Why does Google URL now start https://

Just noticed: www.google.com is https://

I am a GMail and Plus user if this matters.

https is a secure connection.


I think the s stands for secure; it is supposed to be a more secure way to search.

Google has been offering more and more integrated services, perhaps it’s just easier to secure all of google’s offerings to make it easier to switch between them.

It’s more a reaction to Firesheep making users consider security and encryption a little more. I believe Facebook started ramping up HTTPS around the same time; it was first a little-known feature, then it became a full-fledged option. Sadly, it doesn’t appear to be the default yet.

If you’re a Firefox user and you are concerned about browser security, the HTTPS Everywhere extension is really, really nice.

I prefer secure via https:// and it appears this is only a good thing. I was concerned something more ominous was going on, and that it might be some browser jacking or browser tracking initiated on my laptop.

Facebook also starts with https://

I thought I’d read somewhere it would make it harder for other companies to use and profit from a user’s Google searches. Does that sound likely?

Not really. What it means is that you’ve established an encrypted tunnel between you and Google, meaning that an attacker positioning himself beside you (on the same network) or between you (intercepting you and Google) can’t listen or intercept your communication, because the data stream is encrypted. Before establishing the encrypted tunnel, the site sent you a cryptographic certificate to authenticate itself. Your browser automatically checked this certificate with a trusted third party (the Certification Authority that issued the certificate for Google, one of many private companies that have that role) and then opened the tunnel.

Nope. There’s already security built into your browser to keep any other site from reading Google cookies, and programs like Firesheep require you to be on the same network as the user, which is unlikely unless you have insecure Wi-Fi, or are using a public network.

Companies that profit from Google searches do so by getting their information straight from Google themselves, or by pretending to be Google.

Any company doing that is going to be using a browser plug-in, and at that level the distinction between HTTP and HTTPS doesn’t matter. (Obviously the browser can unencrypt the content, otherwise it wouldn’t be able to show it on the screen.)

Not necessarily. Such a company could be an ISP and HTTPS does prevent an ISP from doing that.

Or (somewhat less nefariously and more likely) whoever is providing the public wifi you happen to be on. Starbucks could as en example be selling search statistics from its customers to data mining companies, or hijacking Facebook sessions in order to post “Woo, I’ve been to Starbucks! Awsum coffee!” on their walls.

I know that I’m debating semantics (ISP vs free WIFI provider) here, just wanted to point to a more plausible scenario =)

OK, we all know what HTTPS is, but the real question here is why did Google decide to implement it? What is the incentive for them? I don’t buy that they give a shit about protecting the users’ privacy for their own sake - but this snippet from their blog post on the topic has interesting implications:

So they are basically seizing control of that information so that if anyone with a website wants to know what search terms led users there, they have no choice but to get that information directly from Google. Even though the Webmaster Tools are free to access, I’m sure they are profiting off it or plan to profit off it somehow.

Personally, I don’t care much to know why Google has turned their page into a https… all I know is that I used to start my navigation from it and now I switched to a different search engine because I’m sick and tired of landing nowhere when I forget to erase that dumb “s”.

I don’t understand. Google doesn’t work for you with the “s”?

Uhm, either you’re a shill from Bing or you’re really doing it wrong. What browser are you using, and have you updated it in the last five years?

alby54 does not erase the entire address line when he types in a new URL from the home page - s/he just selects (or backspaces) www.google.com and types a new domain name, leaving the existing HTTPS://

If the new target URL does not support HTTPS:// they then have to re-edit to HTTP://

Most people use first click autoselect to overwrite the entire address line and let the browser try http/https, or use the history/favourites so they can select the working URL. Personal preference, I guess, but the HTTPS everywhere campaign is gaining traction. I certainly prefer knowing that no-one (ISP, wifi provider) is snooping my web traffic.


I am using Google Chrome as a browser and it also has a ‘HTTPS everywhere’ addin. Unfortunately it doesn’t always work as I expect. Whenever I go to the website of my cell phone provider, I always get a ‘Certificate error’ and have to select the ‘go anyway’ button. I know that T-Mobile has a secure connection (I don’t have the problem with Firefox) and don’t understand why Chrome can’t find it.