Concerns Over Google Modifying SSL Behavior 130
Lauren Weinstein writes "Google is handling SSL search queries on https://www.google.com/ in a manner significantly different than the standard, expected SSL end-to-end behavior — specifically relating to referer query data. These changes give the potential appearance of favoring sites that buy ads from Google. Regardless of the actual intentions, I do not believe that this appearance is in the best interests of Google in the long run."
Its in the best interest of users (Score:2, Insightful)
Regardless of what business sense this makes/doesn't make for Google - it is better for the users.
The more traffic is sent via HTTPS, the better. The days of concern over the CPU overhead of HTTPS are long past.
Re:Its in the best interest of users (Score:5, Informative)
Please read TFA. The question is not over use of SSL, which the author of TFA "applauded."
Re: (Score:2)
i have been using google ssl beta for a little over a year now it works just fine i can't tell a speed difference
You would if you would just switch to a proportional font. Things would flow much faster.
Re: (Score:2, Insightful)
The days of concern over the CPU overhead of HTTPS are long past.
Really? Why do you say that? SSL still takes a fair amount of CPU overhead. Compared to an HTTP connection, HTTPS is markedly slower (aggregated over thousands of connections). I've seen a couple sites that use HTTPS exclusively throw up transparent SSL accelerator appliances in front of their servers to allow them to only need a fraction of the number of hosts for actually hosting the data.
Re: (Score:2)
I've seen a couple sites that use HTTPS exclusively throw up transparent SSL accelerator appliances in front of their servers to allow them to only need a fraction of the number of hosts for actually hosting the data.
Yet people who've actually measured the overhead say it's more like 2% on a modern CPU. I guess if you're serving one-pixel .gif files to track people with then it would cause a lot of overhead, but if you are then who cares?
Re: (Score:2)
Re: (Score:1)
Well, my car would go faster (probably more than 2%) without the brakes and seatbelts, but that doesn't seem like a good idea. The question should be is there a cheaper, easier way to achieve the same security as SSL.
Re: (Score:2)
Re: (Score:2)
Re:Its in the best interest of users (Score:4, Informative)
First of all, any well-architected clustered app spends more time waiting for I/O at the web tier than it uses CPU, so the 2% "penalty" is on an underutilized resource anyway. Second, terminating SSL at your load balancers is standard practice, be they Amazon ELB SSL termination, F5 BigIPs, or reverse proxies. Again, all otherwise I/O-bound implementations which can spare the CPU.
The fact that SSL obscures the requested URI from intermediaries seems in-line with the goals of Wikipedia for free information sharing -- with SSL operating properly, an intermediary may be able to tell that you were on Wikipedia, but not what you were looking at.
SSL/TLS and/or its successors everywhere is in everyone's interest if maintaining privacy from ubiquitous snooping is a concern.
Re: (Score:1)
That is true, I forgot that our load balancers do handle all the SSL. That said, we recently had to upgrade ours so that they could handle 2048bit ssl certificates (I believe) since the higher level of encryption was slowing down the devices (or maybe the web interface--not sure not my department).
Re: (Score:2)
Also, https prevents caching of objects such as images, css, javascript, which is a concern on large networks that routinely employ caching proxy servers to reduce uplink bandwidth requirements.
Re:Its in the best interest of users (Score:5, Insightful)
That's not the point at all. Frankly, this has only little to do with SSL.
The point is that if you pay for Google-ads, you will receive the referer-information, regardless of whether your site uses HTTPS or not, even when its breaks security for the user. If you don't pay you won't get the info.
Re: (Score:2)
Re: (Score:2)
IE on XP needs an IP per site (Score:2)
The days of concern over the CPU overhead of HTTPS are long past.
But the days of concern over the IP address overhead of HTTPS are still with us, and they will remain with us until Windows XP and Android 2.x go away. IE on XP and Android Browser on Android 2.x don't support Server Name Indication (SNI). And without SNI, a user agent can see only the first certificate on port 443 of a given IP address, not the certificates for any of the other dozens or hundreds of domains that may be hosted on that server.
