Google Switching to SSL By Default For Logged-In Users

nonprofiteer writes "Google plans to encrypt search for signed-in users, so that websites will no longer get to see the search terms that led a user to their site, though they will get aggregated reports on the top 1000 search terms that led traffic to their sites."

the top 1000 search terms

[treeves]

That should be good enough, right?
Is this a good for Google, doing the right thing story, or is there more to it than meets the eye?

Re:

[ackthpt]

That should be good enough, right?
Is this a good for Google, doing the right thing story, or is there more to it than meets the eye?

Good or bad, doesn't matter. Microsoft will try to roll out the same thing in about 18 months to much ballyhoo and fanfare.

Re:the top 1000 search terms

[TechLA]

Google isn't doing it offer better privacy. It's doing it cause trouble for competing services. It basically requires all website owners to sign up with Google to access Analytics and Webmaster Tools. It's purely an anti-competitive thing and intented to destroy their compteitors. I'd be surprised if FCC doesn't start to crack on Google's monopoly tactics soon. Google is the new Microsoft.

Re:

[Threni]

In which field is Google a monopoly?

Pretty much all actions performed by a company are designed to destroy their competitors. That's the nature of the game.

Re:

[modmans2ndcoming]

Right.....so to protect the market and consumers the ftc needs to force Google to open up its database of user information to the public and prevent users from having encrypted connections to the Google servers.......you show 'em!

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[epine]

Google is the new Microsoft.

Every public company is required by law to become the next Microsoft if the business opportunity presents itself in order to provide maximum return to shareholders.

But then, you can take it to a whole new level by submitting falsified video tapes to the DOJ.

The government produced its own videotape of the same process, revealing that Microsoft's videotape had conveniently removed a long and complex part of the procedure and that the Netscape icon was not placed on the desktop, re

Re:

[Confusador]

Every public company is required by law to follow their Articles of Incorporation

You can set up a corporation with whatever goals you want, maximizing shareholder profit doesn't have to even be on the list. For most corporations it is, de facto, but don't make the mistake of thinking that it has to be.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[rufty_tufty]

"Every public company is required by law to become the next Microsoft if the business opportunity presents itself in order to provide maximum return to shareholders."
Show me the law.
I know there are laws that say they are required to follow the votes of your shareholders and hold AGMs and suchlike but show me where it says companies must maximise profits/share price at the expense of everything else.

Re:

[dririan]

I'd be surprised if FCC doesn't start to crack on Google's monopoly tactics soon.

I'd be surprised if the FCC considered using HTTPS a monopolistic practice. I'd be even more surprised if the FCC told Google "Encryption is good for security, but you can't use it, because it stops Referrer headers from being sent. Your users will just have to go without crypto."

Re:

[cdrudge]

It basically requires all website owners to sign up with Google to access Analytics and Webmaster Tools.

If they don't already have an analytics package, or a Google account to access the webmaster tools for their search engine, the site maintainer either doesn't care about their site's SE performance, or is a complete idiot, or both.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Shihar]

If using encryption is a monopoly tactic, I'll take more monopolies plz. We should "monopoly" the entire web.

Re:

[hawguy]

That should be good enough, right?
Is this a good for Google, doing the right thing story, or is there more to it than meets the eye?

It's better than nothing, which is all that Google is obligated to give them.

Re:

[X0563511]

I think it's more good for everyone. it's not like you couldn't search via SSL before [google.com].

Re:

[daath93]

They are doing it so sites can't get the information without using their service, "Google Insights for Search".

Re:

[Omestes]

Sure, its bad for sites and webmasters... But its good for me, so I don't care. As a normal person, how is this bad for me? Where is my downside? I don't give a rat's ass if someone gets one less bit of information off of me.

So, Google is helping their bottom line, and their helping me with privacy. Sounds like the definition of "win-win" to me.

Also, you realize you could already use Google as an encrypted service, right? This just makes it the default. Should we ban the use of secure connections now

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Omestes]

Is it? Almost everyone I know searches while logged in, at least on PCs.

