Google To Encrypt All Keyword Searches

Hugh Pickens DOT Com writes "Danny Sullivan reports that in the past month, Google has quietly made a change aimed at encrypting all search activity to provide 'extra protection' for searchers, and possibly to block NSA spying activity. In October 2011, Google began encrypting searches for anyone who was logged into Google. The reason given was privacy. Now, Google has flipped on encryption for people who aren't even signed-in. In June, Google was accused of cooperating with the NSA to give the agency instant and direct access to its search data through the PRISM spying program, something the company has strongly denied. 'I suspect the increased encryption is related to Google's NSA-pushback,' writes Sullivan. 'It may also help ease pressure Google's feeling from tiny players like Duck Duck Go making a "secure search" growth pitch to the media.'"

Illusion of privacy

[NoImNotNineVolt]

Encrypting the connection between Google and the users isn't going to accomplish anything when the NSA already has full access to Google's servers.
Too little, too late. Way too late.

Re:Illusion of privacy

[geek]

Encrypting the connection between Google and the users isn't going to accomplish anything when the NSA already has full access to Google's servers.

Too little, too late. Way too late.

Google has been very adamant that the NSA does not have access to their servers. I don't know if I believe them or not but that is the premise Google is working off of.

It also means nothing when they cowtow to the national security letters like they do.

Re:Illusion of privacy

[thetoadwarrior]

Doesn't really matter. If they're encrypting it then they can decrypt it so if the NSA wants it then they'll have it.

Re:

[dreamchaser]

Not to mention that the NSA probably has backdoors at most major ISP's and can man-in-the-middle decrypt anything they want. As another poster said, it's more or less over.

Re:

[LordLimecat]

I dont think you understand how SSL works. Its entire purpose is to defeat MITM.

Re:Illusion of privacy

[dreamchaser]

I understand how it works, and there are plenty of devices that do exactly that with SSL traffic. If they can intercept the traffic and have compromised the certificates, which is certainly possible if not definite, they can decrypt it without the user ever knowing. There are even commercial devices that do exactly that.

Re:

[LordLimecat]

The devices which capture SSL traffic only work because your managed workstation has been made to trust the root CA installed on those devices. If you were to bring an unmanaged laptop into the office network, that SSL sniffer would be unable to capture its traffic.

The security of SSL hinges on trusting the right CAs; but of course the use of CAs (a system of trust) is what allows it to defeat MITMs in the first place.

Re:

[0123456]

That's easy to prove. Just show us one fake SSL certificate issued by the NSA.

So far, not a single one has ever surfaced. If it's happening at all, it's certainly very rare.

Re:

[rvw]

That's easy to prove. Just show us one fake SSL certificate issued by the NSA.

So far, not a single one has ever surfaced. If it's happening at all, it's certainly very rare.

They don't issue fake certificates. They copy the real ones.

Re:

[LordLimecat]

Why would it surface? They do not need to fake anything if they have all the keys incl. private keys.

THEY DONT HAVE the private keys. NOONE has the private keys except for the individual or company who initiated the certificate request. You create a CSR and a private key, you send the CSR to GoDaddy, they provide you with a signed public cert.

The ONLY way for them to intercept SSL is to create their own certificate for google.com and sign it with their own root cert. When they do that, and you go to google, you can EASILY verify who signed the cert, and if its the DoD you can just rip that root CA out o

Re:Illusion of privacy

[jafiwam]

I dont think you understand how SSL works. Its entire purpose is to defeat MITM.

And YOU don't understand what would happen if "the man" in the middle has access to the certificates, either the masters or the actual certificates themselves.

Do you really think "mysecretdomain.com" certificate from shitty ass low cost certificate provider doesn't have a duplicate key on file at Comodo, Network Solutions, GoDaddy or TwoCows or whatever?

They don't have to brute force or hack anything if they have an appliance in the middle that automatically grabs the certificate from the certificate issuer and spoofs both sides of the connection.

If you want your traffic encrypted, you need to generate your own certificates using software you compiled after you reviewed the code.

Re:

[Anonymous Coward]

If you want your traffic encrypted, you need to generate your own certificates using software you compiled on multiple independent compilers to counter "trusting trust" after you reviewed the code.

Re:Illusion of privacy

[icebike]

I dont think you understand how SSL works. Its entire purpose is to defeat MITM.

And YOU don't understand what would happen if "the man" in the middle has access to the certificates, either the masters or the actual certificates themselves.