Re:Its in the best interest of users (Score:5, Insightful)
I know exactly who the 'product' and who the 'consumer' of Google is.
Its irrelevant to this. When traffic is HTTP or HTTPS for Google searches, Google gets that traffic either way. When the traffic is HTTPS though, that means LESS people are getting it (wireless sniffing, routers along the way, etc.) in an unencrypted format. I really could care less what information the sites I go to are missing from the search I entered that brought me to them.
Re: (Score:1)
I know exactly who the 'product' and who the 'consumer' of Google is.
Its irrelevant to this. When traffic is HTTP or HTTPS for Google searches, Google gets that traffic either way. When the traffic is HTTPS though, that means LESS people are getting it (wireless sniffing, routers along the way, etc.) in an unencrypted format. I really could care less what information the sites I go to are missing from the search I entered that brought me to them.
Again that goes back to the "read the TFA" comment. The missing information is only part of the problem. The other problem is the presence of search data when clicking through to unencrypted sites, if they are google customers. That means google's SSL service is a lie and your unencrypted searches will be sent to certain customers regardless of using http or https.
So back to your original comment, most geeks would agree I think that more SSL is good. However, SSL that only encrypts your data some of the
Re: (Score:2)
The other problem is the presence of search data when clicking through to unencrypted sites, if they are google customers. That means google's SSL service is a lie and your unencrypted searches will be sent to certain customers regardless of using http or https.
It seems sorta common sense that if you click on a link to a site, that site will know you clicked on it and where you're going. Similarly, if you have a cookie on a site, that site will know when you've been there and will be able to correlate all kinds of things you typed into that site with links, etc.
Google possesses this information, they can sell it. That your request travelled over HTTPS means it's secret between you and google, what either side of the transmission does with the information it obta
Re: (Score:2)
It seems sorta common sense that if you click on a link to a site, that site will know you clicked on it and where you're going.
What's not common-sense or obvious is that Google only give sites information on what SSL search query lead users to that site if the site paid money to Google for that click, and that they do so regardless of whether it causes the search terms used to be sent across the user's connection as plaintext or not.
Re: (Score:1)
The other problem is the presence of search data when clicking through to unencrypted sites, if they are google customers. That means google's SSL service is a lie and your unencrypted searches will be sent to certain customers regardless of using http or https.
It seems sorta common sense that if you click on a link to a site, that site will know you clicked on it and where you're going. Similarly, if you have a cookie on a site, that site will know when you've been there and will be able to correlate all kinds of things you typed into that site with links, etc.
Google possesses this information, they can sell it. That your request travelled over HTTPS means it's secret between you and google, what either side of the transmission does with the information it obtained is strictly the business of either party.
Anything you can do with a search result from https://google.com/ [google.com], like for instance, sharing a search result with a friend, google can do with your click stream, like, for instance, sharing it with their friend.
I don't care if customers get my search results. That is google's business model. My problem is they offer an ssl service, but ignore expected ssl behaviors in favor of their business model. If you perform a search using the ssl service, then your search should be encrypted. Always. However, google forwards your search request in the referer header to their customers, regardless of their customer's usage of ssl. That means if you click through to an unencrypted site, the fact that you logged into goog
Re: (Score:1)
No, that's just the excuse that gets this "issue" talked about. Google very obviously needs to communicate the source of traffic to ad customers for conversion tracking.
Duh.
Expecting Google not to rat out visitors to ad customers is beyond naive.
Ok. Not sure the relevance of this comment.
The actual reason for the article is that normal sites no longer get referer information, HTTPS or not. Webmasters who have been infected with SEO are kinda whiny that way.
Well I'm glad you read the article. However, it is completely irrelevant to this thread as we're discussing the benefit of providing the ssl service in that it increases ssl usage overall. I merely brought up the point that making people think their data is encrypted, when in fact it is not, is more harmful than just making people use an unencrypted service and knowing their data is unencrypted. At least then they won't search for gay beastiality porn if it
Re: (Score:3)
I really could care less
How much less could you care?
