Google Switching to SSL By Default For Logged-In Users

nonprofiteer writes "Google plans to encrypt search for signed-in users, so that websites will no longer get to see the search terms that led a user to their site, though they will get aggregated reports on the top 1000 search terms that led traffic to their sites."

the top 1000 search terms

[treeves]

That should be good enough, right?
Is this a good for Google, doing the right thing story, or is there more to it than meets the eye?

Re:the top 1000 search terms

[ackthpt]

That should be good enough, right?
Is this a good for Google, doing the right thing story, or is there more to it than meets the eye?

Good or bad, doesn't matter. Microsoft will try to roll out the same thing in about 18 months to much ballyhoo and fanfare.

Re:the top 1000 search terms

[hawguy]

That should be good enough, right?
Is this a good for Google, doing the right thing story, or is there more to it than meets the eye?

It's better than nothing, which is all that Google is obligated to give them.

Re:the top 1000 search terms

[X0563511]

I think it's more good for everyone. it's not like you couldn't search via SSL before.

Re:the top 1000 search terms

http://web-ngram.research.microsoft.com/info/bingbodyjun09_top100kwords.txt

Re:the top 1000 search terms

[TechLA]

Google isn't doing it offer better privacy. It's doing it cause trouble for competing services. It basically requires all website owners to sign up with Google to access Analytics and Webmaster Tools. It's purely an anti-competitive thing and intented to destroy their compteitors. I'd be surprised if FCC doesn't start to crack on Google's monopoly tactics soon. Google is the new Microsoft.

Re:the top 1000 search terms

[Threni]

In which field is Google a monopoly?

Pretty much all actions performed by a company are designed to destroy their competitors. That's the nature of the game.

Re:the top 1000 search terms

[modmans2ndcoming]

Right.....so to protect the market and consumers the ftc needs to force Google to open up its database of user information to the public and prevent users from having encrypted connections to the Google servers.......you show 'em!

Re:the top 1000 search terms

[epine]

Google is the new Microsoft.

Every public company is required by law to become the next Microsoft if the business opportunity presents itself in order to provide maximum return to shareholders.

But then, you can take it to a whole new level by submitting falsified video tapes to the DOJ.

The government produced its own videotape of the same process, revealing that Microsoft's videotape had conveniently removed a long and complex part of the procedure and that the Netscape icon was not placed on the desktop, requiring a user to search for it. Brad Chase, a Microsoft vice president, verified the government's tape and conceded that Microsoft's own tape was falsified.

So yes, Google is getting grubbier, but it has yet to descend to flinging feces around like chocolate bon bons.

Re:the top 1000 search terms

[daath93]

They are doing it so sites can't get the information without using their service, "Google Insights for Search".

Re:the top 1000 search terms

What owner of any website that has significant traffic (and cares about traffic) isn't using Google webmaster tools already? Its not like they charge for signing up.

Re:the top 1000 search terms

[dririan]

I'd be surprised if FCC doesn't start to crack on Google's monopoly tactics soon.

I'd be surprised if the FCC considered using HTTPS a monopolistic practice. I'd be even more surprised if the FCC told Google "Encryption is good for security, but you can't use it, because it stops Referrer headers from being sent. Your users will just have to go without crypto."

Re:the top 1000 search terms

[skids]

Well, really, using HTTPS and providing the linked site with a referer URL are two different things entirely, the OP makes them sound like the former necessitates the latter. The latter has more downside than the former, but both are defensible privacy measures.

Re:the top 1000 search terms

[physburn]

That really a lot of internet marketers and SEO specialists having to change there jobs completely. Marketers will no longer to owning the top buzzwords, and people creating for hobbies, work or leisure will get nearer the top of the pile. Should be good for readers, and might lead to more advertising spending and link gaming. So sound good to me.

Re:the top 1000 search terms

I wonder if the fact alot of ad blockers don't work on ssl content has anything to do with it?

Re:the top 1000 search terms

[physburn]

Correction, that should read, and might lead to more advertising spending less spent on changing content to get the ranking.

Re:the top 1000 search terms

[cdrudge]

It basically requires all website owners to sign up with Google to access Analytics and Webmaster Tools.