Do you really think "mysecretdomain.com" certificate from shitty ass low cost certificate provider doesn't have a duplicate key on file at Comodo, Network Solutions, GoDaddy or TwoCows or whatever?

They don't have to brute force or hack anything if they have an appliance in the middle that automatically grabs the certificate from the certificate issuer and spoofs both sides of the connection.

If you want your traffic encrypted, you need to generate your own certificates using software you compiled after you reviewed the code.

Was going to post exactly this!.

But to further the point, it is strongly suspected that SSL is already broken by the NSA, and having certificates is no longer necessary.

Google publishes its own certificate. I don't think its signed by anyone but Google, a sign they have totally given up on corrupt certification companies.
They also have changed it occasionally. I notice this when my more selective operating systems prompt me to accept new certificates for some Google Services, that they were happy to use yesterday. (These are always sort of scary events that warrant close inspection).

Re:

[Jah-Wren Ryel]

But to further the point, it is strongly suspected that SSL is already broken by the NSA, and having certificates is no longer necessary.

That is outright false. I challenge you to provide a citation to a reasonably authoritative site saying that - basically anybody who isn't a kook. You can't.

The best you can come up with is that RSA-1024 is easy enough to brute-force with modern equipment. But moving to RSA-2048, as google has already done, [blogspot.com] still provides very strong protection.

Re:

[headhot]

if the RNG that the RSA encryption is based on is compromised, the encryption is compromised.

Re:

[Jah-Wren Ryel]

if the RNG that the RSA encryption is based on is compromised, the encryption is compromised.

If you are referring to Dual EC DRBG [wikipedia.org] only RSA's BSAFE toolkit defaulted to it, because it was really slow. How many SSL implementations use BSAFE? I don't know, but I bet it isn't all that many since BSAFE is closed source and costs money. Certainly OpenSSL doesn't use it.

Re:

[LordLimecat]

The amount of outright ignorance in this thread is staggering-- from faulty assumptions that Dual EC DRBG usage was widespread, to the implication that TuCows somehow has a copy of your private key, to the assumption that SSL can just be "MITM'd".

Re:

[Jah-Wren Ryel]

Mods are on conspiracy crack tonight too.

Re:

[matthewv789]

SSL can be MITM'd so long as you can sign a certificate in a way trusted by web browsers. And it turns out quite a number of branches of the US Government are among the nearly 2000 entities with the ability to sign certificates for any domain that will be accepted by web browsers as valid and trusted (which I did not know previously). See http://conferences.sigcomm.org/imc/2013/papers/imc257-durumericAemb.pdf [sigcomm.org]

And RSA did recently ask developers to stop using all versions of the BSAFE toolikit (including Cryp

Re:Illusion of privacy

[icebike]

That is outright false. I challenge you to provide a citation to a reasonably authoritative site saying that - basically anybody who isn't a kook. You can't.

Clearly you phrased it that way so you could reject any site I offered, based on your own myopic view point.

So here are the rules:
You don't get to reject any source! You have to invalidate every one of these and all of their claims.
After all, extraordinary claims of something being "outright false" require extraordinary proof.

http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?pagewanted=2&_r=0 [nytimes.com]
http://nakedsecurity.sophos.com/2013/03/16/has-https-finally-been-cracked/ [sophos.com]
http://www.theguardian.com/commentisfree/2013/sep/05/government-betrayed-internet-nsa-spying [theguardian.com]
http://www.theregister.co.uk/2013/09/05/nsa_gchq_ssl_reports/ [theregister.co.uk]
http://www.zdnet.com/has-the-nsa-broken-ssl-tls-aes-7000020312/ [zdnet.com]
http://www.forbes.com/sites/andygreenberg/2013/06/20/leaked-nsa-doc-says-it-can-collect-and-keep-your-encrypted-data-as-long-as-it-takes-to-crack-it/ [forbes.com]

Re:

[SolitaryMan]

None of you "sources" present any kind of proof that SSL is hacked or say anything about the technology used for it. Mostly looks like a pile of sensationalist crap to me.

Re:

[LordLimecat]

From the top:

• That NY times article was rubbish, as it makes no clear claim and provides no clear rationale behind whatever it is theyre alleging. As best as I can determine, theyre saying that the NSA "circumvents" SSL traffic by grabbing it post-decryption--despite having no source indicating that. The article even says as much in the page you linked to, 2/3 of the way down.
• The NakedSecurity post refers to issues in specific encryption algorithms, not with SSL itself. Its talking about RC4, which is anc

Re:Illusion of privacy

[icebike]

Exactly as predicted, you toss out the evidence and strut off snorting.

