[LINK] SSL Encrypted Searching

stephen at melbpc.org.au stephen at melbpc.org.au
Wed May 18 22:20:13 AEST 2011


Google's beta encrypted searching ..


<https://encrypted.google.com>

With Google search over SSL, you can have an end-to-end encrypted search 
solution between your computer and Google. This secured channel helps 
protect your search terms, and your search results pages, from being 
intercepted by a third party. 

This provides you with a more secure and private search experience.

To use search over SSL, visit https://encrypted.google.com  each time you 
perform a search. 

Note that only Google web search is available over SSL, so other search 
products like Google Images and Google Maps are not currently available 
over SSL. When you're searching over SSL, these properties may not appear 
in the left panel. 

What is SSL?

SSL (Secure Sockets Layer) is a protocol that helps provide secure 
Internet communications for services like web browsing, e-mail, instant 
messaging, and other data transfers. When you search over SSL, your search 
queries and search traffic are encrypted so they can't be read by any 
intermediary party such as employers and internet service providers (ISPs).

What can I expect from search over SSL?

Here's how searching over SSL is different from regular Google search:
 
* SSL encrypts the communication channel between Google and a searcher's 
computer. When search traffic is encrypted, it can't be read by third 
parties trying to access the connection between a searcher's computer and 
Google's servers. Note that the SSL protocol does have some limitations — 
more details are below.

* When you use SSL search, the browser typically does not send referrer  
information to any HTTP links you visit (but the browser will still send 
referrer information to any HTTPS links). By clicking on a search result 
that takes you to an HTTP site, you could disable any customizations that 
the website provides based on the referrer information.

* At this time, search over SSL is supported only on Google web search. We 
will continue to work to support other products like Images and Maps. All 
features that are not supported have been removed from the left panel and 
the row of links at the top. You'll continue to see integrated results 
like images and maps, and clicking those results will take you out of 
encrypted search mode.

* Your Google experience using SSL search might be slightly slower than 
you're used to because your computer needs to first establish a secure 
connection with Google.

Note that SSL search does not reduce the data that Google receives and 
logs when you search, or change the listing of these terms in your Web 
History.
 
* How will SSL search affect our content filtering services? When school 
students search using https://encrypted.google.com, their searches will 
bypass any content filters that are in place on your school network. If 
this is problematic for your school, you can block 
https://encrypted.google.com. When students continue to search using 
http://www.google.com, your content filtering will work as it always has 
in the past.

If your students try searching via the https://www.google.com homepage, 
they will be redirected to https://encrypted.google.com and will not be 
able to perform encrypted searches to bypass content filters.
 
If I block access to https://www.encrypted.google.com, will I block access 
to all of Google's authenticated services (like Google Apps for Education)?
No; logins for Google Apps for Education  and our other authenticated 
services are currently hosted at https://www.google.com. As long as you 
allow access to https://www.google.com, your organization should still be 
able to access all of our other services.

Does SSL provide complete security?

While SSL helps prevent intermediary parties, such as ISPs, from knowing 
the exact search that you typed, they could still know which websites you 
visit once you click on the search results. For example, when you search 
over SSL for [ flowers ], Google encrypts the query "flowers" and the 
results that Google returns. But when you click on a search result, 
including results like images and maps, you could be exiting the encrypted 
mode if the destination link is not on https://. 

If your computer is infected with malware or a keylogger, a third party 
might still be able to see the queries that you typed. We recommend that 
everyone learns how to prevent and remove malware. 

Remember that only Google web search supports search over SSL, so 
searching Google Images, for example, will not be encrypted.

Technical discussion of SSL protocol-level limitations
 
While SSL is a clear privacy and security benefit, we are aware of some 
technical limitations to SSL at the protocol level that are not specific 
to Google's implementation:

* A determined, skilled malicious party could potentially interpose himself 
into the network traffic and present a spoofed certificate to the user. In 
many cases, this will result in a certificate warning to the user. If you 
see a certificate warning, the protection may not hold.

* An adversary with the ability to install root certificates on the machine 
could potentially interpose himself into the network traffic without any 
warnings appearing.

* A highly capable source may be in a position to sign certificates with a 
standard, pre-installed certificate authority (CA), which again would allow 
intercept without any apparent warnings to the user.

* Even if all web searching occurs over SSL, a passive traffic listener may 
still be able to observe DNS look-ups.

How can I confirm whether I'm on a secure connection?

Check to see that the URL you're on starts with https:// instead of 
http://. Most browsers provide a visual confirmation (such as an icon of a 
lock) in the address bar or in the status bar at the bottom of the page. 
On Google SSL search, you'll also see a special Google SSL logo with a 
lock icon. In addition to this logo, be sure to also check the https:// 
text in the address bar and any browser lock icons.

When you perform a search on https://encrypted.google.com , you might see 
a warning if a page has some non-secure components: depending on your 
browser settings, you might see the lock icon turn into a warning sign, a 
pop-up message, or some other form of alert. This issue is often referred 
to as a "mixed mode error."

Since this is a beta feature, there might be some rare cases in search 
over SSL that generate a mixed mode error. We're working to prevent such 
errors, and you can help if you report any errors through our Help Forum.

--

Cheers,
Stephen
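
Added example (not part of the original post or of Google's help text): a Python sketch of the last protocol-level limitation listed above, that DNS look-ups stay readable to a passive listener even when the search itself goes over SSL. The query packet is constructed here for illustration, and the function names are hypothetical.

```python
import struct

def build_dns_query(hostname, txid=0x1234):
    """Encode a standard DNS A-record query (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, 1 question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in hostname.split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def observed_lookup(packet):
    """Return (hostname, qtype) that a passive listener reads from a query."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount < 1:
        raise ValueError("not a query carrying a question")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated QNAME")
        length = packet[pos]
        pos += 1
        if length == 0:          # root label ends the name
            break
        if length > 63 or pos + length > len(packet):
            raise ValueError("bad label length in query")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question section")
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels), qtype

# Constructed sample: the look-up a resolver sends before the SSL session
# starts. The search term travels only inside the encrypted channel, so it
# never appears in this packet; the hostname does, in cleartext.
SEARCH_TERM = "flowers"
SAMPLE_QUERY = build_dns_query("encrypted.google.com")

if __name__ == "__main__":
    host, qtype = observed_lookup(SAMPLE_QUERY)
    print("listener sees host:", host, "qtype:", qtype)
    print("search term in packet:", SEARCH_TERM.encode() in SAMPLE_QUERY)
```

The same applies to each result you click: the destination's hostname is looked up the same way, which is why an observer can still learn which sites were visited.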


