Forgot your password?
typodupeerror
Google Advertising Businesses The Internet Technology Your Rights Online

Concerns Over Google Modifying SSL Behavior 130

Posted by timothy
from the hey-fellas-this-just-looks-bad dept.
Lauren Weinstein writes "Google is handling SSL search queries on https://www.google.com/ in a manner significantly different than the standard, expected SSL end-to-end behavior — specifically relating to referer query data. These changes give the potential appearance of favoring sites that buy ads from Google. Regardless of the actual intentions, I do not believe that this appearance is in the best interests of Google in the long run."
This discussion has been archived. No new comments can be posted.

Concerns Over Google Modifying SSL Behavior

Comments Filter:
  • Regardless of what business sense this makes/doesn't make for Google - it is better for the users.

    The more traffic is sent via HTTPS, the better. The days of concern over the CPU overhead of HTTPS are long past.

    • by Jonner (189691) on Tuesday October 25, 2011 @11:46AM (#37832880)

      Please read TFA. The question is not over use of SSL, which the author of TFA "applauded."

    • Re: (Score:2, Insightful)

      by CAIMLAS (41445)

      The days of concern over the CPU overhead of HTTPS are long past.

      Really? Why do you say that? SSL still takes a fair amount of CPU overhead. Compared to an HTTP connection, HTTPS is markedly slower (aggregated over thousands of connections). I've seen a couple sites that use HTTPS exclusively throw up transparent SSL accelerator appliances in front of their servers to allow them to only need a fraction of the number of hosts for actually hosting the data.

      • by 0123456 (636235)

        I've seen a couple sites that use HTTPS exclusively throw up transparent SSL accelerator appliances in front of their servers to allow them to only need a fraction of the number of hosts for actually hosting the data.

        Yet people who've actually measured the overhead say it's more like 2% on a modern CPU. I guess if you're serving one-pixel .gif files to track people with then it would cause a lot of overhead, but if you are then who cares?

        • 2% overhead PER SESSION. When you're talking about a server dealing with thousands upon thousands of simultaneous connections, that's a heckuva lot of overhead.
          • by kurls (1986658)

            Well, my car would go faster (probably more than 2%) without the brakes and seatbelts, but that doesn't seem like a good idea. The question should be is there a cheaper, easier way to achieve the same security as SSL.

          • by F.Ultra (1673484)
            Learn math, 2% per session is the same as 2% total.
      • Also, https prevents caching of objects such as images, css, javascript, which is a concern on large networks that routinely employ caching proxy servers to reduce uplink bandwidth requirements.

    • by CAPSLOCK2000 (27149) on Tuesday October 25, 2011 @11:55AM (#37832996) Homepage

      That's not the point at all. Frankly, this has only little to do with SSL.

      The point is that if you pay for Google-ads, you will receive the referer-information, regardless of whether your site uses HTTPS or not, even when its breaks security for the user. If you don't pay you won't get the info.

    • by Manip (656104)
      Please read either the description or the article. You just look foolish.
    • The days of concern over the CPU overhead of HTTPS are long past.

      But the days of concern over the IP address overhead of HTTPS are still with us, and they will remain with us until Windows XP and Android 2.x go away. IE on XP and Android Browser on Android 2.x don't support Server Name Indication (SNI). And without SNI, a user agent can see only the first certificate on port 443 of a given IP address, not the certificates for any of the other dozens or hundreds of domains that may be hosted on that server.

  • Google is an ad agency. What do you expect? Google has to pass the referrer to their advertisers or monetization won't work properly.

    Expecting ad sites to run SSL is unreasonable. That would run up the cost of operating a content farm substantially. Made-for Adsense sites would have to have their own IP addresses; virtual hosting wouldn't work.

    • by oakgrove (845019)

      Google is an ad agency. What do you expect?