If they don't already have an analytics package, or a Google account to access the webmaster tools for their search engine, the site maintainer either doesn't care about their site's SE performance, or is a complete idiot, or both.

Re:the top 1000 search terms

[Shihar]

If using encryption is a monopoly tactic, I'll take more monopolies plz. We should "monopoly" the entire web.

Re:the top 1000 search terms

[Confusador]

Every public company is required by law to follow their Articles of Incorporation

You can set up a corporation with whatever goals you want, maximizing shareholder profit doesn't have to even be on the list. For most corporations it is, de facto, but don't make the mistake of thinking that it has to be.

Re:the top 1000 search terms

[Omestes]

Sure, its bad for sites and webmasters... But its good for me, so I don't care. As a normal person, how is this bad for me? Where is my downside? I don't give a rat's ass if someone gets one less bit of information off of me.

So, Google is helping their bottom line, and their helping me with privacy. Sounds like the definition of "win-win" to me.

Also, you realize you could already use Google as an encrypted service, right? This just makes it the default. Should we ban the use of secure connections now, since it impedes snooping?

Re:the top 1000 search terms

[datavirtue]

When does the algorithm come out of patent protection anyway?

Re:the top 1000 search terms

[datavirtue]

Slowly, people are realizing that stability and profits are maximized by being a service to your customers, employees, and the world--profit is a consequence of these priorities. Henry Ford spoke of this when he was building Ford Motor Company.

Re:the top 1000 search terms

[datavirtue]

Engaging Webmaster Tools is just part of maintaining an active website. Google analytics just slows your site and is not any better than your own server logs.

Re:the top 1000 search terms

[datavirtue]

For users who are logged in; an extremely small fraction of users.

Re:the top 1000 search terms

[Omestes]

Is it? Almost everyone I know searches while logged in, at least on PCs.

Re:the top 1000 search terms

[rufty_tufty]

"Every public company is required by law to become the next Microsoft if the business opportunity presents itself in order to provide maximum return to shareholders."
Show me the law.
I know there are laws that say they are required to follow the votes of your shareholders and hold AGMs and suchlike but show me where it says companies must maximise profits/share price at the expense of everything else.

Re:the top 1000 search terms

[Caratted]

Guess you haven't used AdWords much. Google has no qualms letting you know they own 90+% of online advertising/SEM and that if you wish for your paid inclusion to use the best demographics and get your product in front of a target audience, it simply must be through them.

Refreshing

This will break those sites that automatically generate content based on your search query.

Re:Refreshing

[Moheeheeko]

Its always fun to mess with those sites just a bit. "find 'weapons grade uranium' for sale here!"

Re:Refreshing

I've always wondered this: how did those sites GET my search terms?

Well, I stopped using google some time ago, but back when I was, how did they get it? I enter some terms to google.com - how does sleazywebsite.com even know that I did a search? Google knows obviously and returns the sites from its map of keywords to domains. But presumably it doesn't notify every site on the internet that matches my search that I just did one, and I've seen this happen for search terms that I'm pretty sure are unique, and nobody in the history of the internet had ever searched for in that combination before.

Re:Refreshing

[Qwell]

referer

Re:Refreshing

[dead_user]

Yay!

Re:Refreshing

[blair1q]

Since the link you follow is a result of the search, it's got the content baked-in.

Those sites that were spying on search results to decide what to do were trying to be too smart.

Hopefully what this really fixes is the massive disconnect between prices reported by Google Shopping and the price shown on the click-through, which happens so often that it must be the result of futzing with what Google sees and what the user sees for the same search term.

Re:Refreshing

[MobyDisk]

I would love to find a site that does that and change my user-agent string to Googlebot. Would they actually let me check-out at the lower price?

Re:Refreshing

[D'Sphitz]

when you click a link the referring url is sent in a header. with google and most other search engines your query is in that url.

Re:Refreshing

But I never clicked the link, and I spoof the referrer. Doesn't add up. You see those sites and results even if you don't click on them.

Re:Refreshing

Maybe I'm missing something, but if it's generating the content based on the search data in the referrer, how does it rank for the term in the first place? It doesn't get the referrer information until I actually click through to the site. Seems to me it's a chicken and egg scenario...

