SSL Search Behavior (locked thread: http://blogoscoped.com/forum/180875.html)
Lauren Weinstein has made a blog entry titled "Google Modifies SSL Behavior – and the Results Are Troubling". http://lauren.vortex.com/archive/000906.html
He has made a chart comparing the behavior of (https https://encrypted.google.com/) with the new behavior of (https www https://www.google.com/).
http://docs.vortex.com/google-ssl-chart.jpg
Lauren says:
"There are two variations reported from expected SSL behavior on this version of the site, as denoted by the red boxes on the chart."
"Normally, we would expect an ordinary destination site using SSL to receive the referer query data as per standard SSL end-to-end behavior. But apparently Google is now blocking this data in this case, as shown in the first red box."
"Even more problematically, in the second red box we observe that for user clicks on Google ads, the ad site will receive the referer query info from the SSL search, even if that ad site is not using https: – that is, isn't even using SSL at all – seemingly directly violating the normally expected end-to-end SSL protection sequence."
If this is correct and your "secure" query is revealed in an unsecured manner to the advertiser, then your query is available to a variety of third parties that have access to those packets. If it gets into a log file, it may be visible to the general public via web searches.
In an earlier locked blogoscoped thread titled "SSL search and users logged with Google Account" I wrote:
"Accessing a site from an unsecured Google results page can reveal your search query. Accessing a site from an organic search result on a secured Google results page should not reveal your search query. Accessing a site from an advertisement on a secured Google results page may reveal your search query." http://blogoscoped.com/forum/180875.html#id180884
|
This table is the same I said in the previous thread. Google isn't doing fair here, that's why there is a petition against the query removal in the referrer: http://keywordtransparency.com/google-petition |