Google on Tuesday radically expanded its use of bank-level security that prevents Wi-Fi hackers and rogue ISPs from spying on your searches.
Starting Tuesday, logged-in Google users searching from Google’s homepage will be using https://google.com, not http://google.com, even if they simply type google.com into their browsers. The change to encrypted search will happen over several weeks, the company said in a blog post Tuesday.
The change means that the communication between a user’s browser and Google’s servers will be wrapped in encryption by default for those logged into their Google account. That means that hackers, school administrators and nosy corporate network admins won’t be able to see what search terms you are sending to the search giant.
Google introduced an HTTPS search option in May 2010, but users had to decide to go to that page (https://google.com). Google made it harder to find after schools objected to the change, saying it prevented them from censoring and monitoring their charges.
This go-round, Google is providing a way for schools and network administrators to prevent the redirect to HTTPS, but Google will also make it clear to searchers on those networks that they are not sending data to Google via encryption.
Web marketers also howled at the idea of encrypted search, because every time a Google user clicks on a search result and goes to another website, the destination is told what search term led the user there. That marketing data is not sent from an encrypted page.
To mollify this criticism, Google is saying that from now on, websites will have to get the data on the top 1,000 search terms that led visitors to their site from Google’s webmaster tools. But the change will still throw a monkey wrench into complicated analytics tools that try to understand which search terms lead to sales on a site, which tells the site's owners how to better optimize it to earn those clicks.
The trade-off for users, however, is that they’ll be better protected when they use Wi-Fi, which is particularly easy for hackers to spy on. Tools as simple as Firesheep allow even the most unskilled computer user to hijack Facebook accounts, and more powerful tools like Wireshark are easily found on the web.
The blog post did not explain why the default to HTTPS is only for signed-in users. But according to spokesman Jay Nancarrow, Google’s increasing use of personalized search for logged-in users makes them ideal to start with. For now, the change does not apply to search from mobile devices and browser search bars or searches on Google search sites customized for other countries and regions. However, those are all things Google would like to encrypt as well.
SSL doesn’t prevent Google from knowing the content of your searches, and if you did not turn off the so-called Web History option upon sign-up, Google will store them in perpetuity. Those without Google accounts or those who want to search more securely without signing in can simply navigate to https://google.com.
Google has been a leader in adding SSL support to cloud services. Gmail is now encrypted by default, as is the company’s new social network, Google+. Facebook and Microsoft’s Hotmail make SSL an option a user must choose, while Yahoo Mail has no encryption option beyond its initial sign-in screen.