A few thoughts on SSL Search

I’m incredibly happy that Google has added the option to search over SSL by going to https://www.google.com/ — note the “s” in “https.” I’m writing this blog post in a hotel right now because I’m in Europe for a week doing a series of tech talks, but I could just as easily be working down at local Dublin cafe with an open WiFi hotspot. In both cases, I might want to do a private search that the hotel or local cafe can’t see. A Secure Sockets Layer (SSL) connection provides an encrypted tunnel between my browser and Google, so other people can’t sniff what I’m searching for.

I believe encrypted search is an important option for Google searchers. The Electronic Frontier Foundation (EFF) has asked for secure search in the past (see this post from 2009), and I credit them for helping to put this on Google’s radar. Another inspiration that helped to spark this project was Cory Doctorow’s book “Little Brother.” It was one of my favorite books of 2008 and while I won’t go into the book’s plot here, it’s a quick, fun read. “Little Brother” also makes a compelling case for encrypting HTTP traffic on the web.

Some people don’t yet fully understand how SSL search works. I saw one commenter sayIf they still pass in the search parameters in the URL (Get), what’s the point? People can still see what you queried, if they made them “post” messages it might actually do something.” It’s important to realize that even though you as a surfer can see the query in the url, the sites between your browser and Google can’t. Google OS demonstrated that by sniffing a regular HTTP query and an HTTPS query in Wireshark to show that the query can’t be seen going over the wire.

Thanks to all the people at Google who did the all the hard work and heavy lifting to deliver this. One of the main engineers behind the effort was Evan Roseman, a member of the webspam team who you might have met at previous search conferences. In fact, Evan was originally scheduled to be on our site review session at Google I/O this past Thursday, but we decided that launching SSL search took priority. 🙂 I also wanted to say thanks and congratulations to the other Googlers (for example Andrew Widdowson, Nathan Dabney, and Murali Viswanathan, but also many, many others) who generously gave their time and effort to make the launch happen and happen smoothly. You might think that switching on SSL for websearch is easy, but for a website with the complexity and scale of Google, it’s really not. The launch wouldn’t have happened without a ton of assistance from Googlers from many parts of the company, and I sincerely appreciate it.

I hope you enjoy https://www.google.com and find it useful.

96 Responses to A few thoughts on SSL Search (Leave a comment)

  1. Matt – one question. Any particular reason https://google.com/ does not redirect to https://www.google.com/. Or is just that only geeks like me will try https://google.com/ on the browser location bar to nitpick about these things 🙂

  2. I am little worried about the search engine traffic and monetization of my sites. Most of the revenue come from search engine traffic – but as the secured search kills the traffic source info, ad networks like Adsense will not be able to serve high paying ads.
    Any help?

  3. The SSL certificate just for google.com so if I acccess a local address like https://www.google.co.id the browser give me warning. any plan to apply SSL on local address?

  4. This may decrease the relevancy of strategic ad placement. The CPM has got to drop if this SSL search becomes the default for the avg user at some point. Nice move by Google to give us the choose now. Thanks Matt for your take.

  5. I needed this one when dealership blocked ‘quote’, ‘auction’… and any similar keyword on their open wi-fi.

  6. This is great. I am glad that Google created Google SSL search. Thanks.

  7. Doesn’t this effectively kill keyword tracking in every single analytical application, ever?

  8. How would I use this as my default search within Google Chrome

  9. Great job! And can’t wait Google Image supports SSL too.

  10. Well, since Google is moving away from China, I guess they are now free to care about the privacy and open access for its users!

  11. Great Job! Google is always first with the innovations.

  12. My corporate site doesn’t have any SSL protected pages I want viewed, but I can see how this is a good thing. Some of my clients will definately benefit from this.

  13. Matt,

    Google I/O was excellent again this year raising the bar yet again from last years FIRST “Android I/O”.

    Are you getting people asking you for “scribbles” in Europe as a follow-up to your South American request at Google I/O after your session? 😉

    ,Michael Martin

  14. Will Google provide % of SSL search in Webmaster Tools (or better way in Google Analytics) ?

  15. There are many countries that they use Proxy or Application Layer filtering appliances to monitor and filter Internet. Therefore, they will be able to see what you do on the search over SSL, as well.

  16. Keep in mind that even with SSL search your search queries are not safe if you use search suggestions[1]
    [1] http://www.informatics.indiana.edu/xw7/WebAppSideChannel-final.pdf

  17. In reference to switch from GET to POST for the search query, while it is not possible to sniff the traffic from either GET or POST in an SSL stream, if the search is on the URL when the person doing the search clicks on a result in the page their “referer” browser header will still contain their search term and so leak the information.

