
Does this mean that "nosslsearch" is now no longer supported?




That's always how it worked. nosslsearch only responds if you access it as "www.google.com", not as "nosslsearch.google.com".

(As of writing it still works if you do it on a new browser. However once you have HSTS info it will always attempt to do an HTTPS connection I suppose)


I believe nossl was intended as a concession for schools that believe in censorship. It makes it relatively easy to configure things so Google doesn't go over SSL so that your existing MITM boxes which censor continue to function as before.

If they continue to support this use case, it may be hard to do without introducing bugs - one exposure to a 'real' service which spits out an HSTS header (or the preload list), and the machine loses the ability to conduct Google searches.

I think they'll either have to use some nasty workarounds, or they'll need to use a different domain - which isn't necessarily something you want to do when you are trying to provide simple rules which allow users to identify phishing.

More likely they'll simply force sites that want to continue to MITM to load their own CA roots.

Although I don't think this is their motivation, it also has the neat side-effect of making Google's Chromebook & device management services more useful.


> If they continue to support this use case, it may be hard to do without introducing bugs - one exposure to a 'real' service which spits out an HSTS header (or the preload list), and the machine loses the ability to conduct Google searches.

Those wishing to spy on their users with nossl could just disable HSTS in the browsers they provide.


Google changed this almost a year ago.

> Turn on SafeSearch VIP: To force SafeSearch for your network, you’ll need to update your DNS configuration. Set the DNS entry for www.google.com (and any other Google ccTLD country subdomains your users may use) to be a CNAME for forcesafesearch.google.com.

> We will serve SafeSearch Search and Image Search results for requests that we receive on this VIP.

You can enforce safe search over HTTPS now: https://support.google.com/websearch/answer/186669?hl=en


I used to work at Google, and I confirm the parent is correct. Things work this way so that schools can force safe search, while keeping HTTPS.


However, this means that schools can't see what pupils search for, and that any network operator can force safe search.


Schools almost ubiquitously use SSL-decrypting DPI devices with the device root installed on endpoints, bypassing both HSTS and HPKP.


K12 schools are increasingly embracing BYOD and BYOD devices are sometimes resistant to this kind of meddling (iPads, Chromebooks).

In the US, they still have a legal obligation to censor the Internet or they lose federal funding.


Do you know how much funding is at stake nationwide? (It's E-Rate, as I recall.) How credible is it that an organization or wealthy individual or crowdfunding effort could offer a wholesale alternative? In San Francisco, SFPL chose to give up this funding several years ago in order to decline to install censorware.

Edit: a whole lot of money! https://en.wikipedia.org/wiki/E-Rate#Modernization


Libraries do tend to be bastions of extreme left-wing views on surveillance and censorship, so perhaps on the library side.

School boards, no way. I can't think of an easier way to torpedo a school board career (or indeed a "pillar of the community" parent's status in the neighborhood) than by mentioning that they think children should have easier access to pornography at school.


> Libraries do tend to be bastions of extreme left-wing views on surveillance and censorship

By context I can guess what you mean, but by itself it's a very ambiguous statement :)


Eh, I don't think so. Civil Liberties over Family Values and all that.


Call it "Internet Deregulation" and say that you will be able to lower taxes by X percent if you don't have to spend money on expensive internet filter solutions.


Much easier to just load a root CA certificate - this use case is explicitly supported and does not require maintaining a browser fork & compile infrastructure.

But "just" doing either of these things turns out not to be simple for many organizations. It's bad enough needing to update your system image/deployment scripts (if you have any!). You also need to figure out what to do about all the devices you don't own. BYOD is a thing.