Re: (Score:3)
Re: (Score:1)
As has been said, you need to stop karma-whoring and RTFA. The use of SSL isn't the issue. It's not even the headline of the submission.
Re: (Score:2)
Chances are you are product, not a customer or a user.
The three are not mutually exclusive. Furthermore, Google penalizes advertisers that don't post relevant ads to the searcher by forcing said advertiser to pay more per click. As someone that searches Google and periodically even buys stuff, I'd much rather see an ad that is relevant to my interests. In this way, the ads actually enhance the search experience because it is getting me what I want faster. And if I'm not looking to buy anything, the ads are segregated either off to the side or are in a clea
You're the product, not the customer. (Score:1)
Google is an ad agency. What do you expect? Google has to pass the referrer to their advertisers or monetization won't work properly.
Expecting ad sites to run SSL is unreasonable. That would run up the cost of operating a content farm substantially. Made-for Adsense sites would have to have their own IP addresses; virtual hosting wouldn't work.
Re: (Score:1)
You may think that killing is reasonable, but the law is pretty explicit about it. DO NOT KILL.
Crap. The law is far far more nuanced than that on the subject of killing.
Re: (Score:3)
Google is an ad agency. What do you expect?
To put things in perspective, isn't it fair to say that the vast majority of the web is financed through ads? Something as fantastic as Google which basically equates to a modern day Oracle of Delphi has to be financed somehow. Would you prefer they extract .001/$YOUR_LOCAL_CURRENCY from your bank account everytime you use it? Or if you don't use Google, how about Slashdot? Or any other ad financed website/service?
Re: (Score:2, Insightful)
I would love to pay for Google. I would rather pay, get zero ads (without ad blocking), and BE the customer. Let the company's interest align with pleasing me rather than USING me. Today, there is rarely an option to pay for services directly. So you're only choice is often a "free" service where your every movement is harvested for ad dollars.
Re: (Score:2)
. Would you prefer they extract .001/$YOUR_LOCAL_CURRENCY from your bank account everytime you use it?
Yes and no.
The problem with ad-supported the searcher-is-the-product Google is that it is exploitative to those that don't realize the ramifications since it's not in Google's best interest to be completely honest with how they operate and monetize. Those in the know can prevent some of those techniques they understand from harvesting their every bit, but the majority are in the dark. To me, that feels a bit underhanded.
The problem with for-pay the searcher-is-the-customer Google is that any payment scheme
Re: (Score:2)
The problem with ad-supported the searcher-is-the-product Google is that it is exploitative to those that don't realize the ramifications since it's not in Google's best interest to be completely honest with how they operate and monetize.
Google spells out very clearly how adwords works. I'd make the argument that in many ways the relevant ads actually enhance the search experience. Often times people use Google for just that, buying stuff. If an ad sucks and misrepresents the product, I might click it but then I'm going to hit faster than you can say it. Google clues into this and charges the advertiser more next time around as the ad is obviously not relevant. The advertiser feels the pain and fixes the ad. Everybody wins. I search
Re: (Score:3)
I search for "linux laptop" and see a very relevant ad for system76.com so I win. If I searched for that and saw an ad for dell.com that took me to "We recommend Windows 7" landing page, believe me, Dell will be spending more money on Google in the future.
Well, damn. I used that purely as an example and just for shits and giggles, I tested it. Sure enough, the Dell ad at the top takes you to a "recommend Windows 7" page and the system76.com ad at the right is actually relevant. Ain't that a bitch. Maybe I'm wasting my talent as should get into advertising!
Re: (Score:2)
What exactly did they share and with whom when I searched for "occupy seattle". And what did they store, and when and with whom did they share that stored data.
If you cannot answer that question in the specific, it's not clear enough. 'We share data with people' is not very clear.
