October 18, 2011

Google Encrypted Search for Logged-in Users

Google announced that in the coming weeks all Google.com users that are logged in will be redirected to Google Secure Search. The secure version of Google Search has been launched last year and now includes all the features from the regular Google interface. The main difference is that the connection is encrypted and Google is the only one who knows the queries you've typed. ISPs, network administrators, those who intercept your connection and the webmasters of the pages from Google's search results won't able to find your searches. "SSL encrypts the communication channel between Google and a searcher's computer. When search traffic is encrypted, it can't easily be decoded by third parties between a searcher's computer and Google's servers," as Google says.

"As search becomes an increasingly customized experience, we recognize the growing importance of protecting the personalized search results we deliver. As a result, we're enhancing our default search experience for signed-in users. Over the next few weeks, many of you will find yourselves redirected to https://www.google.com (note the extra 's') when you're signed in to your Google Account. This change encrypts your search queries and Google's results page. This is especially important when you're using an unsecured Internet connection, such as a WiFi hotspot in an Internet cafe," explains Google.


Right now, https://www.google.com no longer redirects to https://encrypted.google.com and Google no longer informs users that they're using Secure Search. It's important to keep in mind that no other search engine offers this feature and SSL has a performance penalty, which means that search results pages will load slower. This is especially noticeable when you use Google Instant and the results won't show up as fast as before.

After the security incident from December 2009, Google went to great lengths to make its services more secure. Most services that require authentication default to SSL and many no longer offer unencrypted versions. It's interesting to see that Google Search will be treated just like Gmail, Google Docs, Google+ and other services that store user data even if this change won't make too many people happy (users will complain that search results pages load slower, webmasters will complain that their logs will be less useful, AdSense ads from search results will no longer be able to use the Google query and fewer users will click them, companies won't be able to monitor their employees' Google searches). Google already offers some solutions that address these issues: webmasters can use Google Webmaster Tools to find the most popular Google searches that sent users to their sites, while network admins can try the NoSSLSearch option.

It's an important change, but I don't see why signed-in users should be treated differently and why protecting user queries outweighs the drawbacks mentioned earlier. One of the explanations could be that search will no longer be a distinct service and will integrate with Google+, Gmail, Google Docs Drive so much that it will be hard to notice when you've switched to a different app. Larry Page, Google's CEO, has recently said that "our ultimate ambition is to transform the overall Google experience, making it beautifully simple, almost automagical, because we understand what you want and can deliver it instantly. This means baking identity and sharing into all of our products so that we build a real relationship with our users. Sharing on the Web will be like sharing in real life across all your stuff."

13 comments:

  1. "Google (Docs) Drive" any official word about that?

    ON: I see the importance of encrypting data from logged users, but don't see why to encrypt it if noone is logged in, this way you won't be "trackable"

    ReplyDelete
  2. "I don't see why signed-in users should be treated differently and why protecting user queries outweighs the drawbacks mentioned earlier."

    Seriously?

    ReplyDelete
  3. Despite the SSL, in the secure search the search string is easily findable in the URL itself after the &q=

    ReplyDelete
  4. The URL is encrypted, only the domain is transparent. Obviously, the query parameter is also encrypted when your browser performs the request. Just because you see the URL in the address bar doesn't mean it's sent that way.

    ReplyDelete
  5. You should try to understand that the entire communication between your computer and Google's servers is encrypted. That's the point of SSL: encrypting both the request and the result that's sent. The URL is part of the request and it's sent encrypted. The only thing that's not encrypted is the domain name (google.com). The URL is decrypted by Google's servers just like the source of the search results page is decrypted by your computer.

    ReplyDelete
  6. Learn more about HTTPS from Wikipedia: http://en.wikipedia.org/wiki/Https

    "Everything in the HTTPS message is encrypted, including the headers, and the request/response load. With the exception of the possible CCA cryptographic attack described in limitations section below, the attacker can only know the fact that a connection is taking place between the two parties, already known to him, the domain name and IP addresses."

    ReplyDelete
  7. SSL takes bigger servers to run bigger servers, an that costs more money.

    Now when user sign-in Google can use the data connected to that person to deliver more relavant ads to to the user, meaning they are more likely to click on those ads.

    An the more people that click on those ads the more revenue Google gets which covers the costs of the servers needed to run SSL.

    I expect more features will be added to login users over time, driving more people to sign up to Google+, and once they sign up and sign into use Google services that little red notification will keep them visiting Google+, at least that what I suspect Google ground plan is .

    Pretty simple really.

    ReplyDelete
  8. Does anyone know, on average, how many searches on Google are made by logged-in users (% of total searches)?

    ReplyDelete
  9. 10% of the searchers (not the searches), according to this post.

    ReplyDelete
  10. @Alex: thanks. I was looking for an official statement but I haven't found anything.

    ReplyDelete
  11. "no other search engine offers this feature..."

    Duckduckgo offers secure connection in their search results.

    ReplyDelete
  12. ok, i know this feature is awesome, help you search more secure... one thing that really bother me.. with the search was being personalized.. its mean that there is no point in using SEO for traffic .. i mean the viewer itself had stated the info that they want and Google make it easier for them...

    am i right or wrong???

    ReplyDelete
  13. Many sites look at keywords and use that info to help a searcher find what they're looking for on the site. I have a site that highlights Google search keywords on the landing page. How do I and others work around this change?

    ReplyDelete

Note: Only a member of this blog may post a comment.