Re:

[skids]

Well, really, using HTTPS and providing the linked site with a referer URL are two different things entirely, the OP makes them sound like the former necessitates the latter. The latter has more downside than the former, but both are defensible privacy measures.

Re:

[physburn]

That really a lot of internet marketers and SEO specialists having to change there jobs completely. Marketers will no longer to owning the top buzzwords, and people creating for hobbies, work or leisure will get nearer the top of the pile. Should be good for readers, and might lead to more advertising spending and link gaming. So sound good to me.

Re:

[physburn]

Correction, that should read, and might lead to more advertising spending less spent on changing content to get the ranking.

Refreshing

[Anonymous Coward]

This will break those sites that automatically generate content based on your search query.

Re:

[Moheeheeko]

Its always fun to mess with those sites just a bit. "find 'weapons grade uranium' for sale here!"

Re:

[The Archon V2.0]

Its always fun to mess with those sites just a bit. "find 'weapons grade uranium' for sale here!"

I recall one fake wiki that was supposedly a fix-your-computer site but every "wiki" page was a template using search terms to personalize the page, and they all suggested running the same EXE. Could make for some amusing pages by feeding it really disturbing strings for errors. Was loads of laughs for about 2 minutes.

Re:

[Anonymous Coward]

I've always wondered this: how did those sites GET my search terms?

Well, I stopped using google some time ago, but back when I was, how did they get it? I enter some terms to google.com - how does sleazywebsite.com even know that I did a search? Google knows obviously and returns the sites from its map of keywords to domains. But presumably it doesn't notify every site on the internet that matches my search that I just did one, and I've seen this happen for search terms that I'm pretty sure are unique,

Re:Refreshing

[Qwell]

referer

Re:Refreshing

[kabloom]

And I should point out (since the GP doesn't know about referers, he probably needs more than a one word answer) that the Referer is a field in your HTTP request that's automatically sent by your browser telling it the address of the website that you came from. Since Google (and other search engines) put the query string in the URL of the search results page (like they should), the website can read the results out of the URL and know what your search terms were.

Google didn't invent this as a way to invade your privacy -- it's been a feature of the web since the early days.

Re:Refreshing

[williamhb]

And I should point out (since the GP doesn't know about referers, he probably needs more than a one word answer) that the Referer is a field in your HTTP request that's automatically sent by your browser telling it the address of the website that you came from. Since Google (and other search engines) put the query string in the URL of the search results page (like they should), the website can read the results out of the URL and know what your search terms were.

Google didn't invent this as a way to invade your privacy -- it's been a feature of the web since the early days.

It's also what was behind the "Bing copies Google" ridiculousness some time ago. For Bing toolbar users, the HTTP request when you visit any site is also sent to Microsoft (if you have "suggested sites" turned on), so they get the traffic stats. Bing also used the Referer that brought a user to a page as one of its minor indexing terms. By clicking a link on a page, the user has indicated they think the link is relevant to what they are looking for -- so the Referer, and especially any query contained within it, is pretty good information. And it's the user's information -- the user both typed the search query, and chose to click the link. Google's experiment spammed the signal by ordering employees to visit a page for a made-up search query (non-existent words) so that those paid click-throughs would be the only information Bing could receive for those made-up words. The words didn't exist, so Bing couldn't index them off the web -- so it doesn't matter what algorithms Bing uses, that forced the paid click-throughs to be the only results because there was no other source of data in the world for those words. Google then spun it that it was Google's information that Bing was using (Google own their generated results page, most of which was not clicked on and did not appear in Bing) rather than the human user's information (what sites the user chooses to visit). The difference being that if it's the human user's information (if your clicks belong to you not Google), then the human user within his rights to give that information to whomever he likes, including Microsoft, and Microsoft are within their rights to use it as an index signal, albeit according to them it was a very minor one.

There is a current relevance to this history. That Referer information from the user's browser is valuable data. By making this change, Google is ensuring that they get this valuable data and other's don't. They get to see the full details of both where you came from and where you went; others only get the full details of where you went, and no longer get full details on where you came from. That's a straightforward business advantage. They can then sell more detailed stats to companies (in a freemium model), sell tools that let you access the Referer information that users used to give you for free, etc. While there's a privacy angle to this story (your data is now sent to fewer places), there's also money in this decision.