Re:Refreshing

The referer is not set when you come from HTTPS.

Re:Refreshing

"referer"

Doesn't make sense. These are shown in the results even for things you don't click on, and for ones you do, they are present BEFORE you visit the site. There is no referrer.

Re:Refreshing

[kabloom]

And I should point out (since the GP doesn't know about referers, he probably needs more than a one word answer) that the Referer is a field in your HTTP request that's automatically sent by your browser telling it the address of the website that you came from. Since Google (and other search engines) put the query string in the URL of the search results page (like they should), the website can read the results out of the URL and know what your search terms were.

Google didn't invent this as a way to invade your privacy -- it's been a feature of the web since the early days.

Re:Refreshing

[The+Archon+V2.0]

Its always fun to mess with those sites just a bit. "find 'weapons grade uranium' for sale here!"

I recall one fake wiki that was supposedly a fix-your-computer site but every "wiki" page was a template using search terms to personalize the page, and they all suggested running the same EXE. Could make for some amusing pages by feeding it really disturbing strings for errors. Was loads of laughs for about 2 minutes.

Re:Refreshing

[Pseudonym+Authority]

Any sites doing such shady, and illegal, bait-and-switch tactics probably aren't ones that you really want to be buying from.

Re:Refreshing

[antdude]

And that can be blocked/disabled in clients like web browsers. However, some sites require them. I always block my referrers that get sent if possible.

Re:Refreshing

[williamhb]

And I should point out (since the GP doesn't know about referers, he probably needs more than a one word answer) that the Referer is a field in your HTTP request that's automatically sent by your browser telling it the address of the website that you came from. Since Google (and other search engines) put the query string in the URL of the search results page (like they should), the website can read the results out of the URL and know what your search terms were.

Google didn't invent this as a way to invade your privacy -- it's been a feature of the web since the early days.

It's also what was behind the "Bing copies Google" ridiculousness some time ago. For Bing toolbar users, the HTTP request when you visit any site is also sent to Microsoft (if you have "suggested sites" turned on), so they get the traffic stats. Bing also used the Referer that brought a user to a page as one of its minor indexing terms. By clicking a link on a page, the user has indicated they think the link is relevant to what they are looking for -- so the Referer, and especially any query contained within it, is pretty good information. And it's the user's information -- the user both typed the search query, and chose to click the link. Google's experiment spammed the signal by ordering employees to visit a page for a made-up search query (non-existent words) so that those paid click-throughs would be the only information Bing could receive for those made-up words. The words didn't exist, so Bing couldn't index them off the web -- so it doesn't matter what algorithms Bing uses, that forced the paid click-throughs to be the only results because there was no other source of data in the world for those words. Google then spun it that it was Google's information that Bing was using (Google own their generated results page, most of which was not clicked on and did not appear in Bing) rather than the human user's information (what sites the user chooses to visit). The difference being that if it's the human user's information (if your clicks belong to you not Google), then the human user within his rights to give that information to whomever he likes, including Microsoft, and Microsoft are within their rights to use it as an index signal, albeit according to them it was a very minor one.

There is a current relevance to this history. That Referer information from the user's browser is valuable data. By making this change, Google is ensuring that they get this valuable data and other's don't. They get to see the full details of both where you came from and where you went; others only get the full details of where you went, and no longer get full details on where you came from. That's a straightforward business advantage. They can then sell more detailed stats to companies (in a freemium model), sell tools that let you access the Referer information that users used to give you for free, etc. While there's a privacy angle to this story (your data is now sent to fewer places), there's also money in this decision.

Re:Refreshing

[Yaur]

what you see is not what google bot sees. They generate a page with a bunch of phrases for the crawlers (through UA sniffing and/or IP address) and another for normal users.

Re:Refreshing

[TheInternetGuy]

They don't even need to look in the referer, the search terms are encoded in the outgoing URL from google.

Look here, I did a search for slashdot anonymous coward on google.

The outgoing URL of the first result looks like this (notice the 'q=slashdot+anonymous+coward'):

http://www.google.com/#sclient=psy-ab&hl=en&source=hp&q=slashdot+anonymous+coward&pbx=1&oq=slashdot+ano&aq=1&aqi=g3g-v1&aql=1&gs_sm=e&gs_upl=0l0l2l80l0l0l0l0l0l0l0l0ll0l0&bav=on.2,or.r_gc.r_pw.r_cp.,cf.osb&fp=83772172fe6f82d1&biw=1840&bih=990

So technically I don't see how this would be affected by changing to https.

