back to article Firefox 14 encrypts Google search, but admen can still strip-search you

Mozilla has rolled out Firefox 14, which automatically encrypts web searches through Google, but the new release leaves an important back door open to advertisers. The move also quietly undermines Mozilla’s crusade in the past years on maintaining the privacy of netizens by using Do-Not-Track as a plea to websites not to track …

COMMENTS

This topic is closed for new posts.
  1. adnim

    refcontrol

    is a Firefox addon

  2. Anonymous Coward
    Anonymous Coward

    Add on

    If you're using Firefox get the refcontrol add on and screw the lot of them.

  3. Steve Knox
    Thumb Down

    Non-Story

    It doesn't matter how you send your information to Google. If you do so, they can and will use it as they wish.

    This story is nothing more that a bad misunderstanding of what HTTPS is.

    1. Anonymous Coward
      Anonymous Coward

      Re: Non-Story

      The story is that Mozilla was misleading users when they state on their blog that:

      "Additionally, using HTTPS helps providers like Google remove information from the referrer string. While Google users may expect Google to know what they are searching for, Firefox users may not be aware these search terms are often transmitted to sites they visit when they click on items in the search results; enabling HTTPS search helps sites like Google strip this information from the HTTP referrer string, putting the user better in control of when and to whom their interests are shared."

      and making no mention of the exception for advertisers. But then again most of Mozilla's funding comes from Google, doesn't it...

    2. Tom Samplonius
      Stop

      Re: Non-Story

      "This story is nothing more that a bad misunderstanding of what HTTPS is."

      Obviously, you don't know about all of the other bad people that want to see your Google traffic. For instance, I know of a company that works with ISPs to tap all of their traffic, and look for Google searches and the responses. They would collect the Google tracking ID, and search terms. And they would see which sites the users go to, using the Google tracking ID to link up the search terms and browsing click trail. This was very valuable data, and they would use it link the google tracking ID and the ISPs user records together, to provide super-targeted ads. You don't know about this right now. And your ISPs probably has enough weasel words in their privacy policy that they could route all of your Internet traffic to DPRK, and wouldn't have to tell you.

      With Firefox search going https, it shuts down half of what these bad guys can do. If all of the Google tracking IDs are also sent over https, they are dead in the water.

  4. Anonymous Coward
    Alert

    Easy peasy

    about:config

    Set network.http.sendRefererHeader to 0.

    1. Anonymous Coward
      Anonymous Coward

      Re: Easy peasy

      that breaks a lot of sites doesn't it? especially image URLs tend to expect a valid referrer.

      1. Testy McTester
        Go

        Re: Easy peasy

        I always have the referer header disabled. The only problems I've noticed (that I remember) are an on-line banking site not working, and the links to W3C's mark-up validator. Try it. It breaks fewer sites than you might think, and it's very easy to put it back again.

        1. Steve Foster

          @Testy McTester

          Same here; Opera makes it very easy to have the Referrer disabled on a global basis, and then if I do hit a site that needs it, I can enable it just for that site if I care enough to do so.

      2. Anonymous Coward
        Anonymous Coward

        Re: Easy peasy

        Thats where refcontrol has an advantage, you can set it to exclude named sites from blocking.

      3. Irongut

        Re: Easy peasy

        "that breaks a lot of sites doesn't it? especially image URLs tend to expect a valid referrer."

        Actually no it doesn't. I've had the referrer header turned off in every browser I use for about 10 years now. Occasionally I have to turn it back on for some stupid site that won't work but 95% of the time I have no problem. Also if a site does require it I only turn it on and use that site if I absolutely have to, if there is a competitor that will work without the referrer then they get my business.

  5. Mark C Casey

    How can...

    How can Mozilla be expected to have a say in what Google does?

  6. Anonymous Coward
    Anonymous Coward

    I love how Google manages to come up with things that appear well intentioned on the surface like HTTPS search, but whose purpose is to consolidate their advertising monopoly and ultimately financial position even more.

    It's the same with SPDY, that seems good except for the fact that the server can now push ads over the connection even if ad blocking software doesn't request them.

