Google's nosslsearch a thing of the past?

Showing 1-70 of 70 messages
Google's nosslsearch a thing of the past? bob hosk 9/17/13 9:02 AM
Hi,

Is it now impossible to perform a non-HTTPS search with Google?

It seems that even `nosslsearch.google.com' ultimately redirects
to `https://www.google.com'. As does `http://www.google.co.uk'.

For reference, I'm using Ubuntu 12.04, with Firefox 23, and
I am not logged in to Google when attempting these searches.
I've tried clearing everything in the history, launching in
safe-mode, clean Firefox profiles and even a complete Firefox
reinstall (deleting .mozilla,.adobe,.macromedia etc). I've also
tried a Win 7 PC running Firefox 23.0.

Why does it seem non-SSL searches are no longer supported?
This is going to be a big problem for anyone who uses content filters
that don't function over https (schools, businesses etc).

Re: Google's nosslsearch a thing of the past? bluequoll 9/17/13 5:01 PM
I've flagged this for Google's attention.
Re: Google's nosslsearch a thing of the past? Lee-J 9/19/13 2:47 PM
We supply filtered internet to a number of schools, essentially this has rendered our filtering useless.

Looking at other education providers they have now blocked google images completely as we have and some have even gone as far as blocking google completely and redirecting requests to bing.

Surely google will have to offer something here as an alternative?

Re: Google's nosslsearch a thing of the past? I.Am.The.Jones 9/20/13 2:30 AM
We also look after schools and this has been a pain.

Without SSL decryption on the proxy, Safe Search (over the https channel) is not enforced. However SSL decryption creates a load of problems for lightly managed or unmanaged devices.
We've had problems that have been in the news due to our web filter not enforcing Safe Search over https.
Google should provide all web filter vendors a better option than DNS redirect (which is nigh on impossible to implement without creating DNS black holes), even go as far as enforcing SafeSearch at their end based on the source IP address.
If we're behind a proxy, we NAT the outbnbound schools' traffic, so this should be quite easy.
We had problems before, where if you logged into Google, everything became https, over the last couple of weeks, this is now the default.

I think Google should take responsibility for the content of the search terms to enforce SafeSearch before rolling out things like this, rather than react to problems that it's created.

We're now in a position where our Web Filter is under severe scrutiny, due to the problems this has created.

Re: Google's nosslsearch a thing of the past? Dinesh CGB 9/25/13 2:19 AM
I sit behind a gateway firewall in an organisation where by default HTTP is allowed.
Nowadays all the search quires on google search is getting redirected to HTTPS, due to which firewall is blocking this.
So to over come this i want to disable this redirection, is there a way to do it as HTTPS cannot be allowed in the firewall for everyone.
Re: Google's nosslsearch a thing of the past? Thomas P. 9/25/13 3:53 AM
Unfortunate, but true: Even the http://nosslsearch.google.com/ will force users getting redirected to https://www.google.com/
 
There is currently no known way to search the Web using Google over ordinary plain HTTP, instead of encrypted HTTPS.
The Help Center article: "Google SafeSearch and SSL Search for Schools" (article 186669), is currently not up-to-date.
 
For schools (and more), where traffic filtering is either desired or required (e.g. by law), then: Bing may be the best (or realistically only) choice.
As a small consolation, then Bing's set of operators, supporting more specialised searched - is quite possibly better than Google's.
 
Re: Google's nosslsearch a thing of the past? bluequoll 9/25/13 4:39 AM
It is now being reported that Google have enforced SSL search for all users:
Google Encrypted Search for Everyone
although there is no official Google confirmation to this effect.

It looks like those who rely on non-secure search for filtering, etc., may have to find alternatives.
Re: Google's nosslsearch a thing of the past? Dinesh CGB 9/25/13 5:50 AM
Rightly Said, Thomas.

I have started setting Bing as the home page for all the users in my organisation.
I think its the best option for now. Google will definitely looses its charm if its not coming up with solution for this issue as most of the organisation have the same problem.

