Concerns Over Google Modifying SSL Behavior

timothy posted more than 2 years ago | from the hey-fellas-this-just-looks-bad dept.

Lauren Weinstein writes "Google is handling SSL search queries on https://www.google.com/ in a manner significantly different than the standard, expected SSL end-to-end behavior — specifically relating to referer query data. These changes give the potential appearance of favoring sites that buy ads from Google. Regardless of the actual intentions, I do not believe that this appearance is in the best interests of Google in the long run."

130 comments

First (-1)

Anonymous Coward | more than 2 years ago | (#37832776)

First

First post trolls (-1)

Anonymous Coward | more than 2 years ago | (#37832810)

You are so pathetic.

Re:First post trolls (-1, Troll)

Aighearach (97333) | more than 2 years ago | (#37833006)

Everybody in clan Coward is pathetic, get over yourself.

Re:First (-1)

Anonymous Coward | more than 2 years ago | (#37832814)

nerd

Its in the best interest of users (1, Insightful)

DarkFencer (260473) | more than 2 years ago | (#37832828)

Regardless of what business sense this makes/doesn't make for Google - it is better for the users.

The more traffic is sent via HTTPS, the better. The days of concern over the CPU overhead of HTTPS are long past.

Re:Its in the best interest of users (4, Informative)

Jonner (189691) | more than 2 years ago | (#37832880)

Please read TFA. The question is not over use of SSL, which the author of TFA "applauded."

Re:Its in the best interest of users (-1)

Anonymous Coward | more than 2 years ago | (#37832886)

> Regardless of what business sense this makes/doesn't make for Google - it is better for the users.
>
> The more traffic is sent via HTTPS, the better. The days of concern over the CPU overhead of HTTPS are long past.

Yes, it is better for Google's users because they get to see referer data, probably even when they shouldn't.

Oh...you thought *you* were one of Google's users? Chances are you are product, not a customer or a user.

Re:Its in the best interest of users (4, Insightful)

DarkFencer (260473) | more than 2 years ago | (#37832926)

> Yes, it is better for Google's users because they get to see referer data, probably even when they shouldn't.
>
> Oh...you thought *you* were one of Google's users? Chances are you are product, not a customer or a user.

I know exactly who the 'product' and who the 'consumer' of Google is.

It's irrelevant to this. When traffic is HTTP or HTTPS for Google searches, Google gets that traffic either way. When the traffic is HTTPS though, that means LESS people are getting it (wireless sniffing, routers along the way, etc.) in an unencrypted format. I really could care less what information the sites I go to are missing from the search I entered that brought me to them.

Re:Its in the best interest of users (1)

Yakasha (42321) | more than 2 years ago | (#37833416)

> > Yes, it is better for Google's users because they get to see referer data, probably even when they shouldn't.
> >
> > Oh...you thought *you* were one of Google's users? Chances are you are product, not a customer or a user.
>
> I know exactly who the 'product' and who the 'consumer' of Google is.
>
> It's irrelevant to this. When traffic is HTTP or HTTPS for Google searches, Google gets that traffic either way. When the traffic is HTTPS though, that means LESS people are getting it (wireless sniffing, routers along the way, etc.) in an unencrypted format. I really could care less what information the sites I go to are missing from the search I entered that brought me to them.

Again that goes back to the "read the TFA" comment. The missing information is only part of the problem. The other problem is the presence of search data when clicking through to unencrypted sites, if they are google customers. That means google's SSL service is a lie and your unencrypted searches will be sent to certain customers regardless of using http or https.

So back to your original comment, most geeks would agree I think that more SSL is good. However, SSL that only encrypts your data some of the time (or even most of the time) will lead people to believe they are safe when they aren't. I think that is far worse than people just assuming they are not safe.

Re:Its in the best interest of users (0)

Anonymous Coward | more than 2 years ago | (#37834004)

No, that's just the excuse that gets this "issue" talked about. Google very obviously needs to communicate the source of traffic to ad customers for conversion tracking. Expecting Google not to rat out visitors to ad customers is beyond naive.

The actual reason for the article is that normal sites no longer get referer information, HTTPS or not. Webmasters who have been infected with SEO are kinda whiny that way.

Re:Its in the best interest of users (1)

Yakasha (42321) | more than 2 years ago | (#37835088)

> No, that's just the excuse that gets this "issue" talked about. Google very obviously needs to communicate the source of traffic to ad customers for conversion tracking.

Duh.

> Expecting Google not to rat out visitors to ad customers is beyond naive.

Ok. Not sure the relevance of this comment.

> The actual reason for the article is that normal sites no longer get referer information, HTTPS or not. Webmasters who have been infected with SEO are kinda whiny that way.

Well I'm glad you read the article. However, it is completely irrelevant to this thread as we're discussing the benefit of providing the ssl service in that it increases ssl usage overall. I merely brought up the point that making people think their data is encrypted, when in fact it is not, is more harmful than just making people use an unencrypted service and knowing their data is unencrypted. At least then they won't search for gay bestiality porn if it's illegal in their state.

Re:Its in the best interest of users (1)

iluvcapra (782887) | more than 2 years ago | (#37836188)

> The other problem is the presence of search data when clicking through to unencrypted sites, if they are google customers. That means google's SSL service is a lie and your unencrypted searches will be sent to certain customers regardless of using http or https.

It seems sorta common sense that if you click on a link to a site, that site will know you clicked on it and where you're going. Similarly, if you have a cookie on a site, that site will know when you've been there and will be able to correlate all kinds of things you typed into that site with links, etc.

Google possesses this information, they can sell it. That your request travelled over HTTPS means it's secret between you and google, what either side of the transmission does with the information it obtained is strictly the business of either party.

Anything you can do with a search result from https://google.com/, like for instance, sharing a search result with a friend, google can do with your click stream, like, for instance, sharing it with their friend.

Re:Its in the best interest of users (2)

Raenex (947668) | more than 2 years ago | (#37834516)

> I really could care less

How much less could you care?

Re:Its in the best interest of users (1)

oakgrove (845019) | more than 2 years ago | (#37833628)

> Chances are you are product, not a customer or a user.

The three are not mutually exclusive. Furthermore, Google penalizes advertisers that don't post relevant ads to the searcher by forcing said advertiser to pay more per click. As someone that searches Google and periodically even buys stuff, I'd much rather see an ad that is relevant to my interests. In this way, the ads actually enhance the search experience because it is getting me what I want faster. And if I'm not looking to buy anything, the ads are segregated either off to the side or are in a clearly defined area at the top so I ignore them. Win/win.

Re:Its in the best interest of users (0)

lister king of smeg (2481612) | more than 2 years ago | (#37832888)

i have been using google ssl beta for a little over a year now it works just fine i can't tell a speed difference

Re:Its in the best interest of users (-1)

Anonymous Coward | more than 2 years ago | (#37833042)

My cat's breath smells like cat food.

Oh, I bent my wookie.

Re:Its in the best interest of users (1)

ColdWetDog (752185) | more than 2 years ago | (#37833762)

> i have been using google ssl beta for a little over a year now it works just fine i can't tell a speed difference

You would if you would just switch to a proportional font. Things would flow much faster.

Re:Its in the best interest of users (1, Insightful)

CAIMLAS (41445) | more than 2 years ago | (#37832930)

> The days of concern over the CPU overhead of HTTPS are long past.

Really? Why do you say that? SSL still takes a fair amount of CPU overhead. Compared to an HTTP connection, HTTPS is markedly slower (aggregated over thousands of connections). I've seen a couple sites that use HTTPS exclusively throw up transparent SSL accelerator appliances in front of their servers to allow them to only need a fraction of the number of hosts for actually hosting the data.

Re:Its in the best interest of users (1)

0123456 (636235) | more than 2 years ago | (#37833038)

> I've seen a couple sites that use HTTPS exclusively throw up transparent SSL accelerator appliances in front of their servers to allow them to only need a fraction of the number of hosts for actually hosting the data.

Yet people who've actually measured the overhead say it's more like 2% on a modern CPU. I guess if you're serving one-pixel .gif files to track people with then it would cause a lot of overhead, but if you are then who cares?

Re:Its in the best interest of users (0)

PerfectionLost (1004287) | more than 2 years ago | (#37833186)

If you're running a single server not at capacity, you probably don't care. When you're running a multi-server cluster with fault tolerance at near full capacity, 2% can be the difference of needing an additional server in your cluster. When you're a poorly funded company (ex. Wikipedia) with inadequate resources on a high profile site, you care. When your bandwidth is enough that you are combining images into css sprites, you care.

Re:Its in the best interest of users (0)

Anonymous Coward | more than 2 years ago | (#37833434)

> When your bandwidth is enough that you are combining images into css sprites, you care.

Nobody uses CSS sprites to save bandwidth, it's to cut down on HTTP requests. The difference between 20 SSL connections per visitor and 3 is considerable, I'm sure that was the point you were trying to make. In terms of bandwidth, the 1/3 you save with GZIP is added right back by crypto overhead and that can be an issue for some operators.

Re:Its in the best interest of users (3, Informative)

NevDull (170554) | more than 2 years ago | (#37833626)

First of all, any well-architected clustered app spends more time waiting for I/O at the web tier than it uses CPU, so the 2% "penalty" is on an underutilized resource anyway. Second, terminating SSL at your load balancers is standard practice, be they Amazon ELB SSL termination, F5 BigIPs, or reverse proxies. Again, all otherwise I/O-bound implementations which can spare the CPU.

The fact that SSL obscures the requested URI from intermediaries seems in-line with the goals of Wikipedia for free information sharing -- with SSL operating properly, an intermediary may be able to tell that you were on Wikipedia, but not what you were looking at.

SSL/TLS and/or its successors everywhere is in everyone's interest if maintaining privacy from ubiquitous snooping is a concern.

Re:Its in the best interest of users (1)

PerfectionLost (1004287) | more than 2 years ago | (#37834148)

That is true, I forgot that our load balancers do handle all the SSL. That said, we recently had to upgrade ours so that they could handle 2048bit ssl certificates (I believe) since the higher level of encryption was slowing down the devices (or maybe the web interface--not sure not my department).

Re:Its in the best interest of users (1)

CaptainJeff (731782) | more than 2 years ago | (#37834664)

2% overhead PER SESSION. When you're talking about a server dealing with thousands upon thousands of simultaneous connections, that's a heckuva lot of overhead.

Re:Its in the best interest of users (0)

Anonymous Coward | more than 2 years ago | (#37835056)

That's over 2000% overhead!!!

Re:Its in the best interest of users (1)

kurls (1986658) | more than 2 years ago | (#37835536)

Well, my car would go faster (probably more than 2%) without the brakes and seatbelts, but that doesn't seem like a good idea. The question should be is there a cheaper, easier way to achieve the same security as SSL.

Re:Its in the best interest of users (1)

F.Ultra (1673484) | more than 2 years ago | (#37836306)

Learn math, 2% per session is the same as 2% total.

Re:Its in the best interest of users (0)

Anonymous Coward | more than 2 years ago | (#37837072)

A margin of two percent is very low. If you are worried that your servers can't handle that load then what will happen if the load increases in other ways, like when you have more users than expected?

Re:Its in the best interest of users (5, Insightful)

CAPSLOCK2000 (27149) | more than 2 years ago | (#37832996)

That's not the point at all. Frankly, this has only little to do with SSL.

The point is that if you pay for Google-ads, you will receive the referer-information, regardless of whether your site uses HTTPS or not, even when it breaks security for the user. If you don't pay you won't get the info.

Re:Its in the best interest of users (1)

Manip (656104) | more than 2 years ago | (#37832998)

Please read either the description or the article. You just look foolish.

IE on XP needs an IP per site (1)

tepples (727027) | more than 2 years ago | (#37835208)

> The days of concern over the CPU overhead of HTTPS are long past.

But the days of concern over the IP address overhead of HTTPS are still with us, and they will remain with us until Windows XP and Android 2.x go away. IE on XP and Android Browser on Android 2.x don't support Server Name Indication (SNI). And without SNI, a user agent can see only the first certificate on port 443 of a given IP address, not the certificates for any of the other dozens or hundreds of domains that may be hosted on that server.
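
What a server sees from a client with and without SNI, as an added example that is not part of the original comment: it builds a minimal ClientHello, extracts the `server_name` extension, and picks a certificate the way a name-based virtual host has to. Hostnames, certificate records and the helper names (`buildClientHello`, `extractSni`, `selectCertificate`, `handshakeOutcome`) are constructed for the illustration.

```javascript
// Added illustration: hostnames and certificate records are constructed.

// Build a minimal TLS ClientHello record. serverName === null models a
// pre-SNI client that sends no extensions at all.
function buildClientHello(serverName) {
  const u16 = (n) => Buffer.from([n >> 8, n & 0xff]);
  let extensions = Buffer.alloc(0);
  if (serverName !== null) {
    const host = Buffer.from(serverName, 'ascii');
    const entry = Buffer.concat([Buffer.from([0]), u16(host.length), host]); // name_type 0 = host_name
    const list = Buffer.concat([u16(entry.length), entry]);
    const sni = Buffer.concat([u16(0), u16(list.length), list]); // extension type 0 = server_name
    extensions = Buffer.concat([u16(sni.length), sni]);
  }
  const body = Buffer.concat([
    Buffer.from([0x03, 0x01]),          // client_version (TLS 1.0)
    Buffer.alloc(32),                   // random (zeroed for the example)
    Buffer.from([0]),                   // empty session_id
    u16(2), Buffer.from([0x00, 0x2f]),  // one cipher suite
    Buffer.from([1, 0]),                // one compression method: null
    extensions,
  ]);
  // Handshake header: type 1 (ClientHello) plus a 24-bit length.
  const handshake = Buffer.concat([Buffer.from([0x01, 0x00]), u16(body.length), body]);
  return Buffer.concat([Buffer.from([0x16, 0x03, 0x01]), u16(handshake.length), handshake]);
}

// Return the host name from the server_name extension, or null if the
// client sent none. Throws on a truncated or non-ClientHello record.
function extractSni(record) {
  let p = 0;
  const need = (n) => { if (p + n > record.length) throw new Error('truncated ClientHello'); };
  const u8 = () => { need(1); return record[p++]; };
  const u16 = () => { need(2); const v = record.readUInt16BE(p); p += 2; return v; };
  const skip = (n) => { need(n); p += n; };

  if (u8() !== 0x16) throw new Error('not a TLS handshake record');
  skip(4);                 // record version + record length
  if (u8() !== 0x01) throw new Error('not a ClientHello');
  skip(3 + 2 + 32);        // handshake length, client_version, random
  skip(u8());              // session_id
  skip(u16());             // cipher_suites
  skip(u8());              // compression_methods
  if (p === record.length) return null; // no extensions block: pre-SNI client

  const extLen = u16();
  need(extLen);
  const end = p + extLen;
  while (p + 4 <= end) {
    const type = u16();
    const len = u16();
    need(len);
    if (type !== 0) { p += len; continue; }
    skip(2);               // server_name_list length
    const nameType = u8();
    const nameLen = u16();
    need(nameLen);
    return nameType === 0 ? record.toString('ascii', p, p + nameLen).toLowerCase() : null;
  }
  return null;
}

// Several sites share one IP address and port 443. The first certificate is
// the default, which is all a client without SNI can ever be shown.
const CERTS = [{ subject: 'blog.example' }, { subject: 'shop.example' }];
const VHOSTS = new Map(CERTS.map((c) => [c.subject, c]));

function selectCertificate(record) {
  const name = extractSni(record);
  return name !== null && VHOSTS.has(name) ? VHOSTS.get(name) : CERTS[0];
}

// What the user of `wantedHost` experiences, depending on SNI support.
function handshakeOutcome(wantedHost, clientSupportsSni) {
  const hello = buildClientHello(clientSupportsSni ? wantedHost : null);
  const cert = selectCertificate(hello);
  return { served: cert.subject, nameMatches: cert.subject === wantedHost };
}

console.log('SNI client:   ', handshakeOutcome('shop.example', true));
console.log('legacy client:', handshakeOutcome('shop.example', false));
```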

You're the product, not the customer. (0)

Animats (122034) | more than 2 years ago | (#37832842)

Google is an ad agency. What do you expect? Google has to pass the referrer to their advertisers or monetization won't work properly.

Expecting ad sites to run SSL is unreasonable. That would run up the cost of operating a content farm substantially. Made-for Adsense sites would have to have their own IP addresses; virtual hosting wouldn't work.

Re:You're the product, not the customer. (0)

stanlyb (1839382) | more than 2 years ago | (#37832896)

You may think that killing is reasonable, but the law is pretty explicit about it. DO NOT KILL.

Re:You're the product, not the customer. (1)

Anonymous Coward | more than 2 years ago | (#37833154)

> You may think that killing is reasonable, but the law is pretty explicit about it. DO NOT KILL.

Crap. The law is far far more nuanced than that on the subject of killing.

Re:You're the product, not the customer. (2)

oakgrove (845019) | more than 2 years ago | (#37832928)

> Google is an ad agency. What do you expect?

To put things in perspective, isn't it fair to say that the vast majority of the web is financed through ads? Something as fantastic as Google which basically equates to a modern day Oracle of Delphi has to be financed somehow. Would you prefer they extract .001/$YOUR_LOCAL_CURRENCY from your bank account every time you use it? Or if you don't use Google, how about Slashdot? Or any other ad financed website/service?

Re:You're the product, not the customer. (2, Insightful)

Anonymous Coward | more than 2 years ago | (#37833182)

I would love to pay for Google. I would rather pay, get zero ads (without ad blocking), and BE the customer. Let the company's interest align with pleasing me rather than USING me. Today, there is rarely an option to pay for services directly. So your only choice is often a "free" service where your every movement is harvested for ad dollars.

Re:You're the product, not the customer. (1)

praxis (19962) | more than 2 years ago | (#37833630)

> Would you prefer they extract .001/$YOUR_LOCAL_CURRENCY from your bank account every time you use it?

Yes and no.

The problem with ad-supported the searcher-is-the-product Google is that it is exploitative to those that don't realize the ramifications since it's not in Google's best interest to be completely honest with how they operate and monetize. Those in the know can prevent some of those techniques they understand from harvesting their every bit, but the majority are in the dark. To me, that feels a bit underhanded.

The problem with for-pay the searcher-is-the-customer Google is that any payment scheme that is easy and secure to use today will require tying all those searches to an account, giving Google not only revenue from searchers, but unavoidable information about them too. That's double-dipping, and feels a bit overmuch.

One could I suppose sell anonymous search codes at the local cash shop and have them be good for 100 searches or whatnot. Or some other scheme, but that's not very cheap in a cost per payment method nor is it very convenient.

Re:You're the product, not the customer. (1)

oakgrove (845019) | more than 2 years ago | (#37833728)

> The problem with ad-supported the searcher-is-the-product Google is that it is exploitative to those that don't realize the ramifications since it's not in Google's best interest to be completely honest with how they operate and monetize.

Google spells out very clearly how adwords works. I'd make the argument that in many ways the relevant ads actually enhance the search experience. Often times people use Google for just that, buying stuff. If an ad sucks and misrepresents the product, I might click it but then I'm going to hit faster than you can say it. Google clues into this and charges the advertiser more next time around as the ad is obviously not relevant. The advertiser feels the pain and fixes the ad. Everybody wins. I search for "linux laptop" and see a very relevant ad for system76.com so I win. If I searched for that and saw an ad for dell.com that took me to "We recommend Windows 7" landing page, believe me, Dell will be spending more money on Google in the future.

For the other 90 percent of the time when I'm not wanting to buy anything, I can easily ignore the right hand side of the page and the little bar at the top where the ads are.

Re:You're the product, not the customer. (2)

oakgrove (845019) | more than 2 years ago | (#37833854)

> I search for "linux laptop" and see a very relevant ad for system76.com so I win. If I searched for that and saw an ad for dell.com that took me to "We recommend Windows 7" landing page, believe me, Dell will be spending more money on Google in the future.

Well, damn. I used that purely as an example and just for shits and giggles, I tested it. Sure enough, the Dell ad at the top takes you to a "recommend Windows 7" page and the system76.com ad at the right is actually relevant. Ain't that a bitch. Maybe I'm wasting my talent and should get into advertising!

Re:You're the product, not the customer. (0)

Anonymous Coward | more than 2 years ago | (#37835736)

Your talent of being a fucking troll?

Re:You're the product, not the customer. (1)

praxis (19962) | more than 2 years ago | (#37834428)

What exactly did they share and with whom when I searched for "occupy seattle". And what did they store, and when and with whom did they share that stored data.

If you cannot answer that question in the specific, it's not clear enough. 'We share data with people' is not very clear.

Re:You're the product, not the customer. (1)

oakgrove (845019) | more than 2 years ago | (#37834564)

I just searched for "occupy seattle". There is not a single ad on the page. If you searched for that and saw an ad subsequently clicking on it, the site you clicked on knows you searched for that. It's not really that complicated. As far as I know, if you are using the https google page, none of the organic search results you click on know you found them by typing "occupy seattle" into google. You are up in arms over nothing. Really.

Re:You're the product, not the customer. (0)

Anonymous Coward | more than 2 years ago | (#37834314)

Sorry to tell you, but Google does this already via Local Search History and the Eternal Cookie.

Re:You're the product, not the customer. (0)

Anonymous Coward | more than 2 years ago | (#37833002)

I don't think it's unreasonable.

I think it's about time that Ad providers take security a lot more seriously. Compromised Ad networks are a major (if not the biggest) vector for the spread of malware. They're juicy targets because one ad network will touch many many clients across huge numbers of sites, while banking on the reputation of an otherwise known good website.

If, say, an ad network were hijacked via a DNS exploit, HTTPS might provide extra mechanisms to keep bad actors from posing as an ad network in order to spread their malware. Seriously, it shocks me how many people are not worried about how your average modern web page has your browser load and execute scripts from dozens of different domains. The attack surface on a facebook page is staggering!

I say that sites should demand that advertisers use HTTPS. Advertisers that have bad behavior can have their certificates revoked by cert authorities, providing hard incentive to take security seriously.

Re:You're the product, not the customer. (3, Insightful)

sexconker (1179573) | more than 2 years ago | (#37833270)

This is why you disable third party cookies, and use ad block plus and noscript.

Users have to be proactive about security. Nearly every fucking site out there is actively working against good security practices even when they're not compromised by an attacker. The browsers are all in a race to reach stupid version numbers, pass some arbitrary and ridiculously convoluted css benchmark, and enable javascript bloat by endlessly tweaking the performance of the js engine.

Re:You're the product, not the customer. (2)

tomtomtom (580791) | more than 2 years ago | (#37833796)

Even with ABP and noscript and disabling third-party cookies this behaviour will still bite you. Refcontrol is what you need to stop Google telling the sites you visit what your search terms were.

Re:You're the product, not the customer. (1)

sexconker (1179573) | more than 2 years ago | (#37834310)

Passing on referral information isn't really a security concern (unless some shitty site relies on referral headers for any sort of user action or authentication).
It's a privacy concern.

Important, but nowhere near as important to an end user as stopping every random ad and script from loading and firing.

Bad meme (2, Informative)

Anonymous Coward | more than 2 years ago | (#37833130)

> You're the product, not the customer.

This meme needs to die. It superficially seems to have a message which rings true with slashdotters, but really doesn't deliver.

Just because a company is ad funded, doesn't allow a free-pass to provide crap service, whether that be search, or a social network.
You seem to be forgetting that this isn't television, and power users have unprecedented control over how content is displayed, if at all.

The second mistake you people make, is to think yourself part of some geek elite, where actually every kid or gamer can download the tools to control their web experience.

"You're the product, not the customer." basically says that an ad funded company is expected to act as evilly as possible, just because of the way it's funded. The reality is that sometimes there are conflicts of interest, getting it wrong tends to cause a backlash among more technically minded, and generally loud users. Facebook will tend to get away with more than google in this case, because of the technical experience of their users.

Do your part. Add to the conversation, and don't be a sheep by modding this meme up.

Re:Bad meme (1)

aix tom (902140) | more than 2 years ago | (#37833296)

>"You're the product, not the customer." basically says that an ad funded company is expected to act as evilly as possible, just because of the way it's funded.

Of course Google isn't acting as evil as possible. Google is nice to us. The same way a hunter is nice to the game by not scaring it off by making a ruckus in the woods, or a fisherman will never splash around in the water, and even throw in a couple of nice yummy bait bits before putting the fishing rod in.

Re:Bad meme (2, Funny)

sexconker (1179573) | more than 2 years ago | (#37833484)

Trollpost is trollpost.

A search company that sells ads has a fundamental conflict of interest:

Provide better search results to get more users.
vs.
Inject more ads into search results to get more money, and sell more user information to get more money.

There is no getting around this.
When Google started out, their product was the search results.
When Google got big, they switched to being an ad company.

The only company with more fanboy zealots than Google is Apple. Google will never have to pay the piper after screwing users over because the zealots will blindly defend them, and they'll be louder than any opponents. People who get fed up with Google's shit won't rage about it - they'll quietly stop using Google's services.

Remember Google Buzz? Me either. But apparently some people were mad about it, and there were even the usual bullshit stories about "I got caught cheating on my husband because of Buzz!", just like how there's always a bullshit story of someone getting tracked when a location service is turned on (like the recent "Find my iPhone" shit, or a story of someone getting nerd justice against a laptop thief a week after an Apple iMac conference, etc.).

So what did Google lose? A few people disabled Buzz. Well not really, they hid the Buzz tab. Because the language for the option to truly disable Buzz says it will delete your Google profile. What's that? Does that include your Gmail address? Your calendar? What about your youtube account that they forced you to link? Picasa? Who knows, better not click it, just hide all the Buzz notifications and sharing options.
And now they're killing off Buzz because they have Google Plus. And Google Plus has far more users than Buzz ever did. Nobody got mad enough to stop using Google. Everyone got kind of annoyed and said no to Buzz. Then Plus came out, invite-only as usual, (to create a false sense of scarcity / exclusivity, thus increasing demand) and nobody learned anything.

Re:Bad meme (1)

oakgrove (845019) | more than 2 years ago | (#37834124)

> A search company that sells ads has a fundamental conflict of interest:
>
> Provide better search results to get more users. vs.
>
> Inject more ads into search results to get more money, and sell more user information to get more money.

Google penalizes advertisers with irrelevant ads by charging them more. When someone searches for something they want to buy, clicking on ads is a perfectly natural thing to do. If the ads represent the product well and you end up buying, your needs have been met. That is most certainly not a conflict of interest. If an ad misrepresents a product then if some hapless searcher clicks on it, they are probably going to very quickly hit the back button. Google notes this and charges the advertiser more the next time. The advertiser then wises up and makes a better more contextually relevant ad. This makes sense and everybody wins.

Re:Bad meme (1)

sexconker (1179573) | more than 2 years ago | (#37834260)

Wrong.
Users go to a search engine to find things and expect unaltered results.
No user ever wants to see ads, no matter how well "targeted".

Charging more for misplaced ads simply highlights the conflict of interest - Google recognizes that it's something users don't want, so they balance the other side of the conflict by charging advertisers more and allow the behavior to continue.

Re:Bad meme (2)

oakgrove (845019) | more than 2 years ago | (#37834450)

> Users go to a search engine to find things

You got that much correct. The error in your reasoning is assuming that what you want is what everybody else wants. You may never type in "wholesale flea market merchandise" but, I assure you, many people do. Wading through the organic search listings for a real wholesaler that will actually give you the time of day for an order under 20,000 dollars and who isn't a scam is an exercise in pure frustration. But if a legitimate business can buy a relevant ad and that ad can allow Google to connect that buyer to that business...everybody wins. The buyer can cut to the chase and get the merchandise they want, Google wins because their search engine just got .0000001 percent better based on the quality of that ad and of course the wholesaler wins because they just made a sale.

Google handles ad placement very well. They are shoved off to the side to be ignored when you want or to be clicked on if you choose to do so. No flash, no blink, no marquee or whatever. That's why Google wins and the other search engines that want to be competitive end up looking and working like Google. But I digress.

> Charging more for misplaced ads simply highlights the conflict of interest - Google recognizes that it's something users don't want, so they balance the other side of the conflict by charging advertisers more and allow the behavior to continue.

That is so backwards. If you pollute Google's results with crap, they charge you. They don't have a heuristics engine to tell if your ad sucks or not. They use how fast a user clicks away from it to tell. Then you pay more. Crowd sourcing in action and it works.

Re:Bad meme (1)

sexconker (1179573) | more than 2 years ago | (#37837006)

I think you're misunderstanding the function of advertising.
Advertising is used to promote a product or service that can't promote itself on its own merits.

Every single time, "organic" search results will be better than ads.

If Google cared about search quality, they would ban advertisers who foist such ads onto users. Instead, they just charge them more and let them continue doing it.

Re:Bad meme (2)

gutnor (872759) | more than 2 years ago | (#37833720)

"You're the product, not the customer." basically says that an ad funded company is expected to act as evilly as possible, just because of the way it's funded.

Actually, it means exactly the opposite. Google does everything to provide better product to their client. That means, not annoying people, giving them the ads they are most likely to click on, giving them tons of excellent free tools so that they stay within the Google network and therefore helps Google getting the best value for its ads placements. However, as you said, ...

> The reality is that sometimes there are conflicts of interest

So that is important to remember and why the meme is somewhat useful.

Re:Bad meme (1)

Lincolnshire Poacher (1205798) | more than 2 years ago | (#37834502)

> Just because a company is ad funded, doesn't allow a free-pass to provide
> crap service, whether that be search, or a social network.

Yes it does, if the alternatives are ( 1 ) no service or ( 2 ) a paid-for service.

You and I would likely pay for a search engine tailored to our needs, with Alta Vista-style boolean logic and no ads.

Joe Public won't, so we're landed with the crapfest that is Google and Bing search results.

Joe Public will be content with a craptastic Facebook experience just because it is free.

Joe Public will be happy with Google harvesting his e-mail content because IT IS FREE.

overriding browser how? (3, Interesting)

Hazel Bergeron (2015538) | more than 2 years ago | (#37832872)

Google passes Referer info from https to http how?

Re:overriding browser how? (1)

davidbrit2 (775091) | more than 2 years ago | (#37832902)

I'm wondering exactly the same thing. Isn't this behavior a function of the web browser? How would Google be altering it without some elaborate HTTP redirect tricks?

Re:overriding browser how? (0)

Anonymous Coward | more than 2 years ago | (#37832936)

I suspect it is an elaborate HTTP redirect trick. They're only doing it for advertisers, so the ads probably link to an http Google site, which then further redirects the user to the real site.

Re:overriding browser how? (1)

EvanED (569694) | more than 2 years ago | (#37833362)

Google has been using "elaborate" HTTP redirection tricks for ages.

Re:overriding browser how? (1)

hedwards (940851) | more than 2 years ago | (#37833516)

I'm trying to figure out how this is somehow unexpected. My understanding was that traffic between me and Google was being done via SSL, not traffic from Google to the site.

Ultimately, this is a significant improvement over how it was previously done, but shy of requiring all traffic to be over SSL, I'm not really sure how much better this could be.

Re:overriding browser how? (0)

Anonymous Coward | more than 2 years ago | (#37834424)

Browsers normally don't send the referer if you request an insecure resource from a referral from a secure resource. This is to avoid leaking the pages you visit over SSL in the clear. However, if Google redirects you to an outbound link shim that's served over HTTP and provided with the details of the query, then the referral from that to the target site WILL contain those details.

Winded and pointless (2, Insightful)

Anonymous Coward | more than 2 years ago | (#37832876)

The gist: Google actively hides referer data when linking from the new SSL site, even if the site that is linked to is also an SSL site, except when the link is an ad.

Well, tough titties. It's Google's site, they can link to you any way they want. If they want to redirect the visitor in a way that hides the query from the linked-to site, that's their prerogative. They could simply make their whole search engine POST the query and you'd never see the search terms, not even with plain HTTP. What are you gonna do about it? Oh right, whine on your blog and have Slashdot link to it.

I turn off the referer header in all browsers and proxies I set up. With the exception of a few shady third-rate direct download web sites whose hotlinking protection trips over this, nobody requires it. One information leak less to worry about. Eat shit, SEO scum.

Re:Winded and pointless (3, Insightful)

TheLink (130905) | more than 2 years ago | (#37833010)

I don't see why it's such a big problem.

Solutions/workarounds:
a) just don't click on the ads
b) block google ads from their search page.

Should be easy to do a) right?

Summary (1)

sakdoctor (1087155) | more than 2 years ago | (#37832882)

Both TFA itself, and the summary could do with a summary.

...a manner significantly different than the standard, namely, passing the referer to a non-secure site with Google ads, whilst withholding it from another secure site, going against normal browser behavior.

Re:Summary (3, Informative)

Anonymous Coward | more than 2 years ago | (#37833008)

Summary for the security conscious: since you switched to using https://encrypted.google.com months ago, you're fine, nothing new here. Move along.

Summary for the masses: Google is now using security by default (if you're logged in), but it isn't quite as secure as is possible.

Definitely sucks for search keywords (1, Insightful)

youn (1516637) | more than 2 years ago | (#37832894)

https move in itself is not bad... but the way it is implemented messes up statistics (you know that stuff came from google but no search keywords) and operation of some sites (display a page with the queried keyword to boost relevance). They say it affects less than 1% of the queries (only logged on users).. but I think that is a low number.... who is not logged into gmail? maybe not everybody but I suspect figure is higher than 1%

Among others, they could in theory fix that with a redirect to an http site they own, then redirect to the final site.. I am sure there are other ways if they sit around long enough.

definitely a lot of webmasters pissed, that is sure

Re:Definitely sucks for search keywords (1)

mmcuh (1088773) | more than 2 years ago | (#37833522)

Does this mean that "webmasters" will stop trying to optimise their pages after search word hits? That can't possibly be a bad thing.

Yawn (5, Insightful)

TheEyes (1686556) | more than 2 years ago | (#37832906)

You know, I'd be a lot more concerned about this kind of thing if we weren't hearing Slashdot stories crying wolf practically every day. I'm just not impressed with people trying to call Google evil anymore; none of these so-called revelations have panned out so far, so how likely is this one to go any differently?

Re:Yawn (-1, Troll)

stanlyb (1839382) | more than 2 years ago | (#37832984)

I am not impressed too. There is no need to convince me how evil is Google. Black is Black and White is White. Google is Evil.

Re:Yawn (1)

youn (1516637) | more than 2 years ago | (#37833032)

Google may be evil... but it is definitely not black or white... it's blue red yellow and green (well at least its logo is lol)

Re:Yawn (0)

Anonymous Coward | more than 2 years ago | (#37833504)

No, black is grey, white is grey and google are a for profit company. Good or evil don't come into it.

Re:Yawn (1)

amicusNYCL (1538833) | more than 2 years ago | (#37833526)

Regardless of the actual intentions, I do not believe that this appearance is in the best interests of Google in the long run.

Slashdot: Opinions of nerds. Does this matter?

Re:Yawn (1)

Nimey (114278) | more than 2 years ago | (#37834092)

Yeah, this. Slashdot's "journalism" isn't trustworthy.

Re:Yawn (1)

Raenex (947668) | more than 2 years ago | (#37834250)

"See no evil, hear no evil, speak no evil."

Re:Yawn (0)

Anonymous Coward | more than 2 years ago | (#37835386)

So if somebody is seen murdering somebody, and then he's seen again, and again and again, at some point you STOP believing he's a murderer?

Because that's the analogy of what you just said.

It really made you *stop* believing that you're the product and money is made off of selling your privacy to the highest bidder??

Listen. If they wouldn't do it, they would be replaced in a couple of days in your industrial-feudalism-based economy. Only the biggest dick wins.

Blind ignorance FAIL

Re:Yawn (2)

TubeSteak (669689) | more than 2 years ago | (#37836834)

FTC Gives Final Approval to Settlement with Google over Buzz Rollout
http://www.ftc.gov/opa/2011/10/buzz.shtm [ftc.gov]

The settlement resolves charges that Google used deceptive tactics and violated its own privacy promises to consumers when it launched its social network, Google Buzz, in 2010. The [FTC] alleged that the practices violate the FTC Act. The settlement bars the company from future privacy misrepresentations, requires it to implement a comprehensive privacy program, and calls for regular, independent privacy audits for the next 20 years.

Google has made numerous mistakes and missteps with regard to "don't be evil".
If you bothered to read the follow up stories, you'd see that the boy is crying wolf because there is a wolf.

a bit confused... (1)

CheshireDragon (1183095) | more than 2 years ago | (#37833034)

I have not reached the security/SSL stuff in my IT course yet so could someone explain this a bit?
I did RTFA, but I am still at a loss as to how and where the problem lies. I typically don't use the HTTPS portion of the Google searches because I don't really care what they know I am searching for. Other places that are slightly more important, like Facebook, I do browse using HTTPS.

Re:a bit confused... (0)

Anonymous Coward | more than 2 years ago | (#37834836)

The overall idea here has almost NOTHING to do with SSL.

When you are served a webpage, and you click on a link on that page, most browsers by default include a "Referrer" tag to let the site you're going to know where you came from. This is not the case with SSL enabled sites, browser behavior by default does not include a referrer field if you click on an unencrypted link on an encrypted page, (to prevent the store advertising on your bank's website know what exact page on their site you came from for example).

The point behind this is that Google appears to be circumventing that default behavior, and sending referrer information from both HTTP:// and HTTPS:// search pages to ad-sense buyers, but only sending HTTP:// referrer information to non-buyers.

IMHO: it's a value added service. I see no problem with this whatsoever. All google is doing is setting a global non encrypted cookie for non-secure sites to read when you're searching using the encrypted search engine. Personally, I'm in favor of the referrer field in any case! (I enjoy seeing people end up on a computer parts website having come from youporn. :P)

Re:a bit confused... (1)

Galestar (1473827) | more than 2 years ago | (#37835122)

Yes but they are also NOT sending the referrer information when you click on a link that is secure.

How they do it... (1)

Manip (656104) | more than 2 years ago | (#37833088)

If anyone was wondering how they do it, they're using JavaScript when you click a link instead of allowing the browser to open the link "normally." e.g.

window.open("").location.href = "http://www.example.com";

This results in the page opening as if it was a "new page" rather than as if it came from any

So? (0)

Anonymous Coward | more than 2 years ago | (#37833102)

And who the hell is Lauren Weinstein and why the hell would anyone give a shit what he thinks about Google in the long run?

The site should get this data (4, Interesting)

dracocat (554744) | more than 2 years ago | (#37833128)

If I am paying per click for certain search terms, then this data SHOULD be passed along. The other alternative is to just get a bill from google and trust that it is accurate?

As an advertiser I need this information. First to make sure I get the clicks google is charging for me, and more importantly to determine which words don't have a conversion rate worth paying for.

Re:The site should get this data (0)

Anonymous Coward | more than 2 years ago | (#37834422)

Mod up parent, this makes complete sense...

Re:The site should get this data (0)

Anonymous Coward | more than 2 years ago | (#37837102)

No, it doesn't. He is only seeing half the picture

Re:The site should get this data (1)

Galestar (1473827) | more than 2 years ago | (#37835154)

Yes but they are also NOT sending the referrer information when you click on a link that is secure. Those that SHOULD be getting the information, but since they didn't pay Google for it, Google doesn't send it to them.

Re:The site should get this data (1)

icebraining (1313345) | more than 2 years ago | (#37835580)

Those that SHOULD be getting the information

Why? Who decided that?

Gripe (2, Interesting)

Nom du Keyboard (633989) | more than 2 years ago | (#37833276)

This just sounds like an individual gripe that somehow got accepted here at /. You don't like it, Google does, move along there's nothing more to see.

You know, if people don't like how Google runs their business: 1) Don't use it. 2) Start your own competitor. Google wasn't the first search engine. You can go somewhere else, but don't tell them how they should run their own business. That's nebby.

I hate Referer (5, Interesting)

andymadigan (792996) | more than 2 years ago | (#37833346)

I hate referer information when I come from google, mostly because of sites that either:

1) Highlight my search terms in the page. You don't need to highlight every instance of 'of' in the page, and even highlighting the keywords is distracting.

2) Put a big fat "Welcome Google User!" (often with horribly colored letters for Google) that beg you to subscribe to the RSS feed.

I wish there was a chrome extension to hide referrer data just so that I could avoid that.

BTW: If you want an example of useless highlighting, google for VirtualBox and click on the VirtualBox website. I can't believe someone thought that people who can comprehend what VirtualBox is don't know how Ctrl+F works.

Re:I hate Referer (0)

Anonymous Coward | more than 2 years ago | (#37834170)

I wish there was a chrome extension to hide referrer data just so that I could avoid that.

Something like, say, this [google.com] ?

Re:I hate Referer (0)

Anonymous Coward | more than 2 years ago | (#37834984)

There will be people that take advantage of key functionality, just as there are people that use it to make information more accessible.

If you don't like the sites that do stupid things like that, google also recently added the "Block all [address-you-just-bounced-from] results" links to sites.. when you bounce off the pages. feel free to sign in and block sites that do stupid things like that, and you'll quickly stop looking at sites that do it!

Follow the Money! (1)

mrnick (108356) | more than 2 years ago | (#37833454)

Google is no more Evil than any company out there trying to make a buck. Do they care about their users? Sure, but only up to the point where it hurts the bottom line to do so.

This new tactic moves along the same line as their view on SEO. Do they want to make it more difficult to obtain better ranking in their site? Yes, but only to the point where they make it easier to pay to get better position within listings.

Is this new process for handling SSL information biased towards their paying customers? Obviously, they are looking to differentiate their free and paid service. If this were to move into larger deployment, say all users (logged in or not), they would be able to offer, as a premium, to their paying customers referer data exclusively.

Follow the money! Does the fact that Google is out there to make a buck surprise anyone? I understand that's their goal and I don't consider them to be Evil because of it.

With that said it seems clear that they are not using standard SSL and therefore they should not be able to advertise that their site uses SSL or HTTPS, IMHO.

Re:Follow the Money! (1)

Todd Knarr (15451) | more than 2 years ago | (#37833928)

They're using SSL in a standard way. What the article gets confused is the difference between SSL (the protocol used to encrypt connections) and HTTP Referrer header handling (used to pass referrer information to the target site). Note that the two have nothing to do with one another.

The convention has been that when the source page is https: and the target page is http: the Referrer header is suppressed, while if both are https: the Referrer header is passed normally. Google's changed this to a different rule: if it's an organic search link the Referrer header is suppressed always, if it's a paid placement link the Referrer header is sent always. That's a change from conventional HTTP Referrer behavior, but not a change in SSL at all.

And I'd note that it also has nothing to do with paying for position within the organic listings. You can't pay for placement there. All you can buy is advertising space separate from the organic listings.

how is this breaking anything? (1)

shadowrat (1069614) | more than 2 years ago | (#37833480)

TFA implies that google is somehow causing my browser to send unencrypted data? I'm not an ssl expert, but i thought the expectation set by ssl is that communication between my browser and google would be encrypted. What google chooses to do with the data i sent them (my request headers, form inputs, etc) has nothing to do with ssl. As far as i know there is no SSL standard that says all data posted over ssl must only be transmitted via ssl from then on.

Google can take my referers and post them on the good year blimp at the superbowl. How is that significantly different from expected end to end behavior?

When a service is provided for free... (1)

sirwired (27582) | more than 2 years ago | (#37833860)

When a service is provided for free, you aren't the customer, you are the product.

Google handed out my referrer data before, to everybody, for free. Now they restrict it to clicks on ads. My overall privacy has increased. I imagine ad buyers would revolt if they didn't get the referrer data they have always gotten from Google. Google, quite properly, doesn't give a flying *bleep!* about webmasters collecting referrer data on clicks they are getting for free.

Actually Google didn't touch your Referrer before (1)

realxmp (518717) | more than 2 years ago | (#37835988)

Referrer information is typically a function of the browser and is passed in your HTTP headers you're sending to the site you're going to. Normally referrer information doesn't persist when you click a HTTP link from a HTTPS page but does when you click a HTTPS link from a HTTPS page. According to the article what Google are doing here is ACTIVELY interfering with the normal functioning of this information. Adding javascript tricks to prevent it being passed to HTTPS pages when it's not a paid link and using similar tricks to ensure advertisers do get that information, regardless of HTTP(S) status. If google didn't give a beep about web masters collecting referrer data on non-paid links, they wouldn't be using the javascript tricks.

Actual question (1)

Bengie (1121981) | more than 2 years ago | (#37834258)

Outside of advertisement info, why is this "referrer" data important?

If this is somehow reducing my security, I can see a problem, but if it's just data to help websites know who their customers are, then why should I care?

Google provides a service. They give it free to the customer and if you want your website to have an advantage, then you pay a premium for access to Google's services.

To me this sounds more like a QQ, but I am interested to know if there's something I'm missing as I am not knowledgeable in this area.

Re:Actual question (1)

maxwell demon (590494) | more than 2 years ago | (#37835686)

The point is, if you are using SSL, you probably do so because you don't want someone in between to read your search terms. Now the referer contains your search terms (as part of the URL), therefore if the referer is sent to a non-SSL site, your search terms can be read in the clear.

SSL is a red herring here (1)

psydeshow (154300) | more than 2 years ago | (#37834716)

This isn't Google somehow modifying the way SSL and referrers work in your browser -- after all, in the normal course of things, your browser is in charge of deciding whether to send a Referer header or not.

This is Google using a JavaScript method to intercept and handle clicks on their site. In some cases the JavaScript does a redirect through non-HTTPS Google so that the referer is sent. In other cases it goes directly to the result site, no referer (as expected).

They could (and probably do?) use a similar trick for non-HTTPS search users.
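
The Referer behaviour discussed in the comments above (the browser's HTTPS-to-HTTP suppression rule and the HTTP redirect shim), as an added example that is not part of any poster's comment and not Google's code. The hosts, paths and the "q"/"dest" parameter names are constructed, and the shim is assumed to navigate onward from its own page so that it becomes the referring document.

```javascript
// Added example: models the conventional browser Referer rule described in
// the thread (suppress on HTTPS -> HTTP, send otherwise). All URLs and the
// "q"/"dest" parameter names are constructed, not Google's real ones.

// Referer a browser following the conventional rule sends when the document
// at fromUrl navigates to toUrl; null means the header is omitted.
function refererFor(fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  // Downgrade from a secure page to a non-secure target: header suppressed.
  if (from.protocol === 'https:' && to.protocol !== 'https:') return null;
  // Otherwise the referring URL is sent, minus fragment and credentials.
  from.hash = '';
  from.username = '';
  from.password = '';
  return from.href;
}

// Each URL in the chain is a document that navigates to the next one.
// Assumption: an intermediate shim navigates onward from its own page
// (script-driven), so it becomes the referring document for the next hop.
function traceChain(urls) {
  const hops = [];
  for (let i = 1; i < urls.length; i++) {
    hops.push({ to: urls[i], referer: refererFor(urls[i - 1], urls[i]) });
  }
  return hops;
}

// Hops whose request crosses the network unencrypted while carrying the
// search term, either in the request URL or in the Referer header.
function cleartextExposure(hops, term) {
  return hops
    .filter((h) => new URL(h.to).protocol === 'http:')
    .filter((h) => h.to.includes(term) || (h.referer || '').includes(term))
    .map((h) => h.to);
}

// Constructed sample navigation chains.
const SEARCH = 'https://search.example/search?q=widgets';
const SHIM =
  'http://search.example/out?q=widgets&dest=http%3A%2F%2Fshop.example%2F';
const CASES = {
  directToHttp: [SEARCH, 'http://shop.example/'],
  directToHttps: [SEARCH, 'https://shop.example/'],
  viaHttpShim: [SEARCH, SHIM, 'http://shop.example/'],
};

// For each case: what the destination sees, and which hops leak the term
// to anyone watching the wire.
function report(term) {
  const out = {};
  for (const [name, chain] of Object.entries(CASES)) {
    const hops = traceChain(chain);
    out[name] = {
      refererAtDestination: hops[hops.length - 1].referer,
      cleartextHops: cleartextExposure(hops, term),
    };
  }
  return out;
}

console.log(JSON.stringify(report('widgets'), null, 2));
```

In the shim case the search term is exposed twice in cleartext: once in the shim's own request URL and once in the Referer delivered to the destination, which is the concern raised in the "Actual question" sub-thread.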

Google has become unreliable (1)

msobkow (48369) | more than 2 years ago | (#37835814)

Lately I'm finding Google is getting increasingly unreliable about finding references I want, specifically regarding politics, the economy, and Occupy.

Ask has been filling in the gap quite nicely, but I don't like what seems to be censorship by Google.