Re:Refreshing

[datavirtue]

Reminds me of those driver websites that embed Google ad links into download buttons. Complete violation of Google TOS yet the whole site is based on that technique and returns on the top of search results.

Re:Refreshing

[MobyDisk]

true!

Javascript on links...

Good, but how about getting rid of the javascript embeded on de search result links? Not only makes them slower, but it also send all the information to your servers.

Now im using duckduckgo.com

Re:Javascript on links...

[I(rispee_I(reme]

Also, they moved the "cached" search results inside the website preview.

Now you can't get cached results if you have javascript disabled, and you still have to wait for that lame thumbnail to pop up in order to hit google's cache.

Re:Javascript on links...

[hawguy]

Also, they moved the "cached" search results inside the website preview.

Now you can't get cached results if you have javascript disabled, and you still have to wait for that lame thumbnail to pop up in order to hit google's cache.

So that's where the cache link went! I assumed they stopped providing cached pages at all.

I really don't care to see the thumbnails that are so tiny that the text is unreadable, I wish they'd bring the cache link back to the search results page.

Re:Javascript on links...

[X0563511]

The preview is sorta-useful.

You can see that a link is obviously link-farm or other trash without sending them a click or giving them an opportunity to rape your browser.

Re:Javascript on links...

> Now im using duckduckgo.com

Yayy! Except... DDG often redirects outbound clicks through duckduckgo.com/l/${URL}

What are you going to do now?

Re:Javascript on links...

[kyz]

Or you could install this Greasemonkey script which brings back the cached and similar links in google search

Some deal

[Hatta]

So I have to sign up with google and let them track me, or they'll divulge my searches to websites who will track me?

Re:Some deal

[Hatta]

Never mind, I should RTFA. For the rest of us who didn't: encrypted.google.com.

Re:Some deal

Or go to https://www.google.com/ without being logged in. It isn't that hard to add an s in there, is it?

Re:Some deal

It's not Google divulging your searches to websites, it's you. Well, it's your web browser to be more precise, see http://en.wikipedia.org/wiki/HTTP_referrer especially the section on Referrer hiding.

Re:Some deal

[blair1q]

Google tracks you plenty without you signing in.

Re:Some deal

[scdeimos]

You are the product.

Re:Some deal

You are the parrot.

Re:Some deal

You are the product.

Common misconception, but no. He is the consumer. If he was the product, the ads would be about him instead of being shown to him. Consumers have money and see ads, products don't and are put on ads. Google doesn't sell your information despite being oft claimed they do, they absolutely don't. Their entire business model revolves around them NOT letting anyone else have your information. Thus no Google user is ever the product, or Google wouldn't be making any money.

Re:Some deal

[Yaur]

note however that https://google.com/ will redirect you to http://www.google.com

Re:Some deal

[scdeimos]

Google doesn't need to sell your information to make you the product.

Google is paid money to put advertising in front of you. By tracking you and your browsing habits they are able to build a better profile on you and are able to put targeted advertising in front of you based on your interests. They are able to charge a premium for that targeted advertising because other people selling products feel they are getting better bang for their buck (as opposed to blanket advertising on television, or spam/UCE) due to the higher conversion rates.

Re:Some deal

[swillden]

They are able to charge a premium for that targeted advertising because other people selling products feel they are getting better bang for their buck (as opposed to blanket advertising on television, or spam/UCE) due to the higher conversion rates.

It's actually more direct than that.

The vast majority of Google's advertising revenue comes from pay-per-click advertising, and the ad that is shown is selected based both on your likely interests and on a real-time auction among advertisers. So, Google's goal is to put in front of you the highest-paying ad that you are likely to find sufficiently interesting that you click on it. More precisely, you can think of each possible ad you could see as having an expected value to Google, which is determined by the amount the advertiser will pay Google if you click on it times the probability that you will click on it, and Google's goal is to display the ads with the highest expected value.

