|Google's nosslsearch a thing of the past?||bob hosk||9/17/13 9:02 AM|
Is it now impossible to perform a non-HTTPS search with Google?
For reference, I'm using Ubuntu 12.04, with Firefox 23, and
Why does it seem non-SSL searches are no longer supported?
|Re: Google's nosslsearch a thing of the past?||bluequoll||9/17/13 5:01 PM|
I've flagged this for Google's attention.
|Re: Google's nosslsearch a thing of the past?||Lee-J||9/19/13 2:47 PM|
We supply filtered internet to a number of schools, essentially this has rendered our filtering useless.
Looking at other education providers they have now blocked google images completely as we have and some have even gone as far as blocking google completely and redirecting requests to bing.
Surely google will have to offer something here as an alternative?
|Re: Google's nosslsearch a thing of the past?||I.Am.The.Jones||9/20/13 2:30 AM|
We also look after schools and this has been a pain.
Without SSL decryption on the proxy, Safe Search (over the https channel) is not enforced. However SSL decryption creates a load of problems for lightly managed or unmanaged devices.
I think Google should take responsibility for the content of the search terms to enforce SafeSearch before rolling out things like this, rather than react to problems that it's created.
We're now in a position where our Web Filter is under severe scrutiny, due to the problems this has created.
|Re: Google's nosslsearch a thing of the past?||Dinesh CGB||9/25/13 2:19 AM|
I sit behind a gateway firewall in an organisation where by default HTTP is allowed.
Nowadays all the search queries on Google search are getting redirected to HTTPS, due to which the firewall is blocking this.
So to overcome this I want to disable this redirection. Is there a way to do it, as HTTPS cannot be allowed in the firewall for everyone?
|Re: Google's nosslsearch a thing of the past?||Thomas P.||9/25/13 3:53 AM|
Unfortunate, but true: Even the http://nosslsearch.google.com/ will force users getting redirected to https://www.google.com/
There is currently no known way to search the Web using Google over ordinary plain HTTP, instead of encrypted HTTPS.
The Help Center article: "Google SafeSearch and SSL Search for Schools" (article 186669), is currently not up-to-date.
For schools (and more), where traffic filtering is either desired or required (e.g. by law), then: Bing may be the best (or realistically only) choice.
As a small consolation, then Bing's set of operators, supporting more specialised searches - is quite possibly better than Google's.
|Re: Google's nosslsearch a thing of the past?||bluequoll||9/25/13 4:39 AM|
It is now being reported that Google have enforced SSL search for all users:
Google Encrypted Search for Everyone
although there is no official Google confirmation to this effect.
It looks like those who rely on non-secure search for filtering, etc., may have to find alternatives.
|Re: Google's nosslsearch a thing of the past?||Dinesh CGB||9/25/13 5:50 AM|
Rightly Said, Thomas.
I have started setting Bing as the home page for all the users in my organisation.
|Re: Google's nosslsearch a thing of the past?||Jessica Schwartz||10/1/13 4:23 PM|
We added SSL encryption for our signed-in search users in 2011, as well as searches from the Chrome omnibox earlier this year. We’re now working to bring this extra protection to more users who are not signed in. For schools, there is an option for No-SSL that I've detailed below taken from this page. If you try this solution and it does not work, please return here and let us know.
When searching over Secure Sockets Layer (SSL), the connection between the user and Google is encrypted. Because the connection is encrypted, the query rewriting techniques described in the Enforce SafeSearch section will not work. As a workaround, you may disable SSL using our No-SSL option (described in greater detail below). Note: SafeSearch Lock works with SSL and doesn’t require the No-SSL option to function.
If the scenario described above is problematic for your school, Google provides a NoSSLSearch option. The network administrator can adjust the DNS configuration for www.google.com to point to our NoSSLSearch end point. For regular http traffic, the user will see no difference.
|Re: Google's nosslsearch a thing of the past?||Chaniska Silva||10/2/13 1:04 AM|
|Re: Google's nosslsearch a thing of the past?||Josh C.||10/4/13 1:58 PM|
This does not work and the page you linked to seems to be outdated; See Thomas P.'s post above. We are now scrambling to deal with children being exposed to more explicit content using google search. It's a bummer.
|Re: Google's nosslsearch a thing of the past?||jerry.||10/4/13 6:07 PM|
This does not work. Our Library system web filter is now useless. Even after making changes to DNS server. Come on Google, you have got to do better than that.
Our only option is to switch to bing and blocking ssl search with the filter. By the way when enabling the block ssl feature it blocks https://www.google.com. As a result you can not access gmail or google apps as they rely on services from https://www.google.com.
So now we can't use google apps or gmail at work!! Not very productive if I have to use my email on my phone only since I can't login at work on the computer anymore until Google fixes the no ssl search option for schools.
|Re: Google's nosslsearch a thing of the past?||Matt Storms||10/4/13 7:11 PM|
There are fixes in for Libraries and such coming out. Please be patient.
|Re: Google's nosslsearch a thing of the past?||Thomas P.||10/4/13 8:42 PM|
Yeah, just a quick update on this (I'm travelling, and may not be back for quite a few days)
I've had a pretty solid indication that the current situation is in fact an error, i.e. not truly a severe case of an outdated article, but a case of unintentional too far reaching HTTPS spreading for the different google access ways (most prominently here obviously being the http://nosslsearch.google.com/ )
|Re: Google's nosslsearch a thing of the past?||Dream Dancer||10/6/13 8:59 PM|
Jessica, someone's blowing smoke up someplace it shouldn't go.
Also, interesting fact, I have not had to sign into google for several months now. Signed out many times, but never had to sign in, every time I needed to use a google property, I'm signed in already.
Doesn't happen if I force the browser to use http instead of https
And doesn't matter if I totally destroy my browser history down to removing the cache folders and cookies.
|Re: Google's nosslsearch a thing of the past?||stappinuk||10/7/13 12:09 PM|
I can confirm the no SSL DNS name is NOT working. Our users are redirected to the https version of google so we have had to block it.
Google is this a bug or something that you are going to fix?
If you don't fix it soon I can imagine every network admin who realises this issue will block google and redirect their users to other search engines.
This affects anyone who has to filter searches at a network level.
|Re: Google's nosslsearch a thing of the past?||Andrea Niedbala||10/9/13 2:49 PM|
Has there been any update to this issue? I can also confirm that the nossl DNS is not working.
We have had to shut down access to google because of the SSL encryption that it is using, which is an absolute nightmare especially since we use Google Student Email for 20,000+ accounts!
|Re: Google's nosslsearch a thing of the past?||Andrea Niedbala-Williams||10/9/13 8:34 PM|
Instead of following google's directions, if you add an A record to the www.google.com zone pointing to 22.214.171.124 the SSL search will be turned off while still keeping your logins secure. Not really a permanent solution because if the IP address changes you are hucked, but at least it's an interim solution until google gets this fixed.
|Re: Google's nosslsearch a thing of the past?||Michael Dean||10/11/13 3:27 AM|
|Re: Google's nosslsearch a thing of the past?||Patrick Brickey||10/14/13 9:10 AM|
Your record must include the www. or it will break other google services. The goal is to make it only apply to searches.
|Re: Google's nosslsearch a thing of the past?||Chaniska Silva||10/14/13 9:28 AM|
How do you add a record like that in an Active Directory DNS server? :-(
|Re: Google's nosslsearch a thing of the past?||Michael Dean||10/15/13 12:45 AM|
That makes sense, thank you.
|Re: Google's nosslsearch a thing of the past?||Michael Dean||10/15/13 12:51 AM|
To create the DNS record, open DNS management on your server in administrative tools. Expand servername and right click on forward lookup zones. Create two new zones www.google.co.uk and www.google.com. On your new zones right click and choose 'new host (a)'. Leave the name blank as it will pick this up from the zone name, and enter the IP address 126.96.36.199 and click 'add host'. It will take a few minutes to propagate, but this should work fine.
|Re: Google's nosslsearch a thing of the past?||Chaniska Silva||10/15/13 3:23 AM|
Thanks, hope no issues to the Internal Domain and DNS setup. ;-)
Since google has a large IP range not sure how long this will be effective...
|Re: Google's nosslsearch a thing of the past?||Jessica Schwartz||10/16/13 1:13 PM|
Seems like there's some confusion around how the nossl mechanism is supposed to work. In a network's DNS server, you are supposed to CNAME or nosslsearch.google.com's IP Address to www.google.com (and www.google.* any cctld). When you access www.google.com you will use the IP address of nosslsearch.google.com and Google will keep you on HTTP.
The problem is that instead, it sounds like people are just typing in nosslsearch.google.com into the browser and then getting redirected to https. If you do the CNAME procedure then it should work, just like Michael Dean advised.
|Re: Google's nosslsearch a thing of the past?||Chaniska Silva||10/17/13 1:55 AM|
I think it works. Just tested and seems to be fine.
But will that nossl IP change from time to time? Is there a way to know if there are any changes to that IP?
|Re: Google's nosslsearch a thing of the past?||HoTiCE_||10/22/13 2:07 PM|
I could be mistaken but if you add a CNAME type record and input nosslsearch.google.com, it will dynamically resolve it and any IP change would be reflected.
In short, instead of creating an A record and input the 188.8.131.52 IP directly, you would create a CNAME record and input "nosslsearch.google.com" into the field.
|Re: Google's nosslsearch a thing of the past?||HoTiCE_||10/22/13 2:08 PM|
If you add a CNAME record and point it to nosslsearch.google.com, it should work and any IP change would be reflected as it is being resolved dynamically.
|Re: Google's nosslsearch a thing of the past?||Tom Nitzschner||10/22/13 3:25 PM|
If we create a DNS zone in our DNS server for google.com and add the CNAME as described, it does fix that specific problem, but does seem to break all other Google resources, such as news.google.com, mail...., maps...., drive....
If you could please provide a detailed "step-by-step" process that would be most appreciated by everyone here.
|Re: Google's nosslsearch a thing of the past?||Shane Farmer||10/22/13 4:20 PM|
|Re: Google's nosslsearch a thing of the past?||Tom Nitzschner||10/22/13 5:07 PM|
Created a www.google.com zone as per Michael Dean's instructions, pointing at the IP address of that server and it seems to work fine. It does leave all the other Google resources alone and they continue to work, but the one worry I do have is if that IP address will ever change.
|Re: Google's nosslsearch a thing of the past?||Rich Raymont||10/23/13 7:55 PM|
Adding a CNAME record to a Windows 2008R2 functional level DNS server does not work so you have to add an A record with the IP address. You could alternatively build a 2003 or pre R2 2008 server and run DNS on it and synchronise it with your R2 DNS server but that is getting real messy. From what I can tell the IP address for NOSSL searching has not changed in the last 2 years so I think google must have realised their cock up and will not be changing it anytime soon ( or they will have some very cranky sys admins to answer to).
|Re: Google's nosslsearch a thing of the past?||Paul Larwood||10/24/13 10:42 PM|
I tested yesterday (24/10/13) using the following methods and all browser requests to http://www.google.com were redirected to the ssl (https) search page.
* windows 2008r2 server, zone: www.google.com, A record: 184.108.40.206
I would have to agree with the original post, that this solution is not working.
|Re: Google's nosslsearch a thing of the past?||Joy Rousseau||10/25/13 10:03 AM|
We MUST have CIPA compliant searches and images. Yesterday after initiating Safe Search for my district I logged onto a 6th grader's machine. I could find pictures of people having sex when typing in the word "sex". But was blocked for the word "fuck". STUPID and INANE! If you would let school districts with their own Google domain HONE their own searches....we could solve some of these issues. Who makes up the rules for what is a "Safe Search" and what is not? If you don't want to do that kind of service, then take us back to http searches and we can take care of this ourselves.
School districts trusted Google and now we are not CIPA compliant.
|Re: Google's nosslsearch a thing of the past?||Wild Rose Public Schools - Admin||10/30/13 11:02 AM|
I implemented this and got it working like a charm. A significant failure however, is that searches from home page of Android no longer work. I am successfully able to have redirection from any machine within my edge to have proper redirection from SSL to nosslsearch. Again, it's all working except for Android searches from the home page. If I open Chrome on the Android device and do searches from there, it works. However, this has made Google look a little silly in that, by implementing nosslsearch, we have in fact broken search.
This really is a paltry solution from Google. Could we not just start with a real simple FQDN registration through GAFE or something? ie) If IP resolves back to a DNS record indicating a GAFE k12 domain, then only return safesearch options. It seems pretty weak that Securly can do this for us, and Google has the safesearch available, we just have no way to enforce it. What a waste of even offering the safesearch options when we have no 100% successful way to implement it.
If Google was to allow us to register as k12, and return safesearch only, we wouldn't even need the nosslsearch option and we could continue all searches over SSL (which is still the preference for both my jurisdiction and Google).
This makes me growl at nights...
|Piper Wray||10/31/13 5:53 AM||<This message has been deleted.>|
|Re: Google's nosslsearch a thing of the past?||david.king||11/1/13 9:14 AM|
Coming back to this... there is a workaround to "disable" secure search, just use this address:
(Or add "?nord=1" to a Google search URL after "www.google.com/", while replacing "https" with "http".).
|Re: Google's nosslsearch a thing of the past?||Brett Reynolds||11/10/13 7:05 AM|
Since the modification to no filtering in google and ssl default we had to do several steps. Ultimately we had to use the nossl option, block encrypted.google.com AND enforce a filtering rule (Appliance) to read the URI and determine if safe is set to Off or Moderate in querystring.
Essentially if anyone tries to go to Google and perform a search they get no response or blank page. They have to go to settings and set safe search strict and then do their search.
We also found a hole in explicit.bing.net, even with this blocked you can get porn images served off of ts*.mm.bing.net when you select alternative image sizes. We had to create a similar filtering rule like google above, so if you try to do any bing search with safesearch off you get nothing.
We have 70,000 teachers/students in our district, they were not happy to have to set a setting every time they logged in to do a search.
We signed up for Bing safe school beta, see how that goes.
|Re: Google's nosslsearch a thing of the past?||Russell T. Moore||11/17/13 7:01 PM|
I hope google gets the message soon. I guess I'm a little late to the party as we only realized a week ago that kids could turn safe search off and watch youtube by putting an https in front. As of now, all google services are blocked in my school district of 30,000.
We need the ability to monitor searches, and the ability to block students from using some services. Right now it's all or nothing.
|Re: Google's nosslsearch a thing of the past?||christianredhat||11/18/13 8:37 AM|
I too am a little (very) late on this one, the kids at my School started searching Google images and finding some inappropriate stuff last week!!
I have now blocked Yahoo, Bing and everyone else I can find or think of except Google and have managed to force Google safe search via Dansguardian's Urlreglist using ClearOs 5.2 and forcing a non standard Google home page onto Chrome via MS active directory GPO template for the children's logon. Phew resting a bit easier now...... Although plenty to still do.
|Re: Google's nosslsearch a thing of the past?||Haler_BESD53||11/20/13 9:37 AM|
Okay, I'm arriving to this party late also! We just started seeing this issue with kids from our school searching Google images and coming up with inappropriate images. I was then asked by the Principal of the school this happened at, as to why I hadn't notified him of these violations of our policy. I then had to go through and explain to him that because Google is forcing the searches through SSL, our content filter is not decrypting them, and therefore, the students are definitely getting an "education."
Neither of those have made a difference.
Thankfully, if the kids are logged into their GAFE account, Google SafeSearch is enforced, but it's definitely not catching everything (though it is filtering out some of the worst)! If the searches were being sent through HTTP, our content filter would be catching the ones that Google SafeSearch isn't.
Is there ANY indication that this is going to be changed????
|Re: Google's nosslsearch a thing of the past?||D.Dancer||11/20/13 5:06 PM|
I suspect it's because the kids' home page is also google.com, hence the browser has the IP address cached and will not perform a DNS lookup when it already knows the IP address it needs to reach.
Changing the home page to something non-google and the problem should resolve.
Personally, I forced my network to using search dot yahoo dot com as the home page, and the issue has gone away for me.
|Re: Google's nosslsearch a thing of the past?||Russell T. Moore||11/21/13 6:03 AM|
We gave up, and this morning we have https inspection proxy running on all the kids' traffic. It will probably break a ton of other things, but we're able to turn google back on.
|Re: Google's nosslsearch a thing of the past?||Haler_BESD53||11/21/13 6:40 AM|
Okay. I have to eat some crow here. Our issue ended up being with our content filter. On a previous Google vs. Content Filter issue, we had been given a list of URLs by Google that should be allowed on the filter because our filtering was being "too restrictive."
Evidently, it was a couple of those whitelisted URLs that were allowing the searches to go through SSL instead of via HTTP. After working with our content filter vendor for a good portion of the day yesterday, we were able to resolve the issue.
For those that are interested, here is a list of the URLs Google originally told us to open on our filter:
To fix our issue yesterday, we removed the following from the whitelist:
|Re: Google's nosslsearch a thing of the past?||Tom Newton, Smoothwall||11/21/13 8:10 AM|
There's another way to do this that's a bit easier if your filter supports connect header rewriting, and that's to rewrite a connect header to www.google.com to nosslsearch.google.com - this is a bit less intrusive than the DNS method, as it allows other services to work more easily, and you can do it on a per-user basis.
Smoothwall's content filter supports this - I honestly don't know about any others (but it will generally only be proxy-type filters, rather than pass-by types).
Have to agree with the sentiments of the post however: Google do make it hard for education customers to keep a modicum of control. They're not the only company to be pushing hard in education whilst simultaneously doing things which break filters/control though (I'm looking at you, Apple, Skype).
|Re: Google's nosslsearch a thing of the past?||Tom Vivian||11/21/13 9:29 AM|
I too have joined the party a little late.
I implemented the DNS fix which seems to work fine. By adding 2 new zones to our DNS server, www.google.co.uk & www.google.com, and pointing them to 220.127.116.11 allows our Fortinet appliance to still use safe search. This does seem a bit overkill & unnecessary, but better than potentially exposing the kids to inappropriate content. This method is all well and good until the IP address changes!
I will investigate the connect header rewriting as per the Smoothwall appliances, however I do think that Google should come up with something as well.
I'm glad I found this post and thanks to all the contributors.
|Re: Google's nosslsearch a thing of the past?||Jarrod S||11/22/13 5:26 AM|
We are having issues with the nosslsearch feature as well. We have it redirecting properly, but a lot of times it is very slow. It almost seems like the redirector keeps trying to switch back and forth between ssl. Teachers and Students are really noticing this on the Chromebooks. We are currently in the process of testing an iBoss filter and have a Sonicwall as well. I was able to prove this is happening in both of those environments. Has anyone else experienced anything similar?
|Re: Google's nosslsearch a thing of the past?||Tom Steele||11/27/13 6:39 PM|
|Re: Google's nosslsearch a thing of the past?||D.Dancer||11/27/13 10:01 PM|
Use a search engine for the following terms:
"Nielsen NetRatings Search Engine Ratings"
And look at the pie chart.
They're not going to bother changing their behavior with that large a share of the pie. As far as they're concerned, they own the internet and you will use it as they see fit.
This is why I've removed them as being the home page on all machines in my network and removed them from the search engine providers in all browsers.
My home page is now the second largest search provider using
Gotta be careful mentioning their name, have had posts deleted because of this recommendation, apparently it's not kosher to mention them.
|Re: Google's nosslsearch a thing of the past?||nealeigh||12/16/13 9:54 AM|
Simply visiting nosslsearch.google.com has never been a supported option for searching unencrypted and does not work, because the "Host:" header must continue to send "www.google.com" (or one of our other supported search domains) as per normal. You can do this by making "www.google.com" a CNAME for "nosslsearch.google.com" and then visiting "www.google.com" in the browser (you can also test this by editing /etc/hosts and making "www.google.com" resolve to 18.104.22.168, the nosslsearch.google.com IP address).
If you're having problems with DNS servers that don't allow for single names to be overridden (and you're selling products), the filter vendors should be taking care of that, not the schools.
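Added example, not part of the post above and not Google's or any vendor's tooling: a Python check for the two questions this thread keeps returning to, whether an address keeps a client on plain HTTP when the Host header is www.google.com, and whether a pinned A record still matches what nosslsearch.google.com resolves to. The function names, the local stub server and the 192.0.2.x addresses are constructed for the example; the stub only models the behaviour described in the posts.

```python
import http.client
import http.server
import socket
import threading

REDIRECTS = {301, 302, 303, 307, 308}


def probe(ip, host="www.google.com", port=80, timeout=5):
    """GET / from `ip`, sending `host` in the Host header.

    Returns "http" when the server answers 200 over plain HTTP,
    "https-redirect" when it redirects to an https:// URL (the filter
    loses visibility), and "other" for anything else.
    """
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        # skip_host=True so the Host header is the one we choose,
        # not one derived from the address we connect to.
        conn.putrequest("GET", "/", skip_host=True)
        conn.putheader("Host", host)
        conn.endheaders()
        resp = conn.getresponse()
        status = resp.status
        location = resp.getheader("Location", "")
        resp.read()
    finally:
        conn.close()
    if status in REDIRECTS and location.lower().startswith("https://"):
        return "https-redirect"
    return "http" if status == 200 else "other"


def pinned_ip_drift(pinned_ip, name="nosslsearch.google.com", resolver=None):
    """Return [] while `pinned_ip` is still an A record of `name`,
    otherwise the sorted list of addresses the name resolves to now."""
    if resolver is None:
        resolver = lambda n: socket.gethostbyname_ex(n)[2]
    current = set(resolver(name))
    return [] if pinned_ip in current else sorted(current)


class StubHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the endpoint: stays on HTTP only when
    the Host header is www.google.com, otherwise redirects to HTTPS."""

    def do_GET(self):
        if self.headers.get("Host") == "www.google.com":
            body = b"plain-HTTP results page (constructed)"
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_response(302)
            self.send_header("Location", "https://www.google.com/")
            self.send_header("Content-Length", "0")
            self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_stub():
    """Start the stub on a free localhost port; returns the server."""
    server = http.server.HTTPServer(("127.0.0.1", 0), StubHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    srv = start_stub()
    port = srv.server_address[1]
    for host in ("www.google.com", "nosslsearch.google.com"):
        print(host, "->", probe("127.0.0.1", host, port))
    srv.shutdown()
    # Constructed resolver answer: the pinned address has been replaced.
    print(pinned_ip_drift("192.0.2.10", resolver=lambda n: ["192.0.2.20"]))
```

Against a real deployment, `probe` takes the address the A record points at and `pinned_ip_drift` is called without a resolver argument so it uses the system resolver.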
|Re: Google's nosslsearch a thing of the past?||Michael Dean||12/16/13 10:42 AM|
What about the schools / education establishments that do their own filtering? What about parents at home that do their own filtering? Suddenly Google's naivety and narrow mindedness has left potentially millions of young people / children vulnerable to images / websites on the Internet. Not only that, you've made it very difficult for the people that protect those young people / children, to manage their filtering services and provide the right levels of protection. Why doesn't google run a www.google.edu domain that doesn't use SSL and has a higher level of filtering employed?
|Re: Google's nosslsearch a thing of the past?||D.Dancer||12/16/13 5:29 PM|
Look at my answer above, they don't care, and will never change as long as they think they own the internet.
|Re: Google's nosslsearch a thing of the past?||Tom Newton, Smoothwall||12/17/13 12:25 AM|
However, rewriting the SNI host header *does* seem to work, as the internal HTTP host header remains "correct". I hope google don't change this functionality as a lot of Smoothwall customers use it.
D.Dancer has a point though - as I said above, there's too many companies clamouring for the education dollar while simultaneously producing products and services that just don't fit right, and are totally consumer oriented.
|Re: Google's nosslsearch a thing of the past?||Vance Kwan||1/21/14 9:13 PM|
I believe a huge part of the problem is that no matter what the google service is, whether it'd be drive, gmail, youtube even!; it is using 1 certificate that has the CN of google.com.
Is there any reason why google chooses to use 1 mega certificate to handle all their HTTPS services?
|Re: Google's nosslsearch a thing of the past?||D.Dancer||1/23/14 5:12 PM|
A 1 MEG certificate?
That would explain why it takes me so long to load goggle pages, browser is busy trying to handle that monster.
|Re: Google's nosslsearch a thing of the past?||(unknown)||1/28/14 2:50 AM|
This solution does not work -- it is easily bypassed by deleting cookies. In Safari and IE you can use parental controls to allow a user to empty history/cookies.
Google Chrome can be installed with no administrator authorizations, and allows you to do anything.
|Re: Google's nosslsearch a thing of the past?||Brett Reynolds||1/28/14 2:12 PM|
We blocked a lot of google and signed up for bing safe schools..... Wish google would follow.
|Re: Google's nosslsearch a thing of the past?||AHelpdesk||1/29/14 10:00 AM|
The nosslsearch.google.com option does still work. The problem is, you need to create a DNS forward lookup zone for your region that google redirects you to.
Still works well - make sure to enforce users to only go to your DNS via the firewall.
|Re: Google's nosslsearch a thing of the past?||Brett Reynolds||1/29/14 12:01 PM|
|Re: Google's nosslsearch a thing of the past?||Nathan Wray||1/29/14 12:22 PM|
It's very poor if you're for example a school IS admin trying to implement filtering yourself. It's completely untenable for a home user without the resources to do URL rewriting to append the safesearch string (on top of cleanly implementing nosslsearch against every possible URL). Contrast that against the explicit.bing.com approach, where you can DNS block a single name.
I'd like to see a guide, produced by Google, that outlines how they think the average home user could reasonably keep their kids from searching for "bears" and getting an eyeful of explicit thumbnails; using nothing more than a home router and tools like opendns.
|Re: Google's nosslsearch a thing of the past?||AHelpdesk||1/29/14 2:39 PM||<This message has been deleted.>|
|Re: Google's nosslsearch a thing of the past?||AHelpdesk||1/29/14 2:53 PM|
It is a terrible solution but a working solution.
You would need to create CNAME records for 200 total domains - listed here: http://en.wikipedia.org/wiki/List_of_Google_domains
This is a quick and dirty script to populate Windows DNS
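' Run this script on the Windows DNS server you are wanting to add to
Set oShell = CreateObject("WScript.Shell")
For Each sGoogleDomain In Array("www.google.com", "www.google.co.uk") ' two domains named in this thread; extend from the list linked above
  oShell.Run "dnscmd.exe . /zoneadd " & sGoogleDomain & " /primary /file " & sGoogleDomain, 0, True
  oShell.Run "dnscmd.exe . /recordadd " & sGoogleDomain & " @ CNAME nosslsearch.google.com", 0, True
Next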
|Re: Google's nosslsearch a thing of the past?||AHelpdesk||2/3/14 10:30 AM|
This setup appears to affect gmail login. An elegant solution from gmail is definitely required.
|Re: Google's nosslsearch a thing of the past?||joeytmann||2/4/14 1:44 PM|
I've been using the DNS option (an A record instead of CNAME) for about a month now. Recently, however, when a user tries to log in to our Google Apps domain, part of the redirect process pushes them to https://www.google.com/..... Now Firefox and IE handle the redirection just fine and eventually they get in. However, Chrome browsers get an err_connection_reset when they hit https://www.google.com. Kinda odd, and not sure where to go from here.
|Re: Google's nosslsearch a thing of the past?||chrisaz87||2/4/14 7:48 PM|
Here is the file with the A record instead of the CNAME with all the current google domains.
This will run on Server 2003 and on (verified working on server 2012 R2)