Google launched a new version of Google Search that uses an encrypted connection to Google's servers. "With Google search over SSL, you can have an end-to-end encrypted search solution between your computer and Google. This secured channel helps protect your search terms and your search results pages from being intercepted by a third party. This provides you with a more secure and private search experience," explains Google.
Google search over SSL works for web search, but since Google has a unified interface for search, it also works for video search, book search, blog search, news search. You won't be able to use image search, product search and Google Maps, which aren't yet properly integrated with the new Google interface.
The main benefit of using the SSL version of Google search is that the communication between your computer and Google's servers is encrypted. This is especially useful if you're using a public computer, an open WiFi network or you're using Google for sensitive searches. An interesting side-effect is that browsers no longer send referrals when you're clicking on search results that don't use SSL.
Google Secure Search has a special logo, which never changes for special occasions, and the URL is https://www.google.com.
I used WireShark, a free packet sniffer, to compare the standard HTTP interface with the new HTTPS version. As you can see, if you use Google Search over SSL, even the URL is encrypted, so your query is a secret for everyone, except Google:
If you'd like to use Google SSL as the default search engine in Chrome, go to the Settings dialog, click on the "Manage" button next to the list of search engines, add "Google SSL" and make it the default search engine. The downside is that Google Chrome will no longer show suggestions when you type your query. Google Chrome should use this in the incognito mode.
For Firefox, try this search plug-in, while for Internet Explorer, you can create a search provider using the URL: https://www.google.com/search?q=TEST.
{ via Google Blog }
may I know why we need to have our search encrypted?I mean it's just a search result right?so if someone intercepted it then it's just fine I think.
ReplyDelete@jacobian: Go live in China. You'll learn the value of encryption /very/ quickly.
ReplyDelete@jacobian: Sure, if someone sees one of your search queries it probably won't have much of an impact on you. But your ISP sees all of your search queries, and potentially uses them to better understand you, much as Google does. However, there's a reasonable expectation when you search with Google that you'll let Google know what your are searching for, but that expectation does not exist for your ISP.
ReplyDeleteI'm afraid that this is completely useless as it still uses URL parameters to submit the query. This would be interesting if the search was made using HTTP POST.
ReplyDeleteThe query parameters show up in your browser but are not sent in the clear over the network. See the author's wireshark experiment for reference.
ReplyDelete"If you'd like to use Google SSL as the default search engine in Chrome, go to the Settings dialog, click on the "Manage" button next to the list of search engines, add "Google SSL" and make it the default search engine"
ReplyDeletewhile i'm able to add Google SSL to my list of engines, i cannot seem to make it my default. the button is not clickable for that entry only. is this happening to anyone else?
Google SSL isn't useful for hiding your search data form Google itself (duh)... however, there's one other benefit that I love about it, which the post didn't mention:
ReplyDeleteMost browsers will not send the Referer: header when transitioning from a https:// URL to a http:// URL. That means that (non-https) sites you click in the search results won't be able to see the search terms you use to get there. Useful if you don't disable Referer completely for functionality reasons, but would prefer not to contribute to search term collection by random sites from your searches.
The HTTP request is encrypted, yes, but the DNS query to get Google's IP isn't.
ReplyDeleteSo if I sniff your wifi network, I don't know what your search for, but I can know that you visited Google.
You will not get my DNS query for Google's IP addy as it is located in my hosts file. Or it may be on my local DNS machine.
ReplyDeleteSo what if you know I visited Google. I was visiting Google before switching over. I will be visiting Google after switching over. No change there. However, the information on what I was searching for is no longer in the clear. I no longer have my ISP or if I was on wireless someone like you knowing what I searched for.
PS. Not everyone visits a result immediately after searching for it. So, if I search for it at noon, but do not go to the page linked on the results list until midnight, you do not know what I searched for.
I am happy with HTTPS and keep going with them.
ReplyDeleteThe searches that are banned in individual Country (don't like to mention the name) are shown?
ReplyDeleteThe Google Analytics will tracks the organic visits from this secure server Google SSL.
ReplyDeleteThe search results are the same. For now, Google SSL is only available for Google.com, not for international domains.
ReplyDeleteWhen will we see this transitioned to igoogle too; i.e., being able to use https:www.google.com/ig
ReplyDeleteit would be really usefull for lots of people...
If I search for 'test search', the returned URL is:
ReplyDeletehttps://www.google.com/search?q=test+search
Surely this means anyone can see my my search term? Am I missing something?
Yes, you're missing basic things about Internet protocols, packets, the way computers communicate etc. Just because you see the search terms and the URL in your browser's address bar doesn't mean that the request isn't encrypted. You obviously didn't read the post, which even includes a screenshot from a packet sniffer.
ReplyDelete@Dr Macinyasha: Why would anyone go to China? Even the Chinese seem to prefer the reverse flow.