      To put things in perspective, isn't it fair to say that the vast majority of the web is financed through ads? Something as fantastic as Google which basically equates to a modern day Oracle of Delphi has to be financed somehow. Would you prefer they extract .001/$YOUR_LOCAL_CURRENCY from your bank account everytime you use it? Or if you don't use Google, how about Slashdot? Or any other ad financed website/service?

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        I would love to pay for Google. I would rather pay, get zero ads (without ad blocking), and BE the customer. Let the company's interest align with pleasing me rather than USING me. Today, there is rarely an option to pay for services directly. So you're only choice is often a "free" service where your every movement is harvested for ad dollars.

      • by praxis (19962)

        . Would you prefer they extract .001/$YOUR_LOCAL_CURRENCY from your bank account everytime you use it?

        Yes and no.

        The problem with ad-supported the searcher-is-the-product Google is that it is exploitative to those that don't realize the ramifications since it's not in Google's best interest to be completely honest with how they operate and monetize. Those in the know can prevent some of those techniques they understand from harvesting their every bit, but the majority are in the dark. To me, that feels a bit underhanded.

        The problem with for-pay the searcher-is-the-customer Google is that any payment scheme

        • by oakgrove (845019)

          The problem with ad-supported the searcher-is-the-product Google is that it is exploitative to those that don't realize the ramifications since it's not in Google's best interest to be completely honest with how they operate and monetize.

          Google spells out very clearly how adwords works. I'd make the argument that in many ways the relevant ads actually enhance the search experience. Often times people use Google for just that, buying stuff. If an ad sucks and misrepresents the product, I might click it but then I'm going to hit faster than you can say it. Google clues into this and charges the advertiser more next time around as the ad is obviously not relevant. The advertiser feels the pain and fixes the ad. Everybody wins. I search

          • by oakgrove (845019)

            I search for "linux laptop" and see a very relevant ad for system76.com so I win. If I searched for that and saw an ad for dell.com that took me to "We recommend Windows 7" landing page, believe me, Dell will be spending more money on Google in the future.

            Well, damn. I used that purely as an example and just for shits and giggles, I tested it. Sure enough, the Dell ad at the top takes you to a "recommend Windows 7" page and the system76.com ad at the right is actually relevant. Ain't that a bitch. Maybe I'm wasting my talent as should get into advertising!

          • by praxis (19962)

            What exactly did they share and with whom when I searched for "occupy seattle". And what did they store, and when and with whom did they share that stored data.

            If you cannot answer that question in the specific, it's not clear enough. 'We share data with people' is not very clear.

            • by oakgrove (845019)
              I just searched for "occupy seattle". There is not a single ad on the page. If you searched for that and saw an ad subsequently clicking on it, the site you clicked on knows you searched for that. It's not really that complicated. As far as I know, if you are using the https google page, none of the organic search results you click on know you found them buy typing "occupy seattle" into google. You are up in arms over nothing. Really.
    • Bad meme (Score:2, Informative)

      by Anonymous Coward

      You're the product, not the customer.

      This meme needs to die. It superficially seems to have a message which rings true with slashdotters, but really doesn't deliver.

      Just because a company is ad funded, doesn't allow a free-pass to provide crap service, whether that be search, or a social network.
      You seem to be forgetting that this isn't television, and power users have unprecedented control over how content is displayed, if at all.

      The second mistake you people make, is to think yourself part of some geek elite, where actually every kid or game

      • by aix tom (902140)

        >"You're the product, not the customer." basically says that an ad funded company is expected to act as evilly as possible, just because of the way it's funded.

        Of course Google isn't acting as evil as possible. Google is nice to us. The same way a hunter is nice to the game by not scaring it off by making a ruckus in the woods, or a fisherman will never splash around in the water, and even thrown in a couple of nice yummy bait bits before putting the fishing rod in.

      • Re: (Score:2, Funny)

        by sexconker (1179573)

        Trollpost is trollpost.

        A search company that sells ads has a fundamental conflict of interest:

        Provide better search results to get more users.
        vs.
        Inject more ads into search results to get more money, and sell more user information to get more money.

