Why Does Google Use https:// for Search Results?

I was thinking about this question the other day.  It SEEMS obvious…  Then I realized that it relates to one of my favourite misconceptions about https, or SSL/TLS: people get too focused on the encryption that SSL/TLS provides and overlook its authentication and integrity properties.  When Google announced a few years ago that Google search was moving to “https”, I, like a lot of people, assumed it was to make your searches private.


Google’s support page, regarding SSL Search, quite correctly points out:

SSL doesn’t always protect:

  • The fact that you visited google.com
  • The search terms that you typed


That page also notes that SSL/TLS helps keep the results of your search private, but that someone analyzing your traffic can still replicate your search fairly closely.  It further points out that SSL protects your login information, though not everyone who uses Google has a Google account.  Those are good reasons to search over https, and SSL/TLS also keeps ISPs from caching Google search results, but I suspect there is another, more important reason.

I suspect Google wants to make sure that the search results you receive are authentic and haven’t been tampered with along the way.  Why does it matter that your search results aren’t tampered with?  Consider how most people get to their bank’s website.  They don’t type “https://bankname.com”.  They Google it.  Notice the presence of “https://” in the URL of the result.


[Screenshot, 2014-12-13: Google search results for “bank of america”, showing the bank’s https:// URL]


If Google weren’t using https (SSL/TLS), someone on the path (an ISP, a government, the barista running the coffee shop’s wifi) could intercept your traffic using well-understood tools like Moxie Marlinspike’s sslstrip.  If they control your DNS or can poison your ARP table, they can proxy all of your Google searches and rewrite every https:// link in the results to plain http://.  The proxy keeps its own TLS connection to the bank, so the page still works; but your browser now sends your login information unencrypted, and the attacker reads it in plain text as it flows through her computer.

But because Google serves search over a secure connection, you can be assured that the results you get are actually from Google and unmodified: no one on the path can rewrite those https:// links into http:// ones.  (The remaining gap is the very first request: if you type google.com without the https://, that plain-http request can be intercepted before Google’s redirect to https, unless your browser already knows, through an HSTS policy, to go straight to https.)  But I hear you saying, “but Jim, I think I might notice if I was connecting to my bank over an http connection”.  And you might be right about that.  But I suspect that the majority of people who arrive at their bank via a Google search would not.  I like to think of it as Google maintaining a sort of chain of custody over my search results and all of my interactions with it, one that lets both of us be sure that the content they send is legit and that I am not being sent, over an insecure connection, to a site that should be secure.
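To make the downgrade and the defence concrete, here is an added example (my code for this page, not code from the post and not sslstrip itself).  It simulates the sslstrip-style link rewrite on a constructed results page, and a minimal browser that applies HSTS before a request leaves, so you can see when the rewritten links reach the user and when they do not.  The page body, hostnames, HSTS policies and timestamps are all made up for illustration; nothing touches the network.

```python
from __future__ import annotations

import re
import time
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample (not a real Google response): a results page carrying
# https:// links to banks, the way the screenshot above shows them.
RESULTS_PAGE = (
    '<html><body>\n'
    '<a href="https://www.bankofamerica.com/">Bank of America</a>\n'
    '<a href="https://www.example-bank.test/login">Example Bank login</a>\n'
    '</body></html>'
)

_HTTPS_HREF = re.compile(r'href="https://', re.IGNORECASE)
_HREF = re.compile(r'href="([^"]*)"', re.IGNORECASE)


def strip_https_links(html: str) -> str:
    """The heart of an sslstrip-style downgrade: rewrite every https:// link in a
    page the attacker can alter in transit to http://.  The proxy keeps its own
    TLS session to the real site, so the user sees a working page while their
    half of the conversation is plaintext.  Only possible when the page carrying
    the links was itself delivered over plain HTTP."""
    return _HTTPS_HREF.sub('href="http://', html)


def links_in(html: str) -> list[str]:
    """Hrefs in page order, i.e. what the user will click."""
    return _HREF.findall(html)


@dataclass
class HstsPolicy:
    expires_at: float
    include_subdomains: bool


def parse_hsts(header_value: str, now: float) -> HstsPolicy | None:
    """Parse a Strict-Transport-Security value such as
    'max-age=31536000; includeSubDomains'.  Returns None when there is no usable
    max-age; max-age=0 tells the browser to forget the host's policy."""
    max_age = None
    include_subdomains = False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None or max_age <= 0:
        return None
    return HstsPolicy(now + max_age, include_subdomains)


@dataclass
class Browser:
    """Just enough of a browser to show where HSTS changes the outcome."""
    hsts: dict[str, HstsPolicy] = field(default_factory=dict)

    def record_hsts(self, host: str, header_value: str, over_tls: bool, now: float) -> None:
        # Browsers ignore the header unless it arrived over a valid TLS connection;
        # otherwise the same on-path attacker could plant or clear policies.
        if not over_tls:
            return
        policy = parse_hsts(header_value, now)
        if policy is None:
            self.hsts.pop(host.lower(), None)
        else:
            self.hsts[host.lower()] = policy

    def _covered(self, host: str, now: float) -> bool:
        """Exact host match, or a parent domain whose policy says includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self.hsts.get(".".join(labels[i:]))
            if policy is None or policy.expires_at <= now:
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False

    def request_url(self, url: str, now: float) -> str:
        """The URL that actually goes on the wire: http:// for a covered host is
        rewritten to https:// before a single packet is sent."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self._covered(parts.hostname or "", now):
            return parts._replace(scheme="https").geturl()
        return url


def search_result_links(browser: Browser, typed_url: str,
                        attacker_on_path: bool, now: float) -> list[str]:
    """Simulate typing `typed_url` for a search; return the hrefs in the page the
    user gets back.  Over https the page is integrity protected and arrives
    unmodified; over http an on-path attacker can rewrite it."""
    wire_url = browser.request_url(typed_url, now)
    if wire_url.startswith("https://") or not attacker_on_path:
        return links_in(RESULTS_PAGE)
    return links_in(strip_https_links(RESULTS_PAGE))


if __name__ == "__main__":
    now = time.time()
    query = "/search?q=bank+of+america"
    fresh = Browser()                       # has never seen Google over https
    print(search_result_links(fresh, "http://google.com" + query, True, now))
    seasoned = Browser()                    # an earlier https visit set HSTS on www
    seasoned.record_hsts("www.google.com", "max-age=31536000", over_tls=True, now=now)
    print(search_result_links(seasoned, "http://www.google.com" + query, True, now))
    print(search_result_links(seasoned, "http://google.com" + query, True, now))
```

Run as a script, the three print calls show the three outcomes discussed on this page: a fresh browser that types http://google.com gets rewritten http:// bank links; a browser that has learnt an HSTS policy for www.google.com upgrades its own request before it leaves and so receives the genuine https:// links; but a policy on www does not cover the bare domain, so http://google.com is downgraded again, which is exactly the gap comment 3 raises.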

The other thing to consider is SPDY/HTTP2.  The HTTP/2 specification won’t require TLS, but the major browsers only speak it over TLS, so in practice its performance benefits come only with using TLS.

A lot of talk has been happening over the past couple of years about whether the majority, if not all, of sites will end up being served over SSL/TLS.  I used to be unsure which side of the argument I was on.  Some very popular websites (Amazon, Apple, Newegg, Reddit, etc.) are served over http and only shuttle you over to https when you log in.  But these companies are living in that “SSL is for encryption” mindset, and it leaves their users open to having their login information sslstripped.  I think if you asked most website owners whether it is important that the information on their site be sent to their users encrypted, many would say “no”, especially if the information on their site isn’t sensitive and there is no login functionality.  If you asked them whether it is important that no one can interfere with the information sent back and forth between them and their users, I suspect many would say “absolutely”.  I’m convinced that the TLSification of the web is all but inevitable, and hey, I’m in good company: Google agrees with me, and so does Mozilla.


6 thoughts on “Why Does Google Use https:// for Search Results?”

  1. In HTTPS, SSL/TLS encrypts the GET and POST request, which contains the full URL containing the search term. So it does protect your search term from being viewed over the wire. What it does not protect against is the HTTP Referer that is sent when you click a link, which means the site you navigate to can determine what you searched for.

  2. I only found your site in 2016 (today), but since late 2014 (a few days before your article) I’ve been refusing to work with businesses that don’t have, or don’t want, transport security for dynamic resources, and I’ve upgraded as many customers as I can to at least self-signed certs (for private, in-house-only apps).

    If I have to work on or administer systems, then their not having SSL is like having an ATM that someone else operates: you have to shout your numbers at them from the street, and they scream the screen values back out to the street. It’s a bad situation; only an idiot would accept it.

  3. That’s all fine as long as it can be assured that the search result will be served via https, and this could be assured (in a TOFU way) by using HSTS headers. However, those are used only by http://www.google.com and not by google.com (and apparently also not by localized servers such as http://www.google.de). Thus a search submitted to http://google.com might end up at an attacker, and instead of redirecting to https://www.google.com the attacker might send his own (unencrypted, why not) faked search result. As those who google their bank URL cannot be expected to check the padlock on Google search results, the protection is all gone if they are also too lazy to type www …