Re: Google's nosslsearch a thing of the past? Jessica Schwartz 10/1/13 4:23 PM
Hi everyone,

We added SSL encryption for our signed-in search users in 2011, as well as searches from the Chrome omnibox earlier this year. We’re now working to bring this extra protection to more users who are not signed in. For schools, there is an option for No-SSL that I've detailed below taken from this page.  If you try this solution and it does not work, please return here and let us know.

Thanks,
Jessica 

When searching over Secure Sockets Layer (SSL), the connection between the user and Google is encrypted. Because the connection is encrypted, the query rewriting techniques described in the Enforce SafeSearch section will not work. As a workaround, you may disable SSL using our No-SSL option (described in greater detail below). Note: SafeSearch Lock works with SSL and doesn’t require the No-SSL option to function.

If the scenario described above is problematic for your school, Google provides a NoSSLSearch option. The network administrator can adjust the DNS configuration for www.google.com to point to our NoSSLSearch end point. For regular http traffic, the user will see no difference.

To utilize the no SSL option for your network, configure the DNS entry for www.google.com to be a CNAME for nosslsearch.google.com.

We will not serve SSL search results for requests that we receive on this VIP. If we receive a search request over port 443, the certificate handshake will complete successfully, but we will then redirect the user to a non-SSL search experience. The first time a user is redirected, they will be shown a notice that SSL has been disabled by the network administrator.

Customization and personalization is dependent on SSL availability, thus some features may be affected. Utilizing the NoSSLSearch VIP will not affect other Google services outside of Search. Logging into Google Apps and authenticating to different services will continue to work (and will occur over SSL).

Re: Google's nosslsearch a thing of the past? Chaniska Silva 10/2/13 1:04 AM
It doesnt work. in that it says to block https://encrypted.google.com but problem is when a user type just google.com and press enter it still taking them to the HTTPS site...

:(

Re: Google's nosslsearch a thing of the past? Josh C. 10/4/13 1:58 PM
Jessica,

This does not work and the page you linked to seems to be outdated; See Thomas P.'s post above. We are now scrambling to deal with children being exposed to more explicit content using google search. It's a bummer.

Re: Google's nosslsearch a thing of the past? jerry. 10/4/13 6:07 PM
This does not work. Our Library system web filter is now useless. Even after making changes to DNS server. Come on Google you have got to better than that.
Our only option is to switch to bing and blocking ssl search with the filter. By the way when enabling the block ssl feature it blocks https://www.google.com. As a result you can not access gmail or google apps as they rely on services from https://www.google.com.

So now we can't use google apps or gmail at work!! Not very productive if I have to use my email on my phone only since I can't login at work on the computer anymore until Google fixes the no ssl search option for schools.

Re: Google's nosslsearch a thing of the past? Matt Storms 10/4/13 7:11 PM
Jerry,

There are fixes in for Libraries and such coming out. Please be patient. 
Re: Google's nosslsearch a thing of the past? Thomas P. 10/4/13 8:42 PM
Yeah, just a quick update on this (I'm travelling, and may not be back for quite a few days) 
I've had a pretty solid indication that the current situation is in fact an error, i.e. not truly a severe case of an outdated article, but a case of unintentional too far reaching HTTPS spreading for the different google access ways (most prominently here obviously being the http://nosslsearch.google.com/ )
Re: Google's nosslsearch a thing of the past? Dream Dancer 10/6/13 8:59 PM
Jessica, someone's blowing smoke up someplace it shouldn't go.

http://nosslsearch.google.com/ redirects to https://www.google.com

Also, interesting fact, I have not had to sign into google for several months now. Signed out many times, but never had to sign in, every time I needed to use a google property, I'm signed in already.

Doesn't happen if I force the browser to use http instead of https

And doesn't matter if I totally destroy my browser history down to removing the cache folders and cookies.

Re: Google's nosslsearch a thing of the past? stappinuk 10/7/13 12:09 PM
I can confirm the no SSL DNS name is NOT working. Our users are redirected to the https version of google so we have had to block it.

Google is this a bug or something that you are going to fix?

If you don't fix it soon I can imagine every network admin who realises this issue will block google and redirect their users to other search engines.

This effects anyone who has to filter searches at a network level.

