Free Wireshark Training Course Online

Take a free Wireshark Jumpstart training class online at

Wednesday, June 2, 2010

Google's Secure Search... Not So Secure?

Watch two new videos examining Google searches using HTTP and HTTPS - now
available at Note that the trace files used in the
video are in the download section of that site.

As a follow-up to last week's "Peeking at Google's Secure Search Beta Traffic"
blog, I did a bit more poking around in the secure search traffic after getting this
question via Twitter.

Here are the steps seen in the trace file called google-https-
cachedlink_plus_sitelink.pcap over at the
download page.

1. Access
2. Search for "hacking cisco ip phones"
3. Click on the cached link for one result (a blog page)
4. Click on one of the links on that blog page

In analyzing the traffic, I noticed the following:

  • It takes 3 TLS/SSL connections just to load the Google secure search
  • When I clicked on the cached link I connected to Google's web cache site
    ( CNAME
  • My original search terms were contained in clear text in the GET query to
    Google's cache server.
  • My original search terms were also contained in the packets generated to
    the Symantec secure browsing server.
  • When I clicked one of the links on the cached page, I connected to the
    target website and provided my referral information (including my search

This is NOT secure searching if you click a cached link in
Google's "secure" search beta.

Heck - apply the display filter http.request.method == "GET" && frame
contains "hacking"
and see how many times my search term showed up in
the traffic.

So... what's the point of Google's secure search? Google states the following:

"With Google search over SSL, you can have an end-to-end encrypted search
solution between your computer and Google. This secured channel helps protect
your search terms and your search results pages from being intercepted by a
third party. This provides you with a more secure and private search experience."

Wow - that's as misleading as my son saying his homework is "mostly finished."
Am I not a third-party? Maybe a bit of clarity is warranted here, Googlites!

Google - I suggest you kill the cached link feature on your secure search page.
Otherwise you aren't offering any secrecy to unsuspecting folks who might click
on those links.

Enjoy life... one bit at a time!