Concerns Over Google Modifying SSL Behavior
Lauren Weinstein writes "Google is handling SSL search queries on https://www.google.com/ in a manner significantly different than the standard, expected SSL end-to-end behavior — specifically relating to referer query data. These changes give the potential appearance of favoring sites that buy ads from Google. Regardless of the actual intentions, I do not believe that this appearance is in the best interests of Google in the long run."
Google passes Referer info from https to http how?
The gist: Google actively hides referer data when linking from the new SSL site, even if the site that is linked to is also an SSL site, except when the link is an ad.
Well, tough titties. It's Google's site, they can link to you any way they want. If they want to redirect the visitor in a way that hides the query from the linked-to site, that's their prerogative. They could simply make their whole search engine POST the query and you'd never see the search terms, not even with plain HTTP. What are you gonna do about it? Oh right, whine on your blog and have Slashdot link to it.
I turn off the referer header in all browsers and proxies I set up. With the exception of a few shady third-rate direct download web sites whose hotlinking protection trips over this, nobody requires it. One information leak less to worry about. Eat shit, SEO scum.
Please read TFA. The question is not over use of SSL, which the author of TFA "applauded."
You know, I'd be a lot more concerned about this kind of thing if we weren't hearing Slashdot stories crying wolf practically every day. I'm just not impressed with people trying to call Google evil anymore; none of these so-called revelations have panned out so far, so how likely is this one to go any differently?
I know exactly who the 'product' and who the 'consumer' of Google is.
It's irrelevant to this. When traffic is HTTP or HTTPS for Google searches, Google gets that traffic either way. When the traffic is HTTPS though, that means fewer people are getting it (wireless sniffing, routers along the way, etc.) in an unencrypted format. I really could care less what information the sites I go to are missing from the search I entered that brought me to them.
Google is an ad agency. What do you expect?
To put things in perspective, isn't it fair to say that the vast majority of the web is financed through ads? Something as fantastic as Google, which basically equates to a modern day Oracle of Delphi, has to be financed somehow. Would you prefer they extract .001/$YOUR_LOCAL_CURRENCY from your bank account every time you use it? Or if you don't use Google, how about Slashdot? Or any other ad financed website/service?
The soylentnews experiment has been a dismal failure.
That's not the point at all. Frankly, this has only little to do with SSL.
The point is that if you pay for Google ads, you will receive the referer information, regardless of whether your site uses HTTPS or not, even when it breaks security for the user. If you don't pay you won't get the info.
Summary for the security conscious: since you switched to using https://encrypted.google.com months ago, you're fine, nothing new here. Move along.
Summary for the masses: Google is now using security by default (if you're logged in), but it isn't quite as secure as is possible.
If I am paying per click for certain search terms, then this data SHOULD be passed along. The other alternative is to just get a bill from google and trust that it is accurate?
As an advertiser I need this information. First to make sure I get the clicks google is charging for me, and more importantly to determine which words don't have a conversion rate worth paying for.
You're the product, not the customer.
This meme needs to die. It superficially seems to have a message which rings true with slashdotters, but really doesn't deliver.
Just because a company is ad funded, doesn't allow a free-pass to provide crap service, whether that be search, or a social network.
You seem to be forgetting that this isn't television, and power users have unprecedented control over how content is displayed, if at all.
The second mistake you people make, is to think yourself part of some geek elite, where actually every kid or gamer can download the tools to control their web experience.
"You're the product, not the customer." basically says that an ad funded company is expected to act as evilly as possible, just because of the way it's funded. The reality is that sometimes there are conflicts of interest, getting it wrong tends to cause a backlash among more technically minded, and generally loud users. Facebook will tend to get away with more than google in this case, because of the technical experience of their users.
Do your part. Add to the conversation, and don't be a sheep by modding this meme up.
I would love to pay for Google. I would rather pay, get zero ads (without ad blocking), and BE the customer. Let the company's interest align with pleasing me rather than USING me. Today, there is rarely an option to pay for services directly. So your only choice is often a "free" service where your every movement is harvested for ad dollars.