Re:

[antdude]

And that can be blocked/disabled in clients like web browsers. However, some sites require them. I always block my referrers that get sent if possible.

Re:

[Yaur]

what you see is not what google bot sees. They generate a page with a bunch of phrases for the crawlers (through UA sniffing and/or IP address) and another for normal users.

Re:

[D'Sphitz]

when you click a link the referring url is sent in a header. with google and most other search engines your query is in that url.

Re:

[TheInternetGuy]

They don't even need to look in the referer, the search terms are encoded in the outgoing URL from google.

Look here, I did a search for slashdot anonymous coward on google.

The outgoing URL of the first result looks like this (notice the 'q=slashdot+anonymous+coward'):

http://www.google.com/#sclient=psy-ab&hl=en&source=hp&q=slashdot+anonymous+coward&pbx=1&oq=slashdot+ano&aq=1&aqi=g3g-v1&aql=1&gs_sm=e&gs_upl=0l0l2l80l0l0l0l0l0l0l0l0ll0l0&bav=on.2,or.r_gc.r_pw.r_cp.,c [google.com]

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[dead_user]

Yay!

Re:

[blair1q]

Since the link you follow is a result of the search, it's got the content baked-in.

Those sites that were spying on search results to decide what to do were trying to be too smart.

Hopefully what this really fixes is the massive disconnect between prices reported by Google Shopping and the price shown on the click-through, which happens so often that it must be the result of futzing with what Google sees and what the user sees for the same search term.

Re:

[MobyDisk]

I would love to find a site that does that and change my user-agent string to Googlebot. Would they actually let me check-out at the lower price?

Re:

[Pseudonym Authority]

Any sites doing such shady, and illegal, bait-and-switch tactics probably aren't ones that you really want to be buying from.

Re:

[MobyDisk]

true!

Some deal

[Hatta]

So I have to sign up with google and let them track me, or they'll divulge my searches to websites who will track me?

Re:Some deal

[Hatta]

Never mind, I should RTFA. For the rest of us who didn't: encrypted.google.com [google.com].

Re:

[Anonymous Coward]

It's not Google divulging your searches to websites, it's you. Well, it's your web browser to be more precise, see http://en.wikipedia.org/wiki/HTTP_referrer especially the section on Referrer hiding.

Re:

[blair1q]

Google tracks you plenty without you signing in.

Re:Some deal

[scdeimos]

You are the product.

Re:

[scdeimos]

Google doesn't need to sell your information to make you the product.

Google is paid money to put advertising in front of you. By tracking you and your browsing habits they are able to build a better profile on you and are able to put targeted advertising in front of you based on your interests. They are able to charge a premium for that targeted advertising because other people selling products feel they are getting better bang for their buck (as opposed to blanket advertising on television, or spam/UCE) du

Re:Some deal

[swillden]

They are able to charge a premium for that targeted advertising because other people selling products feel they are getting better bang for their buck (as opposed to blanket advertising on television, or spam/UCE) due to the higher conversion rates.

It's actually more direct than that.

The vast majority of Google's advertising revenue comes from pay-per-click advertising, and the ad that is shown is selected based both on your likely interests and on a real-time auction [netpaths.net] among advertisers. So, Google's goal is to put in front of you the highest-paying ad that you are likely to find sufficiently interesting that you click on it. More precisely, you can think of each possible ad you could see as having an expected value to Google, which is determined by the amount the advertiser will pay Google if you click on it times the probability that you will click on it, and Google's goal is to display the ads with the highest expected value.

Thus, the more Google knows about who you are and what you're looking for right now, the better job it can do at estimating the click probability function for each ad.

From Google's perspective, this is a win-win-win. It's a win for Google, obviously, because it's the way they make the most money. It's a win for the winning advertiser because the advertiser got an interested (at least enough to click) person to their site, for a price that's a little less than what they offered to pay -- plus Google also provides advertisers with extensive feedback that helps them optimize the effectiveness of their ads and even their site (but doesn't share any user info). Finally, it's a win for the user because it provides ads about things that are interesting and useful to him/her.