    The latest is their Transparency Report, which again sounds great however it actually consolidates links to pirate media in a single, easy to access, location - causing companies to issue takedowns for the ChillingEffects site itself, in a never-ending self-loop: http://torrentfreak.com/google-builds-largest-database-of-links-to-pirated-media-120717/

  7. LordHighFixer
    Holmes

    Trust no one

    That is why I try to strip out or otherwise mangle all of the advertisements, and tracking information, using squid and firewall rules. Its not perfect, but it sure helps. If you didn't have control before, don't expect them to actually give it to you now. But the illusion of control is just as good right?

    1. Anonymous Coward
      Anonymous Coward

      ... or reverse the effect

      I still let the adverts through... so I know who not to buy from.

  8. Anonymous Coward
    Anonymous Coward

    I am confused

    Clicking on adverts.. people actually do that?

    1. Anonymous Coward
      Anonymous Coward

      Re: I am confused

      I don't know what adverts they are clicking on. I can't see any.

      1. Anonymous Coward
        Anonymous Coward

        Re: I am confused

        I actually saw those ads a while back- when I was using a browser for a short time that I couldn't have adblocked (don't ask). I had to stop reading theregister until I got the ad blocking back, as the obnoxious flashing HP et al ads were making it quite hard to see, spazzing around in my peripheral vision, twitching and flashing.

        It is that simple, really, if I can't have the site without the ads, I generally don't want the site. I am not sure that I can think of any examples, off the top of my head.

  9. Ian Michael Gumby
    Pirate

    A pox on all of them.

    Privacy is dead.

  10. mikeyboosh
    WTF?

    Who uses firefox anyway?

  11. Anonymous Coward
    Anonymous Coward

    Adblock, Ghostery, Disconnect and refcontrol

    Fuck the ad brokers.

    1. frank ly

      Also ...

      ... Request Policy, Better Privacy and NoScript (of course).

      Image Block and Flash Block are useful if you're tethered to a phone and worry about your data budget.

    2. Chronos
      Thumb Up

      Thanks for the pointer to Disconnect. i missed that one in my usual privacy-enforcing toolbox.

      Have an upvote ;-)

    3. dephormation.org.uk
      Devil

      SecretAgent for Firefox

      If I might plug my own wares.

      :)

  12. The BigYin

    People still use Google?

    Jeez. DuckDuckGo FTW!

  13. Testy McTester
    Boffin

    HTTPS does not prevent tracking.

    "The move also quietly undermines Mozilla’s crusade in the past years on maintaining the privacy of netizens by using Do-Not-Track to anonymise users' searches."

    "Do not track" does absolutely nothing to anonymise users' searches. All it does is add an extra HTTP header, "DNT: 1", indicating to the server that the user does not want to be tracked. This is a political, not a technical, approach, and I worry that users will think it actually gives them some sort of real protection. In fact I think it's rather amusing how a web browser can basically say, "please do not track me! Thanks. And by the way, the unique identifier you gave me last time is ac2983b6."

    Using HTTPS by default is a good thing, even if it is only for Google searches. HTTPS authenticates the server and provides confidentiality from anyone intercepting or tampering with the connection between your browser and the web server, so your ISP, or the shady laptop user in the corner of the café, cannot see what you're searching for. It has nothing to do with whether the web server can track you or not.

    "Additionally, using HTTPS helps providers like Google remove information from the referrer string."

    If Google suppresses tracking when you use HTTPS (which I doubt), it's because Google decided to do that. Using HTTPS neither helps nor hinders.

    "If you happen to click on an ad on a page you hit then the encryption is removed and advertisers can see who you are and where you’ve been."

    Advertisers probably see that information without your clicking on it. HTTPS is to stop people intercepting your connection, it does nothing to control what the remote server does with the information you send it. (Note that advertisers don't intercept TCP connections to gather data, Google gives the data to them.)

    1. dephormation.org.uk
      Unhappy

      Re: HTTPS does not prevent tracking.

      As you say, the line in the article... "Do-Not-Track to anonymise users' searches" ... what a load of utter codswallop.

      DNT is a plea to a web site to ignore you. The truth is it will be ignored, and if anything draw more attention to those who wish to remain anonymous.

