Building notes, projects, and occasional rants

Google HTTPS Search

Recently Google announced they will redirect their logged in users to the HTTPS version of their search engine.

(skip the rambling, take me to the summary: tl;dr)

I think nobody can dispute that this is a good thing. HTTPS will provide an almost (if only Certification Authorities (CA) weren't so prone to hacks...) perfect assurance that you were indeed talking to the correct server. HTTPS with CAs is a solution to man-in-the-middle attacks.

We can only hope that this redirect will eventually become the default behavior, because regular and non-authenticated users will still be using the plain HTTP search, and need to specifically ask for the secure site to be safer. But given Google's goal of securing personalized search results I think is acceptable to limit this to logged in users only for now, given that they are the ones with access to the personalized search results. Mind you that this might also be a way for Google to load test their HTTPS setup.

But starting on the third paragraph things take a turn into a new reality: Google will no longer provide the query information to the site you click on the organic search results page. There is no direct explanation on that article why they will start (or stop) doing this.

Before going on further, lets make one thing clear: there is no technical limitation that prevents Google to forward the individual query. In fact this is working right now. When you use the HTTPS version of Google Search, the URLs are rewritten in a way that they go through a Google jump, and from that they are redirected to the final page. But this Google jump page is hosted on a plain HTTP site so the final redirect to your page includes this as the Referrer, with the full query information. Google could just keep using this scheme to provide sites with the information they want.

What they do tell you is that if you click on a ad from the results page, the query information does get sent to the destination site.

This might seem as a double standard of behavior, but sites that appear on organic search results and sites that appear because they payed Google are clearly two different populations and so they can have different treatments from Google if Google chooses to do so. After all, when I pay to get my site on the search result page, I have a right to get all the information about why my ad was shown there. I payed for that right.

It seems we sometimes forget that Google is a company, and as all companies, the goal is to make a profit selling goods. The goods Google sells are your searches. The fact that Google has become so large and useful as to be considered indispensable, and that some small changes in its behavior can make or destroy entire business models, is something that we should be aware, and if possible try to fight against. Its never good to have so much power in the hands of a private company, be it Google, Apple, Microsoft or Facebook. If Microsoft was investigated in the 90's, I will not be surprised to see the same happen to Google in the next decade.

The point is: Google is deliberately choosing, as is their right to do so, to stop sending valuable information to outsiders for free. And I think this will move them closer to a investigation by some governments.

One of the business models that is threatened by this change is the land of search engine optimization. As we can expect, they are livid, and react accordingly. There is this particular article that caught my attention: Google Puts A Price On Privacy.

The premise of the article is that with this change, Google will only share is search data if you pay them.

Well, duh...

Google is a company, a for-profit company, of course it wants to get payed.

The second paragraph is even better:

Google’s a big company that goes after revenue in a variety of ways some critics feel put users second.

(emphasis mine). Now this is laughable. There are two different types of people that classify as users:

  • users of the search engine that use it to find stuff: we get a free (and great) service, and in exchange we get to see some ads - I think these are the real users of the service;
  • users of the ad system: they pay to show ads of their products on the search result pages - I call these customers of the service.

But no matter which group of users you pick, the change Google announced is good for them.

As users of the service, we get a little bit of extra privacy from third parties: strangers on WiFi networks, governments with intent to control their citizens civil rights, you name it, it gets better.

For customers of the service, they get more value from their payments because now they will have exclusive access to valuable information.

So who are those users who loose? I think they are two other groups, and only one of them really looses a lot. The first is all of us who have a site and were used to receive the search query information. Some of us used it for actual useful features on our site, others would only see them via the analytics system they were using. So we loose a little. We can still get to part of the analytics information via Google Webmaster Tool if we want for some reason optimize our search ranking, but not adjust in real-time to our users queries.

People who make money re-selling the search queries that leaked from Google Search are the really big losers, though. They would use the search queries to target ads on their own sites. And it was a good business.

And I believe the article was written by someone in the second group, or someone who writes for the second group.

The claims are all interesting:

  • "[Google is ] perfectly happy to sell out privacy": not news, the moment ads started showing up on Google Search results, we knew they were selling our privacy - we are the product. Besides, explain why someone who makes a living on the search keywords that leak via the referrer is not violating our privacy also?
  • "...blocking is a pesky side effect to a real privacy enhancement Google made": no, blocking is not a side effect. Today you can search on HTTPS Google search site and still get the information on your non-HTTPS site. Blocking is a deliberate decision by Google, don't blame technology about this one;
  • "Google could have pushed many sites across the web to become more secure themselves": this is based on the logic that if all sites were HTTPS then the referrer information would still flow to the sites. Google is actively trying to change people over to SSL-based communications, to the point that they designed a protocol that requires it (SPDY) and bundled that protocol into their own browser. I don't see how you can accuse Google of not doing plenty for the improvement of the security on the web. Even this change is a clear prod in that direction - as the author notes, if you want to keep receiving the data, switch to HTTPS;
  • "Google could have [...] its default search [redirected] to be secure. [...] using Google’s own figures, [logged in users filter will ] protect less than 10% of searchers": true, but I believe that this is an engineering decision - lets try with 10%, and if all goes well, switch everybody over.

I guess that if my business was based on referrer information I would be pissed today, and even I don't depend on them, I really do hope that Google keeps sending those lovely q's query parameters in the referrers.

But most of this article facts and complaints are at best self-serving, if not just plain wrong.

My biggest doubt is the SPDY angle. If you use a recent version of Chrome, your access to Google is done using SPDY, which includes TLS security by default. So even if you just type you are using a secured version of the search engine, but still the following click will be plain old HTTP with the full referrer information. Will they change this too? What are the rules for a SPDY to HTTP transition? Should they be the same as a HTTPS to HTTP transition?

Bottom line: I appreciate the default redirect to HTTPS, and I agree that Google has a right to provide a better service to paying customers. But I don't believe they will be able to sustain this policy of not forwarding search keywords. Not only its petty, it might also trigger a government investigation on the subject, something that I think they would not want.