Gmail Adds Encrypted Search to Foil Snoopers

SSL set by default for logged-in users

Google is extending SSL encryption security to search traffic for all logged-in Gmail users, the company has announced.

The key phrase here is 'by default' because it has been possible for Google search users to access encrypted search manually since May of last year using the https://encrypted.google.com/ site.

Over the next week or so, users accessing the search site with the extra 's' will have all search queries and results pages encrypted from prying eyes, even when using insecure channels.

"This is especially important when you're using an unsecured Internet connection, such as a WiFi hotspot in an Internet cafe," said Google, dryly, announcing the upgrade in an official blog.

Google doesn't mention it, but using SSL will also hide searches from ISPs.

To date, few users have heard of the manual SSL search facility, nor perhaps have they considered the security risks of punching in search terms while mobile. From now on, as long as they are Gmail users and are logged in when running searches, they will benefit from the new layer of security.

It's a small upgrade that will probably be of more significance for webmasters, who will not receive as much data from encrypted search queries as they have grown used to under non-SSL search. For any worried about losing visibility on user interests, Google is pushing them to its Webmaster Tools system, which offers data on the top 1,000 search queries for a particular site.

The slow creep of SSL started with its introduction on Gmail as an option as far back as July 2008; it was eventually made the default in January 2010.

Twitter started using SSL by default only a few weeks ago (although this process might not have completed for everyone), while Facebook offered it as an option for the security-conscious earlier this year.

Why not just turn it on by default for everyone at the same time? In short, performance. SSL adds overhead by setting up a tunnel between the server and the user, and that risks adding latency for the user. Google, Twitter and Facebook will one day be all-SSL by default but need time to upgrade their infrastructure to cope with its demands.

And do users really need it? Are mundane searches really that interesting to eavesdroppers?

The best example of how easy it can be for outsiders to log search results is probably Firesheep, a simple proof-of-concept browser tool that lets anyone intercept traffic sent through non-encrypted WiFi.

As celebrity Ashton Kutcher found out to his cost earlier this year, such interception can allow hackers to impersonate him on Twitter once the session key has been sniffed. That was one motivation for Twitter's sudden conversion to the SSL mantra around the same time.
