Explain the difference between https://google.com and https://encrypted.google.com/ ?

655    Asked by AntonyBence in SQL Server , Asked on Dec 28, 2021

 Is it there any difference between the encrypted Google search (at https://encrypted.google.com) and the ordinary HTTPS Google search (at https://google.com)? In terms of security what are the benefits of browsing through encrypted Google search?


Answered by Amit verma

From the infrastructure point of view (servers, certificates, TLS parameters), there are no significant differences any more. Although the requests are handled by the same servers (see the end of this answer), there are still some differences between the two domains:


Localized domain redirects encrypted.google.com/ does not redirect to other domains, whereas google.com attempts to redirect to a country-specific domain (ccTLD).

To avoid this redirect, https://google.com/ncr is often proposed. However, that only works if cookies are enabled. To prevent the redirection from happening without requiring cookies, append the gws_rd=cr parameter to the URL.

(for the points below, I won't differentiate between www.google.com and ccTLDs any more)  Google Search branding

  Unlike google.com, encrypted.google.com's UI does not show links to other Google products/apps. E.g. compare the header at google.com (archived) with encrypted.google.com (archived). This is likely because encrypted.google.com was introduced specifically for encrypted search (these days, https support is a well-established default; back then https was introduced as an optional feature).

Referrer leakage and user tracking In both cases, the HTTP referer for normal search results does not contain the original search terms in clear text (though there are many obscure URL parameters that can potentially be used to track the user, which is even more likely if the site uses Google services such as Google Analytics).

This keyword hiding is often (depending on the browser, device, browser features as JavaScript) implemented by not directly linking to the final destination, but by using an intermediate redirection URL as the search result, e.g. [google domain]/url?q=[destination URL] (advertisements are routed through multiple redirection URLs and include the original search terms, regardless of the Google domain).
Sometimes (again, depending on the browser, etc.) Google uses to strip the HTTP referer, and alternative methods for tracking (e.g. beacons or hyperlink auditing).
(At the time of writing, encrypted.google.com uses the former in Google Chrome, and www.google.com uses the latter method. But this does really not mean much. E.g. in Internet Explorer 11, the former method is used for both Google domains.)
To keep the original destination URL without leaking the referrer, my "Don't Track Me Google" browser extension can be used: https://github.com/Rob--W/dont-track-me-google
(Even without any intervention from websites such as Google, the HTTP referer can also be cleaned. For example, when the originator is HTTPS and the destination HTTP, or when Firefox's private browsing mode is used, or if the user is using flags or extensions that disable/strip the referer (example for Chrome, examples for Firefox)).

In the past there was also a difference in information leakage through HTTP Referer, but that is not the case any more. Compare the help pages for SSL Search:

Google Search Help - SSL Search (retrieved April 2013) (many paragraphs of text)
Google Search Help - SSL Search (latest) (almost no text)

The following test shows that the two different Google domains may resolve to different IP addresses, and that these IP addresses are able to handle search queries for any Google search domain.

$ host encrypted.google.com
encrypted.google.com is an alias for www3.l.google.com.
www3.l.google.com has address 172.217.20.78
www3.l.google.com has IPv6 address 2a00:1450:400e:80a::200e
$ host www.google.com
www.google.com has address 172.217.20.68
www.google.com has IPv6 address 2a00:1450:400e:800::2004
$ curl -I https://encrypted.google.com/ --resolve encrypted.google.com:443:172.217.20.68
$ curl -I https://encrypted.google.com/ --resolve encrypted.google.com:443:172.217.20.78
$ curl -I https://www.google.com/?gws_rd=cr --resolve www.google.com:443:172.217.20.68
$ curl -I https://www.google.com/?gws_rd=cr --resolve www.google.com:443:172.217.20.78
$ curl -I https://www.google.nl/?gws_rd=cr --resolve www.google.nl:443:172.217.20.78
The last curl commands all receive the search results without further redirects (I haven't included their output in this answer). To see the SSL details, either replace -I with -vvv or use something like openssl s_client -connect google.com:443.

Your Answer

Interviews

Parent Categories