Google Changes SafeSearch Option for Administrators

2014-10-03T10:07:37
ID THREATPOST:77937FF73672334D9FF0CD9B0EEA7B46
Type threatpost
Reporter Dennis Fisher
Modified 2014-10-07T13:53:24

Description

Google is removing a feature that allowed administrator to require their users to employ a search option that removes explicit content from search results. The decision is tied to the fact that the option required the use of an unsecured connection to Google, something that the company said allowed it to become a target for attackers.

The Google SafeSearch function allows users to filter potentially offensive or unsuitable content from their search result pages. Any user can enable this option through the settings function on Google search, but the company also has offered a special capability for network administrators that allows them to force the use of SafeSearch in their environments. For technical reasons, this option isn’t available on HTTPS connections, so Google officials decided to remove it altogether.

“For some time, we’ve offered network administrators the ability to require the use of SafeSearch by their users, which filters out explicit content from search results; this is especially important for schools. However, using this functionality has meant that searches were sent over an unencrypted connection to Google. Unfortunately, this has been the target of abuse by other groups looking to snoop on people’s searches, so we will be removing it as of early December,” Brian Fitzpatrick, engineering director at Google, said in a post explaining the move.

There still are ways that administrators can lock the use of SafeSearch, though. This can be done by manually setting the option on each browser in the network or by setting user policies on Chromebooks in a managed environment. Administrators also can accomplish this by turning on SafeSearch virtual IP address, which is a more technical option.

“Going forward, organizations can require SafeSearch on their networks while at the same time ensuring that their users’ connections to Google remain encrypted,” Fitzpatrick said.

This move is part of Google’s broader effort to enable encrypted services across its product line. The company already has made HTTPS the default connection method for Gmail and search. And it has encrypted the links between its massive data centers scattered around the globe, a move that was accelerated in the wake of the revelations that the NSA had found a method to tap those previously unencrypted connections. Yahoo also is moving in this direction. That company earlier this year announced that the links between its data centers are now encrypted and CSO Alex Stamos said at Black Hat in August that Yahoo would release end-to-end encryption for all email users soon.