

Mozilla Firefox: Rolling Out HTTPS Google search - cpeterso
https://blog.mozilla.org/privacy/2012/05/07/rolling-out-https-google-search/

======
yaix
No REFERER header anymore, bye bye search keywords data, now only in Google
Webmaster Tools...

Edit -- From the article: "Additionally, using HTTPS helps providers like
Google remove information from the referrer string."

~~~
mkjones
Maybe I'm missing something, but doesn't Google redirect through an
interstitial page that's always over HTTP, so you do get a referrer that says
the traffic came from them?

~~~
germane
Yes, they do. But they are cutting out the keyword intentionally. There is no
technical need to hide the keyword from website owners.

Remarkable coincidence 1: There still is a keyword in the referrer for AdWords
customers.

Remarkable coincidence 2: There is a new _charged_ product called "Google
Analytics Premium" that promises "more data, features and dedicated support".
Shame upon him who thinks evil upon it.

~~~
mkjones
Ah, I thought they made that change for everyone a few months ago. Didn't
realize it was only for https clicks.

------
cpeterso
A nice side effect of using HTTPS is that Firefox 13+ will be able to use SPDY
for Google searches.

------
janesvilleseo
So the question I have is how big of an impact is this going to have to online
marketers? (Especially if Chrome/IE follow suit)

~~~
cpeterso
They are unhappy because websites won't see HTTP Referer headers and will have
to rely on Google's webmaster services to get referral stats:

<https://bugzilla.mozilla.org/show_bug.cgi?id=633773#c43>

~~~
mlinksva
Will they not see the referer header if their own sites (as indexed by Google)
are https?

If they don't switch, puts some sort of upper bound on how much they value the
referer data.

(User agents aren't supposed to send referer http->https but scratch above if
practice is for them not to send https->https across domains as well.)

~~~
ComputerGuru
I don't know about the spec, but in practice, you never get the referer data
even when traffic flows from HTTPS to HTTPS.

~~~
fl3tch
This is actually up to the client. In Firefox about:config,
network.http.sendSecureXSiteReferrer is set to true by default, so it does
send it, but you can turn it off.

~~~
tonfa
Google decides what the referrer is since it redirects first to a url it
controls (downgrading to http if necessary).

------
newman314
If you want this today, you can go to
<http://opensearch.webos-internals.org/gtp.html> using either Chrome or Firefox
and make that the default search engine.

As a side benefit, the config also turns SafeSearch and personalization off.

------
germane
This has nothing to do with security. Removing the referrer information puts
Google in the position to use (sell?) this information exclusively.

While Google is collecting more and more data about users Mozilla calls it an
"improvement" to keep away referrer information from website owners. This is
ridiculous.

So Mozilla gets its money from Google and in return they do what Google tells
them.

~~~
TomAnthony
I see your point, but Mozilla is in an impossible position.

Encrypting people's search is a good idea. Mozilla should do this, and as
others in this thread have pointed out, they could be chastised for not having
done it.

The fault is Google's who tamper with the referrer data intentionally to
obscure the keyword data. They do this for the users 'privacy', but then you
can still get the data if you're a paying Adwords customer. I have trouble
reconciling 'privacy' and 'you can buy it'.

~~~
driax
> I have trouble reconciling 'privacy' and 'you can buy it'.

I'm not sure, but I would assume that the idea is that data from Adwords, etc.
is more anonymised. You can't build a system that tracks people's searches
across visits (using cookies).

------
rwar
You can do this with Chrome by adding a search engine (and making it default):

[https://www.google.com/search?%7Bgoogle:RLZ%7D%7Bgoogle:acce...](https://www.google.com/search?%7Bgoogle:RLZ%7D%7Bgoogle:acceptedSuggestion%7D%7Bgoogle:originalQueryForSuggestion%7Dsourceid=chrome&ie=%7BinputEncoding%7D&q=%s&num=100)

------
DHowett
Why was this not done when Google started supporting https?

It seems almost negligent to have not done it sooner.

~~~
khuey
Because you have to make sure that Google's https infrastructure can handle
the load of 400 million Firefox users?

~~~
DHowett
It could already provably handle the load of millions of Chrome users (cf.
SPDY: https).

And it's not like it's totally separate from their normal http infrastructure,
which could also already provably handle the load of billions of searches.

