0

If I go to the homepage of the search engine I use, I can see the green lock to the left of the URL bar which indicates that I use HTTPS. Then when I input a search query in the box on the homepage, I get results, still over HTTPS. But I also set it as my default search engine in Firefox, which means I can use the URL bar to search - the way it works is, of course, when the string doesn't look like a valid URL, Firefox uses the default search engine to search for the query.

My concern is that I'm not sure if I use HTTPS throughout the whole time when I search from the URL bar. The results page for the query is served with HTTPS, but when I send my query, is it also over HTTPS? In other words, I'm not already on the homepage of that search engine but I pressed enter after entering my string to search for. So is that query string send unencrypted to my search engine of choice which THEN establishes a HTTPS connection (and that would be bad because it was send over plain HTTP), or does Firefox waits with my search query, then establishes a HTTPS connection and only then sends my query over HTTPS (obviously I hope this one is true because then what I'm searching for is send encrypted the whole time)?

user136370
  • 41
  • 2

1 Answers1

2

It depends of your Firefox's default search engine. As you can see here, Duck Duck Go has SSL addon. I guess nowadays almost all "serious" search engines like Google do searches over SSL. Not always been over SSL, in very old versions it was in plain. You can check here an article to force SSL search on Google search. The article is an old one (2012).

Anyway, you can do a Proof of Concept (PoC). Start sniffing with a Man in the Middle (MITM) to your computer which is going to do the search.... and you'll see if search is in plain or not on your Firefox's search engine addon (you didn't said which one you are using).

OscarAkaElvis
  • 5,185
  • 3
  • 17
  • 48