Interesting People mailing list archives

retraction re Google referer lines


From: David Farber <dave () farber net>
Date: Wed, 11 Jan 2006 09:37:55 -0500



Begin forwarded message:

From: "Steven M. Bellovin" <smb () cs columbia edu>
Date: January 10, 2006 5:07:16 PM EST
To: dave () farber net
Subject: retraction re Google referer lines

As several people have pointed out, it's my *browser* that's sending
along the Referer line, not Google.  Yup -- I got it wrong; mea culpa.
(I used to have a browser extension that would let me control whether
or not Referer was sent; I really should have known better.)

What this does point out, of course, is that security (and that
includes privacy) is a systems property.  Just looking at one piece of
the puzzle will not tell you what's going on.   Here, part of the issue
is Google's choice -- probably, but not definitely, correct -- to put
the query in the URL, rather than using HTTP POST.  If they'd done the
latter, all the receiving site would know is that I came there from
Google.  Nor do I know what happens if I click on a link that goes via
Google's site (behavior which they do document) -- that's another part
of the system.  (I assume that they note the statistics and send a
redirect to my browser.  I have no idea what my browser will do for a
referer line in that case.)

So -- again, my apologies to Google.  I think they do need to be a lot
more careful about privacy, but in this case they're innocent.

                --Steven M. Bellovin, http://www.cs.columbia.edu/~smb
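
Added example, not part of the original message: a small model of the point above about query-in-URL versus HTTP POST, showing what a receiving site can recover from the Referer line in each case. The hostname, the query text and the function names are constructed for illustration, and the model assumes the browser sends the full URL of the linking page as Referer.

```javascript
// Added illustration (not from the original message). Models a browser that
// sends the full URL of the linking page as Referer, minus fragment and
// userinfo (RFC 9110, section 10.1.3).
// Hostname and query values below are constructed sample data.

// What the browser puts in Referer when a link on `page` is clicked.
// `page` = { method, url, body } describes how the results page was fetched.
function refererFor(page) {
  const u = new URL(page.url);
  u.hash = '';
  u.username = '';
  u.password = '';
  return u.toString(); // a POST body is never part of the URL
}

// What the receiving site can recover from the Referer header it logs.
function seenByDestination(referer) {
  const u = new URL(referer);
  return { cameFrom: u.hostname, query: u.searchParams.get('q') };
}

// Same search, submitted two ways (constructed sample requests).
const viaGet = {
  method: 'GET',
  url: 'https://search.example/search?q=rare+disease+symptoms#top',
  body: null,
};
const viaPost = {
  method: 'POST',
  url: 'https://search.example/search',
  body: 'q=rare+disease+symptoms',
};

function demo() {
  return {
    get: seenByDestination(refererFor(viaGet)),
    post: seenByDestination(refererFor(viaPost)),
  };
}

console.log(demo());
```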



