NNSquad - Network Neutrality Squad
[ NNSquad ] Update to: "SSL vs. 'Referers': Friend or Foe?"
http://lauren.vortex.com/archive/000895.html (Updated)
When I wrote the text for the main posting on this topic earlier
today, my intention was to highlight the complexity of these issues
from a "philosophical" standpoint, not to get at all into the
technical details of SSL and browsers. But some queries I've received
since I posted suggest that a few more words are in order.
I'm simplifying somewhat, but the decision to send (or not send) the
current referer onward with a user click is made by the user's browser
itself. That is why existing browser options and extensions to
control referers can function. The SSL referer pass-along prohibition
exists to avoid exposing a URL reached via an SSL connection (e.g., SSL
to a search engine): on a subsequent click (such as from search
results) to a site that is not using SSL, the referer URL would
otherwise be sent in unencrypted ("in the clear") form.
If a "clicked-to" site (e.g., clicked from search results generated
via an SSL connection to a search engine) is also using SSL, the
requirement for "end-to-end" encryption is met, and a browser may
(subject to any other restrictive settings or options at the browser)
pass along a referer as usual.
So we have yet another irony. As major sites convert to default SSL,
especially search engines, there will be a dramatic drop-off in
referers, all else being equal, since most sites don't use SSL, and
appropriately deploying SSL on complex and busy sites can be a
nontrivial task in various respects.
If we could flip a switch and make every site on the Internet SSL at
once, the "SSL to non-SSL" ("no referer") issue essentially would not
exist.
In reality though, at least for the foreseeable future, there will
likely be a widening gap between major sites supporting default SSL
and the vast numbers of "referred-to" smaller sites that don't.
Combine this with the (in my opinion inappropriate) "demonization" of
referers by various parties -- likely to affect browser defaults in
this context -- and you can see why I suspect that traditional
referers will be in a downward accessibility spiral, as I discussed in
the main blog entry above.
I hope that this clarifies the issues at least a wee bit.
--Lauren--
Lauren Weinstein (lauren@vortex.com): http://www.vortex.com/lauren
Co-Founder: People For Internet Responsibility: http://www.pfir.org
Founder:
- Network Neutrality Squad: http://www.nnsquad.org
- Global Coalition for Transparent Internet Performance: http://www.gctip.org
- PRIVACY Forum: http://www.vortex.com
Member: ACM Committee on Computers and Public Policy
Blog: http://lauren.vortex.com
Google+: http://vortex.com/g+lauren
Twitter: https://twitter.com/laurenweinstein
Tel: +1 (818) 225-2800 / Skype: vortex.com
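
The browser-side rule described in the message above, as an added example that is not part of the original post: a small JavaScript model of the decision a browser makes on each click, run over constructed navigations from an SSL search page. The function names, the `userSuppress` option and all URLs are assumptions made for illustration.

```javascript
// Added illustration of the referer pass-along rule; not code from any browser.
// All names and sample URLs below are constructed for this example.

// Returns the Referer value a browser following the rule would send on a
// click from fromUrl to toUrl, or null when the header is withheld.
function refererFor(fromUrl, toUrl, { userSuppress = false } = {}) {
  // A browser option or extension that blocks referers overrides everything.
  if (userSuppress) return null;

  const from = new URL(fromUrl);
  const to = new URL(toUrl);

  // Only web pages act as referers in this model.
  if (from.protocol !== "http:" && from.protocol !== "https:") return null;

  // SSL page -> non-SSL destination: withhold the referer, because the
  // SSL-protected URL would otherwise travel in the clear.
  if (from.protocol === "https:" && to.protocol !== "https:") return null;

  // SSL -> SSL (and non-SSL origins): pass the referer along as usual,
  // minus the fragment and any embedded credentials.
  from.hash = "";
  from.username = "";
  from.password = "";
  return from.href;
}

// Applies the rule to every destination clicked from one referring page.
function refererStats(fromUrl, destinations) {
  const rows = destinations.map((to) => ({ to, referer: refererFor(fromUrl, to) }));
  const sent = rows.filter((r) => r.referer !== null).length;
  return { rows, sent, withheld: rows.length - sent };
}

// Constructed sample: search results served over SSL, mostly non-SSL targets.
const searchOverSsl = "https://search.example/results?q=private+query#top";
const clickedSites = [
  "http://smallsite.example/page",
  "https://bigsite.example/",
  "http://blog.example/post/1",
];

const stats = refererStats(searchOverSsl, clickedSites);
for (const r of stats.rows) console.log(r.to, "->", r.referer ?? "(no Referer)");
console.log(`sent=${stats.sent} withheld=${stats.withheld}`);
```

With the search page on SSL, only the one SSL destination in the sample receives a referer, which is the drop-off the message describes.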