Thus, the more Google knows about who you are and what you're looking for right now, the better job it can do at estimating the click probability function for each ad.

From Google's perspective, this is a win-win-win. It's a win for Google, obviously, because it's the way they make the most money. It's a win for the winning advertiser because the advertiser got an interested (at least enough to click) person to their site, for a price that's a little less than what they offered to pay -- plus Google also provides advertisers with extensive feedback that helps them optimize the effectiveness of their ads and even their site (but doesn't share any user info). Finally, it's a win for the user because it provides ads about things that are interesting and useful to him/her.

In Google's view, if Google shows you an ad that you don't click on, that's a failure. That means Google fails most of the time, but really hard problems are like that. It also means that it's better to display no ads than ads that the user won't care about. If Google were able to do its job perfectly, you'd click on every single ad Google shows you, and proceed to buy from each advertiser -- and you'd be happy about it because in each case you found just what you were looking for.

The perhaps non-obvious implication of all of this is that users are not Google's product. Not from Google's perspective. Rather, advertisers and users are both customers, and Google maximizes its income by serving both effectively, by pointing users towards products they actually want to buy. The service Google sells is a sort of digital matchmaking service, and while it's the advertisers who pay Google, the users are at least as important -- since they're the ones who ultimately pay the bills.

At least that's true for pay-per-click advertising. Google does do some pay-per-impression advertising, and that's different. In the pay-per-impression model the goal is to build brand recognition or to steer consumer perception, and there the user is definitely the product. That's a pretty small piece of Google's business, though.

(Disclaimer: I work for Google, but not in anything ad-related, and everything I've said above is public knowledge.)

Re:Some deal

So I have to sign up with google and let them track me, or they'll divulge my searches to websites who will track me?

google was already tracking you anyways! :)

Mixed Bag

On one hand automatic encription for logged in users. On the other hand google can track you better if your logged in. When your logged in they can build a profile on you based on your search terms. But many people are logged in anyways. So mixed bag.

Re:Mixed Bag

[bhagwad]

To not be "evil" 100%, what do you suggest Google should do?

Re:Mixed Bag

[X0563511]

Such a shame you don't actually have to log in, isn't it?

Re:Mixed Bag

[cheater512]

This does not change or make you log in. It is just changing the default preference.

You can still use it encrypted without logging in. There is no increase in any data collection.

Re:Mixed Bag

[ColdWetDog]

To not be "evil" 100%, what do you suggest Google should do?

Make Richard Stahlman CEO?

Good or bad?

[Daetrin]

Is this going to be considered good because it helps protect our privacy from the websites? Or bad because Google is effectively monetizing the private information by keeping the details to themselves (and using it?) while only handing out aggregate data to everyone else? I can see arguments being made either way.

Re:Good or bad?

[JustSomeProgrammer]

The thing I noticed was that they called out organic searches only. Does this mean the paid links in search will still have access to the search terms used?

Re:Good or bad?

[blair1q]

How is it private information when you presented it to Google for them to do the legwork on finding 1.8 million matching websites?

They're making it a shared secret between you and Google instead of a broadcast message to every link you choose to click.

They're monetizing it because, well, they are the ones who gave you the free advice. 1.8 million times.

Re:Good or bad?

[Pharmboy]

The thing I noticed was that they called out organic searches only. Does this mean the paid links in search will still have access to the search terms used?

You can easily tell which search term was used by using a different address for each search term. (Google allows you to show only the domain name and not the full URL in ads) We have done this for years to a small extent. If you really want to get technical, you make the link for a search term (example: "soap") to be like "www.mydomain.com/myapp.cgi?soap" and have the cgi log and redirect to either the index page, or individual pages based on the term if you like. Just add each search term in the cgi, and a default if nothing matches. Now you automatically know the search term used, their IP and the fact that Google provided it, assuming you also log referring URLs. Simple Perl even for non-programmers like myself, a couple dozen lines of code, plus a line for each term.

The real work is changing your ads up, which is simple if you have 20 keywords, or a bit more difficult if you are like us and have around 300. I don't know if this includes the ads, but this would satisfy most needs.

Re:Good or bad?

[datavirtue]

300 keywords for one site? You're doing it wrong.

