Google SSL Search

For those that aren’t aware, Google made an announcement earlier this month that seemed to go unnoticed for a little while – an announcement which has fairly serious repercussions for those involved in content filtering and monitoring.  Google have announced that from some point in December, all Google searches will be made over a secure connection.

This change which was dealyed has now been confirmed for the 23rd of June 2015 – Link

Google have been under immense pressure for some time to go extra lengths to protect users privacy – a move I generally believe in.  Where practical we should be able to secure our interaction with a service to ensure our stuff is safe and the organisations we entrust should do everything that is reasonable to ensure that they play their part.  However it’s not always as simple and straight forward as that…

Those of us tasked with the responsibility of ensuring young people’s use of the internet is ‘safe’ (explore my blog for more thoughts on what is safe, and how sometimes we need to expose young people to a small amount of risk) this poses an issue.  If the connection is secure between the service (google search) and the user (a pupil) the technology between the two can’t see what the user is requesting.  This is the same for any secure only site.  So if you allow you users to access twitter for example, you can’t block

padlockYou have to go all the way back to 2011 to find when Google announced that most searches would be completed over a secure connection (SSL).  However at that time they also came up with a fix for those not fully comfortable with Google’s decision.  Through a change in a DNS server, you can force all computers on your network to when the user requests  Many organisations won’t realise this was going on because the end user doesn’t see any difference, except for the lack of an ‘s’ and a padlock.

Using the insecure example search above your filter can see quite a bit of information, and determine whether it is going to allow the result or not (as well as log the request).  They can determine if the domain ( is allowed, they can determine if the query is appropriate (q=google+blog+announce+only+secure+search) and they can also see that safe search is implemented (safe=active). Your filter will use these and numerous other paramators to block or allow the request.

When a user makes a secure search, the information after the domain ( is encrypted, and therefore hidden from the filter.  It’s filtering results are now black or white – is allowed or blocked?  Furthermore, the filter isn’t able to log much either.

Depending on your filter of choice (or the one that someone else chose for you) and how that filter is implemented, there might be more the filter can do and I’ll talk about that a little later in the post.

Googles safe search is unaffected by this change.  There is another DNS trick that you, or your provider can implement to ensure safe search is active.  However those of us who regularly scrutinise google results probably won’t find too much comfort in that.  Which brings me onto google images…

When a user searches for a google image most filters are able to examine the URL where the image comes from – not because the image is displayed directly from the host site, but because of the way google shows the originating URL in the google URL.  In the case the image is hosted on and your filter can probably determine whether this domain is blocked or not and whether the image should be shown.


Schools need to decide how comfortable they are with the google changes, and come to their own decisions.  Some will have local authority or commerical suppliers who will make that decision for them.  If you are the decision maker, here are a few options…

You can assume that Google’s own safe search is doing enough to safeguard your users.  Review regularly and be prepared to reassess that decision.

Full proxy based filters can probably view the secure traffic as it is.  Clients configured to use a proxy expect that the encryption is not as it should be and therefore don’t flag a security risk to the end user.  This however isn’t easy to implement to none owned devices, I’ve blogged before on mobile devices and proxies.

Transparent proxies sit (supposedly silently) between the user and the service.  However the device is expecting a secure connection, and the certificate meant to secure the connection gets mangled by the proxy. The device throws up it’s hands and warns the user that the connection may not be as secure as they thought it was – which of cause, it isn’t.  To rectify this issue, you can get your own secure certificate, and install it to your filter – unfortunately it will still need to be trusted by your devices – easier on devices you own, much harder on others you don’t.

You might decide to proxy just google traffic, and leave other traffic to go via your normal route.  A wpad.dat file would help here, but again it’s no magic bullet.

Or you could block Google search…

I think Google need to offer more of a solution for those of us tasked with safeguarding.  I’d like to see a Youtube for Schools type solution personally.  Allow schools to register and enable us to make an informed choice for ourselves, with the best interest of our users at heart and adaptable to our current technology.

Further reading

Padlock image licensed under Creative Commons 2.0  – Attribution 2.0 Generic

You may also like...

4 Responses

  1. Grant G says:

    Hi Adam,

    A great read, hopefully Google can begin to offer a solution to schools that will allow HTTP searches to be enforced like before which will make a lot of IT Admins in schools jobs a lot easier.


  2. James says:

    Interesting article, and really helped me understand the https and filtering issue.

    Also interesting is that Microsoft have introduced Bing for schools which does exactly what we’re after (a safe, school designed search engine) but it’s for American schools only… Something I’m going to talk to Microsoft about at BETT.

    Thanks for the blog post, really helpful stuff.

Leave a Reply

Your email address will not be published. Required fields are marked *