Here it is direct from Snowden:

http://swampland.time.com/2013/09/05/five-revelations-from-snowdens-newest-leak/ [time.com]

The full extent of the NSA’s highly classified encryption cracking program Bullrun is only known by top officials in the NSA and its counterpart agencies in Britain, Canada, Australia and New Zealand. Bullrun has successfully foiled several of the world’s standard encryption methods, including SSL (Secure Sockets Layer), VPN (virtual private networks), and the encryption on 4G (fourth generation) smartphones.

Care to refute Snowden?

We are going back to my rules:

Prove your point about it being outright false or STFU.

Re:

[icebike]

So, lets set ground rules, then.

You won't take Snowends word, even though he has been 100% right.

Do you require Obama's Testimony, or God's ? What?

Pull you head out of the sand!

Re:

[LordLimecat]

Care to refute Snowden?

Sure. VPN isnt an "encryption method", its a networking technology. That right there tells me whoever penned that paragrahp has absolutely no idea what theyre talking about.

SSL isnt really an "encryption method" either, it is, again, a networking techology, and it can use several different encryption methods. I somehow doubt that the NSA has cracked them all.

Re:

[jhol13]

I do not believe all VPN and all SSL are broken. It would be pretty much impossible to break all VPN, after all they use vide variety of encryption systems.

What I believe is that many commercial, perhaps most if not all US made, VPN & SSL implementations are flawed.

Re:

[Jah-Wren Ryel]

Here it is direct from Snowden:

What you quoted is NOT direct from Snowden. Hell, the opening line right before the list of those statements is attributed to someone other than Snowden.

I quoted Snowden verbatim on the very specific point that "encryptyion works," all you've done is quote journalists who are speaking in very vague terms.

But, you know what, let's take your citation at face value. The very next statement: "Strong, non-commercial encryption systems still seem to thwart the NSA's efforts." OpenSSL is a strong, non-commercia

Re:

[bertok]

The weak point is not with the mathematics. It's like claiming nobody can break into your house because you have a solid steel door, but at the same time you have glass windows.

The weakness in SSL is the trust you have to place in the CA infrastructure, none of which is really that secure. Your browser will trust any valid certificate rooted in a trusted CA. There's no need to crack the keys of the certificates issued by Google. Keys have leaked, CAs have been hacked, intermediate authority certificates are

Re:

[pathological liar]

You're looking in the wrong place.

The public-key algorithms are only used to auth servers/clients and during the negotiation of a session key for a symmetric algorithm. Thanks to the BEAST and CRIME attacks, and the dismal uptake of TLS 1.2, once you rule out the block ciphers in CBC mode the most secure symmetric cipher that clients/servers can be expected to support is RC4, which now accounts for some huge percentage of HTTPS traffic.

Nobody is suggesting that RSA is broken, but there is speculation that t

Re:

[LordLimecat]

Do you really think "mysecretdomain.com" certificate from shitty ass low cost certificate provider doesn't have a duplicate key on file at Comodo, Network Solutions, GoDaddy or TwoCows or whatever?

Yes. TuCows, GoDaddy, and NetSol dont have your private key. All they do is sign your CSR, and provide you with a public key.

I would STRONGLY encourage that people who do not understand SSL, refrain from commenting here. There are attacks on SSL, but it seems like noone here really understands what they are or how to mitigate them.

Re:

[matthewv789]

Not even that. The US Government has certificate signing power already. They don't need to copy any existing certificates, they can just generate and sign a certificate for whatever domain they want to MITM, and it will be accepted by the major browsers. If they don't have the cooperation of the ISP, they can easily hack a router.

Reference: http://conferences.sigcomm.org/imc/2013/papers/imc257-durumericAemb.pdf [sigcomm.org]

We really need a new system of trust. Some mechanisms are in place to be more trustworthy, but the

Re:Illusion of privacy

[usuallylost]

Do not put to much confidence in SSL. I have tested several firewall products that allow corporations to decrypt SSL traffic coming into their networks. Basically all they need is the ability put a trusted cert on the machine and force you to use a proxy. On a lot of corporate networks your SSL traffic is being decrypted and scanned. My guess is the NSA can do the same thing to you pretty much anytime they want.