        There is no getting around this.
        When Google started out, their product was the search results.
        When Google got big, they switched to being an ad company.

        The only company with more fanboy zealots than Google is Apple. Google will never have to pay the piper after

        • by oakgrove (845019)

          A search company that sells ads has a fundamental conflict of interest:

          Provide better search results to get more users. vs.

          Inject more ads into search results to get more money, and sell more user information to get more money.

          Google penalizes advertisers with irrelevant ads by charging them more. When someone searches for something they want to buy, clicking on ads is a perfectly natural thing to do. If the ads represent the product well and you end up buying, your needs have been met. That is most certainly not a conflict of interest. If an ad misrepresents a product then if some hapless searcher clicks on it, they are probably going to very quickly hit the back button. Google notes this and charges the advertiser more the

          • Wrong.
            Users go to a search engines to find things and expect unaltered results.
            No user ever wants to see ads, no matter how well "targeted".

            Charging more for misplaced ads simply highlights the conflict of interest - Google recognizes that it's something users don't want, so they balance the other side of the conflict by charging advertisers more and allow the behavior to continue.

            • by oakgrove (845019)

              Users go to a search engines to find things

              You got that much correct. The error in your reasoning is assuming that what you want is what everybody else wants. You may never type in "wholesale flea market merchandise" but, I assure you, many people do. Wading through the organic search listings for a real wholesaler that will actually give you the time of day for an order under 20,000 dollars and who isn't a scam is an exercise in pure frustration. But if a legitimate business can buy a relevant ad and that ad can allow Google to connect that buy

              • I think you're misunderstanding the function of advertising.
                Advertising is used to promote a product or service that can't promote itself on its own merits.

                Every single time, "organic" search results will be better than ads.

                If Google cared about search quality, they would ban advertisers who foist such ads onto users. Instead, they just charge them more and let them continue doing it.

                • I think you're misunderstanding the function of advertising.
                  Advertising is used to promote a product or service that can't promote itself on its own merits.

                  Some advertising does as you say. But a lot of advertising is actually just about making people aware of a product so that it can promote itself on its own merits. It doesn't matter how good the merits are of your product if no one knows about it in the first place.

                  Every single time, "organic" search results will be better than ads.

                  Untrue. If I search for a piece of hardware, a lot of the search results are going to be people discussing how to make some software work with that hardware, reporting problems with the hardware, praising the hardware, etc. Whilst I might fi

      • by gutnor (872759)

        "You're the product, not the customer." basically says that an ad funded company is expected to act as evilly as possible, just because of the way it's funded.

        Actually, it means exactly the opposite. Google does everything to provide better product to their client. That means, not annoying people, giving them the ads they are most likely to click on, giving them tons of excellent free tools so that they stay within the Google network and therefore helps Google getting the best value for its ads placements. However, as you said, ...

        The reality is that sometimes there are conflicts of interest

        So that is important to remember and why the meme is somewhat useful.

      • > Just because a company is ad funded, doesn't allow a free-pass to provide
        > crap service, whether that be search, or a social network.

        Yes it does, if the alternatives are ( 1 ) no service or ( 2 ) a paid-for service.

        You and I would likely pay for a search engine tailored to our needs, with Alta Vista-style boolean logic and no ads.

        Joe Public won't, so we're landed with the crapfest that is Google and Bing search results.

        Joe Public will be content with a craptastic Facebook experience just because it

      • by bonch (38532)

        Can I ask something? Why are there so many anonymous Google supporters who post on Slashdot? Does anyone else find it somewhat suspicious how they appear in every single Google article in which they get criticized?

        "You're the product, not the customer." basically says that an ad funded company is expected to act as evilly as possible, just because of the way it's funded.

