Google has made a major change in the security if its main search page, turning on a feature that forces encrypted connections between Google’s servers and visitors.
The move ensures that users will only communicate with Google.com over an SSL connection, even if they initially sent the request over plaintext HTTP. The company on Friday announced that it has enabled HSTS (HTTP Strict Transport Security) for its main page, something that Google has been working on for some time now. HSTS is a feature that pushes users to a secure connection with a target site.
“HSTS prevents people from accidentally navigating to HTTP URLs by automatically converting insecure HTTP URLs into secure HTTPS URLs. Users might navigate to these HTTP URLs by manually typing a protocol-less or HTTP URL in the address bar, or by following HTTP links from other websites,” Jay Brown, a senior technical program manager in security at Google said.
“HSTS prevents people from accidentally navigating to HTTP URLs.”
Google has had HSTS enabled on some of its other services, such as Gmail, for several years. But the move to implement it on Google search provides an important layer of security for a massive number of visitors and their information. Search terms and results can reveal sensitive information about users and their interests, information that can be used to build profiles of users and track them around the web. Encrypted connections protect those searches from eavesdropping.
Brown said that Google still has some work ahead of it to complete the rollout process for HSTS.
“In the immediate term, we’re focused on increasing the duration that the header is active (‘max-age’). We’ve initially set the header’s max-age to one day; the short duration helps mitigate the risk of any potential problems with this roll-out. By increasing the max-age, however, we reduce the likelihood that an initial request to www.google.comhappens over HTTP. Over the next few months, we will ramp up the max-age of the header to at least one year,” he said.