Re:

[slimjim8094]

Chrome has certificate pinning [chromium.org]. Basically it means that if you access a Google property, it's checking for a specific certificate - not just any old cert signed by any old CA. Sure, this doesn't help you if you're not using Chrome, but if the NSA was trying to do a blanket MITM, all Chrome browsers would blow up and you'd definitely hear about it.

Re:

[kbg]

But it doesn't matter because the NSA has all the certificates that Google has.

Re:Illusion of privacy

[TheGratefulNet]

I personally interviewed at places that were proud of their MitM ssl cert attacks. this was more than 5 yrs ago, too, when almost no one believed this was happening. (no, I didn't take the job, it sickened me to think of myself helping them out).

if you are using a work-provided computer that had the IT group installed o/s, you can't trust it. if you installed your own o/s and never gave root privs to anyone, you may be able to trust it and it should find a 'fishy' cert being pushed on you when you go thru the corp firewall.

I tell people this: if you use a work-provided system, you should not do anything personal on it (no banking, etc). that little lock icon means nothing anymore and we should all be aware of this.

Re:

[jhol13]

NSA cannot do this in wide scale as the new CERT is far too easy to detect. They might do it for one particular "suspect", e.g. I would not notice it. But there are even Firefox extensions to detect these so if deployed wide scale it would have been noticed.

Re:

[icebike]

These trust levels are forced on you. If you use an iPhone, either you trust what Apple trusts, or you don't use the device. Same with Android unless you cook your own ROM. In fact, you don't even know what CAs are on your phone most likely, nor be able to find out.

In my phone, under
Settings / Security I find an entry called Trusted Credentials

Its divided into two categories, System and User. (There are no user certs, but you can add them).

There are a boat load of certs in there on the system side. Including Microsoft, every Cert company you've (n)ever heard of.

Who knows what might be lurking. (There is one listed as "Government Root Certificate Authority". Apparently something
out of Taiwan, but it has no CN or OU).

Who's to say there aren't a few more hidden from

Re:

[LordLimecat]

Unless I am mistaken, the DoD root certs are optional and not included by default.

Re:

[russotto]

Verisign's roots are included by default. If you think the NSA doesn't have the private key for all US based certificate authorities, you're not nearly paranoid enough. And there's no way they don't have Verisign's; Verisign is far too cozy with the government.
 

Re:

[matthewv789]

Yes, this.

"We also saw a number of commercial authorities that provided a smaller number of certificates to seemingly unrelated entities. For example, VeriSign, Inc. provided intermediates for Oracle, Symantec, and the U.S. Government"

Source: http://conferences.sigcomm.org/imc/2013/papers/imc257-durumericAemb.pdf [sigcomm.org]

Your browser trusts VeriSign, so your browser trusts the US Government, and not just one signing certificate, a bunch of them:

"All but a handful of the authorities 4 or more intermediates away from

Re:

[interval1066]

I guess the point is Google isn't giving them, or anyone else, an open-door to its users activities. It may not mean much, but its going to play well in the press. Which is the whole point, isn't it?

Re:

[pepty]

I think they're getting a twofer: 1, Good press for supposedly making things harder for the NSA, 2, making it a PITA for ISPs to eavesdrop on/monetize google searches. ISPs can push their own targeted advertising based on search terms the same way that Google does; they can also redirect traffic away from google results and to their own affiliates based on those search terms. Paxfire offered that capability to ISPs in the past; they redirected traffic from Google, Yahoo, and Bing searches to their clients.

Re:

[skribe]

It depends. If Google has managed to implement one of the theoretical crypto magic solutions they may not need to decrypt to return a valid search result.

Re:

[MikeBabcock]

You don't seem to understand the point.

With encrypted connections that aren't in any other way compromised, the NSA has to actually make an overt effort to get data out of Google. Without encrypted sessions, they can covertly glean it from watching the wire at your ISP.

Re:

[gagol]

They may not agree with it, or even be aware of it, but it still is a very string possibility.

Re:Illusion of privacy

[fustakrakich]

...it still is a very string possibility.

Only in theory...

Re:

[gagol]

A theory, as in I have no proof, yes. If I was the head of NSA, hacking Google would be my top priority.

Re:

[gagol]

No pun intended ;-)

Re:Illusion of privacy

[AlphaWolf_HK]

Even if Google wanted to tell you that the NSA has access to their servers, knowing full well it would kill their bottom line (assuming it would), they'd be forbidden from telling you the truth anyways.

