Encrypted Google Search And China's Great Firewall

[roddy]

Google is set to start offering search over https rather than http - ie traffic back and forth will be encrypted, just as it is when you use gmail, or check your bank balance online, or pay for something by credit card.

Questions for those who know: Will this scupper keyword filtering on Google search results? I'd imagine it will, and could see China opting to block https://www.google.com accordingly.

[gougou]

But hasn't that option always been around? It's a faint memory because it was before they switched to HK (i.e. a long, long time ago), but I seem to remember that when I got a temporary block on http://www.google.com, I would switch to the https version and could continue my search. I think it was still able to filter keywords though.

[roddy]

Don't think so - try to get https now and it redirects to http.

Apparently it's going to be made an options under your Google account - it won't be available for non-logged in users. Not sure if it'll be opt-in or opt-out.

[adrianlondon]

SSL does get around keyword filtering. I had difficulty downloading an email from my UK local council while living in Beijing back in 2006/7, probably due to it having too many "vote", "democracy" and "you decide" type things in it ;) I switched to SSL POP3 (from non-SSL POP3) and it downloaded fine.

[roddy]

Right enough, I've done the same thing in the past now I think of it.

If it's opt in and hidden in settings they may just ignore it, but if it was to be turned on by default I'm inclined to think China would block it. In fact if it meant the cache became accessible I'm fairly sure they would.

[jbradfor]

It will be an interesting case.

As I understand it, China isn't too aggressive at stopping VPN services, mostly because they are too expensive for most. However, if everyone can get free secure VPN-like google searches, I have to think this will be considered a different case.

While clicking on a search link will take you to the (likely unencrypted) original site, which could be blocked, if they make viewing the cached version also use SSL then one could view a good part of the web that way.

OTOH, it is also interesting that one needs to be logged in to use this, where one presumes google can now track you....

[YuehanHao]

I don't know if it works from China, but some time ago switched to Scroogle SSL for searching. No known reason to fear Google or gov't - maybe I just enjoyed the cartoons.

约翰好

[roddy]

This is now available as a beta - https://www.google.com (note the s on https). Don't have time to play with it at the moment. Apparently it strips referring information when you click though on links (so the webmaster of the target website can't see where you came from). This may be good for surfer privacy, but it's a hell of a pain in the neck if you want to see where your traffic comes from.

[gougou]

This is now available as a beta - https://www.google.com (note the s on https).

It redirects to http://www.google.com.hk for me.

[morpheus]

If the Chinese government (or any, really) wants to start spoofing SSL certificates, I think they would ultimately have no trouble doing it. Modern browsers accept new certificates without alerting the user as long as those certificates are signed by a recognized certificate authority, of which there are many. The Electronic Frontier Foundation has an article about that: http://www.eff.org/deeplinks/2010/03/researchers-reveal-likelihood-governments-fake-ssl

That isn't the article I was looking for, and lacks some details and analysis I saw in another article. I will keep looking.

Update: I found it: http://www.networkworld.com/community/node/64074