I was thinking about this question the other day. It SEEMS obvious… I realized that it relates to one of my favourite misconceptions about https or SSL/TLS. Often people get too focused on the encryption aspect of SSL/TLS and not the authenticity and verification properties of it. When Google first announced that Google search was going to be over “https” a few years ago I, like a lot of people, assumed that it was to make your search results private.
Google’s support page, regarding SSL Search, quite correctly points out:
SSL doesn’t always protect:
- The fact that you visited google.com
- The search terms that you typed
That page also points out that SSL/TLS helps keep private the results of the search, but if someone is analyzing your communication, they can replicate your search pretty closely. The support page also points out that it protects your login information but not everyone who uses Google has a Google account. This is a good reason to have your searches over https, and SSL/TLS helps ensure that ISPs aren’t caching Google search results, but I suspect that there is another more important reason.
I suspect Google wants to make sure that the search results that you receive from Google are authentic and haven’t been tampered with along the way. Why does it matter that your search results aren’t tampered with? Consider the way that most people log into their bank’s website. They don’t type “https://bankname.com”. They Google it. Notice the presence of “https://” in the URL.
If Google wasn’t using https or SSL/TLS, someone (ISP/government/barista) could intercept your traffic, using well understood interception tools like Moxie Marlinspike’s SSLStrip. Under this scenario, if they were in control of your DNS or could poison your ARP table, they could proxy all your Google searches and modify all results to be unencrypted http connections. Because the bad guy has your browser sending your login information unencrypted, the attacker can see your login information in plain text as it flows through her computer.
But because Google uses a secure connection you can be assured that the results you get when you search are actually from Google. The result is that no one can downgrade your connection to an insecure connection. But I hear you saying, “but Jim, I think I might notice if I was connecting to my bank over an http connection”. And you might be right about that. But I suspect that the majority of people who would arrive at their bank via a Google search might not. I like to think of it as Google is ensuring that my search results and all of my interactions with Google are in a sort-of chain of custody that allows me and them to be sure that the content they send is legit and I am not being sent to sites that should be secure over insecure connections.
A lot of talk has been happening over the past couple of years, about whether or not the majority, if not all, sites will end up being served over SSL/TLS. I used to be unsure of which side of the argument I was on. Some very popular websites like Amazon, Apple, Newegg, Reddit etc. are sent over http and then shuttle you over https when you login. But these companies are living in that “SSL is for encryption” mindset that allows attackers to SSLStrip their login information. I think if you asked most website owners whether or not it is important that the information on their site be sent to their users in an encrypted fashion, many of them would say “no”, especially if the information on their site isn’t sensitive and if there is no login functionality on their site. If you asked most website owners if ensuring that no one can interfere with the information sent back and forth between them and their users was important, I suspect that many of them would say “absolutely”. I’m convinced that the TLSification of the web is all but inevitable, and hey, I’m in good company, Google agrees with me and so does Mozilla.
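A site owner can check a captured response for the pattern described above, where the page carrying the login form arrives over http and only the login itself moves to https. The following is an added example, not from the original post: the function name, finding labels and sample responses are constructed, and the Strict-Transport-Security (HSTS) check is the standard browser-side defence against stripping, which the post does not name.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginForms(HTMLParser):
    """Collect the action URL of every <form> that contains a password field."""
    def __init__(self):
        super().__init__()
        self._action = None   # action of the form currently open, if any
        self.actions = []     # actions of forms that hold a password input

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._action = a.get("action") or ""
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            if self._action is not None:
                self.actions.append(self._action)

    def handle_endtag(self, tag):
        if tag == "form":
            self._action = None


def audit(url, headers, html):
    """Return a sorted list of findings for one captured response."""
    findings = set()
    scheme = urlsplit(url).scheme
    hdrs = {k.lower(): v for k, v in headers.items()}
    # Without HSTS the browser will still accept a later http:// link to this host.
    if scheme == "https" and "strict-transport-security" not in hdrs:
        findings.add("no-hsts")
    parser = LoginForms()
    parser.feed(html)
    for action in parser.actions:
        # The form itself can be rewritten in transit if its page came over http.
        if scheme == "http":
            findings.add("login-form-on-http-page")
        if urlsplit(urljoin(url, action)).scheme == "http":
            findings.add("credentials-posted-over-http")
    return sorted(findings)


# Constructed sample responses (hypothetical hosts): (url, headers, body)
MIXED = ("http://shop.example/", {},
         '<form action="https://shop.example/login"><input type="password"></form>')
ALL_TLS = ("https://bank.example/", {"Strict-Transport-Security": "max-age=31536000"},
           '<form action="/login"><input type=password /></form>')

if __name__ == "__main__":
    print(audit(*MIXED), audit(*ALL_TLS))
```

The first sample is flagged even though its form posts to https, because the page that delivers the form was not authenticated.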