The steady roll-out of SSL for the world’s most popular websites continues with the news that Google’s global search domains (like google.co.uk) are finally going to enable HTTPS encryption by default over the coming weeks.
The company turned on HTTPS by default for its global .com domain in October, which now works for all users while signed into Google services, before which secure searching had to be conducted through a special site few would have heard of, https://encrypted.google.com.
Even once turned on, users outside the US wanting the HTTPS feature would have had to manually type the .com domain (which some know is encrypted) instead of the equivalent local domain (which many don’t know is not), or change the default search engine in their browser, which few do.
Once implemented, the new setting will make that unnecessary, although all users will still need to be signed into a Google service to access HTTPS search.
Twitter turned on HTTPS by default only three weeks ago, having offered it as an opt-in option last year. Facebook offers HTTPS in its security settings, but it is not enabled by default.
If SSL offers an important layer of security, why would companies not turn it on by default?
The main reason is that HTTPS requires the company to handle the encryption overhead at the data center level, no mean feat when millions of concurrent users are accessing a service. That adds complexity and expense, hence HTTPS’s slow journey towards becoming standard.
For Google users, encrypted search means that visited sites can see that a user has landed from Google, but not the search term entered. It also shields this data while using unsecured Wi-Fi.
The impetus to get HTTPS turned on without the need for user interaction dates from the appearance of easy-to-use sniffing software such as Firesheep, a proof-of-concept research tool used to point out how vulnerable Twitter and Google sessions were to eavesdropping when used on open wireless connections without SSL turned on.
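Turning HTTPS on by default is only part of the fix for the sidejacking Firesheep demonstrated: a site also has to tell browsers never to fall back to plain HTTP (an HSTS header) and mark its session cookies so they are never transmitted in the clear (the Secure flag). The following Python script is an added example, not code from the article or from any of the companies it mentions; it parses a raw HTTP response and reports which of those protections are missing. The two sample responses and the 180-day minimum HSTS lifetime are constructed for illustration.

```python
"""Audit an HTTP response for the two server-side settings that defeat
Firesheep-style session sidejacking on open Wi-Fi: an HSTS policy, so the
browser never falls back to plain HTTP, and Secure/HttpOnly flags on session
cookies, so the cookie is never sent in the clear.
Added example code; not part of the original article."""

from typing import Dict, List, Tuple

Header = Tuple[str, str]

# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sessionid=abc123; Path=/\r\n"
    "\r\n"
    "<html></html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html></html>"
)

# Minimum HSTS lifetime accepted before warning (assumed threshold: 180 days).
MIN_HSTS_MAX_AGE = 180 * 24 * 3600


def parse_response(raw: str) -> Tuple[str, List[Header]]:
    """Split a raw HTTP/1.1 response into its status line and (name, value) headers."""
    head, _sep, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: List[Header] = []
    for line in lines[1:]:
        name, _sep, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def _directives(value: str) -> Dict[str, str]:
    """Parse an 'a=1; b; c=x' style attribute list into a lower-cased dict."""
    out: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _sep, val = part.partition("=")
        out[key.strip().lower()] = val.strip()
    return out


def audit_headers(headers: List[Header]) -> List[str]:
    """Return human-readable findings; an empty list means both protections are present."""
    findings: List[str] = []

    # 1. HSTS: without it a browser typing the bare hostname starts on plain HTTP.
    hsts = [v for n, v in headers if n == "strict-transport-security"]
    if not hsts:
        findings.append("missing Strict-Transport-Security: browser may still use plain HTTP")
    else:
        max_age_raw = _directives(hsts[0]).get("max-age", "0")
        max_age = int(max_age_raw) if max_age_raw.isdigit() else 0
        if max_age == 0:
            findings.append("HSTS max-age=0 disables the policy")
        elif max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age={max_age} is short; policy expires quickly")

    # 2. Cookies: a session cookie without Secure is exactly what Firesheep captured.
    for name, value in headers:
        if name != "set-cookie":
            continue
        pair, _sep, rest = value.partition(";")
        cookie_name = pair.split("=", 1)[0].strip()
        attrs = _directives(rest)
        if "secure" not in attrs:
            findings.append(f"cookie {cookie_name!r} lacks Secure: sent in clear over HTTP")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie_name!r} lacks HttpOnly: readable by page scripts")
    return findings


def audit_response(raw: str) -> List[str]:
    """Convenience wrapper: parse then audit a raw response string."""
    _status, headers = parse_response(raw)
    return audit_headers(headers)


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {audit_response(raw) or ['ok']}")
```

Run against the weak sample it reports three findings (no HSTS, cookie without Secure, cookie without HttpOnly); the hardened sample passes clean. In practice you would feed it the header block captured from your own site's response rather than the constructed strings above.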