Re:Good or bad?

[Pharmboy]

Or you are selling a lot of different products with different brand names....

Google Analytics

Doing this would break 90% of the website traffic tools out there, unless they allow Google Analytics and Webmaster Tools to use this data as they do now. It's the referer [sic] that would be empty in the Apache logs I suppose.

Good with the Bad...

[Bahlzahn+Yuerchin]

Unfortunately, it's a bit of a tradeoff. Instead of third party sites getting more details on how you arrived there, Google gets to build a more detailed profile on you via your user name now instead of simply your IP address. I don't particularly care for it either way.

Re:Good with the Bad...

[canajin56]

Encrypted search works without being signed in. It's also 4 months old. The news is they are making it default for signed in users, not that it exists.

Re:Good with the Bad...

[amRadioHed]

One and a half years old, not 4 months old. They said the encrypted search was introduced 4 months after encrypted Gmail was standardized, back in January last year.

Re:Good with the Bad...

[Baloroth]

It's more than 4 months old. I've been using Google SSL searches since last summer some time. Basically, all this news means is that Google feels their SSL search is ready for wider deployment.

Re:Good with the Bad...

[canajin56]

Well, at least I got that number from somewhere, right? :(

Re:Good with the Bad...

[DragonWriter]

Unfortunately, it's a bit of a tradeoff. Instead of third party sites getting more details on how you arrived there, Google gets to build a more detailed profile on you via your user name now instead of simply your IP address.

That would be a "tradeoff", if non-logged-in users couldn't also use encrypted Google search with the same features: https://encrypted.google.com/

Re:Google Analytics - SEO's will be upset

[xmas2003]

Yep - referrer will show as NONE ... so similar to if a user is coming to the site by typing the URL. Since you don't have the keywords in the weblogs, those tools don't have anything to parse ... and the Search Engine Optimization people aren't going to be happy about.

What a pity

I loved trolling webmasters with crazy referrer search terms.

Re:What a pity

[irventu]

There are actually websites that "spam" the referer [sic] since when using Google Analytics, usually one visits these websites to see where the link is/was.

Re:Google Analytics - SEO's will be upset

[mr1911]

Oh no! We can't offend the SEO deities.

Re:Google Analytics - SEO's will be upset

[irventu]

I am a *search engine optimization* person and I'm NOT happy about it--this takes away about 90% of data used for SEO strategy.

google privacy

Given all the (totally justified) hatred directed towards Facebook, why do people still use Google, when there are other search engines that don't aggregate every bit of info about you and sell it on?

Google's hooks are all over the internet just as much as the FB Like button. Why does everybody seem to give them a free pass, when they hate FB for the same reason?

It isn't like Google is the only search engine otu there....

Re:google privacy

[D'Sphitz]

It isn't like Google is the only search engine otu there.

But they're the best. By a long shot.

Re:google privacy

[lgw]

These days I find that DuckDuckGo often gives better results - it's a toss-up. Perhaps that's because the SEO guys are crapping all over Google specifically, but I don't fell like I'm missing out when I use ddg.gg for privacy/bubblefree search.

Re:google privacy

[smellotron]

These days I find that DuckDuckGo often gives better results - it's a toss-up.

I recently switched to DDG both at home and at work. The "red box answer" tends to be very good, but IME the overall quality of the first two pages is worse than google's. However, when I want the google results I can just enter !g search terms and BAM I get the google results. It's similar to how Opera has done search engines for a long time, but it's nice to have everything pre-programmed. Because of this, making duckduckgo the default search engine is strictly an increase in functionality.

Re:google privacy

[datavirtue]

Google provides a valuable service that lifted the internet out of the dark ages. I'm still grateful (after 10 years) and happy that they are prosperous. I used excite for all search "back in the day" and dropped it the second I discovered Google. People forget, some people just don't know. Google -to- Facebook is no comparison.

Re:google privacy

[lgw]

I used to compre the results a lot. There are definitely times when Google is better, but wow, when I'm searching for product information on something that attracts SEO maggots, DDG is far better.

