UPDATE: Many users are being redirected to the non-encrypted main site — a function of Google rolling this out to all its servers. Also it is necessary to include WWW. Don’t assume your searches are encyrpted, unless the url starts with HTTPS and you see the lock icon.
The move brings the same web security system that protects online banking, website logins and shopping to search — a first for a major search engine.
The encryption makes it incredibly difficult for anyone in between your computer and Google’s servers to see what search terms you use or what results Google sends back. Additionally, when you click through a search result on Google’s new secure page, your browser will not send along “referrer data” revealing the search terms you used.
The new option does not, however, keep Google from knowing and storing what you searched on and does not make you anonymous to them. It’s designed to prevent eavesdroppers from analyzing the URL or content to see the search terms you are sending to Google, or the results.
With HTTPS on, all an eavesdropper can see is that you are using Google. When not using SSL, a user of a school or corporate network can have their e-mail and web traffic read by those who control the network, while anyone using an open Wi-Fi connection can have their traffic sniffed by a hacker using simple tools.
HTTPS will be an option, not the default, though users have the ability to set the search bars in their browsers to use it as their default. The page will have a different logo and not include links on the search page to Google’s map and image search, since those do not yet have an HTTPS option.
The encrypted option is perhaps most useful for routing around censorship from countries like China, which often block searches on politically sensitive terms. However, HTTPS is only an option currently for Google.com, not for country specific sites like Google.co.hk, the Hong Kong-based search that Mainland Chinese users are being directed to as a way for Google to stop running a censored search engine in China.
Non-English speaking users who want encryption need to use Google.com for now, choosing results in their preferred language — though this loses much of the local features that country-specific Google search sites offer.
Google’s embrace of HTTPS could begin a move by web services such as social networks to begin offering encryption for more than just logins. Such increased adoption would cut down on network eavesdropping and also have the added benefit of preventing some online attacks.
Ironically, the new option came after the search company admitted it had been mistakenly eavesdropping and recording what people were doing on unencrypted Wi-Fi networks as its Street View cars were taking pictures of cities around the world and recording the IDs of Wi-Fi networks and routers. That data is used to help geolocate people using devices without GPS, but the company said for years it was not collecting session data.
It’s doubtful Google collected very much info on any one user — as the cars are constantly in motion and cycling through the channels used for Wi-Fi, but now users of https://google.com would be safe from any similar effort.
Google turned on encryption — better known as https:// — as a default for Gmail users earlier this year.
Gmail was the first major webmail service to offer encryption for full sessions, rather than just for logins. Google allowed power users to use https:// for years, and under pressure from privacy and security advocates turned it into the default for all users earlier this year. Microsoft’s new version of Hotmail, available sometime this summer, will allow users to choose HTTPS or not, but isn’t making it the default.
Using HTTPS, rather than HTTP, is not technically difficult for smaller sites, but the authenticating handshakes between a server and a browser do require more resources from both a server and the browser. That means it costs a company more to run a service and can slow down an application. Google says it’s been working for several months on the service, and that it’s not simple, given that it search results are blended — combining information from a number of services, including YouTube, that didn’t have the capability to send information via HTTPS.
No comments:
Post a Comment