  18. Cool, but how can I make Firefox and Chrome use this by default? I tried editing the search engine values in both, but protocol doesn’t seem to be able to be specified?

  19. It’s interesting but how do deal with criminals that will use this protection to evade law enforcements?
    In some parts of the world you have corrupted regimes that want to imprison anyone who doesn’t agree with them. Which I believe is wrong and this would probably offer these people protection.
    But in the same time won’t this also protect pedophiles and other light-shy people from more ordinary law enforcements?

    Would be nice to get a bit more insights in how Google have discussed the ethics in this issue.

  20. Absolutely excellent news! Not that my searches are that secret, but I do appreciate having more privacy as I often work from public wifi hotspots. My Gmail is already secured, but nice to have more private searches too – thanks Google!

  21. It’s good to see secure google search. Hopefully it won’t be long untill it is rolled out for localised Google domains.

  22. that is great news! can’t wait until you can get wifi everywhere for free!

  23. I think the SSL is a very importent service.

  24. Those with nothing to hide, hide nothing 🙂

    …so other people can’t sniff what I’m searching for.

    Except Google!

  25. Its a great work… Always google rocks..But when I checked the secured search on google.com.sg its not happening. How i do that?

  26. So where does this leave webmasters, if we can’t see what keywords people are using to land on our site?

  27. Where will you be speaking this week? Just this week I looked up your post about your speaking calendar but did not see any European conferences. Would love to attend some time. Thanks

  28. No UK option 🙁

  29. I’m having the same problem as Travis………..getting it to be the default on FF…….I geuss I’ll email support……….but thanks for the news.

    Frank

  30. Thanks for the heads up on this. I am usually a little freaked out on the public wifi’s I have to use from time to time. It’s not that I am hiding anything but just don’t like the idea that what I do online somewhere isn’t private.

    Thanks for the great news!

  31. Good move by Google but although its hard many can decrypt ssl traffic and obtain sensitive information. Keep those access points locked down!

  32. There are many reasons why this is excellent news for users. Thanks, Google, I can’t wait to see this spread through all other Google searches, including local Google (esp, google.com.br!).

  33. It’s always a little weird to see tech terms go mainstream. Along with “ping” and “ipconfig” (two commands my wife knows how to use without me telling her anymore) the public now learns about “secure sockets”, and not soon enough. I applaud Google for raising awareness in this area and hope they will continue to do so.

  34. This is a great step for a more secure search experience. Looking forward to the official release!

  35. just want to know if https://www.google.com/ takes care of geolocation. I mean does the search result changes if i search using https://www.google.com/ from different countries as in normal search.

  36. While this is a step forward in the world of privacy, it does pose one problem for web marketers and web analytics. By suppressing the referrer information, some very important data used to measure the effectiveness of SEO and PPC measurement.

    I’ll need to do more tests on this to verify that this data is now suppressed and no longer available. However on a first cursory inspection it isn’t looking good.

  37. What about the effect on metrics programs? It seems that no keywords are being passed over (as defined by the https browser specifications)

    I don’t like not knowing how my visitors found my website. Does google plan to offer any breakdown of HTTPS search terms via webmaster tools?

  38. Well good move towards experiencing secure web search with Google but search personalization and other Google search query behavior , analytics tracking, trending, benchmarking will affected ?

  39. Apparently, the Chinese have made use of this:

    http://www.danwei.org/internet/baidu_vs_google_useful_results.php:

    Then I heard that Google had launched an SSL search service, so I hurried to check out the fabulous https://www.google.com. Brilliant, as expected. A search on the same “CPU 温度 软件” keywords returned the result in the image, far better than Baidu’s results, right?

    I assume this port will be blocked quickly. But, hurray for openness!

    -danny

  40. Hi guys,

    Matt thanks for pointing out the s in http, because I didn’t really pay any attention to it. Thanks for sharing.

    Kind regards,

    Sam
    X

  41. Is Google the first search engine to enable safe searching? Btw – has anyone tried a safe search on bing.com? Firefox says ‘untrusted connection’. That says it all hahahha

  42. Michael Elliot

    This is great news — I’ve been waiting for an SSL version of Google for quite a while, and it’s finally here!

    Now I can search with confidence that my queries aren’t being logged in some big government database. 🙂

  43. Matt, will Webmaster Tools report query data for HTTPS searches?

  44. First thing first: applause for the SSL support. I think it’s a very good step into the right direction.

    But then, please be careful when considering SSL to be safe. It is not, for maybe 99% of all users. In todays standard configurations of the browsers the encryption key is negotiated in an unencrypted way. This implies, that a third party sniffing the data between user and browser can easily read the encryption key in plain text and decrypt the communication data.