In Google's view, if Google shows you an ad that you don't click on, that's a failure. That means Google fails most of the time, but really hard problems are like that. It also means that it's better to display no ads than ads that the user won't care about. If Google were able to do its job perfectly, you'd click on every single ad Google shows you, and proceed to buy from each advertiser -- and you'd be happy about it because in each case you found just what you were looking for.

The perhaps non-obvious implication of all of this is that users are not Google's product. Not from Google's perspective. Rather, advertisers and users are both customers, and Google maximizes its income by serving both effectively, by pointing users towards products they actually want to buy. The service Google sells is a sort of digital matchmaking service, and while it's the advertisers who pay Google, the users are at least as important -- since they're the ones who ultimately pay the bills.

At least that's true for pay-per-click advertising. Google does do some pay-per-impression advertising, and that's different. In the pay-per-impression model the goal is to build brand recognition or to steer consumer perception, and there the user is definitely the product. That's a pretty small piece of Google's business, though.

(Disclaimer: I work for Google, but not in anything ad-related, and everything I've said above is public knowledge.)

Re:

[Yaur]

note however that https://google.com/ [google.com] will redirect you to http://www.google.com

Mixed Bag

[Anonymous Coward]

On one hand automatic encription for logged in users. On the other hand google can track you better if your logged in. When your logged in they can build a profile on you based on your search terms. But many people are logged in anyways. So mixed bag.

Re:

[bhagwad]

To not be "evil" 100%, what do you suggest Google should do?

Re:

[ColdWetDog]

To not be "evil" 100%, what do you suggest Google should do?

Make Richard Stahlman CEO?

Re:

[X0563511]

Such a shame you don't actually have to log in [google.com], isn't it?

Re:

[cheater512]

This does not change or make you log in. It is just changing the default preference.

You can still use it encrypted without logging in. There is no increase in any data collection.

Good or bad?

[Daetrin]

Is this going to be considered good because it helps protect our privacy from the websites? Or bad because Google is effectively monetizing the private information by keeping the details to themselves (and using it?) while only handing out aggregate data to everyone else? I can see arguments being made either way.

Re:

[JustSomeProgrammer]

The thing I noticed was that they called out organic searches only. Does this mean the paid links in search will still have access to the search terms used?

Re:

[Pharmboy]

The thing I noticed was that they called out organic searches only. Does this mean the paid links in search will still have access to the search terms used?

You can easily tell which search term was used by using a different address for each search term. (Google allows you to show only the domain name and not the full URL in ads) We have done this for years to a small extent. If you really want to get technical, you make the link for a search term (example: "soap") to be like "www.mydomain.com/myapp.cgi?so

Re:

[Pharmboy]

Or you are selling a lot of different products with different brand names....

Re:Good or bad?

[blair1q]

How is it private information when you presented it to Google for them to do the legwork on finding 1.8 million matching websites?

They're making it a shared secret between you and Google instead of a broadcast message to every link you choose to click.

They're monetizing it because, well, they are the ones who gave you the free advice. 1.8 million times.

Good with the Bad...

[Bahlzahn Yuerchin]

Unfortunately, it's a bit of a tradeoff. Instead of third party sites getting more details on how you arrived there, Google gets to build a more detailed profile on you via your user name now instead of simply your IP address. I don't particularly care for it either way.

Re:

[canajin56]

Encrypted search works without being signed in. It's also 4 months old. The news is they are making it default for signed in users, not that it exists.

Re:

[amRadioHed]

One and a half years old, not 4 months old. They said the encrypted search was introduced 4 months after encrypted Gmail was standardized, back in January last year.

Re:

[canajin56]

Well, at least I got that number from somewhere, right? :(

Re:

[Baloroth]

It's more than 4 months old. I've been using Google SSL searches since last summer some time. Basically, all this news means is that Google feels their SSL search is ready for wider deployment.

Re:

[DragonWriter]

Unfortunately, it's a bit of a tradeoff. Instead of third party sites getting more details on how you arrived there, Google gets to build a more detailed profile on you via your user name now instead of simply your IP address.

