Mountain View, California — In an effort to allow for more secure searching, search engine leader Google said on Tuesday that it is making HTTPS, which uses SSL encryption, the default option for searchers who are signed in, which would prevent Wi-Fi hackers and rogue ISPs from spying on their searches.
Google said on Oct. 18 that in the coming weeks, users who sign in will start being redirected to “https://google.com”. That extra “s” in HTTPS keeps data encrypted as it travels between your Web browser and Google's servers, and it has traditionally been used for things like bank and credit card company Web sites.
“This is especially essential when you are using an unsecured Internet connection, such as a Wi-Fi hotspot in an Internet cafe,” Evelyn Kao, a Google product manager, wrote in a blog post.
The change to encrypted search will be rolled out gradually over several weeks, the company said in a blog post Tuesday. People who do not have a Google account or are signed out can go directly to https://www.google.com for more secure surfing, the company stated.
To counter Wi-Fi hackers, sites that handle sensitive personal information have typically used HTTPS during the sign-in process to protect password information and then reverted to HTTP afterwards, because full encryption can sometimes slow down your experience on that site. But as more and more people sign on to services like Twitter, Facebook, or Google on public or insecure networks, it becomes easy for cyber criminals to hack in and gain access to personal account information.
“This preventive step helps webmasters keep more accurate statistics about their user traffic. They would not receive information about each individual query, however,” Kao wrote. “If you choose to click on an ad appearing on our search results page, your browser will continue to send the relevant query over the network to enable advertisers to measure the effectiveness of their campaigns and to improve the ads and offers they present to you.”
Fortunately, the latest change means that the communication between a user’s browser and Google’s servers will be wrapped in encryption by default for those logged into their Google account. As a result, hackers, school administrators and nosy corporate network admins would not be able to see what search terms you are sending to the search giant.
The encryption comes courtesy of SSL (Secure Sockets Layer), a security standard adopted by most banking and e-commerce Web sites. Google began using SSL as the default setting for Gmail in January 2010 after it learned that Gmail had been hacked in China.
For instance, when you search over SSL for “dogs,” Google encrypts the search and the results that are returned, but clicking on a result ends the encrypted connection unless the destination is also running on “https://.”
“Although SSL offers clear privacy and security benefits, it does not protect against all attacks. The benefits of SSL depend on your browser’s list of trusted root certificates, the security of the organizations that issue those certificates, and the way in which you and your browser handle certificate warnings,” Google stated. “In addition, while the connection between your computer and Google will be encrypted, if your computer is infected with malware or a keylogger, a third party might also be able to see the queries that you typed directly.”
The blog post did not describe why the default to HTTPS is only for signed-in users. According to spokesman Jay Nancarrow, Google’s increasing use of personalized search for logged-in users makes them ideal to start with. For now, the change does not apply to search from mobile devices and browser search bars, or to searches on Google search sites customized for other countries and regions. However, those are all things Google would like to encrypt as well.
More details are available on Google’s Webmaster Central blog.