New PC indexing tools such as Google Desktop Search pose security risks to businesses that use SSL remote access because the tools copy material accessed during SSL sessions and make it available to unauthorized people who later use the same PC.

Caches created by PC search tools get around security many SSL vendors have put in place to purge cached data from remote machines as secure sessions shut down. These so-called cache-cleaning agents wipe out temporary files created during SSL sessions, but they don't wipe out the copies made by the search tools.

"You could end up caching and indexing files you don't want cached and indexed on machines outside your control," says Dan Harman, remote access administrator for real estate developer Lewis Group in Upland, Calif., which uses SSL remote-access gear made by Whale Communications.

One touted benefit of SSL remote-access technology is that any machine with a Web browser can be used to access a corporate network securely. The downside is that the PCs might not be owned by the corporation, so any number of unauthorized users could have access to them. "This tends to negate user authentication," says Rick Fleming, CTO of Digital Defense, a vulnerability assessment company.

Besides Google's product, such search engines are made by Blinkx, Copernic, ISYS Search Software and X1. Yahoo and Microsoft are said to be on the verge of having them, too.

SSL VPN vendor Aventail says its Secure Desktop, a virtual desktop for SSL sessions that is destroyed when the session closes, prevents files downloaded during the session from being viewed by Google Desktop Search.

To solve the problem for its customers, Whale has a software upgrade that detects whether Google Desktop Search is running on a remote PC. If so, access to the corporate network is denied or restricted. The company is developing similar upgrades to address nine other desktop search engines, says Whale CTO Noam Ben-Yochanan.

Google Desktop Search makes it easier to find data on PC hard drives and doesn't address these security concerns, a Google spokesman says. Customers can manually turn off Desktop Search or put it on pause during SSL remote-access sessions to avoid having the sessions cached by the search engine, he says.