Will break wifi access point redirection

Lots of people set Google to be their homepage, so in future people will be setting their homepage to be a secure page.
Many public access points use HTTP 300 to redirect user's homepages to their own page (so they can buy access or agree to terms and conditions). When the homepage is a secure page the access point can't and won't redirect it. Typically the browser just times out. At this point most people will decide the access point is broken.

I already consider these access points broken, but more people will notice it now.

Re:Will break wifi access point redirection

Well, I'd call that a good thing (I also consider those broken, and awareness of that is good), but I'd expect most people to try some other page before giving up, perhaps assuming google is down, even though they won't catch what the issue is

Re:Will break wifi access point redirection

[mjr167]

Google can go down? But Google is the test page for the internet!

The referrer field sucks.

Good idea, but before the Internet was polluted with marketers and search engine spammers.

I've left referrers disabled for years.

HTTPS to HTTPS

For the version of firefox I'm using now:
HTTPS to HTTPS - Passed
HTTP to HTTP - Passed
HTTP to HTTPS - Passed
HTTPS to HTTP - Not passed

So if you want the referrer as a webmaster, run a secure site

Re:HTTPS to HTTPS

[BBTaeKwonDo]

Sure, but the link farms don't want to pay for SSL certificates for their subdomains such as https://viagra.spamsite.com/ , https://buy-viagra.spamsite.com/ , etc. I think I'm going to like this change.

Re:HTTPS to HTTPS

but you can buy a single certificate for *.spamsite.com and it covers them all

Re:HTTPS to HTTPS

[mounthood]

HTTPS to HTTP - Not passed

So if you want the referrer as a webmaster, run a secure site

Many Google search result links go through redirection. They use JavaScript so the browser still shows the URL if you hover over the link. Here's what's included on an SSL search result link:

onmousedown="return rwt(this,'','','','1','AFQjCAHIe9S3k-PkE4lzgXFEjII7Gc_PVg','','0CEM0FjAA')"

This way they can record your selection when you click a link. Redirecting isn't necessary to record your selection (they could use AJAX) and they don't seem to redirect all the time. So if you click a link that's redirected to another Google page, your browser won't send a referer [sic] with the search terms any more. I think they'll have to redirect ALL search links to implement this.

Curious choice of cipher..

I would have thought Google would be using AES-128-GCM for this, considering new Intel CPUs implement that completely in hardware and are very fast. RC4-SHA-1? Weird.

Re:Google Analytics - SEO's will be upset

[ackthpt]

I am a *search engine optimization* person and I'm NOT happy about it--this takes away about 90% of data used for SEO strategy.

You mean, like when I'm trying to look up some local bit of history and the first 5 pages of results are trying to sell me real estate, service, yelp reviews, etc?

Find homes near Hanging Trees!!!

Re:Google Analytics - SEO's will be upset

[EvanED]

Yep - referrer will show as NONE

That's not quite true, at least based on TFA. It says that you'll still be able to tell the search came from Google, just not what the terms are.

HTTPS Everywhere

...is a Firefox plugin that does that for you anyways. Google has a standard HTTPS page, as does a number of other sites, like Wikipedia.

While I applaud Google for doing this for its signed-in customers, people should be using HTTPS for everything, everywhere, if possible. Sure, it has its flaws, but better flawed privacy than no privacy.

Re:HTTPS Everywhere

[Tomato42]

Definitely this! If they also started checking if the same pages aren't available using HTTPS on other sites and presenting HTTPS links to users it would be golden!

Re:HTTPS Everywhere

[ThatsNotPudding]

HTTPS Everywhere seems to slow things down more than it should, though.

Re:HTTPS Everywhere

[archen]

This generally isn't the plugin, but has more to do with the way websites are set up. For some sites like wikipedia it's noticeable, but still usable. java.com loads the front page but then simply doesn't work at all. Either way if you're concerned about speed for some sites, you can selectively turn it off.

Re:Google Analytics - SEO's will be upset

Good, get a real job

Compete with Facebook?

[otaku244]

My guess is that they feel like Google wants to emulate that facet of the Facebook model. It has been said that Facebook's database of user activities and preferences is superior because it shows a more qualitative preference than "a random Google search." By walling off authenticated users, they make it possible to tie search terms more accurately to a particular user. This should shift search preferences and habits results... perhaps even improve the quality.