Re: (Score:2)
Re: (Score:3, Insightful)
This is why you disable third party cookies, and use ad block plus and noscript.
Users have to be proactive about security. Nearly every fucking site out there is actively working against good security practices even when they're not compromised by an attacker. The browsers are all in a race to reach stupid version numbers, pass some arbitrary and ridiculously convoluted css benchmark, and enable javascript bloat by endlessly tweaking the performance of the js engine.
Re: (Score:3)
Re: (Score:1)
Passing on referral information isn't really a security concern (unless some shitty site relies on referral headers for any sort of user action or authentication).
It's a privacy concern.
Important, but no where near as important to an end user as stopping every random ad and script from loading and firing.
Bad meme (Score:2, Informative)
You're the product, not the customer.
This meme needs to die. It superficially seems to have a message which rings true with slashdotters, but really doesn't deliver.
Just because a company is ad funded, doesn't allow a free-pass to provide crap service, whether that be search, or a social network.
You seem to be forgetting that this isn't television, and power users have unprecedented control over how content is displayed, if at all.
The second mistake you people make, is to think yourself part of some geek elite, where actually every kid or game
Re: (Score:1)
>"You're the product, not the customer." basically says that an ad funded company is expected to act as evilly as possible, just because of the way it's funded.
Of course Google isn't acting as evil as possible. Google is nice to us. The same way a hunter is nice to the game by not scaring it off by making a ruckus in the woods, or a fisherman will never splash around in the water, and even thrown in a couple of nice yummy bait bits before putting the fishing rod in.
Re: (Score:2, Funny)
Trollpost is trollpost.
A search company that sells ads has a fundamental conflict of interest:
Provide better search results to get more users.
vs.
Inject more ads into search results to get more money, and sell more user information to get more money.
There is no getting around this.
When Google started out, their product was the search results.
When Google got big, they switched to being an ad company.
The only company with more fanboy zealots than Google is Apple. Google will never have to pay the piper after
Re: (Score:2)
A search company that sells ads has a fundamental conflict of interest:
Provide better search results to get more users. vs.
Inject more ads into search results to get more money, and sell more user information to get more money.
Google penalizes advertisers with irrelevant ads by charging them more. When someone searches for something they want to buy, clicking on ads is a perfectly natural thing to do. If the ads represent the product well and you end up buying, your needs have been met. That is most certainly not a conflict of interest. If an ad misrepresents a product then if some hapless searcher clicks on it, they are probably going to very quickly hit the back button. Google notes this and charges the advertiser more the
Re: (Score:1)
Wrong.
Users go to a search engines to find things and expect unaltered results.
No user ever wants to see ads, no matter how well "targeted".
Charging more for misplaced ads simply highlights the conflict of interest - Google recognizes that it's something users don't want, so they balance the other side of the conflict by charging advertisers more and allow the behavior to continue.
Re: (Score:3)
Users go to a search engines to find things
You got that much correct. The error in your reasoning is assuming that what you want is what everybody else wants. You may never type in "wholesale flea market merchandise" but, I assure you, many people do. Wading through the organic search listings for a real wholesaler that will actually give you the time of day for an order under 20,000 dollars and who isn't a scam is an exercise in pure frustration. But if a legitimate business can buy a relevant ad and that ad can allow Google to connect that buy
Re: (Score:1)
I think you're misunderstanding the function of advertising.
Advertising is used to promote a product or service that can't promote itself on its own merits.
Every single time, "organic" search results will be better than ads.
If Google cared about search quality, they would ban advertisers who foist such ads onto users. Instead, they just charge them more and let them continue doing it.
Re: (Score:2)
I think you're misunderstanding the function of advertising.
Advertising is used to promote a product or service that can't promote itself on its own merits.
Some advertising does as you say. But a lot of advertising is actually just about making people aware of a product so that it can promote itself on its own merits. It doesn't matter how good the merits are of your product if no one knows about it in the first place.
Every single time, "organic" search results will be better than ads.
