Google Rolling Out SSL Search for Google Account Users

Google has decided that the trade-off of higher latency for increased security when running searches is worth it. While there has been an SSL-enabled search for more than a year now, it was never the default. Google announced on its official blog that it would be phasing the SSL feature in as the default setting for users who are signed in to a Google account over the next few weeks.

Attempts to access http://www.google.com will be redirected to https://www.google.com. Note that other localized Google search engines, such as Google UK and Google AU, do not yet appear to have working SSL implementations. However, it is quite common for features to be rolled out to these at a much later date.

Google says that it wants to protect personalized search results from snooping eyes connected to unsecured Wi-Fi hotspots. For this reason the new SSL-based search is optionally accessible to users who are logged out or who don't even have a Google account. Of course that's merely a side benefit compared to the real reason that this is being rolled out.

Upon clicking a search result using a standard, insecure connection, the search query is passed to the website being accessed. Sometimes this is used to highlight the keywords on the page with gaudy colors that make it difficult to read. More importantly, the search term is collected by page scripts – particularly Google Analytics – and used by the website owners to determine what search terms they are primarily being found under and what content is generating the most traffic.

SSL changes everything.

No longer will Google Analytics data let website owners know what search terms were used to bring a person to their websites - at least not for logged-in Google account users. What it will provide is the number of users who came to the site via an SSL-enabled search. After conducting some research using a site whose Analytics data I have access to, I found that, rather than displaying the keyword information, these visits will simply appear in the dashboard's Keywords section as "(not provided)". This mirrors the findings of some others as well. So while you won't see a sudden and unexpected collapse in your traffic, the data that you receive in Google Analytics will have been stripped of any context or meaning, other than that it came from Google.
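The effect on keyword reports, as an added example that is not code from the article or from Google Analytics: a sketch of how a site-side script could read the search term from the referrer URL, and what it is left with when the `q` parameter arrives empty. The host list, function names and sample referrers are constructed, and the empty-`q` redirect URL shape is an assumption.

```javascript
// Added example. Hosts the script treats as Google search (constructed list).
const SEARCH_HOSTS = new Set(["www.google.com", "www.google.co.uk", "www.google.com.au"]);

// Classify one visit from its referrer string (document.referrer or the Referer header).
function classifyVisit(referrer) {
  if (!referrer) return { source: "direct", keyword: null };
  let url;
  try {
    url = new URL(referrer);
  } catch (e) {
    return { source: "direct", keyword: null }; // unparsable referrer
  }
  // Exact host match, so look-alike hosts are not counted as search traffic.
  if (!SEARCH_HOSTS.has(url.hostname)) return { source: "referral", keyword: null };
  // URLSearchParams decodes "+" and percent-escapes in the query string.
  const q = (url.searchParams.get("q") || "").trim();
  return { source: "google", keyword: q === "" ? "(not provided)" : q.toLowerCase() };
}

// Build the keyword table a dashboard would show: [keyword, visits], busiest first.
function keywordReport(referrers) {
  const counts = new Map();
  for (const r of referrers) {
    const visit = classifyVisit(r);
    if (visit.source !== "google") continue;
    counts.set(visit.keyword, (counts.get(visit.keyword) || 0) + 1);
  }
  return [...counts.entries()].sort(
    (a, b) => b[1] - a[1] || (a[0] < b[0] ? -1 : a[0] > b[0] ? 1 : 0)
  );
}

// Constructed sample referrers; the /url?...&q=& form is an assumed shape
// for a visit that arrives from SSL search with the query removed.
const SAMPLE_REFERRERS = [
  "http://www.google.com/search?q=cheap+ssd+review",
  "http://www.google.com/search?q=Cheap+SSD+review&hl=en",
  "http://www.google.com/search?q=tls+1.0+attack",
  "http://www.google.com/url?sa=t&q=&source=web",
  "http://www.google.com/url?sa=t&q=&source=web",
  "http://www.google.com/url?sa=t&source=web",
  "http://forum.example.org/thread/42",
  "",
  "not a url",
];

console.log(keywordReport(SAMPLE_REFERRERS));
```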

Fortunately, Google's benevolence prevails and the search engine giant will still provide basic aggregate information about the top search terms that provided traffic to the site from the previous 30 days via its Webmaster Tools.

From an end user perspective, is this a win for privacy? Partially, yes. However, there is a small detail in the official blog post that may easily be overlooked. Google will still be passing on the search query for AdWords (paid search results). Those who are willing to pay for your search terms are still going to get them regardless of how much encryption Google throws at its users. Whether this is an attempt at causing dodgy SEOs more pain than being hit by a giant Panda or a way of pushing more people to AdWords is anyone's guess. Regardless of the motive, it will cause headaches for website owners, especially if it is eventually rolled out as the default for users who are not logged in.

  • billybobser
    no script google analytics anyway.

    Oh Firefox ftw.
  • nikorr
    Cool.
  • americanbrian
    Hasn't SSL been broken recently? In what way does it offer any sort of protection? I thought that the whole world (90%) is using TLS 1.0 or something and that they have found a way to sidejack it.
  • de5_Roy
    good approach to protect google account users and to dodge seo.
    "Those who are willing to pay for your search terms are still going to get them regardless of how much encryption Google throws at its users."
    this seems to be the real reason. squeeze more money from ad companies by charging extra for the ssl data, increasing ad revenue.
  • icepick314
    for users of Firefox, there is an extension called HTTPS Everywhere that reroutes to secure http (https) if there is one in their database...

    I think I read it on Tom's but I can't find the story...

    https://www.eff.org/https-everywhere
  • randomizer
    americanbrian: "Hasn't SSL been broken recently? In what way does it offer any sort of protection?"
    Some researchers have found an exploit but have not publicly released the details of their implementation as far as I know. The benefits of the HTTPS connection for unsecured Wi-Fi are, as stated in the article, just a bonus. The real benefit (for Google or the end user, you decide) is that your search query isn't sent to the web server when you click on its associated search result.

    de5_roy: "this seems to be the real reason. squeeze more money from ad companies by charging extra for the ssl data, increasing ad revenue."
    Ad companies? AdWords campaigns are run by massive corporations right down to sole traders. I don't think this will be used to artificially inflate cost per click, but if it pushes more companies to use AdWords so that they can receive meaningful Analytics data then CPC will inevitably rise. Remember though that it's only for users who are logged into a Google account at the moment, or those who explicitly choose to visit Google via HTTPS (the latter is almost nil).

    Personally I think that Google is trying to make life harder for SEO analysts, both "good" and bad. Google doesn't like SEO analysts; they manipulate search results unnaturally. SEO is often sold as an alternative to PPC that is cheaper in the long run and with a higher ROI. It's in Google's best interest to deter companies from dropping AdWords in favour of SEO, because Google makes a bucket load of money from AdWords and absolutely nothing from SEO.
  • mohirl
    How exactly is this a major privacy benefit? OK, so a website you visit can no longer see what search term you used to get there. They could never personally identify you from that anyway. Your ISP can no longer see what you're searching for - big deal, they can still see what sites you visit. Small online businesses are going to suffer massively from this, since they'll have no way of determining what their most searched for products are.

    On the other hand, Google themselves will still be retaining all the data on everything you search for, and using it to target ads at you and personalise your search results. By promoting this as a privacy incentive, they'll hope to encourage more users to search from a logged in Google account, giving themselves a bigger market share and even more information about users' habits.

    This is not good for privacy in the long term. It's not good for anyone, except Google.
  • nebun
    i have been using SSL search from google for a long time...:) it's really not that much safer since the links you click are not encrypted, the only thing that's encrypted is the search but not what you do after the search
  • Guess what, it's not Google stripping the referer from the analytics stuff, it's the browser:

    http://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html#sec15.1.3

    According to the standards, "Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol."

    And (IMHO) it seems as though they just don't want to implement SSL for the adwords people. It will probably go through an extra redirect, or the adwords will be sent from an insecure connection (http)..

    It has (mostly) nothing to do with google, and everything to do with the HTTP protocol.
  • @mohirl

    You can still see entrance visits by page. If you know what keywords are associated--or at least which ones you're targeting--with the page you can still back out traffic.

    Don't get me wrong. This move isn't about "protecting your privacy." But you can still get at the data you're interested in. Google is just making it harder.