[IP] retraction re Google referer lines
Begin forwarded message:
From: "Steven M. Bellovin" <smb@xxxxxxxxxxxxxxx>
Date: January 10, 2006 5:07:16 PM EST
To: dave@xxxxxxxxxx
Subject: retraction re Google referer lines

As several people have pointed out, it's my *browser* that's sending
along the Referer line, not Google. Yup -- I got it wrong; mea culpa.
(I used to have a browser extension that would let me control whether
or not Referer was sent; I really should have known better.)

What this does point out, of course, is that security (and that
includes privacy) is a systems property. Just looking at one piece of
the puzzle will not tell you what's going on. Here, part of the issue
is Google's choice -- probably, but not definitely, correct -- to put
the query in the URL, rather than using HTTP POST. If they'd done the
latter, all the receiving site would know is that I came there from
Google. Nor do I know what happens if I click on a link that goes via
Google's site (behavior which they do document) -- that's another part
of the system. (I assume that they note the statistics and send a
redirect to my browser. I have no idea what my browser will do for a
referer line in that case.)

So -- again, my apologies to Google. I think they do need to be a lot
more careful about privacy, but in this case they're innocent.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
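
The GET-versus-POST point in the message above, worked through as an added example (not part of the original e-mail): it models the Referer value a browser sends from a search results page and what the destination site can read out of it. The host `search.example`, the `q` parameter name and all function names are assumptions made for illustration.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

SEARCH_HOST = "search.example"  # constructed search engine, not a real endpoint


def results_page_url(query, method):
    """URL of the results page the browser shows after submitting a search."""
    base = f"http://{SEARCH_HOST}/search"
    if method == "GET":
        # GET form: the fields are serialized into the URL's query string.
        return base + "?" + urlencode({"q": query})
    if method == "POST":
        # POST form: the fields travel in the request body, not in the URL.
        return base
    raise ValueError(f"unsupported form method: {method!r}")


def referer_sent_by_browser(current_page_url, send_referer=True):
    """Referer value attached when a link on the current page is clicked.

    Models the classic behaviour: the full page URL minus any fragment.
    Returns None when the user has switched the header off.
    """
    if not send_referer:
        return None
    return urlsplit(current_page_url)._replace(fragment="").geturl()


def what_destination_learns(referer):
    """What the site receiving the click can read out of the Referer header."""
    if not referer:
        return {"came_from": None, "search_terms": None}
    parts = urlsplit(referer)
    terms = parse_qs(parts.query).get("q")
    return {"came_from": parts.hostname, "search_terms": terms[0] if terms else None}


def demo(query="embarrassing medical symptom"):  # constructed sample query
    out = {}
    for method in ("GET", "POST"):
        page = results_page_url(query, method)
        out[method] = what_destination_learns(referer_sent_by_browser(page))
    out["GET, Referer disabled"] = what_destination_learns(
        referer_sent_by_browser(results_page_url(query, "GET"), send_referer=False))
    return out


if __name__ == "__main__":
    for case, learned in demo().items():
        print(f"{case:22} -> {learned}")
```
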