Firefox will use HTTPS by default

On Wednesday, security and privacy researcher Christopher Soghoian reported that Mozilla’s developers have “quietly enabled Google's HTTPS encrypted search as the default search service for the ‘nightly’ developer trunk of the Firefox browser” and that HTTPS by default should reach regular users some time in the next few months.

The move follows a lengthy discussion started by Soghoian himself on bugzilla@mozilla back in February last year. “Mozilla should direct [its] search paths to Google's HTTPS search engine (encrypted.google.com),” he wrote, starting bug 633773: Use Google's HTTPS search by default. Its status now is ‘resolved fixed’.

“This is a big deal for the 25% or so of Internet users who use Firefox to browse the web, bringing major improvements in privacy and security,” he writes in his blog. He sees two primary advantages to users. Firstly, he says, users’ search query information “will be shielded from their Internet service providers and governments who might be using Deep Packet Inspection (DPI) equipment to monitor the activity of users or censor and filter search results.”

Not all security researchers believe this is necessarily or entirely true. It will certainly hide the data en route between the client and Google, security researcher Robin Wood of RandomStorm told Infosecurity, which will prevent ISPs from doing any tracking. “However,” he said, “governments potentially have access to wildcard SSL certificates, so could act as a man-in-the-middle if they wanted and decrypt, sniff and re-encrypt the traffic.”

The second advantage noted by Soghoian is that it will stop ‘referrer header based data leakage’. Referrer header information tells a website where the connection has come from. If the link comes via Google, it tells the website exactly what search query was employed by the user, information widely used by both marketing and search engine optimisation companies.
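The referrer leak described above can be modelled in a few lines. This is an added example, not code from Mozilla, Google or the article: it assumes the classic browser rule from RFC 2616 section 15.1.3 (no Referer header when moving from an HTTPS page to a plain-HTTP one), and the search URLs, the `shop.example` destination and the query string are constructed. It also shows the case the rule does not cover: a destination that is itself served over HTTPS still receives the full search URL.

```python
from urllib.parse import urlsplit, parse_qs


def referer_for(source_url, dest_url):
    """Referer header a browser following the RFC 2616 s15.1.3 rule would send.

    Returns None when the header is suppressed (HTTPS page -> non-HTTPS link).
    """
    src, dst = urlsplit(source_url), urlsplit(dest_url)
    if src.scheme == "https" and dst.scheme != "https":
        return None
    # Browsers never include the fragment in the Referer value.
    return src._replace(fragment="").geturl()


def search_terms(referer):
    """What the destination site can recover from the Referer it received."""
    if referer is None:
        return None
    terms = parse_qs(urlsplit(referer).query).get("q")
    return terms[0] if terms else None


# Constructed sample navigations: (search results page, link the user clicks).
QUERY = "search?q=back+pain+treatment"
CASES = [
    ("http://www.google.com/" + QUERY, "http://shop.example/"),
    ("https://encrypted.google.com/" + QUERY, "http://shop.example/"),
    ("https://encrypted.google.com/" + QUERY, "https://shop.example/"),
]


def leak_report(cases=CASES):
    """Search terms visible to the destination for each navigation."""
    return [search_terms(referer_for(src, dst)) for src, dst in cases]


if __name__ == "__main__":
    for (src, dst), leaked in zip(CASES, leak_report()):
        print(f"{urlsplit(src).scheme:5} -> {urlsplit(dst).scheme:5}  leaked: {leaked!r}")
```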

Google has been moving in this direction for some time, and its provision of encrypted.google.com is what makes it possible. “The only surprising aspect to this otherwise great bit of good news,” comments Soghoian, “is that the first major browser to use HTTPS search is Firefox and not Chrome. I reasonably assumed that as soon as Google's pro-privacy engineers and lawyers won the internal battle over those in the company sympathetic to needs of the SEO community, that Google's flagship browser would have been the first to ship HTTPS by default.”
