May 22, 2010

Google Secure Search

Google launched a new version of Google Search that uses an encrypted connection to Google's servers. "With Google search over SSL, you can have an end-to-end encrypted search solution between your computer and Google. This secured channel helps protect your search terms and your search results pages from being intercepted by a third party. This provides you with a more secure and private search experience," explains Google.

Google search over SSL works for web search, but since Google has a unified interface for search, it also works for video search, book search, blog search, news search. You won't be able to use image search, product search and Google Maps, which aren't yet properly integrated with the new Google interface.

The main benefit of using the SSL version of Google search is that the communication between your computer and Google's servers is encrypted. This is especially useful if you're using a public computer, an open WiFi network or you're using Google for sensitive searches. An interesting side-effect is that browsers no longer send referrals when you're clicking on search results that don't use SSL.

Google Secure Search has a special logo, which never changes for special occasions, and the URL is https://www.google.com.


I used WireShark, a free packet sniffer, to compare the standard HTTP interface with the new HTTPS version. As you can see, if you use Google Search over SSL, even the URL is encrypted, so your query is a secret for everyone, except Google:


If you'd like to use Google SSL as the default search engine in Chrome, go to the Settings dialog, click on the "Manage" button next to the list of search engines, add "Google SSL" and make it the default search engine. The downside is that Google Chrome will no longer show suggestions when you type your query. Google Chrome should use this in the incognito mode.


For Firefox, try this search plug-in, while for Internet Explorer, you can create a search provider using the URL: https://www.google.com/search?q=TEST.

{ via Google Blog }

43 comments:

  1. may I know why we need to have our search encrypted?I mean it's just a search result right?so if someone intercepted it then it's just fine I think.

    ReplyDelete
  2. @jacobian: Go live in China. You'll learn the value of encryption /very/ quickly.

    ReplyDelete
  3. @jacobian: Sure, if someone sees one of your search queries it probably won't have much of an impact on you. But your ISP sees all of your search queries, and potentially uses them to better understand you, much as Google does. However, there's a reasonable expectation when you search with Google that you'll let Google know what your are searching for, but that expectation does not exist for your ISP.

    ReplyDelete
  4. I'm afraid that this is completely useless as it still uses URL parameters to submit the query. This would be interesting if the search was made using HTTP POST.

    ReplyDelete
  5. The query parameters show up in your browser but are not sent in the clear over the network. See the author's wireshark experiment for reference.

    ReplyDelete
  6. "If you'd like to use Google SSL as the default search engine in Chrome, go to the Settings dialog, click on the "Manage" button next to the list of search engines, add "Google SSL" and make it the default search engine"

    while i'm able to add Google SSL to my list of engines, i cannot seem to make it my default. the button is not clickable for that entry only. is this happening to anyone else?

    ReplyDelete
  7. Google SSL isn't useful for hiding your search data form Google itself (duh)... however, there's one other benefit that I love about it, which the post didn't mention:

    Most browsers will not send the Referer: header when transitioning from a https:// URL to a http:// URL. That means that (non-https) sites you click in the search results won't be able to see the search terms you use to get there. Useful if you don't disable Referer completely for functionality reasons, but would prefer not to contribute to search term collection by random sites from your searches.

    ReplyDelete
  8. The HTTP request is encrypted, yes, but the DNS query to get Google's IP isn't.
    So if I sniff your wifi network, I don't know what your search for, but I can know that you visited Google.

    ReplyDelete
  9. You will not get my DNS query for Google's IP addy as it is located in my hosts file. Or it may be on my local DNS machine.

    So what if you know I visited Google. I was visiting Google before switching over. I will be visiting Google after switching over. No change there. However, the information on what I was searching for is no longer in the clear. I no longer have my ISP or if I was on wireless someone like you knowing what I searched for.

    PS. Not everyone visits a result immediately after searching for it. So, if I search for it at noon, but do not go to the page linked on the results list until midnight, you do not know what I searched for.

    ReplyDelete
  10. I am happy with HTTPS and keep going with them.

    ReplyDelete
  11. The searches that are banned in individual Country (don't like to mention the name) are shown?

    ReplyDelete
  12. The Google Analytics will tracks the organic visits from this secure server Google SSL.

    ReplyDelete
  13. The search results are the same. For now, Google SSL is only available for Google.com, not for international domains.

    ReplyDelete
  14. When will we see this transitioned to igoogle too; i.e., being able to use https:www.google.com/ig

    it would be really usefull for lots of people...

    ReplyDelete
  15. If I search for 'test search', the returned URL is:
    https://www.google.com/search?q=test+search

    Surely this means anyone can see my my search term? Am I missing something?

    ReplyDelete
  16. Yes, you're missing basic things about Internet protocols, packets, the way computers communicate etc. Just because you see the search terms and the URL in your browser's address bar doesn't mean that the request isn't encrypted. You obviously didn't read the post, which even includes a screenshot from a packet sniffer.

