Concerns Over Google Modifying SSL Behavior
Lauren Weinstein writes "Google is handling SSL search queries on https://www.google.com/ in a manner significantly different than the standard, expected SSL end-to-end behavior — specifically relating to referer query data. These changes give the potential appearance of favoring sites that buy ads from Google. Regardless of the actual intentions, I do not believe that this appearance is in the best interests of Google in the long run."
You know, I'd be a lot more concerned about this kind of thing if we weren't hearing Slashdot stories crying wolf practically every day. I'm just not impressed with people trying to call Google evil anymore; none of these so-called revelations have panned out so far, so how likely is this one to go any differently?
I know exactly who the 'product' and who the 'consumer' of Google is.
Its irrelevant to this. When traffic is HTTP or HTTPS for Google searches, Google gets that traffic either way. When the traffic is HTTPS though, that means LESS people are getting it (wireless sniffing, routers along the way, etc.) in an unencrypted format. I really could care less what information the sites I go to are missing from the search I entered that brought me to them.
That's not the point at all. Frankly, this has only little to do with SSL.
The point is that if you pay for Google-ads, you will receive the referer-information, regardless of whether your site uses HTTPS or not, even when its breaks security for the user. If you don't pay you won't get the info.
I don't see why it's such a big problem.
Solutions/workarounds:
a) just don't click on the ads
b) block google ads from their search page.
Should be easy to do a) right?
This is why you disable third party cookies, and use ad block plus and noscript.
Users have to be proactive about security. Nearly every fucking site out there is actively working against good security practices even when they're not compromised by an attacker. The browsers are all in a race to reach stupid version numbers, pass some arbitrary and ridiculously convoluted css benchmark, and enable javascript bloat by endlessly tweaking the performance of the js engine.