Re: Google's nosslsearch a thing of the past? Andrea Niedbala 10/9/13 2:49 PM
Has there been any update to this issue? I can also confirm that the nossl DNS is not working.

We have had to shut down access to google because of the SSL encryption that it is using which is an absolutely nightmare especially since we use Google Student Email for 20,000+ accounts!

Re: Google's nosslsearch a thing of the past? Andrea Niedbala-Williams 10/9/13 8:34 PM
Instead of following google's directions if you add an A record to the www.google.com zone pointing to 216.239.32.20 the SSL search will be turned off while still keeping your logins secure.  Not really a permanent solution because if the IP address changes you are hucked but at least its an interim solution until google gets this fixed.


Thanks.

Re: Google's nosslsearch a thing of the past? Michael Dean 10/11/13 3:27 AM
I added DNS record for google.co.uk and google.com to point to 212.239.32.20 as suggested above, and it worked a treat.  However doing so stopped youtube from being accessible!  Rock and Hard place spring to mind, as youtube is used widely as a valuable teaching resource.
Re: Google's nosslsearch a thing of the past? Patrick Brickey 10/14/13 9:10 AM
Your record must include the www. or it will break other google services. The goal is to make it only apply to searches.
Re: Google's nosslsearch a thing of the past? Chaniska Silva 10/14/13 9:28 AM
How do you add a record like that in a active Director DNS server? :-(
Re: Google's nosslsearch a thing of the past? Michael Dean 10/15/13 12:45 AM
That makes sense, thank you.
Re: Google's nosslsearch a thing of the past? Michael Dean 10/15/13 12:51 AM
To create the DNS record, open DNS management on your server in administrative tools. Expand servername and right click on forward lookup zones.  Create two new zones www.google.co.uk and www.google.com.  On your new zones right click and choose 'new host (a)'.  Leave the name blank as it will pick this up from the zone name, and enter the IP address 216.239.32.20 and click 'add host'. It will take a few minutes to propagate, but this should work fine.
Re: Google's nosslsearch a thing of the past? Chaniska Silva 10/15/13 3:23 AM
Thanks, hope no issues to the Internal Domain and DNS setup. ;-)
Since google has a large IP range not sure how long this will be effective...
Re: Google's nosslsearch a thing of the past? Jessica Schwartz 10/16/13 1:13 PM
Hi everyone,

Seems like there's some confusion around how the nossl mechanism is supposed to work.  In a network's DNS server, you are supposed to CNAME or nosslsearch.google.com's IP Address to www.google.com (and www.google.* any cctld).  When you access www.google.com you will use the IP address of nosslsearch.google.com and Google will keep you on HTTP.  

The problem is that instead, it sounds like people are just typing in nosslsearch.google.com into the browser and then getting redirected to https.  If you do the CNAME procedure then it should work, just like Michael Dean advised.

Thanks,
Jessica
Re: Google's nosslsearch a thing of the past? Chaniska Silva 10/17/13 1:55 AM
I think it works Just tested and seems to be fine.
But will that nossl IP chnage time to time? is there a way to know if there are any changes to that IP?
Re: Google's nosslsearch a thing of the past? HoTiCE_ 10/22/13 2:07 PM
I could be mistaken but if you add a CNAME type record and input nosslsearch.google.com, it will dynamically resolve it and any IP change would be reflected.

In short, instead of creating an A record and input the 216.239.32.20 IP directly, you would create a CNAME record and input "nosslsearch.google.com" into the field.

Re: Google's nosslsearch a thing of the past? HoTiCE_ 10/22/13 2:08 PM
If you add a CNAME record and point it to nosslsearch.google.com, it should work and any IP change would be reflected as it is being resolved dynamically.
Re: Google's nosslsearch a thing of the past? Tom Nitzschner 10/22/13 3:25 PM
Hi Jessica,

If we create a DNS zone in our DNS server for google.com and add the CNAME as described, it does fix that specific problem, but does seem to break all other Google resources, such as news.google.com, mail...., maps...., drive....
How can we create this search work-around AND keep all other google resources working as well.

if you could please provide a detailed 'step-by-step" process that would be most appreciated by everyone here.