  14. Dr. Ellen
    Windows

    Tracking - not

    NoScript, AdBlock Plus, and Do Not Track Plus, with the 'do not track' flag set in firefox. Plus I use DuckDuckGo as my search engine, which promises it does not collect or share personal information. I don't see very many ads of any sort.

    Of course the advertising industry will move on. Offense and defense have played leapfrog throughout history, in just about every venue.

  15. cyberdemon Silver badge
    FAIL

    Please Don't Track Me

    How the hell is that going to make any difference?

    It's as worthless as the Telephone Preference Service etc. All it means is you filter out all the -scrupulous- marketeers, and end up being targeted solely by unscrupulous ones.

    1. Anonymous Coward
      Anonymous Coward

      Re: Please Don't Track Me

      You can sue the unscrupulous ones, or at least open complaints about them.

      1. Anonymous Coward
        Anonymous Coward

        Re: Please Don't Track Me

        somewhat off topic, but along similar lines...

        "You can sue the unscrupulous ones, or at least open complaints about them."

        Also, if they don't withhold their telephone number, e.g. if they (appear to) use an 07xxxx/08xxxxx number in the UK, you can also politely contact the licenced telecom operator that provides that number (details below) and point out that one of their customers appears to be abusing the terms of their contract. Do it politely as it is entirely possible the CLI is being spoofed. But do it.

        If the telco involved wishes to retain their licence, they have to take complaints seriously, and it is in their interests to do something about the abuser. Even if it is only to move them on to another telco.

        Spread the word.

        There are also an increasing number of affordable phones that simply don't make a noise on an anonymous incoming call, so you just don't hear them, and if suitably configured, these phones will take a message from a genuine anonymous (or maybe international) caller. I came across a £40 pair of Gigaset phones with this capability in my local supermarket a few days ago. In a variant on a similar theme you can get affordable phones that have a whitelist, ie they only make a noise if the CLI is in its list of known numbers, otherwise it's straight to answerphone.

        If you are a Virgin cablephone customer (callerID is not free, unlike BT Privacy At Home), you can often get callerID for free by asking the callcentre first line nicely and then when they refuse, ask to speak to retentions.

        In the UK, Ofcom administer the numbering plan. The "which telco issues what number" list of numbers to issuers can currently be found at:

        http://www.ofcom.org.uk/static/numbering/index.htm

        1. paulf
          Flame

          Re: Please Don't Track Me @AC

          "If you are a Virgin cablephone customer (callerID is not free, unlike BT Privacy At Home), you can"

          AC, I have to pick you up on one point. BT Privacy At Home is not free it is "free".

          If you do not make enough calls in a quarter BT reserve the right to charge you for the Incoming caller display aspect of the BT Privacy service; which I found out the hard way*. I made two calls in a quarter, instead of the required three and got a £8 charge as a result.

          * Yeah it's probably detailed in clause 271, on page 58 of the Ts&Cs but charging £8 for the sake of not making three 10p calls is completely out of proportion and is surely designed only to piss off customers while wallet raping them.

  16. mittfh

    Hang on a tick...

    Yes, it's all very well sharing tips on how to prevent your web searches being able to be tracked by the search engine provider and their advertisers...

    ...but all those web servers and databases don't run on fresh air. Companies can either follow the Microsoft approach (selling bloatware to you at inflated prices) or the Google approach (provide advertising space).

    While ads could theoretically be context-free, the click through rate would be very low (possibly even insignificant), making companies wonder why they were going to the bother of paying to advertise. However, if the search engine looks at what you're searching for, and finds adverts with keywords attached that match what you've searched for, the click through rate will be much higher, companies will be satisfied they're getting more visits / purchases as a result of their advertising, and will consider paying for more advertising with the search engine.

    Google has an advantage over other search engines (other than its sheer market size!) in that as it also owns its own advertising network, all the juicy data you give it remains completely in house. They don't sell your data to third parties because they have no need to. It would, however, be interesting to know how much of your search history is passed to the advertiser - just the search which resulted in you clicking on their ad, or everything (probably unrelated) you searched for beforehand? Also bear in mind that although they can track your machine, unless you're stupid enough to be browsing on a mobile phone with location information turned on, particularly if you're using a dynamic IP address, your Geo IP information could be anywhere within a couple of hundred miles of yourself. As others have said, given most browsers have ad blocking extensions, any information the companies do collect on you will go to waste (other than saying someone that matches your profile isn't interested in them) because they'll have a zero click through rate from you!

