NNSquad - Network Neutrality Squad


[ NNSquad ] Update to: "SSL vs. 'Referers': Friend or Foe?"


              Update to: "SSL vs. 'Referers': Friend or Foe?"
			
          http://lauren.vortex.com/archive/000895.html (Updated)


When I wrote the text for the main posting on this topic earlier
today, my intention was to highlight the complexity of these issues
from a "philosophical" standpoint, not to get at all into the
technical details of SSL and browsers.  But some queries I've received
since I posted suggest that a few more words are in order.

I'm simplifying somewhat, but the decision to send (or not send) the
current referer onward with a user click is made by the user's browser
itself.  That is why existing browser options and extensions to
control referers can function.  The SSL referer pass-along prohibition
is based on the desire to avoid exposing a URL "resulting" via an SSL
connection (e.g., SSL to a search engine), on a subsequent click (like
from search results) to a site that is not using SSL, exposing the
referer URL in unencrypted ("in the clear") form.

If a "clicked-to" site (e.g., clicked from search results generated
via an SSL connection to a search engine) is also using SSL, the
requirement for "end-to-end" encryption is met, and a browser may
(subject to any other restrictive settings or options at the browser)
pass along a referer as usual.

So we have yet another irony.  As major sites convert to default SSL,
especially search engines, there will be a dramatic drop-off in
referers, all else being equal, since most sites don't use SSL, and
appropriately deploying SSL on complex and busy sites can be a
nontrivial task in various respects.

If we could flip a switch and make every site on the Internet SSL at
once, the "SSL to non-SSL" ("no referer") issue essentially would not
exist.

In reality though, at least for the foreseeable future, there will
likely be a widening gap between major sites supporting default SSL
and the vast numbers of "referred-to" smaller sites that don't.
Combine this with the (in my opinion inappropriate) "demonization" of
referers by various parties -- likely to affect browser defaults in
this context -- and you can see why I suspect that traditional
referers will be in a downward accessibility spiral, as I discussed in
the main blog entry above.

I hope that this clarifies the issues at least a wee bit.

--Lauren--
Lauren Weinstein (lauren@vortex.com): http://www.vortex.com/lauren
Co-Founder: People For Internet Responsibility: http://www.pfir.org
Founder:
 - Network Neutrality Squad: http://www.nnsquad.org
 - Global Coalition for Transparent Internet Performance: http://www.gctip.org
 - PRIVACY Forum: http://www.vortex.com
Member: ACM Committee on Computers and Public Policy
Blog: http://lauren.vortex.com
Google+: http://vortex.com/g+lauren
Twitter: https://twitter.com/laurenweinstein 
Tel: +1 (818) 225-2800 / Skype: vortex.com
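
The browser-side rule described in the message above, as an added example that is not part of the original post: a referer is withheld on a click from an SSL page to a non-SSL page and passed along otherwise. The function names, the example.* hosts and the sample clicks are constructed for illustration, and other browser settings or extensions that restrict referers are not modelled.

```javascript
// Added illustration (not from the original post): the browser-side rule the
// message describes, i.e. no Referer when an SSL page links to a non-SSL page.
// Function names and the sample clicks are constructed for this example.

// Returns the Referer value a browser following that rule would send,
// or null when the header is withheld.
function refererFor(fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  // Only http(s) pages produce a referer in this model.
  if (from.protocol !== 'https:' && from.protocol !== 'http:') return null;
  // SSL -> non-SSL: withhold, so the URL is not exposed in the clear.
  if (from.protocol === 'https:' && to.protocol !== 'https:') return null;
  // Browsers never include the fragment or embedded credentials.
  from.hash = '';
  from.username = '';
  from.password = '';
  return from.href;
}

// Tallies how many clicks in a list arrive with a referer.
function refererStats(clicks) {
  let sent = 0;
  for (const [from, to] of clicks) {
    if (refererFor(from, to) !== null) sent += 1;
  }
  return { total: clicks.length, sent, withheld: clicks.length - sent };
}

// Constructed sample: the same three result clicks, before and after the
// search engine switches to default SSL. Only one destination uses SSL.
const destinations = [
  'http://small-site.example/page',
  'http://blog.example/post',
  'https://shop.example/item',
];
const clicksFrom = (origin) =>
  destinations.map((d) => [`${origin}/search?q=private+query#results`, d]);

console.log(refererStats(clicksFrom('http://search.example')));
console.log(refererStats(clicksFrom('https://search.example')));
```

The Referrer Policy specification names this behaviour `no-referrer-when-downgrade`.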