• Nikhil Raj. R

    Dear Yahoo, atleast show some respect to the concepts of the web. Don’t break it, others will follow what you’re doing right now. Hope it’s a technical mistake and expecting the referral data to pass on. And hey Google, you’re not that evil as I thought.

  • Jason Duke

    Sorry to call you on this one Danny but Yahoo is not taking away referer information by going SSL / https.

    Referer information is sent by the browser, not by the server. All mainstream browsers take the same view on passing referer information from site A to site B when Site A is SSL enabled (https) and Site B is not (http) – They don’t pass the information.

    Whereas if Site A and Site B are both SSL enabled (https to https) then referer information can and is sent. Yahoo are not breaking this and referer information is still being sent and viewable in log files, analytics products etc as previously; as long as the page receiving the referral from Yahoo search is also SSL enabled.

    Google go one stage further and purposely break the referer to give false information by way of a redirect to deliver the infamous [not provided] but Yahoo have chosen (wisely IMO) to not break this standard and useful piece of information. To enable it, you simply need to make your site secure by default too!

    P.S. The above info is all true and accurate based on a test I’ve just done but if Yahoo change things down the line, then that may mean what I’ve typed above is wrong! :)

  • RyanMJones

    new headline: Yahoo strips all search referrers, SEOs tracking rankings instead of traffic fail to notice.

  • RyanMJones

    Yahoo knows that most websites aren’t SSL, and that in general it’s not a good idea to default to SSL (costs more, slower, more bandwith, more processing, etc) Since they know this… and they know how Google fixed the issue, the burden is on them to have done something similar.

    Also, it’s not in yahoo’s best interest to strip out referers. For a dying brand that’s so dependent on display ads across its network of sites, you’d think they would want people to know that traffic is coming from there and see the potential value of yahoo as a network.

    Everybody going to SSL by default will just make a slower internet and require more resources. I don’t think we really want that.

  • Jason Duke

    Making the web SSL as standard would deliver nothing but Nyan cat riding rainbows of unicorn fart goodness to the majority of the users of the world (NSA and GCHQ aside) by making their end to end communications as secure as possible with zero downside and even zero noticeable changes. It’s how good security should be. Invisible yet there!

    Whether it be mobile web browsers, apps, or the desktop, the SSL burden is in fact so insignificant to the end user’s processing power it doesn’t matter any more. As to the processing required server side, well.

    Yahoo are doing it right. Fair props to them!

  • RyanMJones

    My latest and greatest phone is already slow enough when it comes to web browsing, and I pay by the amount of data I use. an all SSL web will just increase my data. And there’s really no benefit to me, the consumer, on 90% of the sites I visit – as I am not submitting information when I’m browsing news articles and blogs. It’ll end up costing me more money, and costing providers more money, with no real value add.

  • http://searchengineland.com/ Danny Sullivan

    Yes, I know this. That’s why I have the references in there about this being to non-secure sites and now most sites are not secure. Adn the articles I’ve referenced also explain what Google does and how it broke the standard, so that even if you had a secure server, you wouldn’t get the info.

  • Jason Duke

    We disagree Ryan. That’s OK, you’re allowed to be wrong. ;)

    Check this post in 18 months and see if more than 50% of the current web (by traffic volume) is SSL as standard or not. If not, I’ll buy a hat then eat it!

  • http://searchengineland.com/ Danny Sullivan

    Traffic volume means nothing. Google and Yahoo, for example, might make up 50% of the traffic volume of the web. But 99% of web sites, which have little volume, might not be secure.

    What would make a difference is if the percentage of web sites doing secure servers increased. And, if Google offered to share referrers with web sites that offered secure search, that would be a big incentive.

    I’ve written about this repeatedly – it’s in several of the articles I’ve linked to above. Unfortunately, Google has shown absolutely no willingness to do so.

  • Ria Parish

    Great article, I’m definitely going to be reading up more on this…

    btw you wrote “search search” a couple of times and I didn’t know whether both were meant to say “secure search”?

    – “What Search Search Means For Marketers”

    – “Bing: search search optional”

  • Jason Duke

    Danny. I know what I said and how I said it re volume -v- site quantity :)

    I also agree that if Google had taken a different route re passing referer information then that 50% of web traffic would easily be beaten and equate to > 50% of web sites.

  • Jason Duke

    You edited and added sources and comments after I posted, albeit you linked to a Twitter post. Most likely you edited while I typed as originally it was missing.

  • http://searchengineland.com/ Danny Sullivan

    No, Jason, I didn’t edit any sources. Certainly not while you literally typing a comment. OMG, I was so swamped yesterday with work, that was hardly top of my list.

    I mean what, you think I magically went back in time to write this:


    That’s a column I wrote last September for non-technical people to explain the whole secure-to-secure passes referral stuff. And it was referenced in this original article, along with this part of my story:

    “Yahoo is sending no referrer data at all from its secure server to unsecure sites (which are most sites out there).”

    That wasn’t added after you posted here. And also, why don’t you go back and read this:


    That’s from 2011, explaining again in detail how the whole secure-to-secure passes referrers work. You read that, then ask yourself if you really think your comment somehow told me something I didn’t know or fully understand.

    I understand it. The issue is, most people don’t. Most people are running non-secure sites, and most people are not going to get this information.

    If they would shift to secure sites, then at the moment, yes, they would get data from Yahoo. Not from Google, because it doesn’t follow the standard. And Yahoo could change at any time.

    Don’t get me wrong. I wish that Google would pass along the terms to sites if they run secure. But having written upteenbillion articles berating Google on this issue, I feel like I’ve beaten the drum as much as I can. They don’t f’ing care, and it’s not for lack of me trying or for lack of me trying to explain things clearly.

