Coward | more than 3 years ago | (#32305316)

The real reason is that internet hacking people have been figuring out how to monetize the traffic they sniff. This is merely Google reclaiming the market that is rightfully theirs.

Re:The real reason (4, Interesting)

Jackie_Chan_Fan (730745) | more than 3 years ago | (#32305438)

Exactly right. This is not about your privacy... It's about Google protecting their market from, say, Verizon, who could be packet sniffing anything you search on Google and then selling that data... which then competes with Google.

Google is simply protecting their business. It has nothing to do with user rights or privacy.

But it is a welcome addition. It's certainly a good thing... but it is also more for Google than for you.

Re:The real reason (4, Insightful)

Z00L00K (682162) | more than 3 years ago | (#32305574)

It's an enhancement that isn't a disadvantage for the user, so we should welcome it.

And if it also prevents man-in-the-middle hacking of web pages, it's a good thing.

Re:The real reason (0)

Anonymous Coward | more than 3 years ago | (#32305678)

Agreed, we all know that in a free market economy everybody acts according to their own selfish needs so nitpicking the reasons why Google did this or that is irrelevant.

We know that when a company says they're doing something to be nice or helpful they're really just making a move that benefits them, there isn't necessarily anything wrong with that, it's what you'd expect. It's what we'd all do if given the chance.

Re:The real reason (3, Insightful)

FuckingNickName (1362625) | more than 3 years ago | (#32305788)

Agreed, we all know that in a free market economy

Where?

It's what we'd all do if given the chance.

Speak for yourself.

It doesn't. (1)

SanityInAnarchy (655584) | more than 3 years ago | (#32305744)

Unless I'm missing something, this is only for the search itself. As soon as you actually click on one of those results, you're at the mercy of whatever server you're connecting to -- and probably no longer encrypted.

Re:It doesn't. (1)

Z00L00K (682162) | more than 3 years ago | (#32305852)

It would be very interesting to see how you think that Google would resolve that problem. But of course - they could at least have provided a padlock icon or something for every link that is referring to a page using HTTPS.

But at least - now it's not that easy to snoop on the net what a certain person searches for. "Ice Cream Bomb" or "Nuclear Bomb"?

Re:The real reason (1)

RJFerret (1279530) | more than 3 years ago | (#32305896)

Agreed, also now nobody else will know which words I need to look up the spelling of, relieving my virtual embarrassment!

(Did you know there are two "r"s in "embarrassment"?)

Re:The real reason (1)

Z00L00K (682162) | more than 3 years ago | (#32306062)

That's why I use Firefox - it has a spell checker! :p

Re:The real reason (0, Troll)

JeffSpudrinski (1310127) | more than 3 years ago | (#32305782)

This is merely Google again trying to appear that they are the good guys.

They simply want folks to continue to be reliant on them.

I've said it before and I will say it again. Google has totally lost their moral compass and will continue to make choices based upon greed and deceitful practices.

Just my $0.02

-JJS

MOD PARENT UP (0)

BhaKi (1316335) | more than 3 years ago | (#32305466)

WAY UP

Re:The real reason (0)

FuckingNickName (1362625) | more than 3 years ago | (#32305526)

You mean, it's a way of closing down Scroogle so they can ostensibly give you the protection of encryption while actually preserving the tracking abilities of a Google site.

Also, "rightfully"? I signed an agreement with Google to monetize stats about me in the same universe in which I signed an agreement with any other party analysing my traffic to do so.

Re:The real reason (1)

LordLimecat (1103839) | more than 3 years ago | (#32305684)

Why would this close down scroogle? And did you see the part in the summary where it says "optional"?

Re:The real reason (1)

FuckingNickName (1362625) | more than 3 years ago | (#32305776)

Why would this close down scroogle?

If you have a multi-billion dollar budget, then seeming to duplicate some of the features [scroogle.org] of a non-profit (not the important ones, mind) is a good way to reduce interest in the non-profit.

Not that Google's done anything else to bother Scroogle [theregister.co.uk] this month.

Re:The real reason (3, Insightful)

MistrBlank (1183469) | more than 3 years ago | (#32305722)

Don't care if it is. I don't know why all of our internet traffic these days isn't encrypted. Good job Google for stepping up even on the simplest of things.

Re:The real reason (0)

Anonymous Coward | more than 3 years ago | (#32305772)

It's slow. Even websites load noticeably slower, and it would just be downright unforgivable for internet games in terms of ping/lag.

Re:The real reason (1, Insightful)

FuckingNickName (1362625) | more than 3 years ago | (#32305810)

All useful sites offer complete SSL access, but I guess Google - as with IPv6 - gets to be congratulated when it makes a half-hearted attempt to do what real technology pioneers have been doing for a good decade.

In other news, everything Apple's ever done is original.

Re:The real reason (1, Insightful)

Anonymous Coward | more than 3 years ago | (#32306012)

Let's see. https://slashdot.org/ [slashdot.org] . No, redirects to http://slashdot.org/ [slashdot.org] . I suppose Slashdot isn't a useful site.

Re:The real reason (0)

IamTheRealMike (537420) | more than 3 years ago | (#32305844)

Do you have any evidence that this is even remotely the case? Who are these "internet hacking people" and how do they plan to "monetize the traffic they sniff"? Do they own an ad network? Do they have network taps in major internet exchanges?

No, because they don't exist.

Re:The real reason (-1, Troll)

Anonymous Coward | more than 3 years ago | (#32305958)

Do you have any evidence that you exist? Who is "IamTheRealMike" and how does he plan to "prove his existence"? Does he really exist or is he just an automated script? Can the automated script give a sensible reply?

No, because he doesn't exist.

Security != privacy. (0, Troll)

gzipped_tar (1151931) | more than 3 years ago | (#32305332)

It means MITM attacks are more unlikely, but your data is still in Google's hands. Everyone using Google's products should be fully aware of the privacy implications as usual.

In other words, you still trade your privacy for the service provided by Google; the difference is the trade being less likely to be interrupted now.

Re:Security != privacy. (-1, Troll)

Anonymous Coward | more than 3 years ago | (#32305364)

Thank you captain obvious. Any more insightful commentary for us?

Re:Security != privacy. (1)

WrongSizeGlass (838941) | more than 3 years ago | (#32305512)

Thank you captain obvious. Any more insightful commentary for us?

Odd != Even?
The whole in my donut is still missing?
Time + Materials != the portmanteau 'Timaterials'?

Re:Security != privacy. (5, Insightful)

drinkypoo (153816) | more than 3 years ago | (#32305370)

In other words, you still trade your privacy for the service provided by Google; the difference is the trade being less likely to be interrupted now.

Google has never shown any tendency towards abuse of my private data. My government, on the other hand, has repeatedly demonstrated its willingness to break its own laws whenever it's convenient for any of their actual constituents, i.e. corporations. I'm much more worried about my government watching my search history than google doing it. Of course, they'll give that information to my government any old time, but that's not the same thing as having it continually logged where it can fire off triggers.

No, I'm not doing anything that I feel my government would attack me for. But then, I'm not doing anything google would attack me for, either. Google continually stands in opposition to the corporations that I am concerned about. The enemy of my enemy may or may not be my friend, but odds are better than if he's my enemy's friend. Contrarily, much of what the U.S. government does makes it the enemy of any right-thinking citizen, where right-thinking is defined as "freedom-loving". (I may have a bias, but I certainly don't hide it.)

Re:Security != privacy. (2, Insightful)

BhaKi (1316335) | more than 3 years ago | (#32305496)

My government, on the other hand, has repeatedly demonstrated its willingness to break its own laws whenever it's convenient for any of their actual constituents, i.e. corporations.

You do realize that Google is a corporation too, don't you?

Re:Security != privacy. (2, Informative)

drinkypoo (153816) | more than 3 years ago | (#32305584)

My government, on the other hand, has repeatedly demonstrated its willingness to break its own laws whenever it's convenient for any of their actual constituents, i.e. corporations.
[...]
No, I'm not doing anything that I feel my government would attack me for. But then, I'm not doing anything google would attack me for, either. Google continually stands in opposition to the corporations that I am concerned about. The enemy of my enemy may or may not be my friend, but odds are better than if he's my enemy's friend.

You do realize that Google is a corporation too, don't you?

You just failed your CTBS reading comprehension test. Back to elementary school with you! (If you are in elementary school now, I apologize. I do not want to be ageist.)

Re:Security != privacy. (1)

nurb432 (527695) | more than 3 years ago | (#32305680)

No, I'm not doing anything that I feel my government would attack me for.

Today perhaps. The rules can change tomorrow.

Re:Security != privacy. (1)

shakuni (644197) | more than 3 years ago | (#32305854)

Google definitely uses my data in ways that I don't explicitly authorize them to (arguably it is embedded in one of those terms of service that I sign, but I am not talking technicality here but perception of trust), and it definitely casts suspicion on the total-transparency image that is often spread in this forum. I have posted my experience below.

http://diagonalslash.blogspot.com/2010/05/google-is-messing-with-my-profile-data.html [blogspot.com]

Re:Security != privacy. (2, Insightful)

fustakrakich (1673220) | more than 3 years ago | (#32305880)

Google has never shown any tendency towards abuse of my private data...Of course, they'll give that information to my government any old time, but that's not the same thing as having it continually logged where it can fire off triggers.

How do you know it's not being done automatically now? You don't. My advice is simply to trust no one. The internet is a party line, and anybody can hear what you're doing. And government and corporation are the same. That's the way the majority wants it. The cool thing is that you can vote in a different government if you like. You don't have to vote for your spoon-fed candidates if you don't want to. That means the problem is your friends and neighbors, not the government itself. It takes a bit more effort to drive a corporation into bankruptcy. Wall Street has turned that into a game of whack-a-mole.

think logically (2, Insightful)

yyxx (1812612) | more than 3 years ago | (#32305692)

In other words, you still trade your privacy for the service provided by Google; the difference is the trade being less likely to be interrupted now.

Privacy isn't an all or nothing proposition. I don't "trade in" my privacy, I disclose information selectively. When I search on a search engine, necessarily that search engine knows what I searched for. Google has defined retention policies, and there is no reason to believe that they don't comply with them.

However, there are other aspects of privacy I don't have control over. There's a good chance my ISP is sniffing my packets and my government is digging through them to find whatever the political hangup of the day is, and there's a good chance that whatever they are doing, they are doing incompetently.

Now, I'd like to be able to do web searches without having to second guess whether those searches (innocuous and legal as they are) trigger some stupid keyword alert in some badly written network surveillance system. Hence, I like my connections to my search engine to be encrypted.

What Google does with those searches isn't much of a concern for me: there are no known instances of Google doing data mining on behalf of governments (all they do is respond to specific requests), and all they want to do is show me ads.

So, an encrypted connection to Google protects my privacy in exactly the way I want it to: it keeps the people who have no business looking at my web searches from looking at my web searches. Simple, eh?

Re:Security != privacy. (4, Informative)

Veramocor (262800) | more than 3 years ago | (#32305828)

Google clearly states this on their page. There is no such thing as 'free'.

"A few notes to remember: Google will still maintain search data to improve your search quality and to provide better service. Searching over SSL doesn't reduce the data sent to Google -- it only hides that data from third parties who seek it. And clicking on any of the web results, including Google universal search results for unsupported services like Google Images, could take you out of SSL mode. Our hope is that more websites and services will add support for SSL to help create a better and more consistent experience for you.

We think users will appreciate this new option for searching. It's a helpful addition to users' online privacy and security, and we'll continue to add encryption support for more search offerings. To learn more about using the feature, refer to our help article on search over SSL."

They make their money by monetizing your search and with ads. You are free not to use their service.

Who is this for? (0, Troll)

ThatGuyJon (1299463) | more than 3 years ago | (#32305350)

Although I concede that this is a good thing, I can't help but question who this feature is for. Surely all the privacy-conscious people who want SSL search have already moved to other search engines (given google's questionable record on privacy issues)? SSL will only protect against man-in-the-middle attacks; if anything, it's meaningless privacy theatre.

Re:Who is this for? (1)

neumayr (819083) | more than 3 years ago | (#32305380)

I agree it's a theater, making people feel more secure somehow.
But there are many opportunities for MitM attacks for Google queries, and making those harder does make sense.

Re:Who is this for? (2, Insightful)

gzipped_tar (1151931) | more than 3 years ago | (#32305442)

SSL adds protection to both ends of the communication. This may look like a circus from the user's perspective; but for Google themselves, it's better self-defense.

Re:Who is this for? (3, Informative)

euyis (1521257) | more than 3 years ago | (#32305468)

At least it's nice for Google users in China like me. The government has been actively disrupting Google's service in mainland China since they moved to Hong Kong, resetting your connection if certain words/characters (yes, characters!) are detected. An encrypted connection surely makes using Google in China less painful.

Re:Who is this for? (1)

fustakrakich (1673220) | more than 3 years ago | (#32305924)

They won't reset it if they detect an encrypted connection? Because I sure would if I was the blue meanie in charge...

Re:Who is this for? (1)

lordmatrix (1439871) | more than 3 years ago | (#32305582)

Just so you know, they use 128-bit RC4 encryption, which is considered insecure. Today AES-256 is standard.

Re:Who is this for? (0)

Anonymous Coward | more than 3 years ago | (#32305700)

I don't think 128-bit RC4 is considered insecure. That's the default cipher of WPA, after all. Anyway, if you don't like it, disable it in your browser. Then the client and the server will agree on some other cipher during SSL negotiation, probably AES.

Re:Who is this for? (1)

Alwin Henseler (640539) | more than 3 years ago | (#32305704)

I doubt it's meant to prevent a government from breaking into a specific connection, or things like that. If your government wanted to do that, they might also break into your computer remotely & install a keylogger. Governments have resources to pull that kind of crap.

It's more likely meant to prevent large scale snooping on Google traffic, for marketing or other (political?) purposes. And for that purpose, any encryption is strong enough when it makes breaking into connections expensive enough (as in: not worth the effort). I'd guess the bright folks over at Google have determined RC4 128-bit good enough for that purpose.

Re:Who is this for? (2, Insightful)

yyxx (1812612) | more than 3 years ago | (#32305728)

(given google's questionable record on privacy issues)?

Really? Like what?

moved to other search engines

Like which one? Bing? What reason do I have to trust them any more than Google?

I can't help but question who this feature is for.

Pretty much anybody. Right now, your ISP and your government likely are scanning your unencrypted web communications for keywords and prohibited content. Even if you don't do anything wrong, you may trigger those systems, with potentially unpleasant consequences. An SSL connection makes that harder for them.

And it's a matter of principle: my web searches are nobody's business other than my own and my search engine's.

SSL will only protect against man-in-the-middle attacks;

SSL protects against eavesdropping.

Expect a privacy campaign from Google (0)

Anonymous Coward | more than 3 years ago | (#32305362)

They are under fire on G.Streetview in Europe this week, and need to create a lot of goodwill to get things back on track...

Scroogle is better (1)

Antiocheian (859870) | more than 3 years ago | (#32305374)

This isn't news. Scroogle has been doing this for years and besides security it also adds privacy.

Re:Scroogle is better (2, Informative)

XPeter (1429763) | more than 3 years ago | (#32305416)

Yes, but Scroogle has recently been shut down by Google, so this is their alternative.

Re:Scroogle is better (0)

bbqsrc (1441981) | more than 3 years ago | (#32305434)

This is a much more anonymous alternative. [startpage.com] They even have a custom contract with Google to not pull user data with their adsense crap. You can even proxy the links through a proxy server :)

Re:Scroogle is better (3, Informative)

Anonymous Coward | more than 3 years ago | (#32305538)

Scroogle was never shut down by google. Google changed the layout of their results page, and scroogle had to update its scraping software in order to be able to read the new format.

here [theregister.co.uk] is the article where Scroogle claims they'll have to shut down forever, and here [scroogle.org] is scroogle, working fine.

One last note, for the truly paranoid: how do you know scroogle isn't a front, run by google?

Re:Scroogle is better (3, Insightful)

James_Duncan8181 (588316) | more than 3 years ago | (#32305554)

Yes, but Scroogle has recently been shut down by Google, so this is their alternative.

http://www.scroogle.org/scrapen8.html [scroogle.org] - well, it certainly didn't take much research to work out that isn't true.

Re:Scroogle is better (1)

Allnighte (1794642) | more than 3 years ago | (#32305426)

Wasn't Scroogle messed up by a Google change recently? And Scroogle said they'd never get it working again? I think it was a Slashdot article a few weeks back. Maybe this is why?

Not only that !!! (0)

Anonymous Coward | more than 3 years ago | (#32305378)

You can also play Pacman now WOHOO!!

Now I can Google my SSN and CC#!!! (3, Interesting)

AmazinglySmooth (1668735) | more than 3 years ago | (#32305392)

I really wanted to know if any sites are posting my SSN and CC#. Thank you, Google.

Re:Now I can Google my SSN and CC#!!! (4, Informative)

hedwards (940851) | more than 3 years ago | (#32305446)

I know you're joking, but the way you do that is by googling the first 5 or 6 digits of your SSN, then manually comparing the last 4. The first 5 or 6 aren't unique and can be relatively easily guessed based upon the location and date of birth. Similar searches are great for finding CC#s that might be posted online.

Re:Now I can Google my SSN and CC#!!! (5, Informative)

thijsh (910751) | more than 3 years ago | (#32305588)

Better yet, google for a range of 10000 numbers by adding two dots between the lower and upper number:
Google: 123450000..123459999

This way you can search for SSN, CC numbers etc.

Re:Now I can Google my SSN and CC#!!! (1)

noidentity (188756) | more than 3 years ago | (#32305972)

What's the error mean "Certificate is signed by an unknown authority?" Oh well, I'll search for my SSN and CC# anyway...

Implications on China (5, Insightful)

dncsky1530 (711564) | more than 3 years ago | (#32305428)

This could be an interesting development for Google's efforts in China. If the traffic between google and the client is encrypted then the firewall of China *shouldn't* be able to analyse the search results coming back. The only option for China might be to block Google SSL completely but that might be a bit too risky politically.

Re:Implications on China (2, Informative)

gzipped_tar (1151931) | more than 3 years ago | (#32305536)

It's meaningless. You search for some keywords over SSL and click on a non-https link in the result page. BAM, the Referer now points to the result page, which contains the keywords you just used in its URL.

Of course Referer is easily spoofed, but you get the idea: Google search is only one aspect of a person's online activities, and the secret hiding in it can be analysed using side channels.

Re:Implications on China (1, Informative)

Anonymous Coward | more than 3 years ago | (#32305572)

Turn the referer header off. In contrast to spoofing it, turning it off completely breaks very few web sites. In Firefox or Seamonkey: about:config -> network.http.sendRefererHeader=0.

Re:Implications on China (0)

Anonymous Coward | more than 3 years ago | (#32305982)

If your browser is not broken, there's no referer header anyway, since you're coming from an encrypted page.

Re:Implications on China (1)

roman_mir (125474) | more than 3 years ago | (#32305576)

There is a fix for that: look at what Opera is doing. They are allowing you to browse in a mode that first caches the pages on Opera's side, then pre-processes them and sends them to the browser. This could also be used to surf all the found sites through an SSL-encrypted connection.

Re:Implications on China (1)

gzipped_tar (1151931) | more than 3 years ago | (#32305824)

The government can still get quite a clear picture of your online activities from the DNS queries during your supposedly "safe" browsing sessions.

Re:Implications on China (1)

roman_mir (125474) | more than 3 years ago | (#32305848)

Google already provides DNS servers, why not encrypted ones?

Re:Implications on China (4, Informative)

Nukenin (646365) | more than 3 years ago | (#32305838)

You search for some keywords over SSL and click on a non-https link in the result page. BAM, the Referer now points to the result page, which contains the keywords you just used in its URL.

According to RFC2616 (HTTP/1.1) section 15.1.3 "Encoding Sensitive Information in URI's" [ietf.org] , "Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol."
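The leak gzipped_tar describes above and the RFC 2616 rule Nukenin cites, as an added example that is not code from the thread or from any browser. It models the Referer a client SHOULD send for a navigation, and what a plaintext destination can read back from it; all URLs are constructed samples.

```python
"""Referer leakage of search terms, and the RFC 2616 section 15.1.3 rule:
no Referer when leaving a page fetched over a secure scheme for a non-secure one.
Added example with constructed URLs; not code from the thread."""
from typing import Optional
from urllib.parse import parse_qs, urlsplit


def referer_for(referring_url: str, target_url: str) -> Optional[str]:
    """Return the Referer value a client SHOULD send when navigating from
    referring_url to target_url, or None when RFC 2616 15.1.3 says to omit it."""
    src = urlsplit(referring_url)
    dst = urlsplit(target_url)
    if src.scheme == "https" and dst.scheme != "https":
        # HTTPS -> HTTP: the referring URL (with its query string) must not leak.
        return None
    # Referer never carries userinfo or the fragment; rebuild host[:port] cleanly.
    netloc = src.hostname or ""
    if src.port:
        netloc += f":{src.port}"
    return src._replace(netloc=netloc, fragment="").geturl()


def leaked_query(referer: Optional[str]) -> Optional[str]:
    """What the destination server (and anyone on the path, if the request is
    plaintext) can read from the Referer: the 'q' parameter of a Google-style
    results URL, if present."""
    if referer is None:
        return None
    values = parse_qs(urlsplit(referer).query).get("q")
    return values[0] if values else None


if __name__ == "__main__":
    # Constructed results-page URLs: the pre-SSL one and the SSL one.
    for results in ("http://www.google.com/search?q=nuclear+bomb",
                    "https://www.google.com/search?q=nuclear+bomb"):
        for target in ("http://example.org/article", "https://example.org/article"):
            ref = referer_for(results, target)
            print(f"{results} -> {target}: Referer={ref!r}, visible query={leaked_query(ref)!r}")
```

With the plaintext results page every click hands the query to the target site; with the SSL results page only HTTPS targets still receive it, which is why Google's FAQ (quoted later in the thread) notes that referrers are turned off on HTTP links.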

Re:Implications on China (1)

gzipped_tar (1151931) | more than 3 years ago | (#32305910)

Wow, I didn't know that. Thank you.

Still, the concern addressed in my original post holds, I think. You are not suddenly safer or freer on the Internet just because the communication between you and ONE SINGLE WEBSITE has been encrypted, even if the website is one of the top search engines.

Re:Implications on China (2, Informative)

IamTheRealMike (537420) | more than 3 years ago | (#32305862)

If you read the FAQ it says the referer header is being stripped. Not sure how, but apparently it is.

Re:Implications on China (0)

Anonymous Coward | more than 3 years ago | (#32305888)

From TFA:
"As another layer of privacy, SSL search turns off a browser's referrers. Web browsers typically turn off referrers when going from HTTPS to HTTP mode to provide extra privacy."

Re:Implications on China (1)

RJFerret (1279530) | more than 3 years ago | (#32305968)

Actually, from the Google information on their SSL search, "As another layer of privacy, SSL search turns off a browser's referrers. Web browsers typically turn off referrers when going from HTTPS to HTTP mode to provide extra privacy. By clicking on a search result that takes you to an HTTP site, you could disable any customizations that the website provides based on the referrer information."

Re:Implications on China (0)

Anonymous Coward | more than 3 years ago | (#32306046)

It's NOT meaningless.

This would really have helped me when I was staying in China because it would accelerate google searches, and ONLY activate Tor for the blocked content.

Googling through Tor was the main bottleneck to my online activities. It also lets local geeks poke around a bit.

Very funny (1, Insightful)

blai (1380673) | more than 3 years ago | (#32305444)

I'd rather let someone else know what I'm searching than let Google know that it is me searching it.

Re:Very funny (0)

Anonymous Coward | more than 3 years ago | (#32305594)

And this is why privacy tends to fail on the internet: most people are fucking morons.

and in other news... (1)

Thad Zurich (1376269) | more than 3 years ago | (#32305456)

...thousands of employers begin blocking port 443 to Google ...

Re:and in other news... (1)

cryoman23 (1646557) | more than 3 years ago | (#32305656)

Ya, I'm not an employer, but I do manage a content filter for a school, and for HTTPS sites we have to use iptables to block by IP address. I prefer to use Squid to block words/sites, but HTTPS kinda makes that hard while intercepting traffic...

Chrome/Firefox address bar still not SSL tho. (1)

Jackie_Chan_Fan (730745) | more than 3 years ago | (#32305472)

Most people today probably enter search through their address bars...

That doesn't appear to go through SSL... yet, at least.

Re:Chrome/Firefox address bar still not SSL tho. (0, Offtopic)

quantumplacet (1195335) | more than 3 years ago | (#32305620)

Firefox lets you add keyword searches (so does Opera; don't think Chrome does). Just go to https://www.google.com/ [google.com] (annoyingly, https://google.com/ [google.com] redirects to http://www.google.com/ [google.com]), right click in the search box and click "Add a Keyword for this Search". I've tested and confirmed that this will use SSL.

Re:Chrome/Firefox address bar still not SSL tho. (1)

General Wesc (59919) | more than 3 years ago | (#32306056)

In Chromium (and similar in Chrome): Options: Basics: Default Search: Manage.

All HTTP traffic should be encrypted (5, Insightful)

swillden (191260) | more than 3 years ago | (#32305500)

As a matter of course, we should use SSL on all connections. In some rare cases the computation may be too much of a burden, but in the vast majority of situations it's trivial and there's no reason not to do it.

IMO, the only reason we don't do it more is because the way browsers handle self-signed certificates is broken.

There's no reason for a browser to throw up nasty error dialogs when it encounters a self-signed certificate. Instead, browsers should silently accept such certificates and record the public key fingerprint. Browsers shouldn't turn on the lock icon when using a self-signed cert, or do anything else to make the user think they're browsing on a secure connection, because they're really not, but they should go ahead and encrypt the traffic.

Not only would that provide some measure of security against eavesdropping, but it would also assist with detection of phishing attacks. Browsers could and should throw up nasty warnings/errors when connecting to a site whose certificate has inexplicably changed. This is similar to how SSH handles trust of server keys, a system that works very well in practice.

Regarding this move by Google, I think it's great. I applauded their decision to make Gmail and Google Apps HTTPS-only, and providing the option for Google Search is great, too. Hopefully they'll eventually go to HTTPS-only for search as well. Their page volumes are such that they'll have to seriously consider the impact of the encryption overhead, but I think they'll get there.
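The SSH-style handling swillden proposes above (silently pin a self-signed certificate's fingerprint on first use, show no lock, warn loudly if it later changes), as an added example that is not code from the thread or from any browser. The certificate bytes and host names are constructed placeholders; a real client would pass the DER-encoded leaf certificate and the result of its own CA chain validation.

```python
"""Trust-on-first-use store for server certificates, modelled on ~/.ssh/known_hosts.
Added example with constructed inputs; not code from the thread or any browser."""
import hashlib
from typing import Dict, Tuple

FIRST_SEEN, MATCH, CHANGED = "first-seen", "match", "changed"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, in the colon-separated hex form
    that openssl x509 -fingerprint prints."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class KnownHosts:
    """Maps host:port to the certificate fingerprint seen on first contact."""

    def __init__(self) -> None:
        self._pins: Dict[str, str] = {}

    def check(self, host: str, port: int, cert_der: bytes,
              ca_verified: bool) -> Tuple[str, str]:
        """Decide what the browser should do with a presented certificate.

        Returns (pin_state, ui_indicator):
          - ca_verified chain  -> "lock"; a changed pin is a normal rotation, re-pin it.
          - self-signed, first contact or unchanged -> "no-lock": encrypt the
            traffic but show nothing that claims the peer is authenticated.
          - self-signed and the pinned fingerprint changed -> "warning": this is
            the one case that deserves the hard error dialog (possible MITM).
        """
        key = f"{host}:{port}"
        fp = fingerprint(cert_der)
        pinned = self._pins.get(key)
        if pinned is None:
            self._pins[key] = fp
            state = FIRST_SEEN
        elif pinned == fp:
            state = MATCH
        else:
            state = CHANGED
        if ca_verified:
            self._pins[key] = fp            # chain checks out, accept rotation
            return state, "lock"
        if state == CHANGED:
            return state, "warning"         # pinned key changed without a valid chain
        return state, "no-lock"


if __name__ == "__main__":
    kh = KnownHosts()
    cert_a, cert_b = b"constructed-cert-A", b"constructed-cert-B"   # placeholders
    print(kh.check("self-signed.example", 443, cert_a, ca_verified=False))
    print(kh.check("self-signed.example", 443, cert_a, ca_verified=False))
    print(kh.check("self-signed.example", 443, cert_b, ca_verified=False))
    print(kh.check("bank.example", 443, cert_a, ca_verified=True))
```

The warning fires only when a previously pinned self-signed key changes, so first contact with a self-signed site gets encrypted traffic and no lock, while the bank's CA-verified site keeps the lock through an ordinary certificate rotation.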

Re:All HTTP traffic should be encrypted (1, Interesting)

jimicus (737525) | more than 3 years ago | (#32305556)

IMO, the only reason we don't do it more is because the way browsers handle self-signed certificates is broken.

There's no reason for a browser to throw up nasty error dialogs when it encounters a self-signed certificate. Instead, browsers should silently accept such certificates and record the public key fingerprint. Browsers shouldn't turn on the lock icon when using a self-signed cert, or do anything else to make the user think they're browsing on a secure connection, because they're really not, but they should go ahead and encrypt the traffic

Either you're trolling or you honestly have no idea why it's a good idea to throw up all sorts of errors on encountering a self-signed certificate.

Clue: SSL is intended to guarantee that nobody can eavesdrop on your connection. As soon as you start to see anomalies in the certificate chain (such as a self-signed certificate), that guarantee cannot be upheld. In fact, there was a bug filed against Firefox a while back now when it did flash up such an error and it transpired that the connection was being eavesdropped.

Re:All HTTP traffic should be encrypted (4, Insightful)

swillden (191260) | more than 3 years ago | (#32305654)

Either you're trolling or you honestly have no idea why it's a good idea to throw up all sorts of errors on encountering a self-signed certificate.

Clue: SSL is intended to guarantee that nobody can eavesdrop on your connection. As soon as you start to see anomalies in the certificate chain (such as a self-signed certificate), that guarantee cannot be upheld.

Did you read my post? That's why the user shouldn't be given any indication that the connection is secured when a self-signed cert has been presented, because it's really not.

Sites where sensitive data is managed should not use self-signed certs, so that the certificate chain can be verified, to defeat MITM attacks. But sites that would currently not use any encryption could increase their security by a non-negligible amount by using HTTPS and a self-signed cert -- but the way browsers handle self-signed certificates is stupid and broken.

Re:All HTTP traffic should be encrypted (1)

jimicus (737525) | more than 3 years ago | (#32305714)

How's the browser meant to know the difference?

Re:All HTTP traffic should be encrypted (1)

swillden (191260) | more than 3 years ago | (#32305768)

How's the browser meant to know the difference?

The difference between what and what?

Re:All HTTP traffic should be encrypted (1)

cpghost (719344) | more than 3 years ago | (#32305814)

Parent poster probably meant to show an open lock for plaintext HTTP, a partially closed lock for self-certified certs that can't be tracked up to a trusted CA, and a closed lock for an unbroken chain of certs. This idea isn't so bad, IMHO.

Re:All HTTP traffic should be encrypted (2, Informative)

jellyfrog (1645619) | more than 3 years ago | (#32305878)

What?

Of course the browser doesn't know the difference between a site that uses signed certificates that is being MITM'd and one that uses a self-signed certificate. That's why neither of these should be advertised as being "secure". Because they're not. And when you go to https://my.bank/ and notice that the lock isn't there because someone's doing a MITM with a self-signed cert you should realise "whoa, hey, this isn't a secure connection" and proceed to not give your bank details to whoever is at the other end.

On the other hand, when you go to https://porn.site/ and it uses a self-signed certificate, well no, it's not secure. Maybe someone is doing a MITM attack. But at least some random person with a passive network sniffer can't see everything you're watching, and furthermore no-one even with an active MITM attack can affect your connection once it's been established.

Re:All HTTP traffic should be encrypted (4, Informative)

j-beda (85386) | more than 3 years ago | (#32305942)

How's the browser meant to know the difference?

The browser is not meant to (and cannot) know the difference between sites using a self-signed-certificate and those that should use a "real" certificate. That is what the user is supposed to do. What the original poster was suggesting was that sites using a self-signed-certificate display the site AS IF no security was present. Thus when you visited "Chris's House of Fly Fishing Forums" with a self-signed-certificate, you would not be presented with an obtrusive "watch out! this might be phony!" notification, but you would also not be presented with lots of flashing padlocks and icons indicating your high security. Such a system would not penalize websites which used self-signed-certificates IN COMPARISON TO sites which use NO certificate at all. Users however would have some actual benefit in that their fly fishing discussions would be better secured from third parties. If people use the same or similar account names and passwords on lots of websites, identity theft would be a bit harder than just sniffing their unencrypted web traffic if all of it was secured with self-signed-certificates.

It does seem as though there would be some non-zero positive effects to more "regular" sites using encrypted sessions, and encouraging use of self-signed certificates in cases such as these.

For a real-world example: a cheap-ass lock discourages the good-for-nothing-neighbourhood-punk-kids from rummaging through the garden shed. There is little benefit to also putting up a big sign in the drawer where we keep the key saying "the lock on the shed is a piece of shit and provides no real security".

it's not that simple (1)

yyxx (1812612) | more than 3 years ago | (#32305764)

Self-signed certificates still protect pretty well against eavesdropping (i.e., passive attacks). They don't protect against MITM attacks. But whether a certificate is self-signed is really irrelevant; even officially signed certificates are not secure against MITM attacks, since certificate authorities can forge them. The organizations likely to be able to pull off a MITM attack on my SSL connections usually can also generate certificates. In other words, there is no reason for me to trust certificate authorities; they do not have my interests at heart.

SSL needs a web of trust and mechanisms like ssh. And with a web of trust, whether something is self-signed or not doesn't matter.

As for Firefox, a simple dialog box should be sufficient; the current multi-step process is idiotic. It makes using legitimate self-signed certificates unnecessarily hard and gives people an excessive level of trust in certificates signed by a CA.

Re:All HTTP traffic should be encrypted (0)

Anonymous Coward | more than 3 years ago | (#32305790)

Self-signed certs are not necessarily an anomaly. A self-signed cert is fine provided you can personally verify its authenticity (by comparing the fingerprints in meat-world, say) and strength, as well as ensure the competency & integrity of the owner of the cert. To do this, you have to think and understand how SSL works, which is impossible for an average consumer who just wants things to work "right out of the box".

Which is the reason why there exists a market for SSL certs in the first place.

"Shee^WPeople are not able to manage their security or privacy themselves, so we the corporations and government must do it for them! They should be grateful to be ripped off and kept ignorant by us!"

Re:All HTTP traffic should be encrypted (1)

MrWim (760798) | more than 3 years ago | (#32305842)

Many websites are hosted at a single IP address. For SSL to work I believe you need 1 website = 1 IP address. I suppose IPv6 could solve this but people could then still eavesdrop on what websites you are visiting, albeit not the pages on that website. IPv6 could solve the "don't have enough IP addresses" problem and IPv6 would also bring IPSEC, which AFAIU will allow all IP traffic to be trivially encrypted.
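Editor's added example, not code from the page or from any commenter: the mechanism that lets one IP address serve several TLS sites is the server_name (SNI) extension of RFC 6066, which the client sends in its ClientHello before any key exchange has happened. The code below builds a minimal ClientHello for a hostname and parses one back out. The hostnames, cipher suite numbers and the all-zero random are constructed sample input; a real client fills the random from os.urandom. The point a practitioner should take from it is the one the comment makes about eavesdroppers: the hostname travels in the clear, so anyone on the path learns which site you visit even though the page itself is encrypted.

```python
"""Build and parse a minimal TLS ClientHello with the server_name extension
(RFC 6066).  Added example; the sample hostnames are constructed input."""
import struct


def build_client_hello(hostname=None) -> bytes:
    """Return a TLS record holding a ClientHello.  If hostname is given a
    server_name extension is attached, otherwise no extension block at all."""
    random = bytes(32)                    # fixed here for reproducibility
    session_id = b""
    cipher_suites = struct.pack("!HH", 0xC02F, 0x002F)   # two suites, arbitrary
    compression = b"\x00"                 # null compression only

    body = struct.pack("!H", 0x0303) + random
    body += struct.pack("!B", len(session_id)) + session_id
    body += struct.pack("!H", len(cipher_suites)) + cipher_suites
    body += struct.pack("!B", len(compression)) + compression

    if hostname is not None:
        name = hostname.encode("idna")
        entry = struct.pack("!BH", 0, len(name)) + name       # NameType host_name(0)
        sni_list = struct.pack("!H", len(entry)) + entry       # ServerNameList
        extension = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
        body += struct.pack("!H", len(extension)) + extension

    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # client_hello(1)
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name carried by a ClientHello record, or None if the
    hello carries no server_name extension.  Raises ValueError on anything
    that is not a well-formed ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")

    pos = 2 + 32                          # client_version + random

    def need(n):                          # bounds check against the body
        if pos + n > len(body):
            raise ValueError("truncated ClientHello")

    need(1); sid_len = body[pos]; pos += 1 + sid_len
    need(2); cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len
    need(1); cm_len = body[pos]; pos += 1 + cm_len
    if pos == len(body):
        return None                       # no extensions block at all
    need(2); ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + elen]; pos += elen
        if etype != 0x0000:               # not server_name, skip it
            continue
        lst_len = struct.unpack("!H", data[:2])[0]
        p = 2
        while p + 3 <= 2 + lst_len:
            ntype, nlen = struct.unpack("!BH", data[p:p + 3]); p += 3
            value = data[p:p + nlen]; p += nlen
            if ntype == 0:
                return value.decode("idna")
    return None


if __name__ == "__main__":
    hello = build_client_hello("www.example.com")
    print(extract_sni(hello))                         # www.example.com
    print(b"www.example.com" in hello)                # True: visible on the wire
```

The parser only looks at the first record of the first flight, which is what a passive sniffer on a shared-IP host needs; everything after the ServerHello is encrypted, so the page path is not recoverable this way, only the site name.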

Localization? (1, Interesting)

Anonymous Coward | more than 3 years ago | (#32305518)

So I just tried https://www.google.co.uk/ and it redirects to unencrypted http://www.google.se/ (.se because that's where ipredator connections show-up as, I guess)

I got a glimpse of this early yesterday (2, Interesting)

sootman (158191) | more than 3 years ago | (#32305638)

After typing in www.google.com to play some Pac-Man yesterday I was saddened to see the regular logo instead of the game but then I noticed I was at https://www.google.com/ . At first I thought all requests to http://.../ were being redirected to https://.../ but after a couple reloads I was back at http://.../ and Pac-Man, and even when I typed in https://.../ it redirected me back to http://./

My question now is, how long until the built-in browser search box in Safari uses this? (I'm sure the one in Firefox can handle this already, or will soon.) Another question: why not use https all the time? I know it's a bit more CPU to encrypt things, which is unnoticeable on modern clients, but how much of a strain is it on servers? Also, are there any popular clients out that don't support it? Is there any reason not to go all https all the time?

HTTPS.. (0)

Anonymous Coward | more than 3 years ago | (#32305642)

HTTPS is a joke really, a quick MITM (man in the middle) with ettercap or the like and you can forward the victim a fake SSL certificate when they do an "encrypted" google search and their data will be decrypted as it passes through your man in the middle.

protects your privacy from everyone but google (1)

bcrowell (177657) | more than 3 years ago | (#32305648)

This protects your privacy from everyone but google. Having someone sniff your packets is theoretically possible, but extremely unlikely in reality. On the other hand, you are absolutely guaranteed that google will harvest and store the information from your searches in order to show you ads that they think you'll be interested in. This is why I habitually use the search engine clusty.com for web searches. Clusty's search results usually seem to be about the same quality as google's, and clusty has a better privacy policy.

IP tracking (2, Insightful)

nurb432 (527695) | more than 3 years ago | (#32305664)

But google still knows what you did.

Re:IP tracking (1)

Yvanhoe (564877) | more than 3 years ago | (#32305834)

and if neither terrorist-tutorial.org or wetpussies.com offer SSL connections, this is quite useless.

Adjusting search boxes (1)

teslatug (543527) | more than 3 years ago | (#32305688)

Does anyone know how to adjust Firefox's search bar to use the SSL version of Google?

Mocking DuckDuck Go (1)

Simon (S2) (600188) | more than 3 years ago | (#32305710)

Looks like google is just mocking DuckDuckGo.
But the use of SSL on google does not offer you privacy: google still knows who you are and what you searched for.

Optimize Google (0)

Anonymous Coward | more than 3 years ago | (#32305712)

Optimize Google. Sorted.

Scroogle Scraper instead (0)

Anonymous Coward | more than 3 years ago | (#32305726)

SSL is available with Scroogle Scraper, and has been for a long time.

https://ssl.scroogle.org/

Nice lock icon! (0)

Anonymous Coward | more than 3 years ago | (#32305798)

One more technique to add to my sslstrip arsenal :D

Check that fingerprint... especially at WORK (3, Interesting)

yup2000 (182755) | more than 3 years ago | (#32305820)

but be sure to write down google's ssl fingerprint... and check it every now and then yourself. You never know when your place of work decides to start intercepting https! Mine did recently until I pointed out issues with HIPAA compliance in conjunction with our limited personal use policy! They (work) installed their own certificate on everyone's computers (but they didn't do Firefox which is why I noticed)... and then they modified the proxy servers to start taking a peek before re-encrypting and sending it along :(
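Editor's added example, not code from the page or from any commenter, serving two threads above at once: swillden's and j-beda's proposal that a browser should remember a self-signed site's key and show neither a lock nor a warning (with yyxx's "like ssh" remark), and yup2000's advice to record Google's fingerprint and check it. Both are trust-on-first-use pinning, so one store handles both. The store takes the result of ordinary chain validation as a separate input it does not compute itself (an assumption: that comes from the platform's path validation); the indicator names lock/plain/warn and the DER byte strings are constructed stand-ins, not real certificates. The scenario at the end walks through yup2000's case: the proxy's replacement certificate validates fine because its CA was installed on the machine, and only the pin mismatch catches it.

```python
"""Trust-on-first-use certificate pinning alongside chain validation.
Added example; DER blobs below are constructed stand-ins for certificates."""
import hashlib
import json

# Indicator a browser would show; the names are this example's own choice.
LOCK, PLAIN, WARN = "lock", "plain", "warn"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the DER certificate, colon-separated like openssl prints it."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class PinStore:
    def __init__(self):
        self._pins = {}          # host -> fingerprint recorded at first contact

    def check(self, host: str, cert_der: bytes, chain_valid: bool):
        """Classify one connection.  Returns (verdict, indicator).

        verdict: 'first-use'  nothing stored yet; the pin is recorded now
                 'unchanged'  matches the stored pin
                 'changed'    differs from the stored pin: possible interception
        chain_valid is the platform's path-validation result (assumed input).
        A changed pin warns even when the chain validates: that is exactly
        an interception proxy whose CA has been installed locally.
        """
        fp = fingerprint(cert_der)
        stored = self._pins.get(host)
        if stored is None:
            self._pins[host] = fp
            return "first-use", (LOCK if chain_valid else PLAIN)
        if stored == fp:
            return "unchanged", (LOCK if chain_valid else PLAIN)
        return "changed", WARN

    def accept(self, host: str, cert_der: bytes) -> None:
        """User explicitly accepts a new key, e.g. after a legitimate rotation."""
        self._pins[host] = fingerprint(cert_der)

    def dumps(self) -> str:
        return json.dumps(self._pins, sort_keys=True)

    @classmethod
    def loads(cls, text: str):
        store = cls()
        store._pins = dict(json.loads(text))
        return store


# Constructed stand-ins; any distinct byte strings behave the same way.
GOOGLE_DER = b"constructed DER stand-in: google leaf certificate"
PROXY_DER = b"constructed DER stand-in: proxy-issued certificate for google"
FORUM_DER_V1 = b"constructed DER stand-in: forum self-signed certificate v1"
FORUM_DER_V2 = b"constructed DER stand-in: forum self-signed certificate v2"


def scenario():
    """Walk through the two cases from the thread; returns the list of verdicts."""
    store = PinStore()
    out = [
        store.check("www.google.com", GOOGLE_DER, chain_valid=True),   # lock
        store.check("www.google.com", GOOGLE_DER, chain_valid=True),   # lock
        # work installs its CA and the proxy re-signs: chain validates, pin does not
        store.check("www.google.com", PROXY_DER, chain_valid=True),    # warn
        store.check("forum.example", FORUM_DER_V1, chain_valid=False), # plain
        store.check("forum.example", FORUM_DER_V1, chain_valid=False), # plain
        store.check("forum.example", FORUM_DER_V2, chain_valid=False), # warn
    ]
    # pins survive a restart and keep their verdicts
    reloaded = PinStore.loads(store.dumps())
    out.append(reloaded.check("www.google.com", GOOGLE_DER, chain_valid=True))
    return out


if __name__ == "__main__":
    for verdict in scenario():
        print(verdict)
```

To record a real pin for the check yup2000 describes, the fingerprint in the same format comes from `openssl s_client -servername www.google.com -connect www.google.com:443 </dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha256`; compare it from a network you trust against what your office proxy hands you. The one thing a pin store cannot tell apart is a legitimate key rotation from an attack, which is why `accept` is a deliberate user action rather than an automatic update.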

why not iGoogle SSL too? (1)

oddTodd123 (1806894) | more than 3 years ago | (#32305900)

This doesn't work with iGoogle yet. Boo.

Also, I'd rather they make encrypted search an account setting or a cookie setting instead of requiring you to go to a separate URL.

The bad news: (0)

Anonymous Coward | more than 3 years ago | (#32305934)

the results of your search are encrypted as well, but you do not have the key for interpreting it.

The feature we really need (2, Insightful)

dawilcox (1409483) | more than 3 years ago | (#32306002)

I've been waiting for google to provide a button on their search page "Don't connect this search with my IP address". It's not the me vs my peer privacy that I care about the most, it's the me vs google privacy that scares me.