This is why you disable third party cookies, and use ad block plus and noscript.
Users have to be proactive about security. Nearly every fucking site out there is actively working against good security practices even when they're not compromised by an attacker. The browsers are all in a race to reach stupid version numbers, pass some arbitrary and ridiculously convoluted css benchmark, and enable javascript bloat by endlessly tweaking the performance of the js engine.
This just sounds like an individual gripe that somehow got accepted here at /. You don't like it, Google does, move along there's nothing more to see.
You know, if people don't like how Google runs their business: 1) Don't use it. 2) Start your own competitor. Google wasn't the first search engine. You can go somewhere else, but don't tell them how they should run their own business. That's nebby.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
I hate referer information when I come from google, mostly because of sites that either:
1) Highlight my search terms in the page. You don't need to highlight every instance of 'of' in the page, and even highlighting the keywords is distracting.
2) Put a big fat "Welcome Google User!" (often with horribly colored letters for Google) that beg you to subscribe to the RSS feed.
I wish there was a chrome extension to hide referrer data just so that I could avoid that.
BTW: If you want an example of useless highlighting, google for VirtualBox and click on the VirtualBox website. I can't believe someone thought that people who can comprehend what VirtualBox is don't know how Ctrl+F works.
The right to protest the State is more sacred than the State.
First of all, any well-architected clustered app spends more time waiting for I/O at the web tier than it uses CPU, so the 2% "penalty" is on an underutilized resource anyway. Second, terminating SSL at your load balancers is standard practice, be they Amazon ELB SSL termination, F5 BigIPs, or reverse proxies. Again, all otherwise I/O-bound implementations which can spare the CPU.
The fact that SSL obscures the requested URI from intermediaries seems in-line with the goals of Wikipedia for free information sharing -- with SSL operating properly, an intermediary may be able to tell that you were on Wikipedia, but not what you were looking at.
SSL/TLS and/or its successors everywhere is in everyone's interest if maintaining privacy from ubiquitous snooping is a concern.
Even with ABP and noscript and disabling third-party cookies this behaviour will still bite you. Refcontrol is what you need to stop Google telling the sites you visit what your search terms were.
I search for "linux laptop" and see a very relevant ad for system76.com so I win. If I searched for that and saw an ad for dell.com that took me to "We recommend Windows 7" landing page, believe me, Dell will be spending more money on Google in the future.
Well, damn. I used that purely as an example and just for shits and giggles, I tested it. Sure enough, the Dell ad at the top takes you to a "recommend Windows 7" page and the system76.com ad at the right is actually relevant. Ain't that a bitch. Maybe I'm wasting my talent and should get into advertising!
I really could care less
How much less could you care?
and it should be "i couldn't care less"
#include <sig.h>
Excellent question -- I was very surprised to see absolutely no analysis of this in TFA!
Doing a very quick test googling my own blog from https://google.com/ the referer I end up seeing is like this:
"http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CBwQFjAA&url=http%3A%2F%2Fbrionv.com%2F&ei=fjynTpC4KoSqiQLFvezYDQ&usg=AFQjCNHi_Ia5lQINhrMRGTJyRLFc4ZOajw"
I don't have any Google ads on my site, so I guess this would be in the "Ordinary Site (http: = non-SSL)" category, which TFA claims gets no referer -- but I do get a referer, and it's an intermediary redirect that's on http, leading the browser to happily send that as referer info.
Following the same link from https://encrypted.google.com/ shows no referer, indicating that it either went through no intermediate redirect, or an https one (you can see by testing that there is one, also on https://encrypted.google.com/) that didn't pass on referer info from the browser.
SSL pages on my own site don't seem to be in the index, but the intermediate redirects I see on other things like mailing list archives that are in there look the same -- http: redirects from https://google.com/ and https: redirects from https://encrypted.google.com/
I think it's just sending everything through an http redirect so everyone sees referer data, unless you search from encrypted.google.com.
Do you speak Wikipedia? (Esperanto: "Ĉu vi parolas Vikipedion?")