Cheers,
Tom

Re: Google's nosslsearch a thing of the past? Shane Farmer 10/22/13 4:20 PM
Tom, make sure it's www.google.com, not google.com.
Re: Google's nosslsearch a thing of the past? Tom Nitzschner 10/22/13 5:07 PM
Hi Shane,

Created a www.google.com zone as per Michael Dean's instructionsn, pointing at the IP address of that server and it seems to work fine. it does leave all the other Google resources alone and they continue to work, but the one worry I do have is if that IP address will every change.

Re: Google's nosslsearch a thing of the past? Rich Raymont 10/23/13 7:55 PM
Adding a CNAME record to a Windows 2008R2 functional level DNS server does not work so you have to add an A record with the IP address. You could alternatively build a 2003 or pre R2 2008 server and run DNS on it and synchronise it with your R2 DNS server but that is getting real messy. From what I can tell the IP address for NOSSL searching has not changed in the last 2 years so I think google must have realised their cock up and will not be changing it anytime soon ( or they will have some very cranky sys admins to answer to).
Re: Google's nosslsearch a thing of the past? Paul Larwood 10/24/13 10:42 PM
I tested yesterday (24/10/13) using the following methods and all browser requests to http://www.google.com were redirected to the ssl (https) search page.

* windows 2008r2 server, zone: www.google.com, A record: 216.239.32.20
* linux bind server, zone: www.google.com, A record: 216.239.32.20
* windows 2003 server, zone: www.google.com, CNAME record: nosslsearch.google.com

I would have to agree with the original post, that this solution is not working.

Re: Google's nosslsearch a thing of the past? Joy Rousseau 10/25/13 10:03 AM
We MUST have CIPA compliant searches and images. Yesterday after initiating Safe Search for my district I logged onto a 6th graders machine. I could find pictures of people having sex when typing in the word "sex". But was blocked for the word "fuck". STUPID and INNANE! If you would led school districts with their own Google domain HONE their own searches....we could solve some of these issues. Who makes up the rules for what is a "Safe Search" and what is not. If you don't want to do that kind of service, then take us back to http searches and we can take care of this ourselves.

School districts trusted Google and now we are not CIPA compliant.

Re: Google's nosslsearch a thing of the past? Wild Rose Public Schools - Admin 10/30/13 11:02 AM
Jessica,

I implemented this and got it working like a charm.  A significant failure however, is that searches from home page of Android no longer work.  I am successfully able to have redirection from any machine within my edge to have proper redirection from SSL to nosslsearch.  Again, its all working except for Android searches from the home page.  If I open Chrome on the Android device and do searches from there, it works.  However, this has made Google look a little silly in that, by implementing nosslsearch, we have in fact broken search.

This really is a paltry solution from Google.  Could we not just start with a real simple FQDN registration through GAFE or something?  ie)  If IP resolves back to a DNS record indicating a GAFE k12 domain, then only return safesearch options.  It seems pretty weak that Securly can do this for us, and Google has the safesearch available, we just have no way to enforce it.  What a waste of even offering the safesearch options when we have no 100% successful way to implement it.

If Google was to allow us to register as k12, and return safesearch only, we wouldnt even need the nosslsearch option and we could continue all searches over SSL (which is still the preference for both my jurisdiction and Google).

This makes me growl at nights...

;-)

Piper Wray 10/31/13 5:53 AM <This message has been deleted.>
Re: Google's nosslsearch a thing of the past? david.king 11/1/13 9:14 AM
Coming back to this... there is a workaround to "disable" secure search, just use this address:

http://www.google.com/webhp?nord=1

(Or add "?nord=1" to a Google search URL after "www.google.com/", while replacing "https" with "http".).

Cheers
David

--

David King | Google TC: Chrome and Search | +DavidKing | @derpenxyne
Re: Google's nosslsearch a thing of the past? Brett Reynolds 11/10/13 7:05 AM
Since the modification to no filtering in google and ssl default we had to do several steps.  Ultimataly we had to use the nossl option, block encrypted.google.com AND enforce a filtering rule (Appliance) to read the URI and determine if safe is set to Off or Moderate in querystring.  

