
Several Facts about Google and HTTPS

By Peter Eckersley
Published on 2009-06-25, on the EFF blog.

Three simple facts about Google and HTTPS:

One: as we posted last week, we're very pleased to hear that Google is trialling full HTTPS encryption of all Gmail pages.

Two: if Google's trials are successful, and the company does indeed make HTTPS encryption the default protocol for reading and writing Gmail messages, it will have taken a two-step lead on its competitors in the free webmail and social networking spaces. People use Yahoo! Mail, Hotmail, LiveJournal and Facebook for their private communications, but all of the private messages on those services travel over the network unprotected.[1] MySpace doesn't even support HTTPS for passwords!

Three: webmail is one thing, but search is another. Sadly, it isn't possible to use Google's excellent search engine over HTTPS. If you attempt to visit google.com via https, you'll just be redirected back to unencrypted HTTP. If you try the same thing at Yahoo or Microsoft, you'll receive unhelpful error messages.

We've been privately urging Google to make their search service available by HTTPS for some time, but nothing has happened. Yahoo and Microsoft should of course do the same. At the moment, the only search engine that offers protection against eavesdropping is a metasearch site called Ixquick (they also have a truly excellent privacy policy). We hope that some day, the major search engines can catch up with Ixquick.

Those are three simple observations. If you're interested in some less-simple technical detail about what HTTPS actually does, why it's important, and what its limitations are, continue reading below the fold.

Why HTTPS is important

  • The correct use of HTTPS, as signified by a URL starting with https:// and an unbroken lock icon in the corner of the browser window, allows you to be sure that:
    1. the page you're looking at was sent in encrypted form, so that eavesdroppers cannot read it; and
    2. a "Certificate Authority" trusted by the people who supplied your browser has done some basic checking that the organization you're talking to really owns the domain.
  • Two of the biggest privacy problems with sites that do not use HTTPS are vulnerability to wholesale "dragnet" surveillance, and vulnerability to local network eavesdropping, especially on wireless networks:
    • Dragnet surveillance by ISPs, advertisers and governments is a problem in many places, from Iran to the United States. HTTPS makes dragnet surveillance much more difficult, although traffic analysis is still possible.
    • Watching the HTTP traffic of other people on a wireless network is extremely easy. Do you really want your neighbours, or other people in the same cafe as you to see what you're searching for?

      Many people think they're safer if they use an "encrypted" wireless network, but the feeling is largely misplaced. Firstly, others who know the network password can still listen with minimal effort. Secondly, there are trivially easy attacks on WEP encryption and more sophisticated attacks that work against WPA2 even if the eavesdropper doesn't know the password.

  • Not using HTTPS also leaves you vulnerable to more subtle long-range hacking attacks such as those involving falsifying DNS responses.
  • Encrypting search results with HTTPS has subtle privacy effects with respect to the HTTP Referer header. Because of fine print in the HTTP spec, an HTTPS search results page hides your query terms from any non-HTTPS sites you might click through to, but not from HTTPS sites.
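
An added example, not part of the original post, that models the Referer rule in the last bullet above and reports who learns the search terms for each combination of HTTP and HTTPS search page and destination. The hosts search.example and clinic.example, the q parameter and the function names are assumptions made for illustration, and the model covers only the HTTPS-to-HTTP rule described above.

```python
from urllib.parse import urlsplit, parse_qs

def referer_sent(source_url, dest_url):
    """Referer value sent when following a link, or None if it is withheld."""
    src, dst = urlsplit(source_url), urlsplit(dest_url)
    # The rule described above: a page fetched over HTTPS does not pass
    # its URL to a destination reached over plain HTTP.
    if src.scheme == "https" and dst.scheme != "https":
        return None
    # URL fragments are never part of a Referer value.
    return src._replace(fragment="").geturl()

def terms_in(url, param="q"):
    """Search terms carried in a URL's query string (param name is assumed)."""
    values = parse_qs(urlsplit(url).query).get(param)
    return values[0] if values else None

def exposure(search_url, dest_url):
    """Who learns the search terms when a result link is clicked."""
    referer = referer_sent(search_url, dest_url)
    search_clear = urlsplit(search_url).scheme != "https"
    click_clear = urlsplit(dest_url).scheme != "https"
    on_wire = None
    if search_clear:
        # The search request itself crossed the network unencrypted.
        on_wire = terms_in(search_url)
    elif click_clear and referer:
        # A cleartext click-through request that carries a Referer.
        on_wire = terms_in(referer)
    return {
        "destination_site": terms_in(referer) if referer else None,
        "network_eavesdropper": on_wire,
    }

if __name__ == "__main__":
    # Constructed sample URLs; the hosts are placeholders.
    query = "/search?q=knee+surgery+recovery"
    for s in ("http", "https"):
        for d in ("http", "https"):
            result = exposure(f"{s}://search.example{query}", f"{d}://clinic.example/")
            print(f"search over {s:5} -> result over {d:5}: {result}")
```
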

The Limits of HTTPS Encrypted Search

If the sites you visit as a result of searching are not encrypted, the fact that you're reading them is still visible to eavesdroppers; the only thing that's hidden is the search terms themselves.

On the other hand, as more sites on the web become available via HTTPS, the lack of a major encrypted web search engine becomes the weakest link in the community's ability to browse those sites in privacy.

  [1] Yahoo! Mail is the least worst of these services, since it defaults to HTTPS login, but all of these services are severely lacking in security.