    In short words, https is currently *not safe*, and one should not assume the opposite. There might be a time when the users have their own asymmetric private/public key set, but for the time being, https is rather a way to make reading the traffic an itsy bit more complicated.

  45. Atul Arora, I think we wanted to start out very deliberately and see what issues shook out before we widened it.

    Muhammad Panji and Jensy Smith, as I understand it, each new SSL domain requires a separate IP address. Logistically, that can be harder to allocate and provision. It made sense to start with .com and see how that went first.

    Jeff Hood, this is an opt-in feature. People have to go and seek it out, and the percentage of people who are doing that is quite small right now.

    Michael Martin, I did get one scribble request. It floored me. 🙂

    “when the person doing the search clicks on a result in the page their “referer” browser header will still contain their search term and so leak the information.” That’s not correct, ChrisRed. Browsers don’t show referrers when going from an SSL-based page to a normal HTTP page.

    Travis Lane, it’s a bit of a corner case since the protocol is changing rather than a url. Over time maybe people will write extensions or similar stuff.

    Theo Peek, I’ll be in Paris on Wednesday and Brussels on Thurs/Friday, I believe.

    Ivan, depends. Google is one of the first major search engines to offer SSL, although Scroogle might also offer SSL (not positive). On the privacy front, I think in 1999-2001-ish there was a search engine called Topclick (?) that was very privacy-friendly, right up until it went bankrupt. Off the top of my head, there’s also the AskEraser program, plus I believe IxQuick and Duck Duck Go jettison their logs.

  46. mike halvorsen

    Good news! I’m surprised this didn’t happen sooner!

  47. Hey Matt,

    I live in China and I was wondering does SSL search means the Great Firewall of China can’t see what I’m searching for and therefore can’t shutdown my Internet connection when I search for “blacklisted” terms?

  48. @John
    Yes – if the certificate is valid and signed by google no MITM can see your communication (keeping in mind the paper I cited above…). However there are *many* ways to bypass SSL completely unless you pay very specific attention to the warnings your browser generates.

  49. When a company employee needs to thank and appreciate coworkers like in this blog for doing the work they are already paid to do, it is a sign the company is getting fat.

    I bet in a few years even `thanking them` will not be enough to get them to work…

  50. Is there any way to set Google to always use HTTPS by default, like you can with GMail?

  51. @Milan
    The NoScript extension in firefox can be configured to force SSL for specific domains; you could use that.

  52. @Michael Elliot SSL doesn’t prevent e.g. ISPs or other agencies to see what websites you actually visited. Please correct me if I’m wrong, but SSL only secures the search queries and the results Google sends to you, it doesn’t encrypt the data and you send and receive after clicking on a link in Google’s search results.

  53. Safer ‘s’ does not mean Safe:)

  54. Matt thanks for sharing, looks promising, but for the last 15 min https://www.google.com is throwing a 502! Via qn iPhone. :(.

  55. Referer data is very useful, how does Google analytics get the referer data from SSL Google?

  56. Because of the Patriot Act, I’m skeptical that this feature will really do what it’s advertised to myself. Google can’t create a feature that lets child molesters and people searching for “how to poison someone” or any other search that raises red flags with some computer somewhere and or is stored on the computer so the cops can go back and find it after a scum bag commits a crime. Microsoft keeps files of our deleted stuff for law enforcement purposes; think Gates made a deal with the gov way back to that effect, without having to disclose that fact to the end user. I’m sure Google will make the same deal with big brother, and let’s face it, in this day and age, do we really want criminals to be able to search the web anonymously for how to do this or that dastardly deed? I don’t think so. Besides, there’s already software out there that lets you hide your IP address (surf anonymously) etc etc. Not sure the value of this. (I come from a military ex-intel background, hence my opinions)

  57. Milan – look at the OptimizeGoogle extension for just google services or NoScript for pretty much any website

  58. I needed such an information. Thanks a lot for sharing them here. Definitely useful for me. Keep posting more.

  59. Thanks Matt – This is a great first for Google. While I believe only a small percentage of people are likely to take advantage of it… I am curious about Google’s position regarding blackout HTTPS searches present to Web site analytics and the potential limitation of a webmasters ability to further refine organic search referred visitor experience through robust analytics data. Is Google considering possible ways to provide webmasters with SSL search queries and entry pages?

  60. Welcom to Brussels 🙂

    Don’t forget to visit Manneken Pis 🙂

    and I hope there is another volcan irruption in Island so we can keep you here, to solve our webspam problem in french. There is a lot of work.

