Several Facts about Google and HTTPS
Three simple facts about Google and HTTPS:
One: as we posted last week, we're very pleased to hear that Google is trialling full HTTPS encryption of all Gmail pages.
Two: if Google's trials are successful, and the company does indeed make HTTPS encryption the default protocol for reading and writing Gmail messages, it will have taken a two-step lead on its competitors in the free webmail and social networking spaces. People use Yahoo! Mail, Hotmail, LiveJournal and Facebook for their private communications, but all of the private messages on those services travel over the network unprotected.1 MySpace doesn't even support HTTPS for passwords!
Three: webmail is one thing, but search is another. Sadly, it isn't possible to use Google's excellent search engine over HTTPS. If you attempt to visit google.com via https, you'll just be redirected back to unencrypted HTTP. If you try the same thing at Yahoo or Microsoft, you'll receive unhelpful error messages.
Those are three simple observations. If you're interested in some less-simple technical detail about what HTTPS actually does, why it's important, and what its limitations are, continue reading below the fold.
Why HTTPS is important
- The correct use of HTTPS, as signified by a URL starting with https:// and an unbroken lock icon in the corner of the browser window, allows you to be sure that:
- the page you're looking at was sent in encrypted form, so that eavesdroppers cannot read it; and
- a "Certificate Authority" trusted by the people who supplied your browser has done some basic checking that the organization you're talking to really owns the domain.
- Two of the biggest privacy problems with sites that do not use HTTPS are vulnerability to wholesale "dragnet" surveillance, and vulnerability to local network eavesdropping, especially on wireless networks:
- Dragnet surveillance by ISPs, advertisers and governments is a problem in many places, from Iran to the United States. HTTPS makes dragnet surveillance much more difficult, although traffic analysis is still possible.
- Watching the HTTP traffic of other people on a wireless network is extremely easy. Do you really want your neighbours, or other people in the same cafe as you to see what you're searching for?
Many people think they're safer if they use an "encrypted" wireless network, but the feeling is largely misplaced. Firstly, others who know the network password can still listen with minimal effort. Secondly, there are trivially easy attacks on WEP encryption and more sophisticated attacks that work against WPA2 even if the eavesdropper doesn't know the password.
- Not using HTTPS also leaves you vulnerable to more subtle long-range hacking attacks such as those involving falsifying DNS responses.
- Encrypting search results with HTTPS has subtle privacy effects with respect to the HTTP Referrer header. Because of fine print in the HTTP spec, an HTTPS search results page hides your query terms from any non-HTTPS sites you might click through to, but not from HTTPS sites.
The Limits of HTTPS Encrypted Search
If the sites you visit as a result of searching are not encrypted, the fact that you're reading them is still visible to eavesdroppers — the one thing that's hidden are your search terms themselves.
On the other hand, as more sites on the web become available via HTTPS, the lack of a major encrypted web search engine becomes the weakest link in the community's ability to browse those sites in privacy.
- 1. Yahoo! Mail is the least worst of these services, since it defaults to HTTPS login, but all of these services are severely lacking in security.
Recent DeepLinks Posts
Sep 3, 2015
Sep 3, 2015
Sep 2, 2015
Sep 1, 2015
Sep 1, 2015
- Fair Use and Intellectual Property: Defending the Balance
- Free Speech
- Know Your Rights
- Trade Agreements and Digital Rights
- State-Sponsored Malware
- Abortion Reporting
- Analog Hole
- Anti-Counterfeiting Trade Agreement
- Bloggers' Rights
- Broadcast Flag
- Broadcasting Treaty
- Cell Tracking
- Coders' Rights Project
- Computer Fraud And Abuse Act Reform
- Content Blocking
- Copyright Trolls
- Council of Europe
- Cyber Security Legislation
- Defend Your Right to Repair!
- Defending Digital Voices
- Development Agenda
- Digital Books
- Digital Radio
- Digital Video
- DMCA Rulemaking
- Do Not Track
- E-Voting Rights
- EFF Europe
- Encrypting the Web
- Export Controls
- FAQs for Lodsys Targets
- File Sharing
- Fixing Copyright? The 2013-2015 Copyright Review Process
- Genetic Information Privacy
- Hollywood v. DVD
- How Patents Hinder Innovation (Graphic)
- International Privacy Standards
- Internet Governance Forum
- Law Enforcement Access
- Legislative Solutions for Patent Reform
- Locational Privacy
- Mandatory Data Retention
- Mandatory National IDs and Biometric Databases
- Mass Surveillance Technologies
- Medical Privacy
- National Security and Medical Information
- National Security Letters
- Net Neutrality
- No Downtime for Free Speech
- NSA Spying
- Online Behavioral Tracking
- Open Access
- Open Wireless
- Patent Busting Project
- Patent Trolls
- PATRIOT Act
- Pen Trap
- Policy Analysis
- Public Health Reporting and Hospital Discharge Data
- Reading Accessibility
- Real ID
- Search Engines
- Search Incident to Arrest
- Section 230 of the Communications Decency Act
- Social Networks
- SOPA/PIPA: Internet Blacklist Legislation
- Student and Community Organizing
- Stupid Patent of the Month
- Surveillance and Human Rights
- Surveillance Drones
- Terms Of (Ab)Use
- Test Your ISP
- The "Six Strikes" Copyright Surveillance Machine
- The Global Network Initiative
- The Law and Medical Privacy
- TPP's Copyright Trap
- Trans-Pacific Partnership Agreement
- Travel Screening
- Trusted Computing
- Video Games