Essentially if anyone tries to go to Google and perform a search they get no response or blank page.  They have to go to settings and set safe search strict and then do their search.

We also found a hole in explicit.bing.net, even with this blocked you can get porn images served off of ts*.mm.bing.net when you select alternative image sizes.  We had to create a similiar filtering rule like google above, so if you try to do any bing search with safesearch off you get nothing.

We have 70,000 teachers/students in our district, they were not happy to have to set a setting everytime they logged in to do a search.

We signed up for Bing safe school beta, see how that goes.
Re: Google's nosslsearch a thing of the past? Russell T. Moore 11/17/13 7:01 PM
I hope google gets the message soon.  I guess im a little late to the party as we only realized a week ago that kids could turn safe search off and watch youtube by putting an https in front. As of now, all google services are blocked in my school district of 30,000.

We need the ability to monitor searches, and the ability to block students from using some services.  Right now its all or nothig

Re: Google's nosslsearch a thing of the past? christianredhat 11/18/13 8:37 AM
I too am a little (very) late on this one, the kids at my School started searching Google images and finding some inappropriate stuff last week!!

I have now blocked Yahoo, Bing and everyone else I can find or think off except Google and have managed to force Google safe search via Dansguardian's Urlreglist using ClearOs 5.2 and forcing a non standard Google home page onto Chrome via MS active directory GPO template for the childrens logon.  Phew resting a bit easier now......  Although plenty to still do.
I couldnt create a Cname or A record in Windows Server 2008r2 either I just got errors that drove me up the wall..

Re: Google's nosslsearch a thing of the past? Haler_BESD53 11/20/13 9:37 AM
Okay, I'm arriving to this party late also!  We just started seeing this issue with kids from our school searching Google images and coming up with inappropriate images.  I was then asked by the Principal of the school this happened at, as to why I hadn't notified him of these violations of our policy.  I then had to go through and explain to him that because Google is forcing the searches through SSL, our content filter is not decrypting them, and therefore, the students are definitely getting an "education."

I've tried the DNS setting of a new zone for www.google.com with a CNAME record for nosslsearch.google.com.
I've also tried the A record to the IP address mentioned above in this thread.

Neither of those have made a difference.

Thankfully, if the kids are logged into their GAFE account, Google SafeSearch is enforced, but it's definitely not catching everything (though it is filtering out some of the worst)!  If the searches were being sent through HTTP, our content filter would be catching the ones that Google SafeSearch isn't.

Is there ANY indication that this is going to be changed????

Re: Google's nosslsearch a thing of the past? D.Dancer 11/20/13 5:06 PM
I suspect it's because the kids home page is also google.com, hence the browser has the IP address cached and will not preform a DNS lookup when it already knows the IP address it needs to reach.

Changing the home page to something non-google and the problem should resolve.

Personally, I forced my network to using search dot yahoo dot com as the home page, and the issue has gone away for me.

Re: Google's nosslsearch a thing of the past? Russell T. Moore 11/21/13 6:03 AM
We gave up, and this morning we have https inspection proxy running on all the kids traffic.  it will proabbly break a ton of other things, but were able to turn google back on.
Re: Google's nosslsearch a thing of the past? Haler_BESD53 11/21/13 6:40 AM
Okay.  I have to eat some crow here.  Our issue ended up being with our content filter.  On a previous Google vs. Content Filter issue, we had been given a list of URLs by Google that should be allowed on the filter because our filtering was being "too restrictive."

Evidently, it was a couple of those whitelisted URLs that were allowing the searches to go through SSL instead of via HTTP.  After working with our content filter vendor for a good portion of the day yesterday, we were able to resolve the issue.

