by: Ben Howard - IT Services Manager, CISSP
Google has recently released SSL for searches. It is on by default with Chrome, and you can access it at https://www.google.com. While this is not monumental, earth-shattering security news, whenever web traffic has the option to use SSL, you should always, always use it. SSL encrypts the communication between your PC and the server to which you send a request, adding another layer of data security. In this case, it means that your searches and search results will be encrypted. No one will be able to see what you searched for or what results you received without direct access to your PC. Sounds good, but this doesn’t mean no one can have any clue about your searches. While your searches and results are encrypted, if you click on a link, you will be redirected to another website. That website may or may not support SSL. So, while your ISP may not know that you searched for “free music download”, they will see that you accessed websites that allow you to illegally download music.
Additionally, Google now offers two-factor authentication. Two-factor authentication requires at least two things to log in. In many cases, this is a password and a key fob (RSA token) or card. For Google, the two-factor authentication is achieved using your password plus an ever-rotating one-time password generated by the Google Authenticator app for your smart phone. This allows your smart phone to double as a key fob (RSA token). Once enabled, you have to know both your password and the one-time password that is displayed only on your smart phone in order to log in. If someone found your password, they wouldn't be able to log in without your phone. If they stole your phone, they would still need your password. You also issue special keys to each device or application that accesses your Google accounts. This means that were someone to steal the key in use for a given application, it wouldn't work for any other application or any other device. The system isn't perfect, as there are weak links such as having your Gmail account linked to your phone - if someone stole your phone, they'd still have direct access into your Gmail account as well as the phone you have set up with Google to use in the event your password was lost or stolen. But, given that this is a free service offered by Google, it offers vastly superior security over single-factor authentication (password only).