That's actually the scariest thing.

Re:Illusion of privacy

[swillden]

Even if Google wanted to tell you that the NSA has access to their servers, knowing full well it would kill their bottom line (assuming it would), they'd be forbidden from telling you the truth anyways.

True... but I'm not so certain that they could be compelled to lie. When I look at the pattern of public statements and later revisions from all of the big players (telcos and tech companies), I don't see a single case of anyone actually contradicting an earlier statement. It seems to me that they've all been careful to tell the truth, though they've often been careful about how much truth they've told. Government agencies have been caught lying, but they don't have the same legal requirements to citizens as publicly-traded companies have to shareholders.

Based on that, and on my viewpoint as a Google employee who builds some of the internal security systems that the NSA would have to compromise to snoop, I am completely convinced that Google is telling the truth when it says that it has not given the NSA any sort of direct or indirect access. I'm not certain that the NSA hasn't managed to insert snooping equipment into Google data centers or on Google fiber lines without Google's knowledge. But that's why Google is making a push to get everything encrypted, internally and externally.

Just to quiet the obvious retort: Yes, I know that won't prevent the government from serving Google with warrants and NSLs and obtaining user data that way. But if they have to do it through the front door, with a request that satisfies Google's attorneys with respect to its propriety and narrow scope, then I think we (as a society) have a much more manageable problem. Still a problem, but one that can be addressed with legislation and better oversight. If the NSA is silently devouring the whole Google data stream... that's an entirely different kettle of fish.

Re:

[iiiears]

Always pleased to read an informed opinion on slashdot.

I was fascinated by the news of stuxnet and persistent rootkits. Nearly everything connected to a data bus has firmware. How likely is it that embedded devices would be compromised?

It was surprising to me even the simplest hard disk has three controller CPUs, RAM and ROM.

Thank you again for making slashdot a site about technology.
 

Dead Man's Switch

[Mr. Underbridge]

Based on that, and on my viewpoint as a Google employee who builds some of the internal security systems that the NSA would have to compromise to snoop, I am completely convinced that Google is telling the truth when it says that it has not given the NSA any sort of direct or indirect access.

I don't know if they are intentionally being this clever - but if the execs were to claim daily that they aren't bending over for the NSA, the day they stop claiming it is the day you know they are bent over by the NS

Re:

[Lennie]

Calling NSLs going through the frontdoor is kinda funny.

When you get an NSLs it basically means you have you to lie:
http://www.youtube.com/watch?v=eT2fQu50sMs [youtube.com]

Re:

[Lennie]

I think what Google should do is stop collecting data on people, that is the only way to get away from this.

Or anonymized as soon as possible.

If you collect and keep personalized data, you can't guarantee how it will be used in the future.

Re:

[icebike]

How many Google Employees can the Federal Prisons hold?

I'd like to see the entire Board of Directors, All corporate officers, and All top and Middle management employees
and Directors from each of their world wide offices come out on the steps of their headquarters and issue a statement
with published facts, naming explicit government employees and the orders they gave.

Just call the Government's bluff. And do the same for China while they are at it.

Then demand jury trials, and watch how fast they get acquitt

Re:

[X0563511]

The NSA doesn't have to have access to the servers if all network traffic is also sent into the NSA's special rack...

Back when I worked in a hosting center the FBI had a little group of machines that were theirs and we were hands-off. Our network admin would occasionally get requests to have traffic to/from particular IPs routed to their "playpen" and he would comply - while this meant they got everything they wanted, nobody was granted any access to someone's server.

Re:

[jhol13]

Well, Lavabit closed down because request to them was "too much". Google did not and will not.
So what is "too much"? I have an opinion on that and therefore I do not believe Google. On neither account ("has access" and "is working").

If Google were working on it, they would make a Javascript (i.e. client) encryption to their cloud (and email, etc). It would be quite easy to do.

Re:

[Barryke]

Google has been very adamant that the NSA does not have access to their servers.

No, Google did not choose to join a program that would give NSA access.

"we have not joined any program that would give the U.S. government—or any other government—direct access to our servers. "
Source: http://googleblog.blogspot.be/2013/06/what.html [blogspot.be]

We know nothing about what Google did not choose to do, for all intents and purposes, because the NSA does have this goal i assume they have (or are going to) meet it. Likely in secret.

Furthermore as stated elsewhere encryption is irrelevant, with or

Re:

[vadim_t]

The important thing isn't Google's servers, but the Certificate Authorities.