For those that are interested, here is a list of the URLs Google originally told us to open on our filter:
I have reviewed your issue, and the issue could be caused by an overly protective firewall.  I would recommend that you add the following list of URLs to your network's whitelist:

accounts.google.com
accounts.youtube.com
client3.google.com
clients1.google.com
clients2.google.com
clients3.google.com
clients4.google.com
cros-omahaproxy.appspot.com
dl-ssl.google.com
dl.google.com
m.google.com
omahaproxy.appspot.com
safebrowsing-cache.google.com
safebrowsing.google.com
ssl.gstatic.com
tools.google.com
pack.google.com
www.gstatic.com
www.google.com ( http only - used for htpdate )
gweb-gettingstartedguide.appspot.com

To fix our issue yesterday, we removed the following from the whitelist:

accounts.google.com
dl-ssl.google.com
dl.google.com
ssl.gstatic.com
www.gstatic.com
www.google.com ( http only - used for htpdate )

Re: Google's nosslsearch a thing of the past? Tom Newton, Smoothwall 11/21/13 8:10 AM
There's another way to do this that's a bit easier if your filter supports connect header rewriting, and that's to rewrite a connect header to www.google.com to nosslsearch.google.com - this is a bit less intrusive than the DNS method, as it allows other services to work more easily, and you can do it on a per-user basis.

Smoothwall's content filter supports this - I honestly don't know about any others (but it will generally only be proxy-type filters, rather than pass-by types).

Have to agree with the sentiments of the post however: Google do make it hard for education customers to keep a modicum of control. They're not the only company to be pushing hard in education whilst simultaneously doing things which break filters/control though (i'm looking at you, Apple, Skype).

Re: Google's nosslsearch a thing of the past? Tom Vivian 11/21/13 9:29 AM
I too have joined the party a little late.
I implemented the DNS fix which seems to work fine. By adding 2 new zones to our DNS server, www.google.co.uk & www.google.com, and pointing them to 216.239.32.20 allows our Fortinet appliance to still use safe search. This does seem a bit overkill & unnecessary, but better than potentially exposing the kids to inappropriate content. This method is all well and good until the IP address changes!
I will investigate the connect header rewriting as per the Smoothwall appliances, however I do think that Google should come up with something as well.
I'm glad I found this post and thanks to all the contributors.
--
Registered Charity No. 529538 (England)
Company Number: 898078
Registered Office: Aysgarth School Trust Limited, Newton le Willows,
Bedale, North Yorkshire, DL8 1TF
Telephone - 01677 450240
Re: Google's nosslsearch a thing of the past? Jarrod S 11/22/13 5:26 AM
We are having issues with the nosslsearch feature as well. We have it redirecting properly, but a lot of times it is very slow. It almost seems like the redirector keeps trying to switch back and forth between ssl. Teachers and Students are really noticing this on the Chromebooks. We are currently in the process of testing an iBoss filter and have a Sonicwall as well. I was able to prove this is happening in both of those environments. Has anyone else experienced anything similar?
Re: Google's nosslsearch a thing of the past? Tom Steele 11/27/13 6:39 PM
Just adding www.google.co.uk and www.google.com is not enough - what about all the other Google search domains such as www.google.ca or www.google.de?  This is not really a solution or even a good, reliable fix.  Google needs to step up to the plate and provide a REAL solution to the problem.  
Re: Google's nosslsearch a thing of the past? D.Dancer 11/27/13 10:01 PM
Use a search engine for the following terms:
"Nielsen NetRatings Search Engine Ratings"
And look at the pie chart.

They're not going to bother changing their behavior with that large a share of the pie. As far as they're concerned, they own the internet and you will use it as they see fit.

This is why I've removed them as being the home page on all machines in my network and removed them from the search engine providers in all browsers.

My home page is now the second largest search provider using
search DOT them DOT com
And I think I get better results with it.

Gotta be careful mentioning their name, have had posts deleted because of this recommendation, apparently it's not kosher to mention them.

Re: Google's nosslsearch a thing of the past? nealeigh 12/16/13 9:54 AM
Hi all,

Simply visiting 
nosslsearch.google.com has never been a supported option for searching unencrypted and does not work, because the "Host:" header must continue to send "www.google.com" (or one of our other supported search domains) as per normal. You can do this by making "www.google.com" a CNAME for "nosslsearch.google.com" and then visiting "www.google.com" in the browser (you can also test this by editing /etc/hosts and making "www.google.com" resolve to 216.239.32.20, thenosslsearch.google.com IP address).