    I did, in our Search Engine Land article, make two small changes to better explain that this is something that’s happening for most searches not all, even though that also had references in the original that this involves secure-to-non-secure sites. Hopefully, that makes Joost happen, who seems to be the other person who really wanted to jump on this really minor technical issue.

    And stay tuned, because I’m virtually certain that Yahoo simply will do what Google does. Strip the referrer of search terms, so that it’s passing along referrer only. They just haven’t thought about what this will do to their traffic estimates.

    And when they do, all that secure-to-secure stuff will be just like with Google, not mattering.

  • http://searchengineland.com/ Danny Sullivan

    Yes, it would. And I’ve written from the start of Google breaking things that they should have done the other way: http://searchengineland.com/google-puts-a-price-on-privacy-98029

  • Jason Duke

    wow, I dont think i’ve ever seen you so worked up. :)

    I may have gotten your SE Land and Marketing land articles mixed up. Both sites are so similar after all and of course i` read both; but I definately saw a change in an article by you on the topic on one of the 2 sites.

    I also didn’t read the original article in a way that shows that https -> https can and should allow referer through; but rather as a fait accompli inferring that G’s method of stopping referer info being passed was due to the http:// to https:// change and indeed that Yahoo had followed in this standard breaking method in the same way,

    Yahoo have gotten lots wrong over the years and when they did something right, like this, I think they should be lauded.

    Re Joost (Yoast) and I both picking this up, it probably shows that although your intent was to show the true picture that maybe (just maybe?) you missed it out and 2 technically versed search guys wanted to make sure that clarity was shown.

    As to Yahoo changing to the same method of Google and breaking / falsifying referer information. I think that’s likely now you’ve essentially given them a green light by saying its “expected”

    I can hear the board meeting now, “Damn search retargeting companies taking all our data. Let’s break and falsify referer information in the same way Google did. They got away with it and Danny says everyone thinks we’ll do it anyway”

  • http://searchengineland.com/ Danny Sullivan

    About fifteen minutes after the SEL article posted, I added this:

    “By the way, when it comes to searches that lead to secure servers, Yahoo appears to be following standard protocol and passing along full-referrers. However, as most sites are not secure sites, most publishers won’t receive this information.”

    Since the SEL article was a companion to the ML article, with a reference that the ML article had more details on how all this happens, I didn’t think getting into the often confusing world of secure-to-secure passing was important. That’s especially because, to me, the far bigger issue was this:

    “How is it that Google secure search still lets you know someone came from Google but Yahoo secure search doesn’t? That’s because Google carefully constructed its secure search to actually make it less secure, to allow for general referrer information to pass (so you know an unnamed search happened on Google) and for actual search terms to pass for Google’s advertisers.”

    IE, that Google degraded its security to please advertisers. Of course, as it turns out, Yahoo’s doing the same.

    About three hours after the story went up, when Joost kept hammering away on Twitter about the secure-to-secure issues, I changed the SEL article’s lead from:

    “By default, searches on Yahoo.com are now done through a secure server. That means more protection for searchers but less data for search marketers about how they are receiving traffic. *ANY* visits from Yahoo done via search will appear as if someone came to a site directly”


    “By default, searches on Yahoo.com are now done through a secure server. That means more protection for searchers but less data for search marketers about how they are receiving traffic. *Most* visits from Yahoo done via search will appear as if someone came to a site directly”

    Because yes, it’s accurate to say that most visits will have referrers stripped, not all of them.

    Similarly, I also changed:

    “So is Yahoo’s change going to cause a spike in “not provided.” No. That’s because Yahoo’s not sharing anything at all. A search on Yahoo that leads to a publisher will reveal nothing”


    “So is Yahoo’s change going to cause a spike in “not provided.” No. That’s because Yahoo’s not sharing anything at all. ***In most cases***, a search on Yahoo that leads to a publisher will reveal nothing”

    And I guess I’m worked up because I’ve written about the secure-to-secure stuff and no one seems to care. So when I’m not getting down into those details that no one has previously really cared about, getting hammered by you and Joost, yeah, not exactly great.

    As for me giving Yahoo some type of green light, hey, they already green lit themselves. They already are passing data to advertisers as part of all this despite the searches being done on a secure environment. I didn’t cause that. They did it themselves.

    Of course, they did it because they’re not really thinking any of this through. They probably send the ad click internally to their secure server, process it, then spit out from an insecure route to an insecure destination site. Which goes against the promise they’ve made everything that leaves the sites should be secure by the end of Q1, but they have some time, so we’ll see.

    And I think the board / executive meetings go something like this, in particular at Google: “Hey, we’re going to make secure search by default for everyone, which means even less data will go out to people — and we’ll keep all the privacy loopholes for our advertisers and other places going. About the only person who will notice is Danny, but every time he writes about all our loopholes, nothing happens, so I think we’re good.”

    If I come up at all. I mean Jason look:

    I have tried and tried and tried on this issue, including even writing it up on CNET. No one cares. Google has managed to wave a magic wand to convince everyone that increasing privacy 90% and leaving a 10% loophole is better than 100%.

    Personally, I find it deeply disturbing that it deliberately degrades privacy for its advertising reason, but like I said, I’ve written and written and written about this.

    So, if you want to get on my back and suggest that somehow I’ve enabled Yahoo to do like Google, you go for it. But I’d suggest that rather than attacking about the only major journalist who has kept on this issue, maybe you might go out and wake up TechCrunch, The Verge, Re/code and other places that don’t do it?

  • Pat Grady

    Oops there goes another one.