25 comments

[ 4.3 ms ] story [ 66.8 ms ] thread
If I understand this correctly, https://www.google.com should redirect to https://encrypted.google.com - except it doesn't.

So I don't really understand what they did here.

Apparently, the login for Google Docs is within https://www.google.com/, so they can't simply redirect the entire domain.
I figured they would just redirect the homepage and the search pages. (The search pages actually are redirected.)
It sounds to me from the blog post that the change hasn't been made yet.

We’re working hard to address this issue as quickly as possible and in a few weeks we will move encrypted search to a new hostname – so schools can limit access to SSL search without disrupting other Google services, like Google Apps for Education.

So Google made this change to accommodate the schools' inability to filter based on host and https mode. And some of the schools' solution was to block https all together. Basically the schools' filtering is lame, so Google (in the interest of doing things right) solves this by tweaking their side.
Unfortunately, Google didn't have much of a choice. However incompetent or misguided the schools' reaction to blocking encrypted search, it immediately broke Google Docs (and possibly other resources) for many of them. Google probably can't afford to give up this foothold, or to appear unreliable. The schools aren't upset at the existence of encrypted search, they just want a dead easy way to block it on their networks.
Schools block ALL encrypted traffic. Not to do so makes the firewall almost totally pointless.

Presumably schools whitelisted specific sites to allow https, and google was one of them, until it became a problem.

Not ssh.

  *Dr Evil pinky smile*
It does seem pretty weird that Google would make a change like this that effects everyone just to appease some schools that can't figure out how to properly configure their firewalls.
And how exactly should they configure their firewalls?

It's not possible to do that. The firewall has no idea what's being communicated because it's encrypted!

They did it because it was the easiest way for google to make it easy to filter out encrypted search without breaking their other services. A very simple change for google -vs- a very difficult firewall configuration for a network administrator. (You can't just block https://www.google.com/ without breaking a whole bunch of other services you may want to be using) (and you probably don't have the budget & manpower to deploy the type of network you would need to scan & filter HTTPS traffic as an organization if you are a school, either)
How exactly would you scan and filter https? It's encrypted.
It's trivial (but evil) for an organization like a school to set up a proxy for https, since they are in a position to install the necessary root certificates in browsers (classic MITM attack). Devices are already on the market to make this easy to deploy (shudder).
Meet the new CISCO MITM 5505, trust CISCO for all your net appliance needs.
Maybe the schools should filter the content instead of the searches.
I don't understand - why do some schools block encrypted search?
Schools wish to prevent students from accessing certain information. Encrypted search could allow such students to escape detection/punishment if they access that information anyway.
because students try and access blocked content using https, and it is not just for Google. Most blocked websites can be accessed thorough https if supported.
Wow, this seems really stupid! You're telling me that students shouldn't have encrypted search available? School FAIL.
This is the exact reason I hate blacklisting and sense technologies they use in schools and companies. Why not use a proper Firewall else that messing up with DNS entries!