  61. I am very happy Google did this. I hate being “watched” when searching. Kudos to Google… now if they’d only get out of China!

  62. Hi Matt,

    As others have mentioned, I think that adding SSL to google is a great step forward. Are there any plans to incorporate this option into the search function of the Google web browser Toolbar?

  63. Love the whole SSL touch. I wonder if rather than having to “opt-in” wouldn’t it be a nice function for Chrome if when someone opened a new incognito window that when they browse to; or go directly to google.com that it would redirect them to “https”?

    Though I realize this type of detection may cause some to panic. But I believe I’m correct in stating that the incognito only has to do with the current browser session on that particular computer. I think it would be a nice marketing feature to not only go incognito on your computer but also on the network(s).

    Just my two cents. I’m sure that’s all it’s worth.
    TTFN,
    Brian 😉

  64. I wondered the same thing as Rick Stouder, Travis Lane and everyone else that wants to make this default on Google Chrome… and believe I have the answer.

    You may follow Matt’s instructions earlier in his blog to remove extra search parameters: http://www.mattcutts.com/blog/clean-up-extra-url-parameters-when-searching-google/; but replace the google:baseURL with https://www.google.com (because it’s currently only supported by Google US, I believe): "https://www.google.com/search?q=%s".

    Happy Googling!

  65. Kinda scared :/

    Does that mean end of analytics and studying your competition?

  66. @Matt

    Google OS demonstrated that by sniffing a regular HTTP query and an …

    You are calling googlesystem.blogspot.com as “Google OS”. First of all at least Google employees should not refer a unofficial site in such a way as to make it feel like official site. Secondly there is no “operating” in the url, so calling it “Google OS” is not right… As far as I remember once this site was shut down because of carrying google in its name without permission and later reinstated. If “operating” is not part of url this site should be forced to call them “Google System” not “Google Operating System”

  67. Hi Matt,

    After adding the SSL feature in Google search , will it affect the keywords staticstics in Google Analytics?

  68. This is a great step for a more secure search experience. Looking forward to the official release!

  69. I like the idea of secured search. We will have to see what the future lays in store from the outcome of it.

  70. Secure searching with SSL? Google never stops amazing me. One thing I’m worried about like many other folks is GA. Will analytics be useless for people coming in from SSL search?

  71. Hi Matt – Please would you let us know if we can use the secure search to effectively turn off personal search? At the moment to do that I use the Google Chrome Incognito window – but typing https:// might be quicker. Please advise.

    Liz

  72. Wow! Great for people who travel alot, and are continuously around a hotspot. I think I can now ‘try’ getting out of ‘Tor'(http://izlooite.blogspot.com/2010/04/do-no-trust-browse-safe-and-secure.html) and use Google SSL.

  73. Actually, what Google is doing is what facebook fails to do. GIVE SECURITY TO ITS USERS. lol

    Anyway, this is a nice move from google. However, will there be such ways that data can’t be possibly sniffed but google has a backup of everything? Well, since cyber crimes are still on the loose. ^_^

  74. Its good but it is interesting to see that how it will effect on analytical data?

    Thanks for update!

  75. Will the SSL harm SEO analytics:)?

  76. Wifi security is a big deal. Glad to see Google is working on this stuff.

    I’m probably asking a ridiculous question, but…

    If the user does a ssl google search at https://www.google.com/, does this mean that a site like http://www.whitehouse.gov/ would not show up in the search results? (it’s a website without an https: on the front of it).

    I’m wondering if this approach at https://www.google.com/ is to send the search query in an encrypted packet. or if it means to also only return pages with an https:// on the front of it. or both.

  77. I can see obvious benefit to the adult masses. However, I work for a company who provide services to education from kindergarten to university which includes web filtering to protect children. The service allows schools and secure units etc to allow or deny individual sites based on content and also applies a score to certain words which could expose children to content they cannot deal with.

    We now have a choice, to block Google entirely or to intercept SSL the former now being the preference which will affect millions of searches.

    That in itself is a frustration although we can make a decision and act on it. The really frustrating things are that no-one seems to have considered the affect on vulnerable people where censorship is due to age or mental ability to deal with the results which are presented to them. When you’re talking about children, particularly those in the 11-15 age group who have particularly good IT skills and actively work to get around proxies providing filtering (through proxy bypass websites etc). Additionally, the difficulty (possibility?) in contacting Google to discuss it is dire.

    I can see some of the other political and social reasons to introduce SSL search (and as others have discussed, the financial benefits), it’s a shame that the responsibility of such a move was not thought through.

    I’d really like to discuss ways of protecting our children and young people while still using Google if anyone at Google would be open to such a talk.