If you're having problems with DNS servers that don't allow for single names to be overriden (and you're selling products), the filter vendors should be taking care of that, not the schools.

Best,
Nealeigh
Re: Google's nosslsearch a thing of the past? Michael Dean 12/16/13 10:42 AM
Hi Naeleigh,

What about the schools / education establishments that do their own filtering?  What about parents at home that do their own filtering?  Suddenly Google's naivety and narrow mindedness has left potentially millions of young people / children vulnerable to images / websites on the Internet.  Not only that, you've made it very difficult for the people that protect those young people / children, to manage their filtering services and provide the right levels of protection.  Why doesn't google run a www.google.edu domain that doesn't use SSL and has a higher level of filtering employed?

Re: Google's nosslsearch a thing of the past? D.Dancer 12/16/13 5:29 PM
Look at my answer above, they don't care, and will never change as long as they think they own the internet.
Re: Google's nosslsearch a thing of the past? Tom Newton, Smoothwall 12/17/13 12:25 AM
However, rewriting the SNI host header *does* seem to work, as the internal HTTP host header remains "correct". I hope google don't change this functionality as a lot of Smoothwall customers use it.

D.Dancer has a point though - as I said above, there's too many companies clamouring for the education dollar while simultaneously producing products and services that just don't fit right, and are totally consumer oriented.

Re: Google's nosslsearch a thing of the past? Vance Kwan 1/21/14 9:13 PM
I believe a huge part of the problem is that no matter what the google service is, whether it'd be drive, gmail, youtube even!; it is using 1 certificate that has the CN of google.com.

Is there any reason why google chooses to use 1 mega certificate to handle all their HTTPS services?

Re: Google's nosslsearch a thing of the past? D.Dancer 1/23/14 5:12 PM
A 1 MEG certificate?

That would explain why it takes me so long to load goggle pages, browser is busy trying to handle that monster.

Re: Google's nosslsearch a thing of the past? (unknown) 1/28/14 2:50 AM
This solution does not work -- it is easily bypassed by deleting cookies. In Safari and IE you can use parental controls to allow a user to empty history/cookies.
Google Chrome can be installed with no administrator authorizations, and allows you do to anything.
Re: Google's nosslsearch a thing of the past? Brett Reynolds 1/28/14 2:12 PM
We blocked a lot of google and signed up for bing safe schools.....   Wish google would follow.
Re: Google's nosslsearch a thing of the past? AHelpdesk 1/29/14 10:00 AM
SOLUTION FOUND

The nosslsearch.google.com option does still work.   The problem is, you need to create a DNS forward lookup zone for your region that google redirects you to.

When we go to www.google.com, we are redirected to www.google.ca  -> we needed to create a forward lookup zone for "www.google.ca" with a cname of "nosslsearch.google.com"

Still works well - make sure to enforce users to only go to your DNS via the firewall.

Re: Google's nosslsearch a thing of the past? Brett Reynolds 1/29/14 12:01 PM
Yes but unfortunately you must place a CNAME for every single www.googl address.  IE students just navigate to www.google.co.uk and now have HTTPs even though they are in www.google.ca

You would have to block every single Google region address.  Google's solution is very poor.

Re: Google's nosslsearch a thing of the past? Nathan Wray 1/29/14 12:22 PM
It's very poor if you're for example a school IS admin trying to implement filtering yourself.  It's completely untenable for a home user without the resources to do URL rewriting to append the safesearch string (on top of cleanly implementing nosslsearch against every possible URL).  Contrast that against the explicit.bing.com approach, where you can DNS block a single name.

I'd like to see a guide, produced by Google, that outlines how they think the average home user could reasonably keep their kids from searching for "bears" and getting an eyeful of explicit thumbnails; using nothing more than a home router and tools like opendns.

AHelpdesk 1/29/14 2:39 PM <This message has been deleted.>
Re: Google's nosslsearch a thing of the past? AHelpdesk 1/29/14 2:53 PM
It is a terrible solution but at working solution.

