A welcome move by internet infrastructure giant Google is their offering of Secure Sockets Layer (SSL) / Transport Layer Security (TLS) session encryption for their core web search service.
See the technical details of this offering: Google Web Search Help - SSL Search
Spy Blog notes that:
- The URL link for the encrypted web search page is https://www.google.com. Missing out the "www." takes you (via Google's clever location load balancing DNS) to the unencrypted local version of Google e.g. http://www.google.co.uk/
- The Digital Certificate used by https://www.google.com is issued by the Thawte Certification Authority under the Verisign top level CA (trusted by default by most web browsers). The level of encryption is "only" 128-bit RC4, but that is still currently secure.
- Although the announcement and documentation correctly say that:
At this time, search over SSL is supported only on Google web search. We will continue to work to support other products like Images and Maps. All features that are not supported have been removed from the left panel and the row of links at the top. You'll continue to see integrated results like images and maps, and clicking those results will take you out of encrypted search mode.
it may actually be a bit better than that for the careful web surfer. The list of "click thru" SSL enabled Google filters in the left panel already includes Everything, Videos, News, Books, Updates and Discussions.
Google Cache is also available via SSL session encryption, but not yet by default.
- As an example, if you search for our "Hints and Tips for Whistleblowers" (or for supposedly still legal "thought crime" documents like
), the top listing will be something like: Hints and Tips for Whistleblowers
Jan 23, 2010 ... Technical Hints and Tips for protecting the anonymity of sources for Whistleblowers, Investigative Journalists, Campaign Activists and ...
https://p10.secure.hostingprod.com/@spyblog.org.uk/.../ht4w/ - Cached - Similar
Note the URL link for the "Cached" version of the page, something which is very useful for checking out a current or recently modified or deleted web page. In this case it is
http://webcache.googleusercontent.com/search?q=cache:LwkgMf0t5L8J:https://p10.secure.hostingprod.com/%40spyblog.org.uk/ssl/ht4w/+%22Hints+and+Tips+for+Whistleblowers%22&cd=1&hl=en&ct=clnk&gl=us
However, if you resist the temptation to click on this link immediately, but instead right mouse click and Copy the Link Location, open up a new tab or window and paste it into your new web browser address bar, then change "http://webcache.googleusercontent.com...." to its SSL/TLS protected equivalent "https://webcache.googleusercontent.com....", you also get an encrypted version of the Google Web Cache.
- The Digital Certificate used by https://webcache.googleusercontent.com is issued by Google's own Certificate Authority called Google Internet Authority, under the top level Equifax Certificate Authority (trusted by default by most web browsers). Again, the level of encryption is "only" 128-bit RC4, but that is still currently secure.
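As an added illustration of the cache-link step above (example code written for this page, not Google's or Spy Blog's own), the following Python rewrites a webcache URL to its https equivalent and decodes the q=cache: parameter to show what the link itself carries. The cache id and target URL are the ones quoted in the post; the function names are my own.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qs

# The cache link quoted in the post, reused here as sample input. Treat the
# cache id and target as a captured example, not a live lookup.
SAMPLE_CACHE_URL = (
    "http://webcache.googleusercontent.com/search?q=cache:LwkgMf0t5L8J:"
    "https://p10.secure.hostingprod.com/%40spyblog.org.uk/ssl/ht4w/"
    "+%22Hints+and+Tips+for+Whistleblowers%22&cd=1&hl=en&ct=clnk&gl=us"
)


def upgrade_to_https(url: str) -> str:
    """Swap the scheme of an http:// URL for https://, keeping host, path and
    query byte-for-byte, which is what the manual address-bar edit in the
    post does. Anything that is not plain http is returned unchanged."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    return urlunsplit(("https",) + tuple(parts[1:]))


def decode_cache_query(url: str) -> dict:
    """Unpack Google's q=cache:<id>:<target> <terms> parameter so it is clear
    what the cache link itself reveals: the cache document id, the page that
    was cached, and the search terms that led to it. Returns {} for URLs that
    are not cache lookups."""
    query = parse_qs(urlsplit(url).query)
    q = query.get("q", [""])[0]          # parse_qs already turned '+' into ' '
    if not q.startswith("cache:"):
        return {}
    doc_id, _, rest = q[len("cache:"):].partition(":")
    target, _, terms = rest.partition(" ")
    return {"doc_id": doc_id, "target": target, "terms": terms.strip('"')}
```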
Will Google soon be selling Digital Certificates, in competition with the other established Certificate Authorities?
Privacy as a side effect of jealously guarded commercial or government data
Spy Blog has a theory that most of the Privacy which ordinary people enjoy, comes about as a result of private sector companies or government departments investing money in technology and infrastructure, to jealously guard the data of their "customers" from commercial or political rivals.
The side effect of this is to offer a measure of personal privacy from snooping by anybody else other than the company or government department you are dealing with directly.
This is more important in practice, than the fact that this happens to coincide with the internationally established Principles of Data Protection, which are spelled out in law under the very weakly enforced UK Data Protection Act 1998 Schedule 1.
This extension of SSL/TLS encrypted session protection by Google will help improve your web searching / web browsing privacy from the prying eyes of your local computer network systems administrators, from your Internet Service Provider and from any "snoopvertising" partners of your ISP like the notorious Phorm, etc.
Advantages for Google
From Google's point of view, it actually enhances their data collection and analysis of your web searching habits, since the SSL / TLS protocol usually gives a more accurate reading of your Internet connection's true IP address where normal web proxy servers are in use. The SSL search page does not affect Google's "personalization" cookie tracking technology if you sign in to your Google account.
This feature may also help protect Google's share of the web search engine market in companies, organisations or countries which censor the unencrypted version of Google search. Simply blocking SSL/TLS port 443 would be commercial suicide for any company or country, since it would also block most types of e-commerce.
Google SSL enabled web search works ok via Tor
If you use the Tor cloud of encrypted anonymous proxy servers, then your IP address will still appear to be that of a random Tor Exit node somewhere around the world (which will change in about 10 minutes or so), even through an SSL connection.
Relying on Tor via SSL and then supplying account username and password credentials to a website (e.g. a web email account or your internet bank account etc.) is not recommended, but for encrypted Google web searching, this is fine.
So far, we have not yet seen a "Google Captcha" when using SSL Google web search via Tor, but this may only be because the abusers of Tor are not yet exploiting this via scripts and malware.
Communications Data Retention
The UK Home Office under the former Home Secretary Charles Clarke, who thankfully lost his Parliamentary seat in the recent General Election, "policy laundered" mandatory Data Retention through Brussels and inflicted it on 450 million innocent European Union citizens.
Nobody who has actually read and analysed web log files is fooled into believing that staff at ISPs and Police or Intelligence agencies will magically always avert their eyes and only read the "Communications Data" part (i.e. the subdomain and domain name, e.g. www.google.com) of a web server or proxy server or load balancer or firewall or anti-virus scanner etc. log file and ignore the "Content" part of the record, i.e. the Google keyword search terms.
Using SSL/TLS, these keyword search terms are encrypted and therefore hidden from casual snooping.
Obviously Google will continue to comply with legitimate, US Court ordered requests for such information in specific police or intelligence agency investigations, either from the United States of America or from foreign countries via Mutual Legal Assistance treaties, but this introduction of SSL/TLS encrypted Google web searching may reduce some of the secret (probably illegal, but how do you prove it?) "data trawling" which now goes on.
Remember that SSL/TLS encryption whilst hiding the content of a web session from interception en route, still allows a snooper to see the time, date and IP addresses of both ends of the session and the amount of data which has been downloaded or uploaded.
This may well be enough to strongly suggest or even to prove beyond reasonable doubt that a particular computer connected to a particular web page at a certain time and date.
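The following added Python example (not from the original post) makes the "Communications Data" versus "Content" distinction concrete: it separates a search URL into the parts TLS leaves visible to the network and the parts it hides, then reads two constructed proxy-log lines in Squid's native access.log layout to show what a log reader learns from a plain-HTTP search and from the same site reached through a CONNECT tunnel on port 443. The log lines, IP addresses and function names are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Two constructed proxy-log lines in Squid's native access.log layout
# (time, elapsed ms, client, code/status, bytes, method, URL, ident,
# hierarchy/server, type). Addresses are documentation ranges, not real hosts.
SAMPLE_PROXY_LOG = """\
1274800000.123   312 10.0.0.7 TCP_MISS/200 5120 GET http://www.google.co.uk/search?q=injunction&hl=en - DIRECT/203.0.113.10 text/html
1274800010.456  9871 10.0.0.7 TCP_TUNNEL/200 41230 CONNECT www.google.com:443 - DIRECT/203.0.113.11 -
"""


def split_request(url: str) -> dict:
    """Divide a request into the 'communications data' TLS still exposes to the
    network (host and port) and the 'content' it hides (path, query string and
    the q= search terms inside it)."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return {
        "visible": {"host": p.hostname, "port": port},
        "hidden": {"path": p.path, "query": p.query,
                   "search_terms": parse_qs(p.query).get("q", [])},
    }


def snooper_view(log_line: str) -> dict:
    """What one log line gives away: time, both IP addresses and the byte count
    in every case; the search terms only when the request went over plain HTTP.
    A CONNECT tunnel names the host and port and nothing inside the session."""
    f = log_line.split()
    view = {"time": float(f[0]), "client_ip": f[2], "bytes": int(f[4]),
            "server_ip": f[8].split("/")[-1]}
    if f[5] == "CONNECT":
        host, _, port = f[6].partition(":")
        view.update(host=host, port=int(port), search_terms=None)
    else:
        req = split_request(f[6])
        view.update(host=req["visible"]["host"], port=req["visible"]["port"],
                    search_terms=req["hidden"]["search_terms"])
    return view


def audit_log(log_text: str) -> list:
    """Apply snooper_view to every non-blank line of a log."""
    return [snooper_view(line) for line in log_text.splitlines() if line.strip()]
```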
Google extends the use of SSL encryption, but WikiLeakS.org no longer uses it.
It is ironic that in the same week that Google have extended their use of SSL/TLS encrypted web sessions, the partially re-launched WikiLeaks.org "Whistleblower leaks" website no longer offers SSL/TLS encrypted sessions for downloads or for their onsite web search form at all, i.e. the fact that you have searched for the keyword "injunction" on the WikiLeakS.org website is visible, in the clear, in various log files available to your local systems administrators, Internet Service Providers, Government agencies and private sector lawyers armed with Court Orders or injunctions, e.g.
http://www.wikileaks.org/w/index.php?title=Special%3ASearch&search=injunction&fulltext=Search
Trying this using https://www.wikileaks.org fails, as you get sent to the "secure" document submission system instead.
Since WikiLeakS.org no longer allow the public to submit or edit comments on the Discussion pages related to each "whistleblower leak" document, the fact that this standard wiki functionality does not use SSL either is moot.
WikiLeakS.org still offer SSL encryption for their "whistleblower leak" submission pages, but this uses a deprecated RapidSSL Digital Certificate with the weak MD5 digital signature, which potentially allows their SSL sessions to be snooped on via an undetectable "man in the middle" attack using a forged Digital Certificate. Such an attack was demonstrated back in 2008.
Most potential attackers do not have the technical resources and the will to exploit this MD5 vulnerability, but the US Military and Intelligence agencies, who WikiLeakS.org spend too much of their time annoying for political reasons, certainly do.
What are WikiLeakS.org playing at with this slapdash attitude to Encryption? They have also dropped the use of PGP Encryption and of encrypted Tor Hidden Services.
See the WikiLeakS.org blog for more details.
I've got the Google Captchas with Google Search over Tor and if you disable the RC4 algorithm in Firefox or use the CipherFox extension with RC4 disabled, you get AES-256.
@ Paul Qbit - thanks for using Tor to post your comment and thanks for reminding us of the Firefox settings:
1) Type "about:config" in the address bar to show the configuration parameters.
2) Make sure that "security.enable_ssl2" is "false" and "security.enable_ssl3" and "security.enable_tls" are "true".
3) Change to "false" the value for all ciphers that include "rc2" or "rc4" in the name.
i.e. make sure that these are all set to "false":
security.ssl2.rc2_128;false
security.ssl2.rc2_40;false
security.ssl2.rc4_128;false
security.ssl2.rc4_40;false
security.ssl3.rsa_rc4_128_md5;false
security.ssl3.ecdh_rsa_rc4_128_sha;false
security.ssl3.rsa_rc4_128_md5;false
security.ssl3.rsa_rc4_128_sha;false
etc.
N.B. remember that nobody has shown any viable attacks on the RC4 algorithm, yet, but it is getting a bit old.
However, looking through the list above you will see references to the recently added (to both Firefox and GNU Privacy Guard) Camellia cipher suite, which may or may not be as strong as the standard Advanced Encryption Standard (AES), so you may not yet trust this one either.
Remember that it is more likely for the Google server SSL / TLS Digital Certificates and secret encryption keys to be compromised through "lawful" seizure of their equipment than through algorithmic cryptanalysis or through massively parallel brute force cracking.
Even more likely is the voluntary or forced cooperation of Google Inc. with the US domestic law enforcement authorities, but not necessarily directly with foreign ones (including those of the United Kingdom).
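An added Python example (not part of the comment thread) that turns the checklist above into a check you can run against a Firefox profile's prefs.js: it parses user_pref lines, flags SSLv2 enabled or any rc2/rc4 cipher pref not set to false, and emits the user_pref lines that would correct them. The prefs.js excerpt is constructed; the pref names are those listed in the comment, plus any other rc2/rc4 pref the file happens to contain.

```python
import re

# Constructed prefs.js excerpt in Firefox's user_pref("name", value); syntax:
# a profile with SSLv2 still enabled and two RC4 suites left switched on.
SAMPLE_PREFS_JS = """\
user_pref("security.enable_ssl2", true);
user_pref("security.enable_ssl3", true);
user_pref("security.enable_tls", true);
user_pref("security.ssl2.rc4_128", false);
user_pref("security.ssl3.rsa_rc4_128_md5", true);
user_pref("security.ssl3.rsa_rc4_128_sha", true);
user_pref("security.ssl3.rsa_aes_256_sha", true);
"""

# The cipher prefs named in the comment above; any further rc2/rc4 pref found
# in the file is added to the check as well.
RC_CIPHER_PREFS = (
    "security.ssl2.rc2_128", "security.ssl2.rc2_40",
    "security.ssl2.rc4_128", "security.ssl2.rc4_40",
    "security.ssl3.rsa_rc4_128_md5", "security.ssl3.ecdh_rsa_rc4_128_sha",
    "security.ssl3.rsa_rc4_128_sha",
)
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(true|false|"[^"]*"|-?\d+)\);')


def parse_prefs(text: str) -> dict:
    """Read user_pref lines into {name: value}; later lines override earlier
    ones, as Firefox itself does when loading prefs.js."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        prefs[name] = {"true": True, "false": False}.get(raw, raw.strip('"'))
    return prefs


def audit_prefs(prefs: dict) -> list:
    """Return the user_pref lines needed to satisfy the checklist: SSLv2 off,
    SSLv3 and TLS on, every rc2/rc4 cipher pref off. A pref that is missing
    from the file is reported too, so the result sets each one explicitly."""
    wanted = {"security.enable_ssl2": False,
              "security.enable_ssl3": True,
              "security.enable_tls": True}
    wanted.update({name: False for name in RC_CIPHER_PREFS})
    wanted.update({name: False for name in prefs
                   if name.startswith("security.ssl") and re.search(r"rc[24]_", name)})
    return [f'user_pref("{name}", {str(value).lower()});'
            for name, value in wanted.items() if prefs.get(name) is not value]
```

Appending the returned lines to user.js in the profile directory applies them on the next Firefox start, since they are already in the format Firefox reads.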