All that the NSA has to do is to get some CA to emit certificates for Google's domains. Then they can easily place themselves as a man in the middle, and the user won't notice.

No access to Google's servers necessary, then.

Re:

[vadim_t]

It's got nothing to do with the private key.

NSA goes to Verisign (for instance). Says "please sign our key for google.com". Verisign signs it. NSA intercepts traffic between google.com and you. Browser deems cert as valid, as Verisign signed it, and you seem to be connecting to google.com.

The CA system is weak because so long the connection is signed by a CA in the browser's list, the browser doesn't care which it is, even if it changes on a daily basis. If you can convince any CA in the list to sign what y

Any different from https://google.com ?

[Valdrax]

How is this different from just using HTTPS Everywhere or typing https://google.com/ [google.com] into the URL bar?

Re:

[ArcadeMan]

Nobody types "google" in the URL bar these days, the URL bar sends your search requests directly to Google/Yahoo!/Bing/etc.

Re:

[John Bokma]

If only I got a dollar each time someone exactly did that.

Re:

[MikeBabcock]

I watch people every day type "Google" into the yahoo/bing search bar, then search. I've seen people type "Bing" into the Google search bar to then search with Bing.

When I offer to change their default homepage, they complain their Internet is broken (because the startup page is wrong).

Re:

[bill_mcgonigle]

It's actually pretty important, due to a design problem with Chromium - the unified search and URL field.

Let's say you want to search. You type 'news for nerds' in the field, and Google auto-completes as it goes. Each keypress you send to Google gives you updated search results. OK, you were going to send it to Google anyway, so you kinda accept that.

Now, instead, you type: s-l-a-s-h-d--o-t-.-o-r-g and those are all sent to Google. Suddenly Google knows about all the *non-Google* websites you're visiti

Re:

[Valdrax]

Neither you nor the summary answers my question: Does it do anything different from doing that and provide any extra security?

Re:

[SpaceLifeForm]

It is a re-direct. And it happens immediately. Bookmarks or links (external to Google) that contain search terms will still give away the search terms.

[google.com] http://www.google.com/#q=google+enables+more+https [google.com]
redirects to
[google.com] https://www.google.com/#q=google+enables+more+https [google.com]

I like that maps and news are now also https.

So, to answer your question, no, it is not different, there is no extra security or privacy over doing it yourself.

It is just automatic.

Power Implications

[Anonymous Coward]

I'm highly interested in the power consumption implications of this move. I remember reading somewhere that Facebook faced a nontrivial increase in power usage when they switched to https for everything, and for a website like Google, those extra cycles are definitely going to add up.

Anyone from a data center care to comment on this?

Re:Power Implications

[Anonymous Coward]

According to one of the head Google staffers responsible for their SSL/TLS operations, it's pretty much a non-issue: https://www.imperialviolet.org/2010/06/25/overclocking-ssl.html

It basically ended up adding less than 1% to the CPU overhead for their servers, didn't require special hardware, and didn't involve any new systems.

One down...

[93 Escort Wagon]

Thing about DuckDuckGo is... they promise I'm anonymous to them. There's value in that, at least to me.

Google's move is certainly welcome, but all it means is - going forward - only Google will be collecting my information as opposed to Google + NSA.

Re:

[dcollins]

As others have said, the NSA documents say they have access to Google's servers. Encrypting the connection between the user and Google doesn't change that, right? Very puzzling.

Re:

[swillden]

As others have said, the NSA documents say they have access to Google's servers.

No, they don't. The PRISM slides were extremely vague about how the data was collected; the idea that they have direct access is speculation which Google has consistently and clearly denied. And it's worth noting that they claimed they started getting data from Google back before Google went SSL for nearly everything.

Re:

[FatLittleMonkey]

It's the difference between the police going into a hotel and presenting a warrant requiring them to show the police their guest list, and the police secretly parking an unmarked van just outside the hotel and recording every visitor/car/etc coming in and out of the hotel grounds without any warrant or notification.

In the former, the hotel knows what is being asked for, and when, and can (if they believe the request unlawful) challenge it in court. (Or challenge the gag clause, as some providers have succes

Re:

[ortholattice]

Doesn't DuckDuckGo have US servers? I would trust ixquick.com more.

Re:

[bloodhawk]

this doesn't in anyway protect you from NSA, Google still has access to the information, The NSA has access to google (be it directly or via court order). The only thing this prevent is sniffing external to that which I think most people would consider a far lower risk.