Untrue. If I search for a piece of hardware, a lot of the search results are going to be people discussing how to make some software work with that hardware, reporting problems with the hardware, praising the hardware, etc. Whilst I might fi
Re: (Score:3)
"You're the product, not the customer." basically says that an ad funded company is expected to act as evilly as possible, just because of the way it's funded.
Actually, it means exactly the opposite. Google does everything to provide better product to their client. That means, not annoying people, giving them the ads they are most likely to click on, giving them tons of excellent free tools so that they stay within the Google network and therefore helps Google getting the best value for its ads placements. However, as you said, ...
The reality is that sometimes there are conflicts of interest
So that is important to remember and why the meme is somewhat useful.
Re: (Score:2)
> Just because a company is ad funded, doesn't allow a free-pass to provide
> crap service, whether that be search, or a social network.
Yes it does, if the alternatives are ( 1 ) no service or ( 2 ) a paid-for service.
You and I would likely pay for a search engine tailored to our needs, with Alta Vista-style boolean logic and no ads.
Joe Public won't, so we're landed with the crapfest that is Google and Bing search results.
Joe Public will be content with a craptastic Facebook experience just because it
Re: (Score:1)
Can I ask something? Why are there so many anonymous Google supporters who post on Slashdot? Does anyone else find it somewhat suspicious how they appear in every single Google article in which they get criticized?
No, it simply describes a truth about their behavior and their business model. Google's source of revenue is web advertising, and their cus
overriding browser how? (Score:4, Interesting)
Google passes Referer info from https to http how?
Re: (Score:2)
Re: (Score:1)
Google has been using "elaborate" HTTP redirection tricks for ages.
Re: (Score:2)
I'm trying to figure out how this is somehow unexpected. My understanding was that traffic between me and Google was being done via SSL, not traffic from Google to the site.
Ultimately, this is a significant improvement over how it was previously, done, but shy of requiring all traffic to be over SSL, I'm not really sure how much better this could be.
Looks like all pages get referers, not just ads (Score:3)
Excellent question -- I was very surprised to see absolutely no analysis of this in TFA!
Doing a very quick test googling my own blog from https://google.com/ [google.com] the referer I end up seeing is like this:
"http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CBwQFjAA&url=http%3A%2F%2Fbrionv.com%2F&ei=fjynTpC4KoSqiQLFvezYDQ&usg=AFQjCNHi_Ia5lQINhrMRGTJyRLFc4ZOajw"
I don't have any Google ads on my site, so I guess this would be in the "Ordinary Site (http: = n
Re: (Score:2)
If you'd clicked on a paid link, apparently you'd have seen a referrer which told you which search terms the user got there from. That's what this is about.
Re: (Score:2)
Ah, who gives a rat's ass then? As a user I don't want my search keywords going to third-party sites to begin with, and I don't click on paid links in search results. (It wasn't clear from the original article that this referred to *ad links on the Google page* and not *links to sites with google ads*.)
Far more worrying is that the redirect always goes through HTTP, giving a chance for MitM attacks to sniff or alter your target traffic -- for instance redirecting you from what you thought was a nice safe
Winded and pointless (Score:2, Insightful)
The gist: Google actively hides referer data when linking from the new SSL site, even if the site that is linked to is also an SSL site, except when the link is an ad.
Well, tough titties. It's Google's site, they can link to you any way they want. If they want to redirect the visitor in a way that hides the query from the linked-to site, that's their prerogative. They could simply make their whole search engine POST the query and you'd never see the search terms, not even with plain HTTP. What are you gonna
Re:Winded and pointless (Score:4, Insightful)
Solutions/workarounds:
a) just don't click on the ads
b) block google ads from their search page.
Should be easy to do a) right?
Re: (Score:2)
Unlike with normal search results there's intentionally no way to find out what URL a Google ad goes to without clicking on it, which means that if the ad is relevant people probably will click it.
Summary (Score:2)
Both TFA itself, and the summary could do with a summary.
