1

With ISPs getting license to record and sell customer's traffic data, why doesn't Google switch to POST method for search queries to provide better security to the users, while HTTPS is already used?

DDC
  • 113
  • 4
  • 3
    Can you explain why you think POST would be more secure? – Sjoerd May 26 '17 at 15:21
  • 2
    Because that would be pointless? As you said, Google already encrypts search queries using HTTPS; submitting queries over POST wouldn't provide any additional protection. – Ajedi32 May 26 '17 at 15:26

2 Answers2

2

ISPs will either be able to record/sell queries such as DNS, which leaks no information about content other than domain name.

If ISPs record traffic then POST/GET data is equally easy to capture. If the traffic is sent over HTTPS its equally as difficult to capture. The SSL/TLS tunnel is secure end-to-end regardless of the content being transferred.

The only way ISPs could see the secure communications is by man in the middling the traffic, such as getting you to install their own ROOT CA to allow them to proxy your communications. But again then they would see all POST/GETs anyway.

ISMSDEV
  • 3,272
  • 12
  • 22
  • If a Google search query was not included in the URL parameters but rather in the POST data (ie. in the body of the message instead of in the header), then wouldn't an HTTPS connection encrypt your query string data better than if the query was in the URL string? Am I missing something? – SecretSasquatch May 26 '17 at 15:30
  • 2
    @SecretSasquatch: [Can URLs be sniffed when using SSL?](https://security.stackexchange.com/questions/30976/can-urls-be-sniffed-when-using-ssl). – Steffen Ullrich May 26 '17 at 15:36
  • No, that's the point of SSL - You can't see within the tunnel at all. – ISMSDEV May 26 '17 at 16:01
  • 1
    @SteffenUllrich Thanks. I was under the impression that the data in the URL parameters was exposed over HTTPS and only the body of the request was encrypted. Thanks for the clarification. – SecretSasquatch May 26 '17 at 16:11
0

Yes, you are missing something. The HTTPS channel is openned first then the GET request is sent over the tunnel. It is not exposed at all.

Its like this: https://google.com/search?q=...

  1. get IP from hostname - its google.com (using DNS - this can be captured by ISP)
  2. check the protocol - its HTTPS
  3. Open encrypted channel and validate certificate - ISP knows you are connecting to google.com
  4. Send HTTP request over encrypted channel - Can't (or can be very hardly) captured by ISP as traffic is encrypted.

There is no way ISP can capture anything behind the https://google.com/... Everything in the HTTP protocol, including the request and headers is encrypted and it does not matter if it is get or post. the encryped data is:

GET /search?q=... HTTP/1.1
Host: google.com
....

in case of post:

POST /search HTTP/1.1
Host: google.com
...
\n
q=....
Fis
  • 1,200
  • 7
  • 10