Hacker Newsnew | past | comments | ask | show | jobs | submitlogin
Mozilla Firefox: Rolling Out HTTPS Google search (blog.mozilla.org)
58 points by cpeterso on May 9, 2012 | hide | past | favorite | 31 comments


No REFERER header anymore, bye bye search keywords data, now only in Google Webmaster Tools...

Edit -- From the article: "Additionally, using HTTPS helps providers like Google remove information from the referrer string."


That's half the point - users don't want to be tracked.


Especially the one's that use Goog for web search! ;-P


Maybe I'm missing something, but doesn't Google redirect through an interstitial page that's always over HTTP, so you do get a referrer that says the traffic came from them?


Yes, they do. But they are cutting out the keyword intentionally. There is no technical need to hide the keyword from website owners.

Remarkable coincidence 1: There still is a keyword in the referrer for AdWords customers.

Remarkable coincidence 2: There is a new _charged_ product called "Google Analytics Premium" that promises "more data, features and dedicated support". Shame upon him who thinks evil upon it.


Ah, I thought they made that change for everyone a few months ago. Didn't realize it was only for https clicks.


Hmmm, I installed the Undirect Chrome extension because I got tired of the delay this causes ( https://chrome.google.com/webstore/detail/dohbiijnjeiejifbgf... ); I guess I have to choose between Google knowing which search result I clicked or the webmaster having the keyword in the referrer!


Or just make your site HTTPS only and the referer header is passed.


You get a referrer, but it won't contain the search keywords.


A nice side effect of using HTTPS is that Firefox 13+ will be able to use SPDY for Google searches.


So the question I have is how big of an impact is this going to have to online marketers? (Especially if Chrome/IE follow suit)


They are unhappy because websites won't see HTTP Referer headers and will have to rely on Google's webmaster services to get referral stats:

https://bugzilla.mozilla.org/show_bug.cgi?id=633773#c43


Will they not see the referer header if their own sites (as indexed by Google) are https?

If they don't switch, puts some sort of upper bound on how much they value the referer data.

(User agents aren't supposed to send referer http->https but scratch above if practice is for them not to send https->https across domains as well.)


I don't know about the spec, but in practice, you never get the referer data even when traffic flows from HTTPS to HTTPS.


This is actually up to the client. In Firefox about:config, network.http.sendSecureXSiteReferrer is set to true by default, so it does send it, but you can turn it off.


Google decides what the referrer is since it redirects first to a url it controls (downgrading to http if necessary).


In practice, this is not true. As for spec [0]:

   Clients SHOULD NOT include a Referer header field in a (non-secure)
   HTTP request if the referring page was transferred with a secure
   protocol.
[0] http://tools.ietf.org/html/rfc2616#section-15.1.3


Unless I'm missing something, that section only addresses HTTPS -> HTTP referrals, not HTTPS -> HTTPS.


I don't know of such a section, there is simply a section on Referer[sic] request-headers [0], at large. HTTP -> HTTP and HTTPS -> HTTPS are implied, if the only stated consideration is HTTPS -> HTTP referrals. HTTPS -> HTTPS Referer works on Google Search, which is usually of the most concern.

[0] http://tools.ietf.org/html/rfc2616#section-14.36


Right. The article says this: "Additionally, using HTTPS helps providers like Google remove information from the referrer string."


Yes, just checked, they strip the keywords from the referrer when using https.


If you want this today, you can go to http://opensearch.webos-internals.org/gtp.html using either Chrome or Firefox and make that the default search engine.

As a side benefit, the config also turns SafeSearch and personalization off.


This has nothing to do with security. Removing the referrer information puts Google in the position to use (sell?) this information exclusively.

While Google is collecting more and more data about users Mozilla calls it an "improvement" to keep away referrer information from website owners. This is ridiculous.

So Mozilla get's its money from Google and in return they do what Google tells them.


I see your point, but Mozilla is in an impossible position.

Encrypting people's search is a good idea. Mozilla should do this, and as others in this thread have pointed out, they could be chastised for not having done it.

The fault is Google's who tamper with the referrer data intentionally to obscure the keyword data. They do this for the users 'privacy', but then you can still get the data if you're a paying Adwords customer. I have trouble reconciling 'privacy' and 'you can buy it'.


> I have trouble reconciling 'privacy' and 'you can buy it'.

I'm not sure, but I would assume that the idea is that data from Adwords, etc. is more anonymised. You can't build a system that tracks peoples searches across visits (using cookies).


You can do this with chrome by adding a search engine (and making it default):

https://www.google.com/search?%7Bgoogle:RLZ%7D%7Bgoogle:acce...


Why was this not done when Google started supporting https?

It seems almost negligent to have not done it sooner.


Because you have to make sure that Google's https infrastructure can handle the load of 400 million Firefox users?


It could already provably handle the load of millions of Chrome users (cf. SPDY: https).

And it's not like it's totally separate from their normal http infrastructure, which could also already provably handle the load of billions of searches.


Mozilla has a contract with Google for this, remember? Google has to ack it for this to happen.


If there's any negligence I don't see how it goes to the browser vendors and not the website.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: