Google search over SSL works for web search, but since Google has an unified interface for search, it also works for video search, book search, blog search, news search. You won't be able to use image search, product search and Google Maps, which aren't yet properly integrated with the new Google interface.
The main benefit of using the SSL version of Google search is that the communication between your computer and Google's servers is encrypted. This is especially useful if you're using a public computer, an open WiFi network or you're using Google for sensitive searches. An interesting side-effect is that browsers no longer send referrals when you're clicking on search results that don't use SSL.
Google Secure Search has a special logo, which never changes for special occasions, and the URL is https://www.google.com.
I used WireShark, a free packet sniffer, to compare the standard HTTP interface with the new HTTPS version. As you can see, if you use Google Search over SSL, even the URL is encrypted, so your query is a secret for everyone, except Google:
If you'd like to use Google SSL as the default search engine in Chrome, go to the Settings dialog, click on the "Manage" button next to the list of search engines, add "Google SSL" and make it the default search engine. The downside is that Google Chrome will no longer show suggestions when you type your query. Google Chrome should use this in the incognito mode.
For Firefox, try this search plug-in, while for Internet Explorer, you can create a search provider using the URL: https://www.google.com/search?q=TEST.
{ via Google Blog }
18 comments:
may I know why we need to have our search encrypted?I mean it's just a search result right?so if someone intercepted it then it's just fine I think.
@jacobian: Go live in China. You'll learn the value of encryption /very/ quickly.
@jacobian: Sure, if someone sees one of your search queries it probably won't have much of an impact on you. But your ISP sees all of your search queries, and potentially uses them to better understand you, much as Google does. However, there's a reasonable expectation when you search with Google that you'll let Google know what your are searching for, but that expectation does not exist for your ISP.
I'm afraid that this is completely useless as it still uses URL parameters to submit the query. This would be interesting if the search was made using HTTP POST.
The query parameters show up in your browser but are not sent in the clear over the network. See the author's wireshark experiment for reference.
"If you'd like to use Google SSL as the default search engine in Chrome, go to the Settings dialog, click on the "Manage" button next to the list of search engines, add "Google SSL" and make it the default search engine"
while i'm able to add Google SSL to my list of engines, i cannot seem to make it my default. the button is not clickable for that entry only. is this happening to anyone else?
Google SSL isn't useful for hiding your search data form Google itself (duh)... however, there's one other benefit that I love about it, which the post didn't mention:
Most browsers will not send the Referer: header when transitioning from a https:// URL to a http:// URL. That means that (non-https) sites you click in the search results won't be able to see the search terms you use to get there. Useful if you don't disable Referer completely for functionality reasons, but would prefer not to contribute to search term collection by random sites from your searches.
The HTTP request is encrypted, yes, but the DNS query to get Google's IP isn't.
So if I sniff your wifi network, I don't know what your search for, but I can know that you visited Google.
You will not get my DNS query for Google's IP addy as it is located in my hosts file. Or it may be on my local DNS machine.
So what if you know I visited Google. I was visiting Google before switching over. I will be visiting Google after switching over. No change there. However, the information on what I was searching for is no longer in the clear. I no longer have my ISP or if I was on wireless someone like you knowing what I searched for.
PS. Not everyone visits a result immediately after searching for it. So, if I search for it at noon, but do not go to the page linked on the results list until midnight, you do not know what I searched for.
I am happy with HTTPS and keep going with them.
The searches that are banned in individual Country (don't like to mention the name) are shown?
The Google Analytics will tracks the organic visits from this secure server Google SSL.
The search results are the same. For now, Google SSL is only available for Google.com, not for international domains.
When will we see this transitioned to igoogle too; i.e., being able to use https:www.google.com/ig
it would be really usefull for lots of people...
If I search for 'test search', the returned URL is:
https://www.google.com/search?q=test+search
Surely this means anyone can see my my search term? Am I missing something?
Yes, you're missing basic things about Internet protocols, packets, the way computers communicate etc. Just because you see the search terms and the URL in your browser's address bar doesn't mean that the request isn't encrypted. You obviously didn't read the post, which even includes a screenshot from a packet sniffer.
@Dr Macinyasha: Why would anyone go to China? Even the Chinese seem to prefer the reverse flow.
Google enjoys ruining careless people privacy, see the unencrypted Wifi scandal. Why do they pretend they care now?
ISPs know about you almost anything else you browsed AND your postal address, so where is the secrecy?
Last, Google is not used in China and Google had to withdraw from China altogether; so who cares what two Chinese search for?
There are no technical troubles in setting up SSL. Anyone who ever set up Apache know it is a work for one person, three minutes. So what is the achievement? Why the 10 years delay? This is the sort of fad Google will do every once in a while, to pretend they do something when in fact they are not.
About five years overdue... I totally don't see why ABSOLUTELY EVERYTHING is not TLS-encrypted actually.
Post a Comment