Re: (Score:3, Informative)
Summary for the security conscious: since you switched to using https://encrypted.google.com months ago, you're fine, nothing new here. Move along.
Summary for the masses: Google is now using security by default (if you're logged in), but it isn't quite as secure as is possible.
Definitely sucks for search keywords (Score:2, Insightful)
https move in itself is not bad... but the way it is implemented messes up statistics (you know that stuff came from google but no search keywords) and operation of some sites (display a page with the queried keyword to boost relevance). They say it affects less than 1% of the queries only logged on users).. but I think that is a low number.... who is not logged into gmail? maybe not everybody but I suspect figure is higher than 1%
Among others, they could in theory fix that with a redirect to an http site t
Re: (Score:2)
Yawn (Score:5, Insightful)
You know, I'd be a lot more concerned about this kind of thing if we weren't hearing Slashdot stories crying wolf practically every day. I'm just not impressed with people trying to call Google evil anymore; none of these so-called revelations have panned out so far, so how likely is this one to go any differently?
Re: (Score:2)
Regardless of the actual intentions, I do not believe that this appearance is in the best interests of Google in the long run.
Slashdot: Opinions of nerds. Does this matter?
Re: (Score:2)
Yeah, this. Slashdot's "journalism" isn't trustworthy.
Re: (Score:2)
"See no evil, hear no evil, speak no evil."
Re: (Score:3)
FTC Gives Final Approval to Settlement with Google over Buzz Rollout
http://www.ftc.gov/opa/2011/10/buzz.shtm [ftc.gov]
The settlement resolves charges that Google used deceptive tactics and violated its own privacy promises to consumers when it launched its social network, Google Buzz, in 2010. The [FTC] alleged that the practices violate the FTC Act. The settlement bars the company from future privacy misrepresentations, requires it to implement a comprehensive privacy program, and calls for regular, independent privacy audits for the next 20 years.
Google has made numerous mistakes and misteps with regard to "don't be evil"
If you bothered to read the follow up stories, you'd see that the boy is crying wolf because there is a wolf.
Re: (Score:2)
Google may be evil... but it is definitely not black or white... it's blue red yellow and green (well at least its logo is lol)
Re: (Score:1)
a bit confused... (Score:1)
I did RTFA, but I am still at a loss as to how and where the problem lies. I typically don't use the HTTPS portion of the Google searches because I don't really care what they know I am searching for. Other places that are slightly more important, like FaceBook, I do browse using HTTPS.
Re: (Score:2)
How they do it... (Score:2)
window.open("").location.href = "http://www.example.com";
This results in the page opening as if it was a "new page" rather than as if it came from any
The site should get this data (Score:5, Interesting)
If I am paying per click for certain search terms, then this data SHOULD be passed along. The other alternative is to just get a bill from google and trust that it is accurate?
As an advertiser I need this information. First to make sure I get the clicks google is charging for me, and more importantly to determine which words don't have a conversion rate worth paying for.
Re: (Score:2)
Re: (Score:2)
Those that SHOULD be getting the information
Why? Who decided that?
Re: (Score:2)
Re: (Score:2)
The spec only says that if it's a link, which it isn't (it's a Javascript redirect). In fact, Google can't break the SSL spec, since it's the browser, which they don't control, that has to abide by it.
So again, why?
Gripe (Score:3, Interesting)
You know, if people don't like how Google runs their business: 1) Don't use it. 2) Start your own competitor. Google wasn't the first search engine. You can go somewhere else, but don't tell them how they should run their own business. That's nebby.
I hate Referer (Score:5, Interesting)
1) Highlight my search terms in the page. You don't need to highlight every instance of 'of' in the page, and even highlighting the keywords is distracting.
2) Put a big fat "Welcome Google User!" (often with horribly colored letters for Google) that beg you to subscribe to the RSS feed.
I wish there was a chrome extension to hide referrer data just so that I could avoid that.
