Thursday, June 24, 2010

Google's Funky Secure Search ;-)

Google is one company that has always been a dream of every IT professional. They always have a unique approach in everything they do, right from search to mail to docs. If there was one thing for which Google was always under the spotlight, it was privacy. (A tidbit: Google's search privacy policy has approximately 2000 words in it. If you are on Linux, run this command to verify: "wget http://www.google.com/privacypolicy.html > /dev/null 2>&1 && wc privacypolicy.html && rm privacypolicy.html" - it will print the number of lines and the number of words in Google's privacy policy.) Google has always faced issues regarding privacy.

OK, first of all, let's define privacy with respect to the internet. Defining privacy is simple: when you are on the internet, no one else should be bothered about what you are doing. The service provider's job on the internet is just to give you what you ask for and nothing else. You don't expect the service provider to develop an intelligence about your needs. They should just serve you and get lost. This is totally fine from your perspective. But the service provider thinks differently: he gives you what you want now and then collects information about whatever you ask him. Later, when you are unsure of what you want, he suggests something based on the information he has. You are really happy that the provider is able to assist you. Now here comes the question of privacy: how do you trust the provider? What if he gives the information that he possesses about you to someone else, thereby revealing your personal self?

Not just Google, the internet has had privacy concerns right from the moment it started growing (for example, the exponential growth of the size of Facebook's privacy policy over the past few years). If you have been following the news, the Google China controversy has been a central point of talk (even on Indian news channels). Google has always been criticized for not respecting its users' privacy. There has even been a group of Google employees who quit Google and formed their own search engine with literally 100% privacy (Visit Cuil Here).

After a really long time, Google has introduced the concept of secure search. First and most important of all, secure search does not improve your privacy relations with Google. Privacy issues directly between you and Google remain the same. It's just that intermediate nodes between you and Google will not be able to capture any information about you. Google made Gmail secure by default earlier this year and now search is secure too. And Google is also looking at making search compatriots (image search, video search, etc.) secure soon too.

Google Secure Search :-)


Google secure search operates at https://www.google.com. There is an interesting point to note about this URL. I will come to that in a while. Before that, I will talk about a problem that secure search can cause. Academic institutions and companies block certain websites (most academic institutions block URLs containing words such as facebook, orkut, etc.). Now that Google secure search has been introduced, it can bypass the filters set by the network administrator. For example, your network administrator says, don't allow any queries containing the word "porn". This filter fails with secure search: the query is encrypted, so it never matches the filter.

A simple solution to this problem is to block secure search as well. This means the network administrator will have to block any URL that starts with https://www.google.com. This solves the aforementioned problem. But here comes the funky point about the URL I was talking about. Google uses the same URL for all the websites that are authenticated by a Google Account (Gmail, Orkut, YouTube and almost all the Google products). If you had noticed before, Gmail's login page URL starts with https://www.google.com/Accounts followed by some other stuff (if not, just go to Gmail's login page and see it now). So, if the network administrator decides to block all URLs beginning with https://www.google.com, then the users in the network will be denied access to almost all of Google's services.

Nevertheless, Google thought of this problem only after the launch of secure search and is aiming to fix it by moving secure search to some other domain (something like secure.google.com, maybe). Here's a link to the post in Google's official blog that talks about this issue.

UPDATE: Google has fixed this now and has moved secure search to https://encrypted.google.com :-)
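To make the administrator's side of this concrete, here is a small Python model of a filter that does not decrypt HTTPS. It is an example added to this post, not code from Google or from any filtering product; the function names, the sample URLs and the stand-in keyword "blockedword" are all constructed for illustration.

```python
from urllib.parse import urlsplit

def visible_to_filter(url):
    """What a filter that does not decrypt HTTPS can read from a request."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        # Only the host name is exposed to the network; the path and the
        # query string travel inside the encrypted channel.
        return parts.hostname
    # Plain HTTP: host, path and query are all readable.
    query = "?" + parts.query if parts.query else ""
    return parts.hostname + parts.path + query

def decide(url, blocked_words, blocked_hosts):
    """Return 'block' or 'allow' for a host blocklist plus keyword filter."""
    if urlsplit(url).hostname in blocked_hosts:
        return "block"
    seen = visible_to_filter(url).lower()
    if any(word in seen for word in blocked_words):
        return "block"
    return "allow"

# Constructed sample requests (hypothetical paths and query strings).
WORDS = {"blockedword"}
REQUESTS = {
    "http_search": "http://www.google.com/search?q=blockedword",
    # Secure search at its original location, before the move.
    "https_search_old": "https://www.google.com/search?q=blockedword",
    "login": "https://www.google.com/Accounts/login-page",
    # Secure search after the move described in the UPDATE.
    "https_search_new": "https://encrypted.google.com/search?q=blockedword",
}

def run(blocked_hosts):
    """Apply the filter to every sample request with the given host blocklist."""
    return {name: decide(url, WORDS, blocked_hosts)
            for name, url in REQUESTS.items()}

if __name__ == "__main__":
    # No host block, then the original workaround, then the post-move block.
    for hosts in (set(), {"www.google.com"}, {"encrypted.google.com"}):
        print(sorted(hosts), run(hosts))
```

With no host block, only the plain HTTP search is caught; blocking www.google.com also takes the login page down; blocking encrypted.google.com stops secure search while the login page stays reachable.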

This post was just to explain the funky problem that Google has caused network administrators all over the world (especially in academic institutions like PSG Tech :P). Comments welcome as always :-)

-Vignesh