ReplyDeleteGoogle enjoys ruining careless people privacy, see the unencrypted Wifi scandal. Why do they pretend they care now?
ISPs know about you almost anything else you browsed AND your postal address, so where is the secrecy?
Last, Google is not used in China and Google had to withdraw from China altogether; so who cares what two Chinese search for?
There are no technical troubles in setting up SSL. Anyone who ever set up Apache know it is a work for one person, three minutes. So what is the achievement? Why the 10 years delay? This is the sort of fad Google will do every once in a while, to pretend they do something when in fact they are not.
About five years overdue... I totally don't see why ABSOLUTELY EVERYTHING is not TLS-encrypted actually.
ReplyDelete@Alex Chitu - cleary you are frustrated. A person's character can be seen by the way they post. You didn't explain and provide an answer, but pointed out what you thought was the obvious. May be you have a little experience, but very little knowledge. Read the posts of people who are highly regarded on the web you will not achieve that status with the way you currently write. No response needed with claims of brilliance and exams held or places worked or sites hacked. Just learn to accept everyone starts somewhere and knocking them back to try and prove your excellence proves you are a small person...
ReplyDeletehttps search is lovely, however there's one problem. It is usually not enough to know something exists (so seeing it in search result list) but you probably need more info. So you click on the search result. And voila, from then on, your browsing is probably (unless the page also uses https) visible. So - who ever is sniffing after you and trying to get info about you, he will probably still get it...
ReplyDeleteI trust Google will be talking to Congress about CIPA for all of us school districts? Lawsuit city once those images get linked.
ReplyDeleteAm I the only one noticing the https search is way too slow in chrome if used as as default search?
ReplyDeleteI always caught by someone when i searched something, very useful for me.
ReplyDeleteThis new search option makes it possible for students to get around school district content filters. As a result my district is now blocking ALL secure Google pages. My students can no longer use Docs. I can't access Blogger or g-mail on campus. It absolutely cripples the programs I had going with my students and their 1:1 laptops. We might as well be in China.
ReplyDeleteSo, let's assume search became 100% encrypted. What this means is developers/site owners can no longer see the search terms used to reach their site from the search engine. Now, I do not know what areas of my site to optimize because people are just landing on my site and I haven't the slightest clue what keywords they used to get there.
ReplyDeleteI sure hope Google thought this one through, because this seems to be contradicting their relentless pursuit of creating a relevant internet.
I'm with Mrs R. I work with a groups of LAs who have also decided to block access to www.google.com because of this new service bypassing our filtering systems. This change will go out tomorrow so we are bracing ourselves for the inevitable flak! Does anyone have a name/email at Google to contact? We have to get this changed.
ReplyDeleteWhat is the IP address for Google secure search? (SSL search site) ? Ping doesn't work on it. I need this to redirect a URL to Google secure search in my hosts file (c:\windows\system32\drivers\etc\hosts ) Many thanks.
ReplyDeleteI've been working on a plan over the last few months to use the Google Apps for Education tools for our students. We'd particularly like to use the email service, but also like the idea of online shared docs to complement our school LAN and also our VLE.
ReplyDeleteWe've been told today that our filtering service are going to have to block google.com as it can't work with the new https://google.com with its current filtering system. We understand that we'll be able to continue web searches with google.co.uk, but google.com is apparently required to log into the Google Apps for Education area.
I've done all the preliminary work and was just about to install and setup the Google AD sync tools to create about 1000 users for our school. It now seems that this plan will have to go on hold and I'll have to look again for another alternative. This is very disappointing and I hope that Google will be able to work with education filtering services to find a way around this? IP, UK.
All our efforts seem to be paying off - I've just had an email from Google:
ReplyDeletehttp://googleenterprise.blogspot.com/2010/06/update-on-encrypted-web-search-in.html
E2BN
http://protex.e2bn.org
It's a nice move by google that it will show encrypted data and secure results in it's SERP' which will enhance user trust and reliability and that's why Google is the widely used search engine all over the world since last decade.
ReplyDeleteSo a monopoly on secure search query is bad because your ISP is more important than your customers business needs? Look, on the internet of today, the problem with data mining is out of control. Think! Sustainability of secure transactions between businesses and consumers is already pretty well understood. Consumers are looking for better ways to keep their data secure, and the book on how to build a site that will attract more viewers has been written a thousand times over already! So, which particular words used to get consumers get to a business site are only relevant when more than 20% of visitors are using SSL based queries like the type that google is offering. Considering many more people use Google than any other search engine, it is undeniably a bad idea for businesses that use the internet for a large portion of thier advertising to scrap Google, because of the ability of some of their users to bypass their scrupulous need for knowledge about every single query to their site. I'm just saying, taking yourself out of the business loop and ending compatibility of your site with one of the largest used search engines in the world really isn't the sign of genius.