    1. Anonymous Coward
      Anonymous Coward

      Re: Hang on a tick...

      Fuck 'em, frankly. Adverts use my time and bandwidth without permission. There is no reason whatsoever to be considerate of advertisers or the people that use them.

      1. Oninoshiko
        WTF?

        Re: Hang on a tick...

        You gave your permission. If you don't want to see ads, don't go to ad driven sites. It's quite simple, really. Requesting my website from my server implies you want me to send you my web site. That site includes ads.

        That's like going into a resturaunt, ordering a burger and coke and getting mad when they charge you for a coke.

        1. Homer 1
          Pirate

          @Oninoshiko

          No, it's more like you running a soup kitchen that refuses to serve blind people, because they can't see your sponsor's advertising billboard.

          If you want to run a commercial website, then require registration and payment for access, but don't publish freely then whine when people freely access your site in a selective manner that doesn't suit you.

          Are you related to Danny Carlton, by any chance?

          "Danny Carlton is a delusional megalomaniac, who seems to think that the whole world has some kind of legal and moral obligation to view advertisements. This is indeed a bizarre misconception. If I leave the room or change channels whilst adverts are being shown on television, am I breaking the law? If I browse a Web site, and use my fingers to cover up an advert, so I can no longer see it, am I committing some mortal sin? If I pluck out my eyes, and perforate my eardrums, so that I never again have to be subjected to the horrors of advertising-spam, does that make me evil (or just loony-tunes like Danny Carlton)? So what's the difference between that, and using some software to conveniently and automatically block it for me? If I don't want to see adverts, then there is no law in the world that compels me to endure them, and (God forbid) if there is such a law, then that law needs to be abolished as a matter of extreme urgency. As one Digg commenter recently put it (paraphrased); "Advertising is an opportunity ... not a right." One advertises in the hope that people may see and respond to that advertisement ... not in the expectation that the law or some twisted sense of morality will compel people to do so."

          1. Oninoshiko
            WTF?

            Re: @Oninoshiko

            Apperently you didn't read the person I was responding to. Don't worry, I'll wait.

            Oh, you're just too slow, so let me point this out:

            "Adverts use my time and bandwidth without permission"

            You implictly gave your permission for me to send me my website WHEN YOU SENT A REQUEST ASKING FOR IT to my server. I never, NOT ONCE, said that you have to look at it. Block it, ignore it, masterbate to it, I don't care, but don't tell me I'm sending you something you didn't consent to WHEN YOU REQUESTED IT.

            *I'm* not the one whining, but I suppose accusing someone of doing what they are arguing against is the height of discourse these days.

            Sad.

            1. Mike Flex

              Re: @Oninoshiko

              >You implictly gave your permission for me to send me my website WHEN YOU SENT A REQUEST ASKING FOR IT to my server.

              Yes, we've asked for your webpage. We haven't asked for you to send us a whole bunch of ads from third party advertising servers that can track us across sites.

              If your business model requires adverts then serve them off your own webserver. If you can't be bothered to do that then expect them to be adblocked.

            2. Homer 1
              WTF?

              Re: "sending" Websites?

              You didn't "send" anything. You placed something in a publicly visible space for all to see, then whined when people didn't look at the bits you wanted them to.

              Like I said, if you don't like the public having free access to what you publicly display, then don't make it public, make it private, and require advance registration and payment.

              The spammer mentality is really bizarre.

    2. Nuno trancoso

      Re: Hang on a tick...

      Hmmm hmmm... Let me give you a small heads up.

      If i wanted a car, i'd have searched for "car" and looked at the results. Same for everything else. So, if sitexyz doesn't have shit worth of content to show in real searches, the only thing your clients get from me is.... nothing.

      Brain is trained to totally ignore any ad that slips through the blocks. And even if i notice it, 2nd stage kicks in telling me "ad, not important". That's what you people managed, a really epic achievement. Now people IGNORE ads. Even the important and meaningful ones.

