Tweet

Last month, Google announced that they were making search more secure for their users. They announced that users already signed in to Google would have a more secure experience. This meant two things: first, search queries and results would now be sent via HTTPS. This protects the searches of users with unsecured Internet connections, such as most WiFi hotspots.

The second part was far more interesting. According to our tests, Google does not include the search terms used to reach websites anymore in the HTTP referrer header. Here’s part of the URL that Google is now sending as the referring URL:

Note that after the &q= portion, no search term is specified. By contrast, a standard search has a referring URL more like this:

The repercussions are twofold. First, legitimate web sites won’t be able to point out what terms they use are popular. Thus, their own optimization efforts might be impeded. I know that as a web site owner, it’s really useful to have those stats and be able to tune your content so that it’s more easily searchable. To get this information, you now have to sign up for Google’s own analytics services–which may or may not be feasible for all websites.

Second, blackhat SEO sites won’t be able to access those stats either. It’s very useful for them to know what search term they have successfully hijacked. This is bad for them also for statistical purposes. When these sites receive visits from search engine visitors, they will have no idea what search sent them there. They won’t have a clear idea which search terms work and which don’t, so they are essentially in the dark. This can have a lot of impact on the effectiveness of their poisoning activities. This is, of course, good for Google as their search lists are cleaner but it’s also good for all users because they’ll be less likely to click on bad links from Google.

Of course, this only happens when users are already logged in to Google’s services. Given how many people already use Google Mail and Google+, this may not be such a big obstacle – but it still poses one. If people keep using regular no-padlock HTTP searches, they will keep disclosing their search terms and keeping things unchanged. The more people use HTTPS, the less information we’re giving the bad guys so there you have it: now you have one more reason to use secure connections to do your web searching.

Other blackhat SEO-related posts:

• Google’s Decision to Ban an Entire SLD Is a Paper Tiger
• Searches for iCloud Unveil FAKEAV
• Blackhat SEO Attack Uses Google’s Image Search to Reach 300 Million Hits