

Google HTTPS Security Check

TL;DR

We’ll check Google’s HTTPS setup for common issues like certificate validity, mixed content, and potential redirects that could weaken your cyber security. This guide uses simple tools you can access in a web browser or via the command line.

Checking Google’s HTTPS Security

  1. Check the SSL/TLS Certificate:
    • In your web browser, visit https://www.google.com.
    • Click on the padlock icon in the address bar.
    • Select ‘Connection is secure’ (or similar wording).
    • Choose ‘Certificate’. Examine these details:
      • Validity Dates: Ensure it hasn’t expired and is valid for the current date/time.
      • Issued To: Verify it’s issued to Google LLC or a related entity.
      • Issuer: Check who signed the certificate (e.g., Let’s Encrypt, DigiCert). It should be a reputable, publicly trusted Certificate Authority.
  2. Use an Online SSL Checker:

    Tools like SSL Shopper or DigiCert’s SSL Installation Diagnostics Tool provide a detailed report.

    • Enter google.com into the checker.
    • Look for any warnings about certificate issues, weak protocols, or vulnerabilities.
  3. Check for Mixed Content:

    Mixed content happens when a secure HTTPS page loads resources (images, scripts, stylesheets) over insecure HTTP.

    • Open your browser’s developer tools (usually F12). Go to the ‘Console’ tab.
    • Reload https://www.google.com.
    • Look for any errors related to blocked HTTP resources on an HTTPS page. These will usually be red warnings about insecure content. Google should not have mixed content, but it’s good to verify.
  4. Check for Redirects:

    Redirects from HTTP to HTTPS are essential, but incorrect redirects can cause problems.

    • Use a command-line tool like curl to inspect the redirect (add -L to follow the full chain):
      curl -I http://google.com

      Examine the ‘Location’ header in the output. It should redirect you to an HTTPS URL (e.g., https://www.google.com).

  5. Check HSTS Status:

    HSTS (HTTP Strict Transport Security) forces browsers to always use HTTPS.

    • Use an online HSTS checker like hstspreload.org.
    • Enter google.com and check if HSTS is enabled and properly configured. Google should have a strong HSTS policy.
  6. Check for Subdomain Coverage:

    Ensure all Google subdomains (e.g., mail.google.com, drive.google.com) also use HTTPS and have valid certificates.

    • Repeat steps 1-5 for common Google subdomains.
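
Steps 4 and 5 can be scripted once the `curl -I` output for the HTTP and HTTPS URLs has been saved as text. The script below is an added example, not part of the original guide: the sample responses are constructed (`www.example.test` is a placeholder host), and the function names and the one-year `min_age` threshold are assumptions of the example.

```python
from urllib.parse import urlsplit

# Constructed sample responses in the shape `curl -I` prints (not captured from google.com).
SAMPLE_HTTP = ("HTTP/1.1 301 Moved Permanently\r\nLocation: https://www.example.test/\r\n"
               "Strict-Transport-Security: max-age=31536000\r\n\r\n")
SAMPLE_HTTPS = "HTTP/2 200\r\nstrict-transport-security: max-age=300; includeSubDomains\r\n\r\n"

def parse_headers(raw):
    """Map lower-cased header names to values, skipping the status line."""
    headers = {}
    for line in raw.splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def parse_hsts(value):
    """Return (max_age or None, include_subdomains, preload) for an HSTS header value."""
    max_age, flags = None, set()
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        key, val = key.strip().lower(), val.strip().strip('"')
        if key == "max-age" and val.isdigit():
            max_age = int(val)
        else:
            flags.add(key)
    return max_age, "includesubdomains" in flags, "preload" in flags

def audit(http_raw, https_raw, min_age=31536000):  # one year: assumed threshold
    """Return findings for the redirect check (step 4) and the HSTS check (step 5)."""
    findings = []
    http, https = parse_headers(http_raw), parse_headers(https_raw)
    if urlsplit(http.get("location", "")).scheme != "https":
        findings.append("plain-HTTP response does not redirect to an HTTPS URL")
    if "strict-transport-security" in http:
        # Browsers only honour HSTS received over a secure connection (RFC 6797).
        findings.append("HSTS header sent over plain HTTP is ignored by browsers")
    hsts = https.get("strict-transport-security")
    if hsts is None:
        findings.append("HTTPS response has no Strict-Transport-Security header")
    else:
        max_age, subdomains, _preload = parse_hsts(hsts)
        if max_age is None or max_age < min_age:
            findings.append(f"HSTS max-age {max_age} is below {min_age} seconds")
        if not subdomains:
            findings.append("HSTS policy lacks includeSubDomains")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_HTTP, SAMPLE_HTTPS)))
```

To use it on real output, pass the saved text of `curl -sI http://<host>` and `curl -sI https://<host>` as the two arguments to `audit`.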

If you find any issues, it’s unlikely to be a problem *with* Google’s security itself (they are very good at this). However, it could indicate an issue with your browser configuration or network setup.