BTW: If you want an example of useless highlighting, google for VirtualBox and click on the VirtualBox website. I can't believe someone thought that people who can comprehend what VirtualBox is don't know how Ctrl+F works.
Re: (Score:1)
I've grown to really like NoScript for this. VirtualBox was simple when I clicked, and only got distractedly highlighted when I temporarily allowed it to execute scripts. Cheers!
Re: (Score:1)
>> I wish there was a chrome extension to hide referrer data just so that I could avoid that.
You can do it on firefox by setting following key network.http.sendRefererHeader to 0. Not sure if Chrome has something similar, though.
Follow the Money! (Score:2)
Google is no more Evil than any company out there trying to make a buck. Do they care about their users? Sure, but only up to the point where it hurts the bottom line to do so.
This new tactic moves along the same line as their view on SEO. Do they want to make it more difficult to obtain better ranking in their site? Yes, but only to the point where they make it easier to pay to get better position within listings.
Is this new process for handling SSL information biased towards their paying customers? O
Re: (Score:2)
They're using SSL in a standard way. What the article gets confused is the difference between SSL (the protocol used to encrypt connections) and HTTP Referrer header handling (used to pass referrer information to the target site). Note that the two have nothing to do with one another.
The convention has been that when the source page is https: and the target page is http: the Referrer header is suppressed, while if both are https: the Referrer header is passed normally. Google's changed this to a different r
how is this breaking anything? (Score:2)
Google can take my referers and post them on the goo
Re: (Score:2)
When a service is provided for free... (Score:2)
When a service is provided for free, you aren't the customer, you are the product.
Google handed out my referrer data before, to everybody, for free. Now they restrict it to clicks on ads. My overall privacy has increased. I imagine ad buyers would revolt if they didn't get the referrer data they have always gotten from Google. Google, quite properly, doesn't give a flying *bleep!* about webmasters collecting referrer data on clicks they are getting for free.
Actually Google didn't touch your Referrer before (Score:2)
Actual question (Score:2)
Outside of advertisement info, why is this "referrer" data important?
If this is somehow reducing my security, I can see a problem, but if it's just data to help websites know who their customers are, then why should I care?
Google provides a service. They give it free to the customer and if you want your website to have an advantage, then you pay a premium for access to Google's services.
To me this sounds more like a QQ, but I am interested to know if there's something I'm missing as I am not knowledgeable i
Re: (Score:1)
The point is, if you are using SSL, you probably do so because you don't want someone in between to read your search terms. Now the referer contains your search terms (as part of the URL), therefore if the referer is sent to a non-SSL site, your search terms can be read in the clear.
SSL is a red herring here (Score:2)
This isn't Google somehow modifying the way SSL and referrers work in your browser -- after all, in the normal course of things, you browser is in charge of deciding whether to send a Referer header or not.
This is Google using a JavaScript method to intercept and handle clicks on their site. In some cases the JavaScript does a redirect through non-HTTPS Google so that the referer is sent. In other cases it goes directly to the result site, no referer (as expected).
They could (and probably do?) use a similar
Re: (Score:2)
Google has become unreliable (Score:2)
Lately I'm finding Google is getting increasingly unreliable about finding references I want, specifically regarding politics, the economy, and Occupy.
Ask has been filling in the gap quite nicely, but I don't like what seems to be censorship by Google.
In other Google Search news... (Score:2)
I submitted a post that Google has stopped using the + symbol
to denote boolean AND, (ie specifically to require the word in
the results.)
It has been replaced with double quotes.
I for one find it EXTREMELY annoying after a decade and a half
of the 'correct way' to have to completely relearn the new way.
http://slashdot.org/firehose.pl?op=view&id=24913740 [slashdot.org]
-AI
Re: (Score:2)
Oh dear. That explains why I've been failing to get their over-active autocorrect not to "correct" my queries as of late.
Re: (Score:1)
lol dorkus you want to waste your mod points defending whatever passes for "honor" in clan Coward, here is another one for you! Cowards suck, get an account... if you can afford it! lololol