        No, it simply describes a truth about their behavior and their business model. Google's source of revenue is web advertising, and their cus

  • by Hazel Bergeron (2015538) on Tuesday October 25, 2011 @11:46AM (#37832872) Journal

    Google passes Referer info from https to http how?

    • I'm wondering exactly the same thing. Isn't this behavior a function of the web browser? How would Google be altering it without some elaborate HTTP redirect tricks?
    • by hedwards (940851)

      I'm trying to figure out how this is somehow unexpected. My understanding was that traffic between me and Google was being done via SSL, not traffic from Google to the site.

      Ultimately, this is a significant improvement over how it was previously, done, but shy of requiring all traffic to be over SSL, I'm not really sure how much better this could be.

      • Excellent question -- I was very surprised to see absolutely no analysis of this in TFA!

        Doing a very quick test googling my own blog from https://google.com/ [google.com] the referer I end up seeing is like this:

        "http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CBwQFjAA&url=http%3A%2F%2Fbrionv.com%2F&ei=fjynTpC4KoSqiQLFvezYDQ&usg=AFQjCNHi_Ia5lQINhrMRGTJyRLFc4ZOajw"

        I don't have any Google ads on my site, so I guess this would be in the "Ordinary Site (http: = n

        • by makomk (752139)

          If you'd clicked on a paid link, apparently you'd have seen a referrer which told you which search terms the user got there from. That's what this is about.

          • by brion (1316)

            Ah, who gives a rat's ass then? As a user I don't want my search keywords going to third-party sites to begin with, and I don't click on paid links in search results. (It wasn't clear from the original article that this referred to *ad links on the Google page* and not *links to sites with google ads*.)

            Far more worrying is that the redirect always goes through HTTP, giving a chance for MitM attacks to sniff or alter your target traffic -- for instance redirecting you from what you thought was a nice safe

  • by Anonymous Coward

    The gist: Google actively hides referer data when linking from the new SSL site, even if the site that is linked to is also an SSL site, except when the link is an ad.

    Well, tough titties. It's Google's site, they can link to you any way they want. If they want to redirect the visitor in a way that hides the query from the linked-to site, that's their prerogative. They could simply make their whole search engine POST the query and you'd never see the search terms, not even with plain HTTP. What are you gonna

  • Both TFA itself, and the summary could do with a summary.

    ...a manner significantly different than the standard, namely, passing the refer to a non-secure site with Google ads, whilst withholding it from another secure site, going against normal browser behavior.

    • Re: (Score:3, Informative)

      by Anonymous Coward

      Summary for the security conscious: since you switched to using https://encrypted.google.com months ago, you're fine, nothing new here. Move along.

      Summary for the masses: Google is now using security by default (if you're logged in), but it isn't quite as secure as is possible.

  • https move in itself is not bad... but the way it is implemented messes up statistics (you know that stuff came from google but no search keywords) and operation of some sites (display a page with the queried keyword to boost relevance). They say it affects less than 1% of the queries only logged on users).. but I think that is a low number.... who is not logged into gmail? maybe not everybody but I suspect figure is higher than 1%

    Among others, they could in theory fix that with a redirect to an http site t

    • by mmcuh (1088773)
      Does this mean that "webmasters" will stop trying to optimise their pages after search word hits? That can't possibly be a bad thing.
  • Yawn (Score:5, Insightful)

    by TheEyes (1686556) on Tuesday October 25, 2011 @11:48AM (#37832906)

    You know, I'd be a lot more concerned about this kind of thing if we weren't hearing Slashdot stories crying wolf practically every day. I'm just not impressed with people trying to call Google evil anymore; none of these so-called revelations have panned out so far, so how likely is this one to go any differently?

    • Regardless of the actual intentions, I do not believe that this appearance is in the best interests of Google in the long run.

      Slashdot: Opinions of nerds. Does this matter?

    • by Nimey (114278)

      Yeah, this. Slashdot's "journalism" isn't trustworthy.

    • by Raenex (947668)

      "See no evil, hear no evil, speak no evil."