      So, all your client money is getting him is fattening YOUR wallet. It's doing next to nothing for him, well, except making him less wealthy of course.

      If/when people do come around and not only start denying you referer data, but also start supplying you with JUNK referer data, your value will come down to what it really is, next to nothing.

      Maybe then some of the advertising victims, i mean, clients, can stop squandering their greens and instead use it to top up what they constantly neglect, their sites real content.

      Web will go on, it's just that you're gonna have to start doing some real work for your clients instead of just being a near zero value leech.

  17. Anonymous Coward
    Anonymous Coward

    Advertisers Deceived

    This whole "tracking" thing is bogus. What advertisers don't seem to realize is it doesn't make economic sense for them to do this (or pay to have it done for them).

    Google AdSense, etc. promises advertisers ads which are 'pin-point-selectively delivered to your target demographic', or some swill like that. And, advertisers have fallen for it. It's like the old 1950s ads for "blah-blah-blah at the push of a button."

    It's simple. If I'm at a sports site, it makes sense to show me ads for sporting equipment and upcoming sports events. If I'm at a sports site, there's a pretty good chance I'll click on such an ad. Likewise, if I'm at an automobile review site, it makes sense to show me ads for automobiles, auto accessories, tools, and such. If I'm at an auto site, there's a pretty good chance I'll click on one of those ads.

    But even with all the tracking going on, I"m consistently served with the "wrong" ads.

    Don't try to sell me more of the same thing (new PC power supply) that I've already bought. When I need another one, I'll buy it then, but not until.

    Don't decide that because I've bought bulk kitty litter, I have an infant and want to see ads for diapers. I don't.

    A show of hands: how many other people here have developed visual/mental filters to Google's ads on their search results pages?

    Want to know if it's raining? Then, look outside.

    Want to know if your company's service, products, or policies stink? Look at the angry, torch-and-pitchfork-bearing crowds outside your corporate headquarters, and the tons of "I hate your company/products/policies and here's why ... go FOAD" emails and letters.

    It can simple. Make me a happy customer by (1) making a quality product at a reasonable price; (2) not tracking me; and (3) using common sense in selecting ads to show me. You could make a lot of money that way.

  18. ehoffman

    Click an advert?

    Click an advert? What's that? Hardly haven't seen any in years with AdBlock addon...

  19. Anonymous Coward
    Pirate

    untitled

    fF is G00gle'$ b1tch.

  20. Bradley Hardleigh-Hadderchance
    Windows

    Cnut the Great

    I sometimes wonder if we are not just trying to hold back a rising tide.

    You and me are ok, we have the chops and take the time to do the necessary.

    The average user? Not so much.

    It is a war. On the whole they are winning. They will keep winning that much more as time goes by.

    Even though much more powerful anti-scripting and anti-tracking tools come out, their government sanctioned 'loop holes' built into the next version of their browser or plug-in or whatever, will get the best of most people most the time. Anyone here have Java disabled? Are you sure it really is? On all your browsers?

    Ah the Golden age of computing, full of so much Eastern Promise. Now we just have the digital imprimatur:

    http://www.fourmilab.ch/documents/digital-imprimatur/

    Forgive me if I am off thread. I do ramble. I know. Even in my own head.

    1. Anonymous Coward
      Anonymous Coward

      Re: Cnut the Great

      Am I sure that java is disabled? Yes, I removed it, and sweep for it occasionally, with a tool made by a reputable security consultancy. Next? :D

  21. cmaurand
    Linux

    Install adblock-pluse

    There is a google site where you can check what they have on you. they have a whole lot of nothing on me and I don't see piles of ads when I visit websites.

  22. Anonymous Coward
    Anonymous Coward

    Google and its addicks can kiss my shiny metal backside

    I use proxy search engines like Duck Duck Go (SSL) when searching for most stuff, just-in-case Firefox lets stuff past Ghostery, Adblock+, NoScript etc. and only use Google when I want to see specific kinds of results.

    I also run different browser instances for different types of task, specifically to sabotage most ad-tracking and demographics mechanisms.

This topic is closed for new posts.

Other stories you might like