That would be a "tradeoff", if non-logged-in users couldn't also use encrypted Google search with the same features: https://encrypted.google.com/ [google.com]

The referrer field sucks.

[Anonymous Coward]

Good idea, but before the Internet was polluted with marketers and search engine spammers.

I've left referrers disabled for years.

HTTPS to HTTPS

[Anonymous Coward]

For the version of firefox I'm using now:
HTTPS to HTTPS - Passed
HTTP to HTTP - Passed
HTTP to HTTPS - Passed
HTTPS to HTTP - Not passed

So if you want the referrer as a webmaster, run a secure site

Re:

[BBTaeKwonDo]

Sure, but the link farms don't want to pay for SSL certificates for their subdomains such as https://viagra.spamsite.com/ [spamsite.com] , https://buy-viagra.spamsite.com/ [spamsite.com] , etc. I think I'm going to like this change.

Re:

[mounthood]

HTTPS to HTTP - Not passed

So if you want the referrer as a webmaster, run a secure site

Many Google search result links go through redirection. They use JavaScript so the browser still shows the URL if you hover over the link. Here's what's included on an SSL search result link:

onmousedown="return rwt(this,'','','','1','AFQjCAHIe9S3k-PkE4lzgXFEjII7Gc_PVg','','0CEM0FjAA')"

This way they can record your selection when you click a link. Redirecting isn't necessary to record your selection (they could use AJAX) and they don't seem to redirect all the time. So if you click a link that's redir

HTTPS Everywhere

[Anonymous Coward]

...is a Firefox plugin that does that for you anyways. Google has a standard HTTPS page, as does a number of other sites, like Wikipedia.

While I applaud Google for doing this for its signed-in customers, people should be using HTTPS for everything, everywhere, if possible. Sure, it has its flaws, but better flawed privacy than no privacy.

Re:

[Tomato42]

Definitely this! If they also started checking if the same pages aren't available using HTTPS on other sites and presenting HTTPS links to users it would be golden!

Re:

[ThatsNotPudding]

HTTPS Everywhere seems to slow things down more than it should, though.

Compete with Facebook?

[otaku244]

My guess is that they feel like Google wants to emulate that facet of the Facebook model. It has been said that Facebook's database of user activities and preferences is superior because it shows a more qualitative preference than "a random Google search." By walling off authenticated users, they make it possible to tie search terms more accurately to a particular user. This should shift search preferences and habits results... perhaps even improve the quality.

Forced Safesearch (by proxy) defeated using https

[CityZen]

Hmm. At certain places (of employment), they use a proxy that always forces Google searches to have SafeSearch on. Using https for Google appears to bypass this particular constraint. For the moment, anyway.

Re:

[icebraining]

Well, they can still MITM the connection, since they have the power to install their own CA certificate on the employees' computers.

Squid has SslBump [squid-cache.org] and Dynamic SSL Certificate Generation [squid-cache.org] for such purpose.

Re:

[HTH NE1]

Hmm. At certain places (of employment)

(and of education and of public services)

they use a proxy that always forces Google searches to have SafeSearch on. Using https for Google appears to bypass this particular constraint. For the moment, anyway.

The IP range for secure searching is different from the IP range for other Google secure services. Such institutions just block access to Google secure search IPs, redirecting you back to the insecure version so they can spy on you and deny and/or punish you for seeking inappropriate knowledge (Security Now 255 [twit.tv], 27:37 - 33:20).

There's no need for a gateway to act as a MITM performing encryptions and decryptions when it can be a MITM forcing plaintext communications f

cryptome.org had some great posts on SSL

[AHuxley]

http://cryptome.org/0005/ssl-broken.htm [cryptome.org] on this issue.
Welcome to en.wikipedia.org/wiki/Clipper_chip, Enigma or the fun of Data Encryption Standard era standards in your new safe browser.

Everyone benefits

[FyberOptic]

This is particularly beneficial to all the hapless people who think using open wifi is perfectly safe. And it saves Google from having to deal with stolen accounts as a result. That's why it's so popular on places like Twitter and Facebook, too.