    • by TubeSteak (669689)

      FTC Gives Final Approval to Settlement with Google over Buzz Rollout
      http://www.ftc.gov/opa/2011/10/buzz.shtm [ftc.gov]

      The settlement resolves charges that Google used deceptive tactics and violated its own privacy promises to consumers when it launched its social network, Google Buzz, in 2010. The [FTC] alleged that the practices violate the FTC Act. The settlement bars the company from future privacy misrepresentations, requires it to implement a comprehensive privacy program, and calls for regular, independent privacy audits for the next 20 years.

      Google has made numerous mistakes and misteps with regard to "don't be evil"
      If you bothered to read the follow up stories, you'd see that the boy is crying wolf because there is a wolf.

  • I have not reached the security/SSL stuff in my IT course yet so could someone explain this a bit?
    I did RTFA, but I am still at a loss as to how and where the problem lies. I typically don't use the HTTPS portion of the Google searches because I don't really care what they know I am searching for. Other places that are slightly more important, like FaceBook, I do browse using HTTPS.
  • If anyone was wondering how they do it, they're using JavaScript when you click a link instead of allowing the browser to open the link "normally." e.g.

    window.open("").location.href = "http://www.example.com";

    This results in the page opening as if it was a "new page" rather than as if it came from any
  • by dracocat (554744) on Tuesday October 25, 2011 @12:06PM (#37833128)

    If I am paying per click for certain search terms, then this data SHOULD be passed along. The other alternative is to just get a bill from google and trust that it is accurate?

    As an advertiser I need this information. First to make sure I get the clicks google is charging for me, and more importantly to determine which words don't have a conversion rate worth paying for.

    • by Galestar (1473827)
      Yes but they are also NOT sending the referrer information when you click on a link that is secure. Those that SHOULD be getting the information, but since they didn't pay Google for it, Google doesn't send it to them.
      • Those that SHOULD be getting the information

        Why? Who decided that?

        • by Galestar (1473827)
          according to SSL specifications. go RTFA ... but of course the "score 4 interesting" grandparent obviously didn't, why would anyone expect you to
          • The spec only says that if it's a link, which it isn't (it's a Javascript redirect). In fact, Google can't break the SSL spec, since it's the browser, which they don't control, that has to abide by it.

            So again, why?

  • Gripe (Score:3, Interesting)

    by Nom du Keyboard (633989) on Tuesday October 25, 2011 @12:18PM (#37833276)
    This just sounds like an individual gripe that somehow got accepted here at /. You don't like it, Google does, move along there's nothing more to see.

    You know, if people don't like how Google runs their business: 1) Don't use it. 2) Start your own competitor. Google wasn't the first search engine. You can go somewhere else, but don't tell them how they should run their own business. That's nebby.
  • I hate Referer (Score:5, Interesting)

    by andymadigan (792996) <amadigan@gmai3.14159l.com minus pi> on Tuesday October 25, 2011 @12:24PM (#37833346)
    I hate referer information when I come from google, mostly because of sites that either:

    1) Highlight my search terms in the page. You don't need to highlight every instance of 'of' in the page, and even highlighting the keywords is distracting.

    2) Put a big fat "Welcome Google User!" (often with horribly colored letters for Google) that beg you to subscribe to the RSS feed.

    I wish there was a chrome extension to hide referrer data just so that I could avoid that.

    BTW: If you want an example of useless highlighting, google for VirtualBox and click on the VirtualBox website. I can't believe someone thought that people who can comprehend what VirtualBox is don't know how Ctrl+F works.
    • by wigbold (2494048)

      I've grown to really like NoScript for this. VirtualBox was simple when I clicked, and only got distractedly highlighted when I temporarily allowed it to execute scripts. Cheers!

    • >> I wish there was a chrome extension to hide referrer data just so that I could avoid that.

      You can do it on firefox by setting following key network.http.sendRefererHeader to 0. Not sure if Chrome has something similar, though.