Bullshit PR is Bullshit

[Guppy06]

Google has quietly made a change aimed at encrypting all search activity to provide 'extra protection' for searchers, and possibly to block NSA spying activity.

What would encryption do when the NSA has access to the servers?

'I suspect the increased encryption is related to Google's NSA-pushback,'

Except that pushback itself is also pure political theater. Funny how these court challenges only started happening when stuff started to become public.

Google has made their bed. Let them lie in it.

Re:

[Anonymous Coward]

STFU and do your research,

>Funny how these court challenges only started happening when stuff started to become public.

https://www.eff.org/who-has-your-back-2013

Why don't you read about the companies that were pushing back before this even got announced. There are similar tables for 2012 and 2011. You'll note that Google was up there, but few others were.

The moderators need to be sacked again... Any by sacked, I also mean "kicked in the balls".

Re:

[Guppy06]

STFU and do your research,

Your source (emphasis mine):

In the category of protecting user privacy in the courts, Google deserves special recognition this year for challenging a National Security Letter.

My source [theguardian.com]:

No telecommunications company has ever challenged the secretive Foreign Intelligence Surveillance court's orders for bulk phone records under the Patriot Act, the court revealed on Tuesday.

Now, do you want to split hairs and argue that "maybe Google isn't a 'telecommunications company'" or "maybe the orders they got weren't f

Re:

[kqs]

Now, do you want to split hairs and argue that "maybe Google isn't a 'telecommunications company'" or "maybe the orders they got weren't for 'bulk phone records'," or do you want to maybe acknowledge that the industry in the US doesn't give a flying fuck if nobody is looking (or is even allowed to look)?

So you don't even know what a telecommunications company is, but that's okay, you'll spew your "facts" anyways. The best defense against the government is an informed populace. Sadly, we've mostly got people like you who refuse to educate yourself. Be proud, you're part of the reason the NSA got this far and hasn't had to back down.

As far as I can tell, the internet companies have done more that any others is trying to hold back the NSA. They're not perfect, but they've tried, and deserve recognition fo

Re:

[Guppy06]

As far as I can tell, the internet companies have done more that any others is trying to hold back the NSA.

Meh. [opensecrets.org]

Concerns over the Foreign Intelligence Surveillance Act (FISA), as well as attempts by intelligence agencies to collect user information from email and social networking sites, appeared on the second-quarter lobbying disclosure reports of several tech firms.

The topic wasn't mentioned in any first quarter 2013 reports, before public revelations that the National Security Agency was collecting data on American citizens from email and social networking sites.

While it's not clear from lobbying reports how

Re:

[Seumas]

The whole Google/Yahoo/Facebook/Whoever + NSA thing is like this:

You're making out with a chick that is maybe not so hot. You're having a good time and you're both getting your rocks off, but you wouldn't want your friends and family to catch you.

One day, your buddies drop on by early and catch you mac'n on said girl. Startled, you push her away and are very vocally all "eeew yuck! Get off me! what are you doing?!" and telling your friends (who keep teasing you about it for the next month) about how you two

Re:

[swillden]

Google has quietly made a change aimed at encrypting all search activity to provide 'extra protection' for searchers, and possibly to block NSA spying activity.

What would encryption do when the NSA has access to the servers?

Nothing, if they have access to the servers, which Google denies giving them, and which none of Snowden's documents have claimed. The documents only said that they were getting Google data, not how, and they say the take started back before Google went SSL for nearly everything, which may be a clue as to how they were getting the data. Or maybe the NSA managed to sneak some hardware in to get it on the sly; that possibility is why Google has accelerated their plans to encrypt all internal traffic as well.

Re:

[slimjim8094]

I likewise work for Google (though the opinion here presented is my own), and I know a lot of people (some of whom are very high up) would be quitting if Google was kowtowing to government requests (excepting lawful warrants). There are *tons* of people who spend their days trying to protect all this information from any external entity, and if it came out that they were just wasting their time because there was some back door, they'd feel betrayed.

Different reason cited in TFA

[dkleinsc]

Google may be doing this not for privacy reasons at all, but because they intend to sell the exclusive organic click information and don't want third parties having access to the same information they have about those clicks.

Better than nothing, I suppose.

[gallondr00nk]

Still, half of the reason to use Duck Duck Go or some other privacy oriented search engine is not just HTTPS but the fact they don't feed everything you search for into an enormous data mining effort.