ReplyDeleteThose IT admins that work for the schools that don't know how to filter Google searches without blocking a whole domain should be fired. It's apparent that those who block the whole domain are not worth their pay. SSL MITM much?! Browser URI monitor much?! std-in/OSK/Keyboard monitor much?! Can I get a cheque?
ReplyDeleteHERE WOULD BE A GOOD REASON FOR SECURE SEARCH QUERIES
ReplyDeleteWhat a sin that "We the computer users" cannot choose to have all data
we enter go into a SINGLE full text, random access data base on our
local hard drive, and / or one, or more remote servers. Perhaps you in
Iran could design that software and hardware system and sell it world
wide for enough to retire on? Like a personal google on every word you
enter, no matter to what program.. with a chronologic tag often enough
and the ability to create your own indexes to find concepts as well as
particular words. "Mind Copy" or "Life Log" might be a good title. It
could come with a [kn/] Qur~and subject index you could add your own
vocabulary words under existing subjects.
I can't find
HERE'S ANOTHER GOOD REASON
ReplyDelete...?>*:\ ...//2010:12:[Whum (exterior) [[Hnnnk]] [Thn/]]
#197 of 197: William Hale (hinging0) Fri 31 Dec 2010 (01:07 PM)
Google: please offer facebook a voluntary search box users can put on
their pages. Offer the choices of "Private search box" for owner only,
"by permission of owner search box" or "public search box" and make it
easy to change the status of the search box, and the pages to which it
applies. Perhaps there would be a button with each entry you make as to
whether you wanted it to be findable, or not?
I have several facebook pages and it's like playing "go fish" trying
to find anything. My TWITTER roll is about the only index I have.
Also please see the letter to the Supreme Leader of Iran Above.
HERE'S A THIRD GOOD REASON
ReplyDelete(sort of a recapitulation of the first two)
The more you tell us about you, the more you can do at sprint.com.
Your profile is the key!
=========NH:
Wow, this is dangerous.
The more you let your private sprint account listen to you, the more
you'll learn about what sprint can do for you.
The more you let your Sprint Private Listening Account listen to you,
the more you'll learn about what Sprint, and the world, can do for you
Your Sprint Private Listening Account is accesible only by you {Thn/
05:40] You may archive your private listening data base to your local
hard drive. At any time, you can input your delete code [[Thn/
05:48]].
You may delete all, or selected parts, or search words, from your
Sprint Private Listening Account on line data base.
You may share your SPLA on line data base {{with, or without, real
time access}} [Thn/05:49] All temporary passwords must be renewed at
least once a week.
LEGAL WARNING: Remember: a constitutionally valid, lawful federal, or
state, or local court order can permit others to access your Sprint
Private Listening Account. ALSO currently wire tapping by the US
Federal Government without a court order, or with a court order, [Thn/
05:52] is being conducted on the largest scale in the history of the
United States. Sprint is unable to inform you if the federal, or state
government monitors your account, but Sprint guards you against
unauthorized hackers. If you are concerned about this, please register
as a candidate for public office.[tn// 05:56] Thank you. [^]
I've been using the secure search and am wondering why there's no Image search as there is in the nonsecure version. Video search is supported, but not Image.
ReplyDelete@jacobian:
ReplyDeleteTry to live in a so called democratic country, like Turkey. You will be so amazed by the advanced democracy and then you will never wish to use unencrypted search again.
I agree with other posters, this should be turned on by default. Why does anyone want to do "unsecured" search anyway ?
ReplyDeleteProblem is, if you type https://google.com in your browser address bar, it re-directs to http://www.google.com, NOT https://www.google.com
ReplyDeleteYou have to type in https://www.google.com - and who types the www in nowadays?
This is horrible, it has nothing to do with security or protection and everything with money. If you use paid ads, then you get the search phrases no matter if you use SSL or not (can you just smell the money for that data). A search result is not private information, there is nothing tied to a "person" only a search phrase. Plus, those that are looking at those searches are most likey website people who want to know what you are looking for so they can provide you with what you want. If you hide that, you will start seeing a decline in things you really want to see or search for, the overall search experience will be worse off.
ReplyDeleteIs this in any way connected to the very irritating pop-up box that appears every five minutes or so? There's no "close" button and no clue as to it's provenance.
ReplyDeleteIt says "Try secure search and click with more confidence" or something along those lines.
Has anyone else experienced this?
I fervently hope it'll either disappear or I find a way to send it back to the seventh circle of hades
This comment has been removed by the author.
ReplyDeleteThanks for sharing such a descriptive and informative post. It has been written very nicely and I am sure that even a lay man would be able to understand what PPC Management, Google AdWords or digital marketing is all about. A very good post!
ReplyDelete