
Cool, now the bad guys can't see my searches
oh, wait, no, Google still know exactly what I searched for and are busy monetizing that data. Score!
Google has added SSL encryption to its primary search engine. Today, with a blog post, the company announced that netizens now have the option of establishing a secure https connection when searching google.com. To use the service, you must explicitly visit https://www.google.com (Notice the extra "s"). At time of writing, the …
Could somebody please explain what are the supposed advantages of SSL when using google search, beyond third parties being unable to sniff our requests? Will SSL e.g. prevent Google from recording my personal data/interests/vices or from providing my 'suspicious' queries to the powers that might request them?
Escape, 'cause me thinks we can't.
Using encrypted SSL will prevent third party crooks like BT/Phorm profiling you on the basis of your communications with Google.
You are then free to make your own choice about using Google or not, knowing that only you and your chosen search engine see your communications.
Which is the way it ought to be.
If UK ISPs can't be trusted with communications data, encryption is the inevitable result.
There are too many idiots out there who spectacularly misunderstand what the Web is and how it works, but sadly have made it to management and oversee security.
For those who think simply using SSL somehow makes their website safe (not logins, merely using SSL for the home page and everything beyond before any login) this should be a good wakeup call into what any bot or hacker can still see. Then, they can be sacked and replaced by a competent manager who doesn't spend thousands on a new SSL website and demand his techies include Google ads, maps and other stuff that either looks good, makes money or is a lazy option to making their own.
I hope they extend the SSL certificate to the iGoogle pages. On mine, I have a preview of my GMail inbox. The thing is, I've turned on SSL only in the GMail settings... and so the preview box is meant to never display my inbox.
Sometimes it doesn't, and says I have to open GMail properly to view my inbox... but sometimes it does show my email. There doesn't seem to be a lot of logic in it, and it doesn't make me entirely trusting of GMail's SSL security.
Not only will it prevent third parties from seeing what you're searching. They won't be able to tell if you're searching something, downloading something over some encrypted connection or doing whatever else one could possibly do over an internet connection using encrypted traffic.
The only two parties who know will be you and the side you're connecting with, Google in this case.
For one, this would be a good way to kill DPI for good.
Ok I will try. I'm probably wasting my time because UBfusion, you sound either closed minded or a troll, so either way unwilling to see and hear, but here goes I will try.
UBfusion, on the hope you simply don't understand, I'm guessing you are not going to understand the full implications of DPI if you have never heard of it or tried to look up DPI before. So to put DPI into layman's terms, DPI is literally outright spying as in Big Brother spying on everyone's Internet connection and sadly it is increasingly already being used.
Imagine DPI literally like the post office opening and reading every letter and parcel you send and receive, which would be an unthinkable, even criminal violation of privacy. Yet that is exactly what DPI is to an Internet connection. It's a blatantly outright violation of privacy.
The reason it's creeping in is because knowledge is, as they say, power, so arrogant self-centered powerful people want DPI so they can exploit everyone for their own gain. They wouldn't like us to spy on them, but as usual with these Narcissistic people, they fail to have empathy for everyone else.
The reason I went to the trouble to write this is because, throughout history it has always been the frankly ignorant bystanders like you UBfusion, who are part of the problem. Because your kind let society get ever more messed up, because they fail to see what is happening until it's too late. They fail to see the harm Narcissistic power hungry people do to society for their own gain. They fail to help stand against the harm until it gets so bad, it's too late to stand against it all to stop what is happening, because by this time the Narcissists have grown so powerful, they are almost unstoppable.
So you've never heard of DPI until now, ok now imagine how much more you are also failing to currently see that is also going on all the time in the relentless world push towards a literally Big Brother totalitarian level of spying, manipulation, exploitation and control. It's not just words, it is really happening, so wake up before it's too late. It's happening simply because arrogant Narcissists with no empathy for anyone else are determined to remorselessly exploit and abuse technology for their own gain.
So please try to learn what is happening, then you can help by telling other people who still don't see what is going on. Only that way will we all help wake up enough people to help stand against the growing nightmare we are all rapidly sliding into.
"If they still pass in the search parameters in the URL (Get), what's the point? People can still see what you queried, if they made them "post" messages it might actually do something."
That's not how SSL works. The query string isn't transmitted outside of the encrypted connection. And using POST requests isn't any more secure from an interception point of view, it just means people can't glean things from your address bar. And that's not even necessary when you have your query printed (twice) on the results page, is it?
Well that screws Phorm (and their evil siblings like Hitwise and Nebuad) over.
Which makes it a slightly better world than it was yesterday.
Roll on encryption. Because if the CPS and Police won't protect the privacy/security/integrity of UK communications, it is the way forward for communications in this country.
That or walking down to the shops, buying a newspaper, paying cash, and visiting the village library from time to time... in a 1980s pre-internet retro kind of way.
Which, if I'm honest, is starting to appeal to me a lot more than being spied on for the rest of my life.
It doesn't get any stupider than this.
Google, the company that said they were against holding your information for government mandated periods of time (and then went and held it for even longer times).
Google, the company that brought us buzz. Forcing gmail users into social networking users without their consent or knowledge.
I don't think anyone outside of Google's top brass can even begin to understand the genius that exists in adwords and the methods google has of capturing data and then turning that harvested information into ad-worthy material.
https://google.com = laughable.
How about a pledge from google to completely isolate all of its systems rather than tie everything they do together. Microsoft and other companies have been sued for things like this. Why does google get a pass, don't tell me, I already know.
If google are spying on my searches and/or recording them then they will see everything regardless of https.
But, since https is an encrypted connection to them, my ISP's DPI/phorm/whatever won't see it.
If you don't use google you're not losing out because this is a change to something you don't use.
If you do use google you win because you already give your data to google, and now it's only google not google+Eve.
Just like their browser Chrome - http://burgerminds.wordpress.com/2009/12/22/google-chrome-security-fail-ssl-ciphers/ , their site only allows 128 bit RC4 encryption (think WEP). Tested with Firefox 3.6.3 on Win7. For anyone with the means (and access), it would be but trivial to middle-man that connection...
Besides the encryption of the data, there's also the identification part of SSL. So you know if you go to https://www.google.com (and you bother to check out the certificate), you are actually getting data from one of:
a. Google,
b. someone who managed to defraud one of the cert providers to provide them with a google.com certificate, or
c. someone who managed to exploit one of the few known and quite difficult exploits for SSL or some exploit unknown to the white hat community.
which is a smaller group of people than "either Google or anyone who's managed to compromise your PC, or your browser, or your DNS records to send you to a fraudulent 'http://www.google.com' page."
So you do get a slightly greater assurance that you're actually submitting your search info to Google to be mined, rather than to someone else to be mined...
Another advantage of SSL for search is that the search results page with its links come back via SSL. If you click on a link to some non-SSL page (over 99 percent of all the links will be non-SSL), then when you arrive at that page you will arrive with your referrer stripped. The webmaster on that site won't know that you came from Google, and won't know what search terms you used to get there. He won't even know if you used a search engine (you could have just keyed in the URL in your address bar, which would also cause no referrer). Also, most bots that steal stuff all day long do so without a referrer, which makes you even more obscure.
Sometimes your search terms can be revealing, and it is best to keep these out of the logs of the pages you click on. Remember, these logs always have your IP address. Why give them your search terms too?
The stripped referrer when going from a SSL page to a non-SSL page is part of the SSL specification, which all browsers must follow.
As with all 'standards', a more accurate version of "part of the SSL specification, which all browsers must follow" would be "part of the SSL specification, which all browsers *should* follow". No point even testing this, there's always some differences in how browsers work, although here they probably do strip it.
all you losers bitching about how pointless this is are just butthurt that you didn't think of it yourself.
of course Google will still have your data, stopping them from getting your data was never the fucking point of encrypting the connection TO THEM. That's like saying that sending your mail in an envelope is pointless because the recipient will only open it anyway. Are your nuts numb or do you just have 2 left testicles?
SSL helps prevent third parties from snooping on your searches, be that the government, the retards at your ISP, some fat "war driver" sitting outside your house with a laptop, any site that would be interested in what you searched to reach them (e.g. every site ever), creepy voyeurs on your own network, your boss etc.
So put down the monster munch and get with the fucking program.
I searched for my own site while watching the server logs. With plain http, a click produced my full Google query in my logs through the 'Referer' header. Https scoping blocked the referrer data, so this does have some value. Malware sites won't be able to create customized fake pages and it will prevent a dozen web sites knowing that you searched for "rapid corpse disposal."
It's good news for Google too. It makes their collected data very exclusive, and Google is all about making money from data.
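The referrer behaviour described in the two comments above (the stripped referrer on an SSL-to-non-SSL click, and the search query showing up in a site's own logs), as an added example that is not from the thread. It models the HTTP/1.1 recommendation that a client omit `Referer` when leaving a secure page for a non-secure one, then scans combined-format access-log lines for Google search terms; the hosts, IP addresses, timestamp and log lines are constructed sample data.

```python
import re
from urllib.parse import urlsplit, urldefrag, parse_qs

def referer_sent(source_url, dest_url):
    """Referer a browser following the downgrade rule sends (None = omitted)."""
    src, dst = urlsplit(source_url), urlsplit(dest_url)
    if src.scheme == "https" and dst.scheme != "https":
        return None                      # secure page -> plain HTTP: header dropped
    return urldefrag(source_url).url     # fragments are never sent

# Apache/nginx "combined" log format: ... "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)

def search_terms_in_log(lines):
    """Return (client_ip, query) for every hit that arrived from a Google search."""
    found = []
    for line in lines:
        m = COMBINED.match(line)
        if not m or m.group("referer") in ("", "-"):
            continue
        ref = urlsplit(m.group("referer"))
        host = (ref.hostname or "").lower()
        if host != "google.com" and not host.endswith(".google.com"):
            continue
        terms = parse_qs(ref.query).get("q")
        if terms:
            found.append((m.group("ip"), terms[0]))
    return found

def access_log_line(ip, dest_url, source_url):
    """Constructed log line for a click from source_url to dest_url."""
    referer = referer_sent(source_url, dest_url) or "-"
    path = urlsplit(dest_url).path or "/"
    return (f'{ip} - - [01/Jan/2010:10:00:00 +0000] "GET {path} HTTP/1.1" '
            f'200 5120 "{referer}" "Mozilla/5.0"')

QUERY = "search?q=low+profile+AM2+heat+sink"
SAMPLE_LOG = [  # constructed: same click from plain-HTTP and from HTTPS search
    access_log_line("203.0.113.7", "http://shop.example/coolers",
                    "http://www.google.com/" + QUERY),
    access_log_line("203.0.113.7", "http://shop.example/coolers",
                    "https://www.google.com/" + QUERY),
    access_log_line("198.51.100.9", "http://shop.example/",
                    "http://blog.example/links.html"),
]

if __name__ == "__main__":
    for ip, terms in search_terms_in_log(SAMPLE_LOG):
        print(ip, "searched for:", terms)
```

Only the click that started on the plain-HTTP results page leaves the query in the destination's log; a destination that is itself HTTPS still receives the header under this rule.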
You, sir, have hit upon the one thing that has seemingly crept up and bitten Google on the arse without the great majority of people realising how all these dynamically created spam pages are hitting the top 10 search results. Google is feeding our search parameters to other websites to process and feedback as they wish.
I only noticed this about a month ago when I hit a page that had absolutely no relevance whatsoever to my search but specifically stated "you came here looking for <search criteria>".
You'd think that a search "intelligence" such as Google wouldn't need to rely on third parties providing the relevant pages, wouldn't you?
If SSL gets rid of that then I'm all for it.
I think you misunderstood his point, he's not talking about pages he clicks on from google search results, he's talking about links showing up in the results themselves, as though he did click on the link to that page.
I've noticed that happening too, it's become increasingly annoying when I'm trying to find something specific and I continuously get links to pages that are completely irrelevant to what I'm looking for and in the process alter my search terms to what that page "THINKS" I'm looking for.
For example, the other day I was searching for "low profile AM2 heat sink", one of the links that was returned was for amazon.com, when I clicked the link it took me to an Amazon search page with "Intel CPU cooler" pre-entered in the search box and a list of results for that search term, which had absolutely nothing to do with what I was looking for...
WRONG. RC4 is not the reason for the weakness of WEP. Rather, it is the way WEP sets up the session key.
http://en.wikipedia.org/wiki/Wired_Equivalent_Privacy#Flaws
RC4 as used in SSL is safe, because it properly creates a new session key each time a SSL connection is being created.
Whether government intel can't break RC4, I don't know. But the same can be said about AES and 3DES.
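The key-setup difference this comment points to, as an added example that is not from the thread: WEP builds each packet's RC4 key as a 3-byte IV followed by the fixed shared secret, so a repeated IV repeats the keystream, while a fresh key per connection does not. The secret, IV and plaintexts are constructed; the random 16-byte key only stands in for a per-connection session key (it is not the SSL key derivation), and WEP's CRC-32 integrity value is left out.

```python
import os

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then XOR data with the generated keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_style_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Per-packet key = IV || secret; the IV travels in the clear with the packet."""
    return rc4(iv + secret, plaintext)

def fresh_key_encrypt(plaintext: bytes) -> bytes:
    """Stand-in for a per-connection key: 16 new random bytes each call."""
    return rc4(os.urandom(16), plaintext)

def keystream_reused(c1: bytes, c2: bytes, p1: bytes, p2: bytes) -> bool:
    """If both ciphertexts used the same keystream, c1^c2 equals p1^p2."""
    return xor(c1, c2) == xor(p1, p2)

SECRET = bytes([1, 2, 3, 4, 5])      # constructed 40-bit shared secret
IV = bytes([0, 0, 42])               # constructed 24-bit IV, used twice
P1 = b"GET /search?q=one"            # constructed plaintexts, equal length
P2 = b"GET /search?q=two"

def demo():
    same_iv = keystream_reused(wep_style_encrypt(SECRET, IV, P1),
                               wep_style_encrypt(SECRET, IV, P2), P1, P2)
    fresh = keystream_reused(fresh_key_encrypt(P1),
                             fresh_key_encrypt(P2), P1, P2)
    return same_iv, fresh

if __name__ == "__main__":
    print("keystream reused (repeated IV, fresh key):", demo())
```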
My Orange internet contract update email states, in tiny letters at the bottom:
By accepting this offer, you authorise France Télécom to use the data relating to your traffic in order to be able to offer you France Télécom products or services that may meet your needs, for a period of twelve (12) months from the time the data is generated. You may object to this use at any time by contacting Customer Service at the address given above.
I have contacted Orange, twice, to oppose this traffic monitoring, and both times I have been pointed to my settings/options to activate the "liste rouge". NO, people, making my Internet phone number unlisted and placing myself on a don't-cold-call list is NOT disabling traffic monitoring. Are they specifically trained in how to miss the point? In each email the above paragraph was quoted, so while my French might be lacking, it would be bloody obvious what I was referring to. Indeed, in my second email I said I did not *want* any products or services beyond faster internet (I am on 1 megabit due to remote location), a Livebox that fully works (instructions say you can plug in USB devices for NAS capabilities, reality says otherwise), and lower cost (~30-50 euros a month is the norm for an unbundled-line service). WTF do they think they can sell to somebody whose Internet time is spent, mostly, between Veoh for obscure fansub animé and El Reg? At least World+Kitten is fully aware of Google's data-sucking activities, given Orange's (deliberate?) attempt to deflect my opposition request two times, what are their *real* intentions? At least now some of my data will be hidden from my own ISP. It's simpler than buying into a VPN service.
[bootnote: Google may be able to, through profiling, make fairly accurate guesses as to who I am and where I live. All to attempt to throw advertising at me that is mostly blocked. :-) My ISP, on the other hand, already has my exact location, a copy of my identity papers, brief information about my employment, and my bank information. Makes you wonder, doesn't it?]
"all you losers bitching about how pointless this is are just butthurt that you didn't think of it yourself.
of course Google will still have your data, stopping them from getting your data was never the fucking point of encrypting the connection TO THEM. That's like saying that sending your mail in an envelope is pointless because the recipient will only open it anyway. Are your nuts numb or do you just have 2 left testicles?
SSL helps prevent third parties from snooping on your searches, be that the government, the retards at your ISP, some fat "war driver" sitting outside your house with a laptop, any site that would be interested in what you searched to reach them (e.g. every site ever), creepy voyeurs on your own network, your boss etc."
Actually, I did think of the idea years ago. I dismissed it. Why? Simple. It will offer little, if any, boost to security.
Why do I say this? That is also simple. While it will protect your search terms, if your connection is being monitored, as soon as you click on a link on your search results, what you have clicked is visible to those monitoring your connection.
The timing of this announcement is rather suspect. Google announced it the same day they announced they had "accidentally" copied WiFi data. They probably thought they needed something to reduce the bad publicity. This solution, while expensive, was probably the easiest to implement.
I know Dephormation from other forums, and, TBH, am surprised he thinks any differently to me about this.
"you have clicked is visible to those monitoring your connection."
You assume that the link being clicked is not to another SSL site. This could be the start of the whole internet switching to SSL which is an event that I would welcome.
BTW, the button "Reply to this post", that's right... the one under every comment. Have you clicked it? You won't believe what it does.
"I know Dephormation from other forums, and, TBH, am surprised he thinks any differently to me about this".
I think we agree completely. :o)
This will do much more to protect Google's commercial interests than anyone's privacy, because so much else is presently currently unencrypted.
More generally... the web developers need to learn that encryption for all internet communication is essential, because ISPs and Governments simply cannot be trusted to respect and protect the confidentiality of our personal and commercial communications data.
"Actually, I did think of the idea years ago. I dismissed it. Why? Simple. It will offer little, if any, boost to security."
And I guess you think that the purpose is to boost security? Very funny. Blocking referrer data is where this is at. I am looking forward to not having my time wasted by fake pages customized with my search terms.
Just had a go and the speed seems fine FWIW - No difference to the usual.
Whether it provides a major or minor boost to security, it's still a boost ain't it? Can't really be a bad thing I wouldn't have thought...
Oh, and "Are your nuts numb or do you just have 2 left testicles?" - Way to brighten my morning, ta mate :D
They're more concerned about security: http://www.theregister.co.uk/2009/08/03/new_crypto_attack/
(Seriously, in the work I've done, I've noticed that clients and servers tend to select the LOWEST common security setting available, which is OK for compatibility, but sucks for actual security...)
Also should handle this:
http://www.dslreports.com/faq/16534
Mgmt Summary: ISP hijacks all search traffic to Google and sends it to their ad-ridden Yahoo-based search page. You have to opt-out on a web page (may just be a cookie or something equally stupid) in order to stop it. This happens even if you don't use the ISP DNS servers.