Anyway, doesn't the alleged NSA backdoor into Google as part of the PRISM program make any supposed "anti-NSA" stance a completely empty gesture?

The intense backtracking that the PRISM providers have done since the revelations seems very disingenuous.

Re:

[PRMan]

Google claims they have only responded to warrants and NSLs and would be really happy to show you the numbers, but NSA won't let them. Based on their continued statements to this effect, I think I believe them.

Too little too late

[intermodal]

I've switched to https/ssl DDG, and am much more comfortable searching there because I know that my Google account - which has tentacles everywhere - is not going to magically forget my "don't track my browsing history" setting. The idea that Google could still store the search and connect it to my account is a problem.

Re:

[intermodal]

it's crazy to me that I'm left thinking how much better off we were when we had pre-Microsoft hotmail and geocities, all from public terminals. I was basically untraceable, as I didn't even have Internet at home. At best, they could have come up with a city...if the hosts even had enough storage devoted to logs for that data to even exist.

Keyword$ on AdWords

[michaelmalak]

The cynical amongst web analytics professionals accuse Google of hiding organic keyword searches from website operators in order to force them into paying for AdWords with its paid keywords.

Re:

[mackil]

The cynical amongst web analytics professionals accuse Google of hiding organic keyword searches from website operators in order to force them into paying for AdWords with its paid keywords.

I was wondering this myself, as someone who is very annoyed with the "(not provided)" entry in my Keywords list in Analytics. I know, hardly a big deal in the grand scheme. Call me selfish.

Will they hide search info from 3d party sites?

[RGRistroph]

Will they make it so that if you arrive on a web page via a google search, the operator of that web page cannot see the search terms that lead you there ? I think that would be an improvement.

Re:

[jafiwam]

You can do that manually by copying the URL or (in some cases) selecting the URL in the description below and right clicking "go to this address"

Lots and lots of small time "web site operators" would absolutely hate it if they stripped those search terms off, a whole industry of SEO scammers would disappear overnight.

THEY SHOULD DO IT!

Re:

[RGRistroph]

Or that could be done with a plugin . . . it would also deprive google of the data of what links were clicked in searches.

Re:

[dcollins]

Yes, that's what they say, and actually it's the only functional change I can really see from this. Follow the 2nd link in the OP.

"When you search from https://www.google.com, websites you visit from our organic search listings will still know that you came from Google, but won't receive information about each individual query. They can also receive an aggregated list of the top 1,000 search queries that drove traffic to their site for each of the past 30 days through Google Webmaster Tools."

Actually...

[fahrbot-bot]

...what it does is prevent my proxy/filter (Proxomitron) from altering queries and result pages, like stripping out the link redirects, disabling the Toolbar, Suggestions, Instant, etc...

They do provide a work-around if you define www.google.com as a CNAME for nosslsearch.google.com (for schools, etc, that need to filter things). I implemented this w/o updating DNS or my hosts file by adding a proxy rule that alters the "Host" field in outgoing headers to nosslsearch.google.com to be "www.google.com". It's not perfect, but along with disabling Javascript for Google, it helps a lot.

FWIW, I'm switching to use Startpage and DuckDuckGo - not because of extra privacy, but because they let me customize my results to remove all the crap that Google adds.

Not going to help

[davydagger]

So long as google creates profiles based on those searches, they are still accessable to the Feds, either by purchasing them, even through a strawman if needbe, or by force via subopenea, or other legal sanctions.

This isn't just about the NSA

[Monsuco]

SSL is there to keep common snoopers (ISPs, potential identity thieves, punks on the corporate network with wireshark, etc.) from eavesdropping on you. Yeah, the vast resources NSA may very well have the ability to break it, but they're hardly the only threat out there. I'm far more worried about the potential for an identity thief to read my traffic than for the NSA to do so.

The NSA is hardly the biggest threat to your privacy and they're probably not the most dangerous.

Re:

[AlphaWoIf_HK]

The NSA is hardly the biggest threat to your privacy and they're probably not the most dangerous.

The government having access to all this information is very dangerous, and I think people would do well to stop downplaying this threat.

Nice try

[GodfatherofSoul]

I don't trust you anymore

Re:

[Agent ME]

NSA would need a CA under their control, and MITM requires a bit more hardware than their mass-eavesdropping setups. It's a lot of effort to go through when they already "ask" Google for access to their servers.