That's not to say that SSL is perfect, and a hapless user can still be tricked or spied upon once somebody starts ARP spoofing'em or SSL stripping or what have you. But some protection is better than none.

What about Google Analytics?

[fivevoltforest]

It's funny to think about Google hiding referrer data from their own service.

Google Analytics

[myspys]

Since Google accounts for 90% (or more) of the searches performed, what use is the keyword-part of Google Analytics?

Or will they in some magical way make it work with GA, but no other tracking tool?

POST Search Results

[TheNinjaroach]

Couldn't Google change their HTML form method to use POST? That would remove most of the value from the HTTP-Referer header.

Re:Google Analytics - SEO's will be upset

[xmas2003]

Yep - referrer will show as NONE ... so similar to if a user is coming to the site by typing the URL. Since you don't have the keywords in the weblogs, those tools don't have anything to parse ... and the Search Engine Optimization people aren't going to be happy about.

Re:

[mr1911]

Oh no! We can't offend the SEO deities.

Re:

[irventu]

I am a *search engine optimization* person and I'm NOT happy about it--this takes away about 90% of data used for SEO strategy.

Re:

[ackthpt]

I am a *search engine optimization* person and I'm NOT happy about it--this takes away about 90% of data used for SEO strategy.

You mean, like when I'm trying to look up some local bit of history and the first 5 pages of results are trying to sell me real estate, service, yelp reviews, etc?

Find homes near Hanging Trees!!!

Re:

[X0563511]

Such a shame.

Try getting a real job, you damn parasite!

Re:

[TheReaperD]

Let me put this as simply as possible: Whah!!!

Re:

[the eric conspiracy]

Admitting that you are an SEO professional is the same thing as admitting that you are in charge of causing people's search engines to return corrupted and useless results.

Re:

[EvanED]

Yep - referrer will show as NONE

That's not quite true, at least based on TFA. It says that you'll still be able to tell the search came from Google, just not what the terms are.

Re:

[icebraining]

I don't see how they'll do that. The browser controls the referer header, no Google.

Re:

[I(rispee_I(reme]

Also, they moved the "cached" search results inside the website preview.

Now you can't get cached results if you have javascript disabled, and you still have to wait for that lame thumbnail to pop up in order to hit google's cache.

Re:Javascript on links...

[hawguy]

Also, they moved the "cached" search results inside the website preview.

Now you can't get cached results if you have javascript disabled, and you still have to wait for that lame thumbnail to pop up in order to hit google's cache.

So that's where the cache link went! I assumed they stopped providing cached pages at all.

I really don't care to see the thumbnails that are so tiny that the text is unreadable, I wish they'd bring the cache link back to the search results page.

Re:

[X0563511]

The preview is sorta-useful.

You can see that a link is obviously link-farm or other trash without sending them a click or giving them an opportunity to rape your browser.

Re:

[kyz]

Or you could install this Greasemonkey script which brings back the cached and similar links in google search [userscripts.org]

Re:

[irventu]

There are actually websites that "spam" the referer [sic] since when using Google Analytics, usually one visits these websites to see where the link is/was.

Re:

[D'Sphitz]

It isn't like Google is the only search engine otu there.

But they're the best. By a long shot.

Re:

[lgw]

These days I find that DuckDuckGo often gives better results - it's a toss-up. Perhaps that's because the SEO guys are crapping all over Google specifically, but I don't fell like I'm missing out when I use ddg.gg for privacy/bubblefree search.

Re:

[smellotron]

These days I find that DuckDuckGo often gives better results - it's a toss-up.

I recently switched to DDG both at home and at work. The "red box answer" tends to be very good, but IME the overall quality of the first two pages is worse than google's. However, when I want the google results I can just enter !g search terms and BAM I get the google results. It's similar to how Opera has done search engines for a long time, but it's nice to have everything pre-programmed. Because of this, making duckduckg

Re:

[lgw]

I used to compre the results a lot. There are definitely times when Google is better, but wow, when I'm searching for product information on something that attracts SEO maggots, DDG is far better.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[icebraining]

Other people get the user's advertising data when the users are on their site. Just like Google.