    ReplyDelete
  17. @Dr Macinyasha: Why would anyone go to China? Even the Chinese seem to prefer the reverse flow.
    Google enjoys ruining careless people privacy, see the unencrypted Wifi scandal. Why do they pretend they care now?
    ISPs know about you almost anything else you browsed AND your postal address, so where is the secrecy?
    Last, Google is not used in China and Google had to withdraw from China altogether; so who cares what two Chinese search for?
    There are no technical troubles in setting up SSL. Anyone who ever set up Apache know it is a work for one person, three minutes. So what is the achievement? Why the 10 years delay? This is the sort of fad Google will do every once in a while, to pretend they do something when in fact they are not.

    ReplyDelete
  18. About five years overdue... I totally don't see why ABSOLUTELY EVERYTHING is not TLS-encrypted actually.

    ReplyDelete
  19. @Alex Chitu - cleary you are frustrated. A person's character can be seen by the way they post. You didn't explain and provide an answer, but pointed out what you thought was the obvious. May be you have a little experience, but very little knowledge. Read the posts of people who are highly regarded on the web you will not achieve that status with the way you currently write. No response needed with claims of brilliance and exams held or places worked or sites hacked. Just learn to accept everyone starts somewhere and knocking them back to try and prove your excellence proves you are a small person...

    ReplyDelete
  20. https search is lovely, however there's one problem. It is usually not enough to know something exists (so seeing it in search result list) but you probably need more info. So you click on the search result. And voila, from then on, your browsing is probably (unless the page also uses https) visible. So - who ever is sniffing after you and trying to get info about you, he will probably still get it...

    ReplyDelete
  21. I trust Google will be talking to Congress about CIPA for all of us school districts? Lawsuit city once those images get linked.

    ReplyDelete
  22. Am I the only one noticing the https search is way too slow in chrome if used as as default search?

    ReplyDelete
  23. I always caught by someone when i searched something, very useful for me.

    ReplyDelete
  24. This new search option makes it possible for students to get around school district content filters. As a result my district is now blocking ALL secure Google pages. My students can no longer use Docs. I can't access Blogger or g-mail on campus. It absolutely cripples the programs I had going with my students and their 1:1 laptops. We might as well be in China.

    ReplyDelete
  25. So, let's assume search became 100% encrypted. What this means is developers/site owners can no longer see the search terms used to reach their site from the search engine. Now, I do not know what areas of my site to optimize because people are just landing on my site and I haven't the slightest clue what keywords they used to get there.

    I sure hope Google thought this one through, because this seems to be contradicting their relentless pursuit of creating a relevant internet.

    ReplyDelete
  26. I'm with Mrs R. I work with a groups of LAs who have also decided to block access to www.google.com because of this new service bypassing our filtering systems. This change will go out tomorrow so we are bracing ourselves for the inevitable flak! Does anyone have a name/email at Google to contact? We have to get this changed.

    ReplyDelete
  27. What is the IP address for Google secure search? (SSL search site) ? Ping doesn't work on it. I need this to redirect a URL to Google secure search in my hosts file (c:\windows\system32\drivers\etc\hosts ) Many thanks.

    ReplyDelete
  28. I've been working on a plan over the last few months to use the Google Apps for Education tools for our students. We'd particularly like to use the email service, but also like the idea of online shared docs to complement our school LAN and also our VLE.

    We've been told today that our filtering service are going to have to block google.com as it can't work with the new https://google.com with its current filtering system. We understand that we'll be able to continue web searches with google.co.uk, but google.com is apparently required to log into the Google Apps for Education area.

    I've done all the preliminary work and was just about to install and setup the Google AD sync tools to create about 1000 users for our school. It now seems that this plan will have to go on hold and I'll have to look again for another alternative. This is very disappointing and I hope that Google will be able to work with education filtering services to find a way around this? IP, UK.

    ReplyDelete
  29. All our efforts seem to be paying off - I've just had an email from Google:

    http://googleenterprise.blogspot.com/2010/06/update-on-encrypted-web-search-in.html

    E2BN
    http://protex.e2bn.org

    ReplyDelete
  30. It's a nice move by google that it will show encrypted data and secure results in it's SERP' which will enhance user trust and reliability and that's why Google is the widely used search engine all over the world since last decade.

    ReplyDelete
  31. So a monopoly on secure search query is bad because your ISP is more important than your customers business needs? Look, on the internet of today, the problem with data mining is out of control. Think! Sustainability of secure transactions between businesses and consumers is already pretty well understood. Consumers are looking for better ways to keep their data secure, and the book on how to build a site that will attract more viewers has been written a thousand times over already! So, which particular words used to get consumers get to a business site are only relevant when more than 20% of visitors are using SSL based queries like the type that google is offering. Considering many more people use Google than any other search engine, it is undeniably a bad idea for businesses that use the internet for a large portion of thier advertising to scrap Google, because of the ability of some of their users to bypass their scrupulous need for knowledge about every single query to their site. I'm just saying, taking yourself out of the business loop and ending compatibility of your site with one of the largest used search engines in the world really isn't the sign of genius.

