Firefox 14 has officially launched today, which means all Google searches are encrypted by default. However, due to a Google loophole, the encryption will not prevent things you search for from “leaking” out to Google’s advertisers nor potentially showing up as search suggestions or in data reported to web sites through Google Webmaster Central. The Firefox team saidof the change:
We automatically make your Google searches secure in Firefox to protect your data from potentially prying eyes, like network administrators when you use public or shared WiFi networks.
This is true. The “secure” version of Google search that Firefox will be using — called Google SSL search — does prevent anyone from “eavesdropping” on what you’re searching for. However, Google SSL search will tell advertisers what you searched for, if you click on their ads. If Firefox were trying to make searching fully secure, it would also block what’s called “referrer” information from being passed along, in addition to using Google SSL Search. Technically, this shouldn’t be a problem. However, Firefox apparently has decided against doing this. Our previous story explains more:
Firefox To Use Google Secure Search By Default; Expect More “Not Provided” Keywords To Follow
As for Google, it could also prevent referrer information from being passed along to advertisers, if it wanted. However, it made a deliberate choice to keep providing this information. The choice continues to be confusing. When Google made the change last October to block referrer informationfor non-advertisers last year, the argument was that this was intended to protect privacy, that search terms themselves were potentially sensitive and revealing information. However, those same potentially sensitive terms are provided to advertisers, plus they may be revealed within things like Google Autocomplete or in data reported to publishers through Google Webmaster Central. The articles below explain more about these issues:
Google Puts A Price On Privacy
2011: The Year Google & Bing Took Away From SEOs & Publishers
Google’s Results Get More Personal With “Search Plus Your World”
Google “Search Plus Your World” To Launch Beyond US? Likely, As Secure Search Set To Expand
For those seeking full-privacy, consider some of the search options listed below:
Scroogle’s Gone? Here’s Who Still Offers Private Searching
Postscript: My Debate With Firefox
I’ve been having a bit of a back-and-forth between Asa Dotzler, the director at Mozilla who oversees Firefox, who both accuses me of not understanding how Google SSL Search works and misrepresenting what Mozilla has said about how it will provide privacy within Firefox. Actually, I’ve come to think that Mozilla doesn’t understand how Google SSL Search works and itself has been misrepresenting how privacy protection will work — and not work — within Firefox.
SSL Search Blocks Two Types Of Leakage, Not One
Here’sthe comment at The Verge where Dotzler tells me I don’t understand what’s happening:
Danny, you misunderstand what SSL search is trying to accomplish. We’ve made the connection between the user and Google secure from snooping. That’s what SSL does and that’s why we’ve implemented it. Google can do what ever it wants with the data once it gets it, but the bad guys sniffing your wi-fi connection cannot get at your information.
Given that I’ve been writing about Google SSL Search in-depth (see those links above) since Google launched it last October, yeah, I have a pretty good idea of what it is and what Google was trying to accomplish with it. My replyat The Verge:
I’ve not misunderstood what SSL search is trying to accomplish. In fact, I probably understand it better than you do. Otherwise, I wouldn’t be having to explain the next part. SSL Search was rolled out because Google said that search term data was too sensitive to be leaked out, either through eavesdropping on a connection (what encryption prevents) or by passing along those terms in referrer data to publishers. SSL Search blocked BOTH of those things, because Google itself felt they were co-equal issues. SSL Search, however, specifically did not block passing referrer data to Google’s advertisers. Sensitive search terms data was apparently not so sensitive for Google’s advertisers to have access to. When Firefox makes use of SSL Search, you’re still allowing all those advertisers to see the search data that supposedly is too sensitive to leak out to non-advertisers. If you really wanted to make SSL Search as secure as Google could have — and should have — made it, then Firefox would stop passing referrers. Alternatively, you could use the completely separate Google Encrypted Search. That would prevent referrer leakage except in the extremely rare case where someone left Google for another secure site. The site would still see the referrer, but at least the data would remain encrypted. I’m pretty sure that by using SSL Search, the referrer data is being passed along without encryption, potentially opening up the ad clicks from Google to eavesdropping.
If you want to understand more about this, the referrers, the difference between Google SSL Search and Google Encrypted Search and how it all plays out with Firefox, I’ll refer you back to reading this previous post from me: Firefox To Use Google Secure Search By Default; Expect More “Not Provided” Keywords To Follow.
