NNSquad - Network Neutrality Squad
[ NNSquad ] Update to: "SSL vs. 'Referers': Friend or Foe?"
Update to: "SSL vs. 'Referers': Friend or Foe?"
http://lauren.vortex.com/archive/000895.html (Updated)

When I wrote the text for the main posting on this topic earlier today, my intention was to highlight the complexity of these issues from a "philosophical" standpoint, not to get at all into the technical details of SSL and browsers. But some queries I've received since I posted suggest that a few more words are in order.

I'm simplifying somewhat, but the decision to send (or not send) the current referer onward with a user click is made by the user's browser itself. That is why existing browser options and extensions to control referers can function.

The SSL referer pass-along prohibition is based on the desire to avoid exposing a URL "resulting" via an SSL connection (e.g., SSL to a search engine) on a subsequent click (like from search results) to a site that is not using SSL, which would expose the referer URL in unencrypted ("in the clear") form. If a "clicked-to" site (e.g., clicked from search results generated via an SSL connection to a search engine) is also using SSL, the requirement for "end-to-end" encryption is met, and a browser may (subject to any other restrictive settings or options at the browser) pass along a referer as usual.

So we have yet another irony. As major sites convert to default SSL, especially search engines, there will be a dramatic drop-off in referers, all else being equal, since most sites don't use SSL, and appropriately deploying SSL on complex and busy sites can be a nontrivial task in various respects. If we could flip a switch and make every site on the Internet SSL at once, the "SSL to non-SSL" ("no referer") issue essentially would not exist. In reality though, at least for the foreseeable future, there will likely be a widening gap between major sites supporting default SSL and the vast numbers of "referred-to" smaller sites that don't.
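The rule described above (referer withheld only on a secure-to-insecure click, sent otherwise, subject to further browser restrictions) is the one in RFC 2616 section 15.1.3. The following is an added example, not code from the post or from any browser: it implements that rule as a small function and then measures, over a constructed set of clicks to mostly non-SSL destinations, how much referer visibility a site loses once the referring search engine switches to default SSL. The hostnames and click list are made up for illustration.

```python
"""Added example of the classic browser referer rule; not code from the post."""
from urllib.parse import urlsplit, urlunsplit


def referer_to_send(referring_url: str, destination_url: str):
    """Return the Referer header a browser applying the RFC 2616 15.1.3 rule
    would attach to a click from referring_url to destination_url, or None
    when it must be withheld.

    The only withholding case in the rule is "secure origin, insecure
    destination": the referring URL would otherwise travel in the clear.
    Extra browser-side privacy settings can restrict further; not modelled.
    """
    ref = urlsplit(referring_url)
    dst = urlsplit(destination_url)
    if ref.scheme == "https" and dst.scheme != "https":
        return None
    # Fragments and embedded credentials (user:pass@host) are never sent
    # in a Referer, so rebuild the URL from host, port, path and query only.
    netloc = ref.hostname or ""
    if ref.port:
        netloc += f":{ref.port}"
    return urlunsplit((ref.scheme, netloc, ref.path, ref.query, ""))


def referer_retention(clicks):
    """Fraction of (referring_url, destination_url) clicks that still carry
    a Referer under the rule above. Returns 0.0 for an empty list."""
    if not clicks:
        return 0.0
    kept = sum(1 for src, dst in clicks if referer_to_send(src, dst) is not None)
    return kept / len(clicks)


# Constructed sample: the same five destination sites, before and after the
# search engine (a hypothetical search.example) switches to default SSL.
# Only one destination uses HTTPS, mirroring the "most sites don't" point.
DESTINATIONS = [
    "http://smallsite-a.example/page",
    "http://smallsite-b.example/",
    "http://blog.example/post/1",
    "https://bank.example/login",
    "http://shop.example/item?id=7",
]
BEFORE = [("http://search.example/?q=test", d) for d in DESTINATIONS]
AFTER = [("https://search.example/?q=test", d) for d in DESTINATIONS]

if __name__ == "__main__":
    # Secure-to-secure click: referer passes, fragment stripped.
    print(referer_to_send("https://search.example/?q=x#frag", "https://bank.example/"))
    # Secure-to-insecure click: referer withheld.
    print(referer_to_send("https://search.example/?q=x", "http://blog.example/"))
    print("retention before SSL switch:", referer_retention(BEFORE))
    print("retention after SSL switch: ", referer_retention(AFTER))
```

Running it shows retention falling from 1.0 to 0.2 for this sample: the one HTTPS destination keeps its referer, the four plain-HTTP sites lose it. A site operator seeing such a drop in analytics after a major referrer moves to SSL is observing this rule, not a change in traffic.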
Combine this with the (in my opinion inappropriate) "demonization" of referers by various parties -- likely to affect browser defaults in this context -- and you can see why I suspect that traditional referers will be in a downward accessibility spiral, as I discussed in the main blog entry above.

I hope that this clarifies the issues at least a wee bit.

--Lauren--
Lauren Weinstein (firstname.lastname@example.org): http://www.vortex.com/lauren
Co-Founder: People For Internet Responsibility: http://www.pfir.org
Founder:
- Network Neutrality Squad: http://www.nnsquad.org
- Global Coalition for Transparent Internet Performance: http://www.gctip.org
- PRIVACY Forum: http://www.vortex.com
Member: ACM Committee on Computers and Public Policy
Blog: http://lauren.vortex.com
Google+: http://vortex.com/g+lauren
Twitter: https://twitter.com/laurenweinstein
Tel: +1 (818) 225-2800 / Skype: vortex.com