    ReplyDelete
  32. Those IT admins that work for the schools that don't know how to filter Google searches without blocking a whole domain should be fired. It's apparent that those who block the whole domain are not worth their pay. SSL MITM much?! Browser URI monitor much?! std-in/OSK/Keyboard monitor much?! Can I get a cheque?

    ReplyDelete
  33. HERE WOULD BE A GOOD REASON FOR SECURE SEARCH QUERIES

    What a sin that "We the computer users" cannot choose to have all data
    we enter go into a SINGLE full text, random access data base on our
    local hard drive, and / or one, or more remote servers. Perhaps you in
    Iran could design that software and hardware system and sell it world
    wide for enough to retire on? Like a personal google on every word you
    enter, no matter to what program.. with a chronologic tag often enough
    and the ability to create your own indexes to find concepts as well as
    particular words. "Mind Copy" or "Life Log" might be a good title. It
    could come with a [kn/] Qur~and subject index you could add your own
    vocabulary words under existing subjects.

    I can't find

    ReplyDelete
  34. HERE'S ANOTHER GOOD REASON

    ...?>*:\ ...//2010:12:[Whum (exterior) [[Hnnnk]] [Thn/]]
    #197 of 197: William Hale (hinging0) Fri 31 Dec 2010 (01:07 PM)

    Google: please offer facebook a voluntary search box users can put on
    their pages. Offer the choices of "Private search box" for owner only,
    "by permission of owner search box" or "public search box" and make it
    easy to change the status of the search box, and the pages to which it
    applies. Perhaps there would be a button with each entry you make as to
    whether you wanted it to be findable, or not?

    I have several facebook pages and it's like playing "go fish" trying
    to find anything. My TWITTER roll is about the only index I have.

    Also please see the letter to the Supreme Leader of Iran Above.

    ReplyDelete
  35. HERE'S A THIRD GOOD REASON
    (sort of a recapitulation of the first two)


    The more you tell us about you, the more you can do at sprint.com.
    Your profile is the key!

    =========NH:
    Wow, this is dangerous.
    The more you let your private sprint account listen to you, the more
    you'll learn about what sprint can do for you.
    The more you let your Sprint Private Listening Account listen to you,
    the more you'll learn about what Sprint, and the world, can do for you
    Your Sprint Private Listening Account is accesible only by you {Thn/
    05:40] You may archive your private listening data base to your local
    hard drive. At any time, you can input your delete code [[Thn/
    05:48]].
    You may delete all, or selected parts, or search words, from your
    Sprint Private Listening Account on line data base.
    You may share your SPLA on line data base {{with, or without, real
    time access}} [Thn/05:49] All temporary passwords must be renewed at
    least once a week.
    LEGAL WARNING: Remember: a constitutionally valid, lawful federal, or
    state, or local court order can permit others to access your Sprint
    Private Listening Account. ALSO currently wire tapping by the US
    Federal Government without a court order, or with a court order, [Thn/
    05:52] is being conducted on the largest scale in the history of the
    United States. Sprint is unable to inform you if the federal, or state
    government monitors your account, but Sprint guards you against
    unauthorized hackers. If you are concerned about this, please register
    as a candidate for public office.[tn// 05:56] Thank you. [^]

    ReplyDelete
  36. I've been using the secure search and am wondering why there's no Image search as there is in the nonsecure version. Video search is supported, but not Image.

    ReplyDelete
  37. @jacobian:
    Try to live in a so called democratic country, like Turkey. You will be so amazed by the advanced democracy and then you will never wish to use unencrypted search again.

    ReplyDelete
  38. I agree with other posters, this should be turned on by default. Why does anyone want to do "unsecured" search anyway ?

    ReplyDelete
  39. Problem is, if you type https://google.com in your browser address bar, it re-directs to http://www.google.com, NOT https://www.google.com

    You have to type in https://www.google.com - and who types the www in nowadays?

    ReplyDelete
  40. This is horrible, it has nothing to do with security or protection and everything with money. If you use paid ads, then you get the search phrases no matter if you use SSL or not (can you just smell the money for that data). A search result is not private information, there is nothing tied to a "person" only a search phrase. Plus, those that are looking at those searches are most likey website people who want to know what you are looking for so they can provide you with what you want. If you hide that, you will start seeing a decline in things you really want to see or search for, the overall search experience will be worse off.

    ReplyDelete
  41. Is this in any way connected to the very irritating pop-up box that appears every five minutes or so? There's no "close" button and no clue as to it's provenance.
    It says "Try secure search and click with more confidence" or something along those lines.
    Has anyone else experienced this?
    I fervently hope it'll either disappear or I find a way to send it back to the seventh circle of hades

    ReplyDelete
  42. This comment has been removed by the author.

    ReplyDelete
  43. Thanks for sharing such a descriptive and informative post. It has been written very nicely and I am sure that even a lay man would be able to understand what PPC Management, Google AdWords or digital marketing is all about. A very good post!

    ReplyDelete

Note: Only a member of this blog may post a comment.