Re:Google Analytics - SEO's will be upset

[X0563511]

Such a shame.

Try getting a real job, you damn parasite!

wow

Been using google ssl for many months now. Hardly seems like a big deal since ssl is not as secure as once thought. Way to come in on the backend google.

Re:Google Analytics - SEO's will be upset

[TheReaperD]

Let me put this as simply as possible: Whah!!!

Forced Safesearch (by proxy) defeated using https

[CityZen]

Hmm. At certain places (of employment), they use a proxy that always forces Google searches to have SafeSearch on. Using https for Google appears to bypass this particular constraint. For the moment, anyway.

Re:Google Analytics - SEO's will be upset

[icebraining]

I don't see how they'll do that. The browser controls the referer header, no Google.

Re:Protects Google, not their customers.

[icebraining]

Other people get the user's advertising data when the users are on their site. Just like Google.

Re:Forced Safesearch (by proxy) defeated using htt

[icebraining]

Well, they can still MITM the connection, since they have the power to install their own CA certificate on the employees' computers.

Squid has SslBump and Dynamic SSL Certificate Generation for such purpose.

Re:Forced Safesearch (by proxy) defeated using htt

[HTH+NE1]

Hmm. At certain places (of employment)

(and of education and of public services)

they use a proxy that always forces Google searches to have SafeSearch on. Using https for Google appears to bypass this particular constraint. For the moment, anyway.

The IP range for secure searching is different from the IP range for other Google secure services. Such institutions just block access to Google secure search IPs, redirecting you back to the insecure version so they can spy on you and deny and/or punish you for seeking inappropriate knowledge (Security Now 255, 27:37 - 33:20).

There's no need for a gateway to act as a MITM performing encryptions and decryptions when it can be a MITM forcing plaintext communications for more efficient monitoring.

cryptome.org had some great posts on SSL

[AHuxley]

http://cryptome.org/0005/ssl-broken.htm on this issue.
Welcome to en.wikipedia.org/wiki/Clipper_chip, Enigma or the fun of Data Encryption Standard era standards in your new safe browser.

Re:Google Analytics - SEO's will be upset

[the+eric+conspiracy]

Admitting that you are an SEO professional is the same thing as admitting that you are in charge of causing people's search engines to return corrupted and useless results.

Everyone benefits

[FyberOptic]

This is particularly beneficial to all the hapless people who think using open wifi is perfectly safe. And it saves Google from having to deal with stolen accounts as a result. That's why it's so popular on places like Twitter and Facebook, too.

That's not to say that SSL is perfect, and a hapless user can still be tricked or spied upon once somebody starts ARP spoofing'em or SSL stripping or what have you. But some protection is better than none.

Incentive for more sites to go SSL

Sites can still see your search terms (aka referrer) if they are https.

Hopefully this will provide an incentive for wider SSL implementation!

What about Google Analytics?

[fivevoltforest]

It's funny to think about Google hiding referrer data from their own service.

Greasemonkey

So far so good, but do you Greasemonkey to rewrite the links so Google can't use HTTP redirection to know which result you clicked? Oh wait, Greasemonkey doesn't work very well for encrypted websites...

No more cookies needed

Every client/browser has a unique SSL-key. This allows Google to identify every searcher with much higher accuracy than cookies would ever do. And there's no way to turn it off.

Google Analytics

[myspys]

Since Google accounts for 90% (or more) of the searches performed, what use is the keyword-part of Google Analytics?

Or will they in some magical way make it work with GA, but no other tracking tool?

Re:Google Analytics - SEO's will be upset

[datavirtue]

Awesome. Gaming the system IS the current issue with search. It is very discouraging to offer a real service (information, software) or free product and be overridden by commercial interests in search results because they pay thousands of dollars for SEO pros. Search is close to broken in some respects, human manipulation pandering to the quantifiable metrics of the algorithm are hurting search. I think this move by Google is killin gseveral birds with one stone. Hopefully it is no the end to changes that deflect SEO. Organic SEO is fine where you optimize your site to make it easier to search, but it doesn't cost $2000 - $5000 a month to do this.

POST Search Results

[TheNinjaroach]

Couldn't Google change their HTML form method to use POST? That would remove most of the value from the HTTP-Referer header.