You would need to create CNAME records for 200 total domains - listed here: http://en.wikipedia.org/wiki/List_of_Google_domains

This is a quick and dirty script to populate Windows DNS

' Run this script on the Windows DNS server you are wanting to add to
' Ensure you have a copy of the DNSCMD utility (older windows servers can use the utility from the "XP SP2 System Tools" download from microsoft)

Dim oShell
Set oShell = CreateObject("wscript.Shell")

Call AddNoSSLSearchCName("google.ac")
Call AddNoSSLSearchCName("google.co.zm")
Call AddNoSSLSearchCName("google.co.zw")
' REPEAT above lines using all domains from http://en.wikipedia.org/wiki/List_of_Google_domains

Function AddNoSSLSearchCName(sGoogleDomain)

  sDNSCMD="dnscmd.exe . /zoneadd " & sGoogleDomain & " /primary /file " & sGoogleDomain
  oShell.Run "cmd.exe /c " & sDNSCMD,3,True

  sDNSCMD="dnscmd.exe . /recordadd " & sGoogleDomain & " @ CNAME nosslsearch.google.com"
  oShell.Run "cmd.exe /c " & sDNSCMD,3,True

End Function

Re: Google's nosslsearch a thing of the past? AHelpdesk 2/3/14 10:30 AM
This setup appears to affect gmail login.   An elegant solution from gmail is definitely required.
Re: Google's nosslsearch a thing of the past? joeytmann 2/4/14 1:44 PM
I've been the DNS option, using an A record instead of CNAME, for about a month now. Recently how ever when a user trys to login to our Google Apps domain, part of the redirect process pushes them to https://www.google.com/..... Now FireFox and IE handle the redirection just fine and eventually they get in. How ever Chrome browsers get a err_connection_reset when they hit https://www.google.com Kinda odd, and not sure where to go from here.
Re: Google's nosslsearch a thing of the past? chrisaz87 2/4/14 7:48 PM
Here is the file with the A record instead of the CNAME with all  the current google domains.
This will run on Server 2003 and on (verified working on server 2012 R2)
Re: Google's nosslsearch a thing of the past? cartmanspeedzone 3/17/14 10:09 AM
My recommendation as one who manages filtering is going to be no Google access for all students. Ridiculous to think Google would be aware of this issue and not have a solid solution for it.
It will affect close to 100k students, and it may not be approved, but my conscience will be clear.
Re: Google's nosslsearch a thing of the past? Brett Reynolds 3/18/14 6:37 PM <This message has been deleted.>
Re: Google's nosslsearch a thing of the past? Justin Buchanan 3/19/14 10:47 AM
nosslsearch.google.com DOES work.

As per the Google Help Article (https://support.google.com/websearch/answer/186669)

And then followed these directions to set up DNS on my Win 2008 Server:
http://blog.somerandomcompany.com/2012/03/configuring-google-nosslsearch-for.html

I cleared my DNS server cache on all three of my Active Directory DNS servers to force the change immediately.

I would not recommend blocking https://encrypted.google.com as stated in the Google Help Article, that caused all sorts of issues for us.   Just the nosslsearch.google.com DNS settings seem to be doing the trick.
--
Please be advised that the Attorney General has ruled that communication
via electronic mail in the public domain is not confidential and is
considered a matter of public record. Furthermore, all communications
(including this one) will be retained for 10 years.
Re: Google's nosslsearch a thing of the past? Doug Scudder 4/2/14 12:42 PM
Patience is not a luxury we can indulge.  As school network administrators our primary task is to keep our school network CIPA compliant.  Google has managed to defeat all of our efforts.  We looked at a solution today that would have cost six figures. For crying out loud google!  What are you doing!!???
Re: Google's nosslsearch a thing of the past? chrisaz87 4/2/14 3:06 PM
I can confirm that implementing the nosslsearch worked successfully for all google products (this is for a school district that has 60k people on google apps all day).
I wrote a script to add all the records to a microsoft dns server.
rename to .vbs and then run it as as admin locally on each of your dns servers.
https://dl.dropboxusercontent.com/u/2629083/add_google_domains_windows_server.txt
More topics »