    Matt, I’d be interested in your thoughts and beliefs on this as well, is censorship always bad and would a parent agree?

  78. Kudos to Google for making this important feature available. None of Google’s competitors have been forward-thinking enough to provide secure search. This is a very noble gesture.

  79. Since you made this post, I believe this is important on the Internet, but I can think of the uses I would need this for. To be quite honest, if people want to watch me surfing for a new pair of shoes from google, why is this important to me a user? I end up on a non ssl page anyway that they can capture.

  80. I am definitely in favor of the new secure way to do this – especially when I am out in the open at wifi places which is more and more now.

  81. I’ve often wondered about the security while using a hotel’s wifi. I travel quite a bit and know that the information can easily be accessed. I am glad to see SSL certificate for google.com – however, I would also like to see this expanded to include other extensions as well. Great start Google!

  82. I really like the Idea of having a secure search though Google. I think it is just one more step in the right direction for the continued growth of the internet.

    With so much “internet crime” I will take anything that will keep me a little better protected.

  83. I couldn’t believe that Google didn’t have https for last 10 years. Although i never tried it but I thought obviously Google would work with https :S.

    Anyway, Will the https be a kind of private search where Google won’t return us customized results based on our previous history? I am not really sure if Google have that kind of service but I really do need one. Sometimes my site always comes on first page for me but on the second/third page for other users.

  84. I’m with Lewis on this one…. Although I can see the benefits for the general public, for example carrying out searches in wifi hotspots, this is a major problem for education and other bodies protecting vulnerable children and adults from undesirable material through the use of Web filtering products. We use a system based on Dans Guardian that enables all unencrypted Google Searches to be appended with <a href="http://www.google.co.uk/intl/en/landing/familysafety/&quot; title="SafeSearch"?

    I'd be interested to know how the heck we deal with this one? We have a number of schools using Google Apps, and with regional broadband consortia deciding to block http://www.google.com (will https://www.google.co.uk follow?) it leaves us in the position of effectively blocking the use of Google Apps. Lost business to Google? Do they care? I think not; when I have tried to contact them previously… no response… Thanks for thinking of the little, Education guys….. We will be suggesting to schools to make use of Bing, or some other search engine.

    Why can they not move the SSL search to a new domain? Leave the existing in place? Thus allowing blocks to SSL search, and thus maintaining access to Google Apps? I doubt there will be any useful response from Google, although I have raised it on their forums.

    If there are any other educational institutions in the same situation…. I'd be interested in hearing from you.

    Unimpressed.

  85. Hi Matt,
    Just like John, I also live in China, and am wondering what SSL means while doing search in China. Thanks, Assie

  86. Hey, Matt

    Could you please consider adding this feature to google.com.hk? We need stuff like this in China!
    Also, it would help if you just activate it and not advertise it much since they’d block it in 3,41 seconds.

    Thanks, man!

  87. Thanks, I find it useful – especially when staying in hotels.

    Br, Andreas

  88. It seems that Google have recognised and commited to resolve the issue with our concerns in mind:

    Source: http://googleenterprise.blogspot.com/2010/06/update-on-encrypted-web-search-in.html

    “We’re working hard to address this issue as quickly as possible and in a few weeks we will move encrypted search to a new hostname – so schools can limit access to SSL search without disrupting other Google services….”

    This is really encouraging.

  89. Hye Matt and everybody,
    I think it’s a very good idea but why Google doesn’t think and use it before ?
    In the future, it has to be extended to all Google projects for securing people. Nowadays the “s” has a real impact on the user experience.
    To be continued…

  90. Will there be data on the usage of this option as more discover it?

  91. Really interesting post Matt, I never knew the the “s” in https meant that it was secure.

    I’ll start using https://www.google.com more often now.

  92. A long time ago I was taught that if you have SSL that it helps with your search engine rankings. Is this still a helpful thing to do or a waste of money? Which verified badges do you recommend to help search engines recognize that your site is valid?

  93. The EFF’s HTTPS Everywhere extension for Firefox automatically enables HTTPS for many websites.

    https://www.eff.org/https-everywhere

  94. Does anyone know the answer to this? Isn’t there another certification you can get for your site to help with SEO?

    A long time ago I was taught that if you have SSL that it helps with your search engine rankings. Is this still a helpful thing to do or a waste of money? Which verified badges do you recommend to help search engines recognize that your site is valid?

  95. This never crossed my mine “https.” Google search. I’m familiar with this when I’m logging into a secured page as most of us are, but not searching.

  96. @Billie – As I understand, no, there is no benefit from an SEO perspective (Matt, correct me if wrong?). But there is certainly a benefit from a conversion POV if you are selling online, etc.

css.php