Concerns Over Google Modifying SSL Behavior

Lauren Weinstein writes "Google is handling SSL search queries on https://www.google.com/ in a manner significantly different than the standard, expected SSL end-to-end behavior — specifically relating to referer query data. These changes give the potential appearance of favoring sites that buy ads from Google. Regardless of the actual intentions, I do not believe that this appearance is in the best interests of Google in the long run."

Winded and pointless

The gist: Google actively hides referer data when linking from the new SSL site, even if the site that is linked to is also an SSL site, except when the link is an ad.

Well, tough titties. It's Google's site, they can link to you any way they want. If they want to redirect the visitor in a way that hides the query from the linked-to site, that's their prerogative. They could simply make their whole search engine POST the query and you'd never see the search terms, not even with plain HTTP. What are you gonna do about it? Oh right, whine on your blog and have Slashdot link to it.

I turn off the referer header in all browsers and proxies I set up. With the exception of a few shady third-rate direct download web sites whose hotlinking protection trips over this, nobody requires it. One information leak less to worry about. Eat shit, SEO scum.

Re:Winded and pointless

[TheLink]

I don't see why it's such a big problem.

Solutions/workarounds:
a) just don't click on the ads
b) block google ads from their search page.

Should be easy to do a) right?

Yawn

[TheEyes]

You know, I'd be a lot more concerned about this kind of thing if we weren't hearing Slashdot stories crying wolf practically every day. I'm just not impressed with people trying to call Google evil anymore; none of these so-called revelations have panned out so far, so how likely is this one to go any differently?

Re:Its in the best interest of users

[DarkFencer]

Yes, it is better for Google's users because they get to see referer data, probably even when they shouldn't.

Oh...you thought *you* were one of Google's users? Chances are you are product, not a customer or a user.

I know exactly who the 'product' and who the 'consumer' of Google is.

Its irrelevant to this. When traffic is HTTP or HTTPS for Google searches, Google gets that traffic either way. When the traffic is HTTPS though, that means LESS people are getting it (wireless sniffing, routers along the way, etc.) in an unencrypted format. I really could care less what information the sites I go to are missing from the search I entered that brought me to them.

Re:Its in the best interest of users

[CAPSLOCK2000]

That's not the point at all. Frankly, this has only little to do with SSL.

The point is that if you pay for Google-ads, you will receive the referer-information, regardless of whether your site uses HTTPS or not, even when its breaks security for the user. If you don't pay you won't get the info.

Re:You're the product, not the customer.

I would love to pay for Google. I would rather pay, get zero ads (without ad blocking), and BE the customer. Let the company's interest align with pleasing me rather than USING me. Today, there is rarely an option to pay for services directly. So you're only choice is often a "free" service where your every movement is harvested for ad dollars.

Re:You're the product, not the customer.

[sexconker]

This is why you disable third party cookies, and use ad block plus and noscript.

Users have to be proactive about security. Nearly every fucking site out there is actively working against good security practices even when they're not compromised by an attacker. The browsers are all in a race to reach stupid version numbers, pass some arbitrary and ridiculously convoluted css benchmark, and enable javascript bloat by endlessly tweaking the performance of the js engine.