Hacker News
Ask HN: Is Google Chrome's autotranslate feature a huge vulnerability?
27 points by jstr_ on Aug 17, 2018 | 17 comments
First, let me say that I am not a professional of any kind. I'm actually just entering my first year of undergrad.

Anyway, let's get to the point:

If someone were to use the auto translate feature to look at a foreign bank account (as an expat or something), couldn't the server request to translate your page be intercepted and read by a malicious party? It seems like a much easier point of entry than something like a key logger or something. However, like I said, I'm not a professional, or even a semi-professional. I thought of this, quite literally, in the shower.



1) It's encrypted, but most of everything has a vulnerability somewhere

2) This is a great question, of the kind more people should regularly be asking

3) Don't stop!


There are a lot of strings of text that it would not make sense to translate and not be wise to send to a remote translation service, like strings of digits, blocks of base 64 encoded text like ssh keys, digits and letters separated by punctuation like phone numbers and bank account numbers, etc.

Perhaps Google Translate should filter out non-word private tokens from the original text (replacing them with opaque identifiers that aren't translated but are left alone, and substituting the originals back into the translated text).

(PS: Are you still in the shower, posting on one of those new-fangled waterproof phones? Hopefully not a Google Glass!)
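
The masking idea proposed in the comment above, sketched as an added example (not part of the thread, and not Chrome's or Google Translate's code). The patterns, the `__TOK0__` placeholder format and the function names are assumptions, and the sample text is constructed:

```javascript
// Patterns are illustrative assumptions; a real filter needs broader coverage.
// Alternatives are tried in order at each position, in a single pass.
const PRIVATE_TOKEN = new RegExp([
  String.raw`[A-Za-z0-9+/]{32,}={0,2}`,   // long base64-like blob (e.g. keys)
  String.raw`\b[A-Z]{2}\d{2}(?:[ -]?[A-Z0-9]{4}){3,7}(?:[ -]?\d{1,4})?\b`, // IBAN-like
  String.raw`\+?\d[\d ().-]{5,}\d`,       // digits grouped by punctuation (phones)
  String.raw`\b\d{4,}\b`,                 // bare digit runs
].join("|"), "g");

// Replace each private token with an opaque placeholder and remember the original.
function maskPrivateTokens(text) {
  let marker = "TOK";
  // If the page already contains something that looks like our placeholder,
  // lengthen the marker so restoring cannot touch the page's own text.
  while (text.includes(`__${marker}`)) marker += "X";
  const originals = [];
  const masked = text.replace(PRIVATE_TOKEN, (match) => {
    originals.push(match);
    return `__${marker}${originals.length - 1}__`;
  });
  return { masked, originals, marker };
}

// Put the originals back into the translated text; unknown indices are left alone.
function restorePrivateTokens(translated, { originals, marker }) {
  const placeholder = new RegExp(`__${marker}(\\d+)__`, "g");
  return translated.replace(placeholder, (whole, i) =>
    Number(i) < originals.length ? originals[Number(i)] : whole);
}

// `translate` stands in for whatever remote service is called; it only ever
// receives the masked text.
function translatePrivately(text, translate) {
  const state = maskPrivateTokens(text);
  return restorePrivateTokens(translate(state.masked), state);
}

// Constructed sample: account number, phone number and key blob are made up.
const SAMPLE = "Konto DE89 3704 0044 0532 0130 00, Telefon +49 30 1234567, " +
  "Schlüssel AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYEXAMPLEKEYEXAMPLE";
console.log(maskPrivateTokens(SAMPLE).masked);
```

The approach only works if the translation service passes the placeholders through unchanged, and the surrounding words still reveal what kind of value was hidden.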


It might be fun for you to try this yourself.

Connect two computers to the same network. On one, use some MITM proxy software. On the other, set all the traffic to go via this proxy, either transparently (via default gateway) or explicitly via proxy settings.

Then see if you can intercept the info being sent from your browser to Google translate.

I'm not at a computer right now, but I guess that:

1. The auto-translate feature uses https, so that the traffic between you and Google is not available via network-level MITM.

2. The page contents are not sent to Google at all, but only the URL


You don't even need a proxy--just open up your dev tools and watch the network.

1. It does use HTTPS. It'd be insane if it didn't.

2. Individual strings from the page get sent to the translate API:

https://i.imgur.com/2nAlbp4.png


How could Google not have the page contents? The content generated from the URL as requested by Google may not have the same content that you currently have.


How would 2. work for pages that are behind authentication?


End to end encryption seems to be less understood by many people, even some professionals I know. HTTPS is completely secure, check this out, it's a fun read: https://en.m.wikipedia.org/wiki/Public-key_cryptography

The real question is perhaps, are we okay with Google having their eyes on everything?


Is that even the real question? If you are using chrome to visit your bank you are already assuming that Google isn't behaving badly. Your threat model changes very little when sending page contents to be translated.


You can track what comes and goes on your network; if Chrome sends information about random pages back to snoop on, then I think that quite certainly would have been whistleblown by now.

Sending a webpage ourselves directly to Google is a completely different story. We have no idea what goes on with your data behind their servers. But we can monitor what goes on in our own machines.

Also, funny how we've come to the point that we're using the term threat model to describe our relationship with the beloved Google.



Google translate refuses to work on private pages. It's actually kind of annoying, but yeah, anything past a login it refuses to do. At least for my bank and anything bill related.


As another data point, Google happily translates my bank account.


It depends how Chrome is programmed to detect languages. The language detection could be all done in the browser, and it would only send data to Google if you want to translate. The translation could be intercepted, but it could also (hopefully) be encrypted.

To get a definite answer you would need to look at the source code and go from there.


Or save yourself a ton of time and just capture the network traffic.


Not directly answering your question but still relevant. At a fairly big company I worked at as a student I was able to circumvent the website blocker of the company by just applying Google Translate to the site. Formatting and images etc. were lost but it enabled me to browse reddit.


1.) I don't know, but that's fucking cool.

2.) You should follow rahimmathwani's advice and set up a man in the middle attack. You'll learn a lot.

3.) Have I mentioned that is fucking cool???

Good work! This is the exact kind of question that everyone should ask.

PS - That is fucking cool!


If you ask a person or a service to translate things that person can of course see these things.

If your connection to that service is not secured others may be able to intercept it. Chances are that it is though. Google Translate uses secure connections.