  • Google is no more Evil than any company out there trying to make a buck. Do they care about their users? Sure, but only up to the point where it hurts the bottom line to do so.

    This new tactic moves along the same line as their view on SEO. Do they want to make it more difficult to obtain better ranking in their site? Yes, but only to the point where they make it easier to pay to get better position within listings.

    Is this new process for handling SSL information biased towards their paying customers? O

    • by Todd Knarr (15451)

      They're using SSL in a standard way. What the article gets confused is the difference between SSL (the protocol used to encrypt connections) and HTTP Referrer header handling (used to pass referrer information to the target site). Note that the two have nothing to do with one another.

      The convention has been that when the source page is https: and the target page is http: the Referrer header is suppressed, while if both are https: the Referrer header is passed normally. Google's changed this to a different r

  • TFA implies that google is somehow causing my browser to send unencrypted data? I'm not an ssl expert, but i thought the expectation set by ssl is that communication between my browser and google would be encrypted. What google chooses to do with the data i sent them (my request headers, form inputs, etc) has nothing to do with ssl. As far as i know there is no SSL standard that says all data posted over ssl must only be transmitted via ssl from then on.

    Google can take my referers and post them on the goo
  • When a service is provided for free, you aren't the customer, you are the product.

    Google handed out my referrer data before, to everybody, for free. Now they restrict it to clicks on ads. My overall privacy has increased. I imagine ad buyers would revolt if they didn't get the referrer data they have always gotten from Google. Google, quite properly, doesn't give a flying *bleep!* about webmasters collecting referrer data on clicks they are getting for free.

    • Referrer information is typically a function of the browser and is passed in your HTTP headers you're sending to the site you're going to. Normally referrer information doesn't persist when you click a HTTP link from a HTTPS page but do when you click a HTTPS link from a HTTPS page. According to the article what Google are doing here is ACTIVELY interfering with the normal functioning of this information. Adding javascript tricks to prevent it being passed to HTTPS pages when it's not a paid link and usi
  • Outside of advertisement info, why is this "referrer" data important?

    If this is somehow reducing my security, I can see a problem, but if it's just data to help websites know who their customers are, then why should I care?

    Google provides a service. They give it free to the customer and if you want your website to have an advantage, then you pay a premium for access to Google's services.

    To me this sounds more like a QQ, but I am interested to know if there's something I'm missing as I am not knowledgeable i

    • The point is, if you are using SSL, you probably do so because you don't want someone in between to read your search terms. Now the referer contains your search terms (as part of the URL), therefore if the referer is sent to a non-SSL site, your search terms can be read in the clear.

  • This isn't Google somehow modifying the way SSL and referrers work in your browser -- after all, in the normal course of things, you browser is in charge of deciding whether to send a Referer header or not.

    This is Google using a JavaScript method to intercept and handle clicks on their site. In some cases the JavaScript does a redirect through non-HTTPS Google so that the referer is sent. In other cases it goes directly to the result site, no referer (as expected).

    They could (and probably do?) use a similar

    • by Galestar (1473827)
      Well, except they also do not send the referrer to https website that do not pay. That is the 2nd problem.
  • Lately I'm finding Google is getting increasingly unreliable about finding references I want, specifically regarding politics, the economy, and Occupy.

    Ask has been filling in the gap quite nicely, but I don't like what seems to be censorship by Google.

  • I submitted a post that Google has stopped using the + symbol
    to denote boolean AND, (ie specifically to require the word in
    the results.)

    It has been replaced with double quotes.

    I for one find it EXTREMELY annoying after a decade and a half
    of the 'correct way' to have to completely relearn the new way.

    http://slashdot.org/firehose.pl?op=view&id=24913740 [slashdot.org]

    -AI

    • by makomk (752139)

      Oh dear. That explains why I've been failing to get their over-active autocorrect not to "correct" my queries as of late.

Your own mileage may vary.

Working...