Networking

Google Search over SSL has an oops

Google now provides SSL encryption capabilities for their search function. But, there is a problem that you need to be aware of.

According to Google's Web Search Help blog, the search giant has decided it's important to keep search inquiries from the prying eyes:

"With Google search over SSL, you can have an end-to-end encrypted search solution between your computer and Google. This secured channel helps protect your search terms and your search results pages from being intercepted by a third party. This provides you with a more secure and private search experience."

TechRepublic's Chad Perrin recently penned an article about the benefits of SSL-encrypted Web searches. He also advises caution as some searches are not protected by SSL encryption and under certain circumstances SSL is vulnerable.

When I learn that an application claims to use SSL, I like to check and make sure for myself. Sometimes there are surprises, and when it comes to security, that's not a good thing. I fired up Wireshark and, as stated above, the search traffic was gibberish, as shown below:

[Screenshot: Wireshark capture of the SSL search traffic]

That's great. But I did see something in the packet traffic that I didn't understand, so I went to Laura Chappell's Web site. I have taken several of her classes and consider her one of the foremost experts when it comes to analyzing packets. I did not find what I was looking for, but I did come across quite a surprise.

Cached Link

In their search results, Google includes what they call a cached link.

In theory, using a cached link makes sense, as explained by Google:

"Google takes a snapshot of each page examined as it crawls the web and caches these as a back-up in case the original page is unavailable. If you click on the "Cached" link, you will see the web page as it looked when we indexed it. The cached content is the content Google uses to judge whether this page is a relevant match for your query."

To their credit, if the cached link is clicked on, you will know it. Google prominently displays a window explaining the loaded page is a snapshot of the actual Web page and may not be current:

[Screenshot: Google's notice that the loaded page is a cached snapshot]

Ms. Chappell found out that the cached link traffic is not encrypted. I went back to testing, and sure enough, if the cached link is clicked on, the connection reverts to plain http. Notice the URL in the slide above.

Search query sent unencrypted

That's to be expected, but what's not expected is that the original search information is sent to the Google Web-cache server in the clear. Let's see if we can capture that. The first slide below is the response to my DNS query for webcache.googleusercontent.com. That's where the cache is located:

[Screenshot: DNS response for webcache.googleusercontent.com]

The next slide is that of the traffic my computer is sending to webcache.googleusercontent.com. As you can see, the highlighted packet contains my original search query:

[Screenshot: plaintext traffic to webcache.googleusercontent.com; the highlighted packet contains the original search query]
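The two observations above (the cached link drops from https to http, and the original search terms travel to webcache.googleusercontent.com in the clear) can be turned into a repeatable check rather than a one-off look in Wireshark. The following Python is an added example and is not code from the article, from Ms. Chappell, or from Google. The sample URLs and the sample HTTP request are constructed for illustration; only the host name webcache.googleusercontent.com comes from the article, and the `q=cache:...` parameter shape is an assumption about how the cached link is built. The check keys on the user's search terms, not on any particular parameter name, so it also catches other plaintext requests that happen to carry the query.

```python
"""Flag plaintext (non-https) requests that still carry the user's search terms.

Added example, not the article's code. Given the query typed over HTTPS and a
list of request URLs seen on the wire, report every URL that left the encrypted
channel while carrying all of the search terms. Also rebuilds a URL from a raw
plaintext HTTP request, which is what a packet analyser shows for port-80
traffic (the same request inside TLS would appear as opaque bytes).
"""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample: request URLs as a packet analyser might list them.
# Only the webcache host name is taken from the article; the path and
# parameters are an assumed shape for a cached-page link.
SAMPLE_REQUESTS = [
    "https://www.google.com/search?q=wireshark+tutorial",            # encrypted search
    "https://www.google.com/url?q=https://example.org/page",         # encrypted click-through
    "http://webcache.googleusercontent.com/search?q=cache:example.org/page+wireshark+tutorial&cd=1",
    "http://example.org/page",                                       # destination site, no terms
    "http://example.org/?ref=wireshark",                             # only one term, not a full leak
]

# Constructed sample: a plaintext HTTP request as reassembled from a capture.
SAMPLE_PLAINTEXT_REQUEST = (
    "GET /search?q=cache:example.org/page+wireshark+tutorial&cd=1 HTTP/1.1\r\n"
    "Host: webcache.googleusercontent.com\r\n"
    "User-Agent: constructed-sample/1.0\r\n"
    "\r\n"
)


def query_terms(search_query):
    """Split the typed query into lower-cased words."""
    return [t.lower() for t in re.split(r"\s+", search_query.strip()) if t]


def plaintext_query_leaks(search_query, urls):
    """Return (url, parameter_name) pairs for non-https URLs carrying all search terms.

    https URLs are skipped: they are inside the protected channel. For every
    other URL, each query-string value is checked for all of the user's terms;
    parse_qs already turns '+' into spaces, so 'a+b' and 'a b' compare equal.
    """
    terms = query_terms(search_query)
    if not terms:
        return []
    leaks = []
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme.lower() == "https":
            continue
        for name, values in parse_qs(parts.query, keep_blank_values=True).items():
            if any(all(t in v.lower() for t in terms) for v in values):
                leaks.append((url, name))
                break  # one hit per URL is enough to report it
    return leaks


def url_from_plaintext_request(raw_request):
    """Rebuild 'http://host/target' from a plaintext HTTP/1.x request.

    Returns None when the text is not a parseable request (e.g. TLS bytes
    that were mistaken for HTTP). An absolute-form target (proxy style) is
    returned unchanged.
    """
    lines = raw_request.split("\r\n")
    m = re.match(r"^(GET|POST|HEAD)\s+(\S+)\s+HTTP/1\.[01]$", lines[0])
    if not m:
        return None
    target = m.group(2)
    if target.startswith(("http://", "https://")):
        return target
    for line in lines[1:]:
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return "http://" + value.strip() + target
    return None  # HTTP/1.1 requires Host; without it we cannot name the server


def audit(search_query, urls, raw_requests=()):
    """Combine URLs listed directly with URLs rebuilt from raw plaintext requests."""
    rebuilt = [u for u in (url_from_plaintext_request(r) for r in raw_requests) if u]
    return plaintext_query_leaks(search_query, list(urls) + rebuilt)


if __name__ == "__main__":
    for url, param in audit("wireshark tutorial", SAMPLE_REQUESTS, [SAMPLE_PLAINTEXT_REQUEST]):
        print(f"search terms left the encrypted channel: {url} (parameter {param!r})")
```

Run against the constructed samples, the two https URLs and the bare destination page pass, the `ref=wireshark` URL is ignored because it carries only one of the two terms, and the webcache request is reported twice: once from the URL list and once rebuilt from the raw request. The same functions can be fed the HTTP request list exported from a real capture to confirm whether a fix has landed.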

Final thoughts

According to Google's above statement, all search traffic is supposed to be encrypted between our computers and their servers. It's not in all cases, and I felt it important to make sure everyone is aware of that.


42 comments
josephadeo

And google's SSL implementation definitely has a long way to go from its current Beta stage. There's still no extended validation ssl, for example, which could curb google-oriented phishing attempts entirely, and it would be nice to see the secured site being the default rather than something you still need to manually punch in. Unfortunately, since google is a cloud rather than simply a search engine, searching often means transmitting sensitive data -- SSL and especially EV SSL is needed to protect that. But hopefully we'll see updates from the big G soon.

sysop-dr

I was surprised to find that iGoogle is not included in the effort to secure search. I use google but always use the iGoogle page instead. It won't even accept the https connection. I'm hoping that they will eventually let all of google be accessed secure.

jpk

Nice post Michael. Trust but verify :)

rkuhn040172

Surely Google is aware of this and it was just an oversight?

Michael Kassner

There is at least one case where search-query traffic is sent in the clear. That's not supposed to happen.

Michael Kassner

Search results are sent in the clear. They may not keep records, but others could capture the traffic.

Michael Kassner

I suspect it will eventually. This is a fairly new setup for Google and I have been in contact with them. They are working on getting the oops I wrote about fixed.

Michael Kassner

As an amateur radio op, there is a fine distinction between what is broadcast in the clear and attaching to the network. I don't want to get into it without proper research, but if Google was just receiving information, is that wrong? I don't know and am trying to get my arms around it.

Michael Kassner

If I ever would get a tattoo, that is what it would be.

Michael Kassner

I was never concerned about cached links. How many times have you clicked on the cached link? That said, I am ongoing in my research of this. When is this an automated response, and if so, does the same warning window appear?

marumari

In Google's defense on this one, the SSL search thing is in beta and was only introduced back on May 21st. I have been using the SSL search exclusively since then, and they have, day by day, been adding SSL/HTTPS capabilities to their passoff services (News, Videos, Books). Many of them started out as non-SSL and have moved to SSL since then. Furthermore, even their original announcement stated: And clicking on any of the web results, including Google universal search results for unsupported services like Google Images, could take you out of SSL mode. Presumably, Google Cache is one of those unsupported services at the moment. I think we can save our panicking and breaking out of Wireshark for the day that Google announces end-to-end encryption for all their services, and fails to deliver.

apotheon

If a follow-up article is going to steal my thunder, I'm glad it's an article that deserves to get the attention. You've done some good work, here, and written a good article. Thanks for providing more information on the subject.

seanferd

And it definitely should be fixed, as there is really no point in claiming encrypted search otherwise. Very nice detective work. Did you ever find out the answer to your original packet question? Oh, and thanks for the link to Chappell's.

Ocie3

to Google and vice-versa would be meaningless, because the "searcher" is Scroogle. Google cannot identify the person or organization that is using Scroogle. Someone who captures traffic to the Scroogle web site -- or between a specific computer, or network, and Scroogle -- could, of course, obtain whatever data is contained in the packet headers and packet contents (the search terms, and the search results, respectively). Whether that can be associated with P.I.I. depends upon the data in the respective files which are being used. Maybe Scroogle should start offering SSL connections.

Ocie3

(mostly in the NYT) have only mentioned German law, and the legal details have been sketchy. It seems that it is not illegal to broadcast a WiFi connection, and it might not be illegal to capture traffic from it unless you keep a record of it, and/or access the network, without permission of its owner. Google admits that they did record it (or someone working as their agent recorded it), but claim that it was accidental.

Neon Samurai

Unless the network is clearly identifying itself as open to strangers, siphoning off data packets is not acceptable. The owner may not be aware that they are broadcasting clear text. They may not be aware of how broken WEP is. The owner's lack of knowledge is not justification for taking advantage of them. The default assumption should be that the owner is not intending to have packets taken or visitors joining in. I'd say that detecting the network and identifying its encryption method or lack thereof is one thing, but the moment you try to authenticate or start a packet dump, you've crossed a line. Pulling packets off another person's network and cracking the key already opens one up to liability even if the intent is honorable and the person never uses the found key to connect. For me, this falls along the lines with wandering into someone's home or car because they didn't lock the doors or plugging into an outside power socket because it's not contained inside a lockbox. Maybe a couple is into being watched, but noticing that they've not pulled the drapes does not justify grabbing a lawn chair; you're still risking legal repercussions. Officer Milo isn't going to sit down beside you and go "well, they left the wind'r open didn't they". With HAM, it's assumed that the channel is open to all listeners. Operators are generally licensed and aware of the technology they are using. Encrypted broadcast is the anomaly rather than the norm. HAM seems to have started as an open medium that one can choose to fire encrypted traffic over, where LANs are closed systems to which wifi APs were added later on. In Google's case, mapping out wifi broadcasts in the hoover-mobiles is questionable, but active packet capture is well into the realm of "WTF were you thinking?". They are currently spinning it as a rogue developer; "gosh, we didn't know.." when the rest of the vehicle is designed to capture any information channel it can in passing.
Luckily, Germany is not lax on privacy laws to the point that Google had to consider if they were breaking more privacy laws by complying with the court order to hand over hard drives. Back to wifi; what really should be happening is vendors delivering products locked down by default. If the consumer wants to open the wifi up to the world, let them disable encryption and change the ssid to "free wifi" or similar. Expecting the consumer to take an insecure device and lock it down has yet to result in the desired outcome.

SkyNET32

Trust No One... What's so great about Laura, compared to others? Any comments Mike? I was looking at her courses, don't know if any of them would really apply to me as continuing ed, I'm just a librarian trying to take over the world :D

SkyNET32

Trust No One... What's so great about Laura, compared to others? Any comments Mike? I was looking at her courses, don't know if any of them would really apply to me as continuing ed, I'm just a librarian :D

Michael Kassner

This post was not to implicate anyone. It was to point out a condition that exists today. I have no doubt that Google will fix this.

Michael Kassner

I was trying hard to build on what you wrote about. That said, I would love to know how many people click on the cached link. Another question that I am working on is if the cached link comes into play when the official web site is having issues. If so, does it display the warning? Any thoughts? Edit: Spelling

Michael Kassner

Thanks, Sean. Ms. Chappell is amazing. I know I am supposed to remain unbiased, but I have learned so much from her.

Ocie3

that we can use Secure Scroogle, too: https://ssl.scroogle.org/ The ISP won't be able to read the traffic between my computer and the secure Scroogle server. It doesn't matter whether anyone reads the traffic between Scroogle and Google, because ordinarily there isn't any data in the packets or their headers which identifies the searcher. It is a stretch of the imagination to conceive of any that would, assuming that Scroogle has not made any mistakes in their system.

apotheon

I guess the question, then, is which you mistrust more -- Google or your ISP. If you use Scroogle, your ISP's servers get to see all your unencrypted traffic between your browser and Scroogle. If you use Google's encrypted search, Google gets to see all your encrypted traffic to and from Google, since it's getting unencrypted at Google's end. It's really sort of a case of six of one and half a dozen of the other, as far as I can see -- because I don't particularly trust either my ISP or Google.

santeewelding

The truth of the matter? The thing of it is? Revealment? I hang on your every word.

Ocie3

Actually, I had forgotten about it until I was referring someone to Scroogle today and re-checked my bookmarks. Anyone who wants to use Scroogle can use a secure connection: https://ssl.scroogle.org/

Michael Kassner

I feel is possible. Any stop in the path gets information in the clear. Edit: Spelling

santeewelding

Imagine if everything you and Michael wrote were encrypted the way I encrypt.

apotheon

The worst part of everything in this, in my opinion, is that amateur radio operators are not allowed to use encryption.

Neon Samurai

The thing I'm getting hung up on is that they "accidentally" ran three years worth of packet capture. That negates the "rogue engineer" and "accidental software bug" excuses they've given. It'll be interesting to see how it all plays out in various legal regions. I'm going to fetch my popcorn. :D

Michael Kassner

are pretty clear. Most RF transmissions are in the clear and public domain. For example, amateur radio ops are not allowed to use encryption. The ISM, cellular, and a few other RF bands are unique in that encryption is allowed and licenses are not required. Still, I suspect if push comes to shove, any in the clear RF may be legally public domain. The legal system is more concerned about unwanted devices attaching to networks. That is why when I scan/wardrive, I disable that ability.

michaelok

The "still in beta" is a lame excuse. This illustrates the decline in software quality over the years, that Google seems to be at the forefront of. Once it's out on production servers, available to the masses, it can no longer hide behind the "it's only beta" label. This should have been caught in Systems testing - it's a design flaw. It's a disturbing trend that companies like Facebook are now picking up - slap some poorly tested code out there, and let people like the author catch it. What if we applied this same attitude to cars? Toyota could say - no worries, your brakes are still in beta. Air traffic control problems? Not our fault, it's beta software, says right there in the fine print. Google cloud computing is not secure, exposing private, confidential information to hackers? Oops! Sorry! Yeah, right.

Ocie3

but, in the beginning, in an ordinary search from Google's main search page (http://www.google.com/), if the web page in a search result could not be retrieved, then Google explicitly offered to show the cached page instead. That is, if the DNS resolver returned an error for the URL, then Google offered to show the cached page instead. (However, I don't know whether that works when the DNS resolver returns the IP address for an ad-laden "suggestion" page with a search function on it, instead of an HTTP error page.) It has been quite a while since I've seen Google offer to show the cached page, but a few years ago it was not uncommon at all. I don't recall the time that Google began including the URLs for cached pages in the primary search results. And it would not surprise me if Google now automatically shows the cached page when the primary URL in the search result returns an error.

Michael Kassner

That the cached web page is served up if the official web page has problems. If that is true, then the search query information will be sent at that time.

apotheon

I'm not entirely sure what you're asking. Would you please rephrase it?

Michael Kassner

Google is known for having applications in beta for years. Gmail was in beta for two years if I remember correctly. You are right in this case, as SSL Web Search has only been out for a very short time. It is still important to know though.

adakar_sg

Still in beta is it not? Not that I'm saying I'm not glad you told, but things in beta are expected to have bugs; if not they would probably have released it already.

seanferd

Biased or not, your estimation of Ms. Chappell and inclusion of a link to her site are appreciated and worthwhile. If you are indeed displaying a bias, I work on the assumption that something substantial caused you to be biased in her favor. Since you are a primary link in my own Web-of-Trust/Quality/Appreciation/etc., I can certainly consider heading in directions you may point in your writing. :)