Yahoo Makes Secure Search The Default


Yahoo has now joined Google in making all searches people do automatically go through a secure server, to help prevent eavesdropping by outsiders. Unlike Google, however, Yahoo has failed to make an important change to how “referrer” data is passed along, which will result in people thinking Yahoo Search has suddenly dropped in popularity.

Goes Secure

The switch only seems to be happening on, not on other Yahoo properties I’ve checked like Yahoo UK, Yahoo Germany, Yahoo France or Yahoo Japan. Yahoo did confirm to us that the switch happened but didn’t clarify on exactly which Yahoo properties, though we specifically asked.

Rather, Yahoo said the rollout was on-going and part of plans announced at the end of last year:

As announced in November 2013, Yahoo is moving towards using https as the default for searches. We are currently in the process of rolling this out. [Our] Tumblr post [about it].

The post doesn’t specifically talk about Yahoo Search going secure. It says that all Yahoo products will be made more secure (so that would include search), but then goes on to say that users would be given an option to encrypt data. With Yahoo’s search change, no option is given. It’s been made secure by default — which for users, is generally a good thing. Few tend to change defaults.

Yahoo did say that all its properties should see a similar change by March 31, 2014:

Yahoo will encrypt all information that moves between our data centers and offer users an option to encrypt all data flow to/from Yahoo by the end of Q1 2014. This effort will extend to all of our properties.

Yahoo didn’t say when exactly the change happened, but a reader tipped us to it yesterday, describing it as fairly recent. The Washington Post noted that Yahoo confirmed its email services would move to secure servers on January 8, so perhaps search was changed at the same time or near to it.

What Secure Search Means For Consumers

By going to secure search, Yahoo is sending all queries through a secure server, one that can’t easily be eavesdropped on by outsiders, such as government agencies like the NSA or private third parties.

You can see the change happen because if you go to (the http:// prefix representing an ordinary, unsecure server), after doing a search, you’ll see that the URL has changed to https:// (representing that a secure server was used to process the search and send results to you).

The change, as explained, should help prevent eavesdropping of searches, which can individually be sensitive but are far more a concern if someone can intercept a series of them and construct a profile of what a particular person has been searching for.

What Search Search Means For Marketers

The move to secure search also means that Yahoo no longer passes along “referrer” data that tells web sites the terms they were found for, in most cases. Think of referrer data as a “caller ID” for the web. In the past, if someone searched on Yahoo, then clicked on one of the listings, the destination site would be told that a search was done on Yahoo and the terms that were used to find them.

For example, if someone searched on Yahoo for “books” and clicked on a listing for Amazon, Amazon would be able to tell that it received a visitor from Yahoo and that the visitor searched for the word “books.”

With the change, this no longer happens. Yahoo is sending no referrer data at all from its secure server to unsecure sites (which are most sites out there). This means marketers who are getting traffic from Yahoo won’t know this at all. They’ll instead see a plunge in traffic coming from Yahoo and a rise in traffic from “direct” visitors.

One site, Marketing Champu, has already noted a drop in its logs. Many more sites will be noticing this going forward.

See our related story on Search Engine Land for more about this:

FYI, for those who run secure servers, it does appear Yahoo is following standard protocol and passing referrers to those. We’re double-checking with Yahoo about this.

How Yahoo Is Screwing Up Its Popularity, Unlike Google

As said above, Google also went to secure search by default, back in September, as our story below explains:

However, publishers did not find that as a result, Google was suddenly dropping in popularity. The reason is that Google purposely has made changes so that it passes along some referrer information — enough that people know that a search happened on Google — but not the actual search term itself.

As a result, Google continues to be accurately measured by marketers in terms of how much aggregate traffic it sends them, even if they are left in the dark about the exact terms used.
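The difference between the two approaches, as an added example (not from the article or either company's code): it models which referrer a destination site receives and how an analytics tool would then label the visit. The `shop.example` destination and the sample URLs are constructed; `p` and `q` are the query parameters Yahoo and Google use for search terms.

```javascript
// Added illustration; the URLs are constructed samples, not taken from real logs.

// Search-term query parameter in each engine's results URL.
const ENGINES = {
  "search.yahoo.com": { name: "Yahoo", termParam: "p" },
  "www.google.com": { name: "Google", termParam: "q" },
};

// Referer header the destination receives when a visitor clicks from
// `fromUrl` to `toUrl`.
// mode "standard": the browser behaviour the article describes (nothing is
// sent from a secure page to an unsecure one, full URL otherwise).
// mode "origin-only": the engine arranges for only its own address to be
// passed, without the search terms (Google's approach as described here).
function refererSeen(fromUrl, toUrl, mode = "standard") {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  if (mode === "origin-only") return from.origin + "/";
  if (from.protocol === "https:" && to.protocol === "http:") return null;
  return from.href;
}

// How an analytics package would bucket the visit from that header alone.
function classifyVisit(referer) {
  if (!referer) return { source: "direct", term: null };
  let url;
  try {
    url = new URL(referer);
  } catch {
    return { source: "direct", term: null }; // malformed header
  }
  const engine = ENGINES[url.hostname];
  if (!engine) return { source: "referral", term: null };
  const term = url.searchParams.get(engine.termParam);
  return { source: engine.name + " search", term: term || "(not provided)" };
}

function visit(fromUrl, toUrl, mode) {
  return classifyVisit(refererSeen(fromUrl, toUrl, mode));
}

// Constructed scenarios: a searcher looks for "books" and clicks a listing.
const SCENARIOS = [
  ["Yahoo before the switch", "http://search.yahoo.com/search?p=books", "http://shop.example/"],
  ["Yahoo secure -> unsecure site", "https://search.yahoo.com/search?p=books", "http://shop.example/"],
  ["Yahoo secure -> secure site", "https://search.yahoo.com/search?p=books", "https://shop.example/"],
  ["Google secure -> unsecure site", "https://www.google.com/search?q=books", "http://shop.example/", "origin-only"],
];

function report() {
  return SCENARIOS.map(([label, from, to, mode]) => ({ label, ...visit(from, to, mode) }));
}

console.table(report());
```

The second row is the case that shows up in logs as a fall in Yahoo traffic and a rise in “direct” visits; the fourth is why Google traffic is still counted even though the term is missing.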

Why didn’t Yahoo do the same? My guess is Yahoo didn’t even think about it. But when asked about the lack of referrer data and how that may impact Yahoo’s apparent popularity, the company said:

As the rollout is not complete, we aren’t able to comment yet on this.

The Loopholes In Google’s Protection

Actually, there is one case where Google keeps transmitting search term data in the clear, not through any secure method. That’s for its advertisers.

Google purposely left a loophole in its security so that advertising terms continue to be passed on. It also left loopholes so that individual terms continue to be passed on within its Google Webmaster Tools service. Both mean that Google’s secure search isn’t as secure as it could be, but Google seems happy with that trade-off. More about this below:

What About Bing?

You may have heard that Bing has gone to secure search this month, too. That’s not quite correct. Earlier this month, Bing made a secure version of its search service available for anyone who wants to use it. But if you don’t use it, then searches continue to be unsecure. The default has not changed to use secure search, as is the case with Google and Yahoo.

Our story below has more about this:

Most Secure: Yahoo, Then Google

Overall, the rundown is like this:

  • Yahoo: secure search by default, no search terms passed, no referrers passed, except for advertisers
  • Google: secure search by default, search terms passed to advertisers or through Google’s publisher tools
  • Bing: search search optional, no search terms passed, no referrers passed

Yahoo appears to provide the most security for searchers because by default it is passing no information along at all, not even individual terms. It might, however, be passing ad clicks. We’re checking further on that.

Postscript: Yahoo tells us that it is providing full referrers to advertisers.

Google provides great security by default to prevent eavesdropping in order to build a search profile of someone, but it provides no real security when it comes to the privacy of individual terms.

Bing provides security, but only for those who seek it out.

See also our Search Engine Land for more about Yahoo’s change and its impact on analytics:

About The Author: is Founding Editor of Marketing Land. He’s a widely cited authority on search marketing and internet marketing issues, who has covered the space since 1996. Danny also serves as Chief Content Officer for Third Door Media, which publishes Search Engine Land and produces the SMX: Search Marketing Expo conference series. He has a personal blog called Daggle (and keeps his disclosures page there). He can be found on Facebook, Google + and microblogs on Twitter as @dannysullivan.

  • Nikhil Raj. R

    Dear Yahoo, at least show some respect to the concepts of the web. Don’t break it, others will follow what you’re doing right now. Hope it’s a technical mistake and expecting the referral data to pass on. And hey Google, you’re not that evil as I thought.

  • Jason Duke

    Sorry to call you on this one Danny but Yahoo is not taking away referer information by going SSL / https.

    Referer information is sent by the browser, not by the server. All mainstream browsers take the same view on passing referer information from site A to site B when Site A is SSL enabled (https) and Site B is not (http) – They don’t pass the information.

    Whereas if Site A and Site B are both SSL enabled (https to https) then referer information can and is sent. Yahoo are not breaking this and referer information is still being sent and viewable in log files, analytics products etc as previously; as long as the page receiving the referral from Yahoo search is also SSL enabled.

    Google go one stage further and purposely break the referer to give false information by way of a redirect to deliver the infamous [not provided] but Yahoo have chosen (wisely IMO) to not break this standard and useful piece of information. To enable it, you simply need to make your site secure by default too!

    P.S. The above info is all true and accurate based on a test I’ve just done but if Yahoo change things down the line, then that may mean what I’ve typed above is wrong! :)

  • RyanMJones

    new headline: Yahoo strips all search referrers, SEOs tracking rankings instead of traffic fail to notice.

  • RyanMJones

    Yahoo knows that most websites aren’t SSL, and that in general it’s not a good idea to default to SSL (costs more, slower, more bandwidth, more processing, etc.). Since they know this… and they know how Google fixed the issue, the burden is on them to have done something similar.

    Also, it’s not in yahoo’s best interest to strip out referers. For a dying brand that’s so dependent on display ads across its network of sites, you’d think they would want people to know that traffic is coming from there and see the potential value of yahoo as a network.

    Everybody going to SSL by default will just make a slower internet and require more resources. I don’t think we really want that.

  • Jason Duke

    Making the web SSL as standard would deliver nothing but Nyan cat riding rainbows of unicorn fart goodness to the majority of the users of the world (NSA and GCHQ aside) by making their end to end communications as secure as possible with zero downside and even zero noticeable changes. It’s how good security should be. Invisible yet there!

    Whether it be mobile web browsers, apps, or the desktop, the SSL burden is in fact so insignificant to the end user’s processing power it doesn’t matter any more. As to the processing required server side, well.

    Yahoo are doing it right. Fair props to them!

  • RyanMJones

    My latest and greatest phone is already slow enough when it comes to web browsing, and I pay by the amount of data I use. An all SSL web will just increase my data. And there’s really no benefit to me, the consumer, on 90% of the sites I visit – as I am not submitting information when I’m browsing news articles and blogs. It’ll end up costing me more money, and costing providers more money, with no real value add.

  • Danny Sullivan

    Yes, I know this. That’s why I have the references in there about this being to non-secure sites and now most sites are not secure. And the articles I’ve referenced also explain what Google does and how it broke the standard, so that even if you had a secure server, you wouldn’t get the info.

  • Jason Duke

    We disagree Ryan. That’s OK, you’re allowed to be wrong. ;)

    Check this post in 18 months and see if more than 50% of the current web (by traffic volume) is SSL as standard or not. If not, I’ll buy a hat then eat it!

  • Danny Sullivan

    Traffic volume means nothing. Google and Yahoo, for example, might make up 50% of the traffic volume of the web. But 99% of web sites, which have little volume, might not be secure.

    What would make a difference is if the percentage of web sites doing secure servers increased. And, if Google offered to share referrers with web sites that offered secure search, that would be a big incentive.

    I’ve written about this repeatedly – it’s in several of the articles I’ve linked to above. Unfortunately, Google has shown absolutely no willingness to do so.

  • Ria Parish

    Great article, I’m definitely going to be reading up more on this…

    btw you wrote “search search” a couple of times and I didn’t know whether both were meant to say “secure search”?

    - “What Search Search Means For Marketers”

    - “Bing: search search optional”

  • Jason Duke

    Danny. I know what I said and how I said it re volume -v- site quantity :)

    I also agree that if Google had taken a different route re passing referer information then that 50% of web traffic would easily be beaten and equate to > 50% of web sites.

  • Jason Duke

    You edited and added sources and comments after I posted, albeit you linked to a Twitter post. Most likely you edited while I typed as originally it was missing.

  • Danny Sullivan

    No, Jason, I didn’t edit any sources. Certainly not while you were literally typing a comment. OMG, I was so swamped yesterday with work, that was hardly top of my list.

    I mean what, you think I magically went back in time to write this:

    That’s a column I wrote last September for non-technical people to explain the whole secure-to-secure passes referral stuff. And it was referenced in this original article, along with this part of my story:

    “Yahoo is sending no referrer data at all from its secure server to unsecure sites (which are most sites out there).”

    That wasn’t added after you posted here. And also, why don’t you go back and read this:

    That’s from 2011, explaining again in detail how the whole secure-to-secure passes referrers work. You read that, then ask yourself if you really think your comment somehow told me something I didn’t know or fully understand.

    I understand it. The issue is, most people don’t. Most people are running non-secure sites, and most people are not going to get this information.

    If they would shift to secure sites, then at the moment, yes, they would get data from Yahoo. Not from Google, because it doesn’t follow the standard. And Yahoo could change at any time.

    Don’t get me wrong. I wish that Google would pass along the terms to sites if they run secure. But having written upteenbillion articles berating Google on this issue, I feel like I’ve beaten the drum as much as I can. They don’t f’ing care, and it’s not for lack of me trying or for lack of me trying to explain things clearly.

    I did, in our Search Engine Land article, make two small changes to better explain that this is something that’s happening for most searches not all, even though that also had references in the original that this involves secure-to-non-secure sites. Hopefully, that makes Joost happy, who seems to be the other person who really wanted to jump on this really minor technical issue.

    And stay tuned, because I’m virtually certain that Yahoo simply will do what Google does. Strip the referrer of search terms, so that it’s passing along referrer only. They just haven’t thought about what this will do to their traffic estimates.

    And when they do, all that secure-to-secure stuff will be just like with Google, not mattering.

  • Danny Sullivan

    Yes, it would. And I’ve written from the start of Google breaking things that they should have done the other way:

  • Jason Duke

    Wow, I don’t think I’ve ever seen you so worked up. :)

    I may have gotten your SE Land and Marketing Land articles mixed up. Both sites are so similar after all and of course I read both; but I definitely saw a change in an article by you on the topic on one of the 2 sites.

    I also didn’t read the original article in a way that shows that https -> https can and should allow referer through; but rather as a fait accompli inferring that G’s method of stopping referer info being passed was due to the http:// to https:// change and indeed that Yahoo had followed in this standard breaking method in the same way.

    Yahoo have gotten lots wrong over the years and when they did something right, like this, I think they should be lauded.

    Re Joost (Yoast) and I both picking this up, it probably shows that although your intent was to show the true picture that maybe (just maybe?) you missed it out and 2 technically versed search guys wanted to make sure that clarity was shown.

    As to Yahoo changing to the same method of Google and breaking / falsifying referer information. I think that’s likely now you’ve essentially given them a green light by saying it’s “expected.”

    I can hear the board meeting now, “Damn search retargeting companies taking all our data. Let’s break and falsify referer information in the same way Google did. They got away with it and Danny says everyone thinks we’ll do it anyway”

  • Danny Sullivan

    About fifteen minutes after the SEL article posted, I added this:

    “By the way, when it comes to searches that lead to secure servers, Yahoo appears to be following standard protocol and passing along full-referrers. However, as most sites are not secure sites, most publishers won’t receive this information.”

    Since the SEL article was a companion to the ML article, with a reference that the ML article had more details on how all this happens, I didn’t think getting into the often confusing world of secure-to-secure passing was important. That’s especially because, to me, the far bigger issue was this:

    “How is it that Google secure search still lets you know someone came from Google but Yahoo secure search doesn’t? That’s because Google carefully constructed its secure search to actually make it less secure, to allow for general referrer information to pass (so you know an unnamed search happened on Google) and for actual search terms to pass for Google’s advertisers.”

    IE, that Google degraded its security to please advertisers. Of course, as it turns out, Yahoo’s doing the same.

    About three hours after the story went up, when Joost kept hammering away on Twitter about the secure-to-secure issues, I changed the SEL article’s lead from:

    “By default, searches on are now done through a secure server. That means more protection for searchers but less data for search marketers about how they are receiving traffic. *ANY* visits from Yahoo done via search will appear as if someone came to a site directly”


    “By default, searches on are now done through a secure server. That means more protection for searchers but less data for search marketers about how they are receiving traffic. *Most* visits from Yahoo done via search will appear as if someone came to a site directly”

    Because yes, it’s accurate to say that most visits will have referrers stripped, not all of them.

    Similarly, I also changed:

    “So is Yahoo’s change going to cause a spike in “not provided.” No. That’s because Yahoo’s not sharing anything at all. A search on Yahoo that leads to a publisher will reveal nothing”


    “So is Yahoo’s change going to cause a spike in “not provided.” No. That’s because Yahoo’s not sharing anything at all. ***In most cases***, a search on Yahoo that leads to a publisher will reveal nothing”

    And I guess I’m worked up because I’ve written about the secure-to-secure stuff and no one seems to care. So when I’m not getting down into those details that no one has previously really cared about, getting hammered by you and Joost, yeah, not exactly great.

    As for me giving Yahoo some type of green light, hey, they already green lit themselves. They already are passing data to advertisers as part of all this despite the searches being done on a secure environment. I didn’t cause that. They did it themselves.

    Of course, they did it because they’re not really thinking any of this through. They probably send the ad click internally to their secure server, process it, then spit out from an insecure route to an insecure destination site. Which goes against the promise they’ve made that everything that leaves the sites should be secure by the end of Q1, but they have some time, so we’ll see.

    And I think the board / executive meetings go something like this, in particular at Google: “Hey, we’re going to make secure search by default for everyone, which means even less data will go out to people — and we’ll keep all the privacy loopholes for our advertisers and other places going. About the only person who will notice is Danny, but every time he writes about all our loopholes, nothing happens, so I think we’re good.”

    If I come up at all. I mean Jason look:

    I have tried and tried and tried on this issue, including even writing it up on CNET. No one cares. Google has managed to wave a magic wand to convince everyone that increasing privacy 90% and leaving a 10% loophole is better than 100%.

    Personally, I find it deeply disturbing that it deliberately degrades privacy for its advertising reason, but like I said, I’ve written and written and written about this.

    So, if you want to get on my back and suggest that somehow I’ve enabled Yahoo to do like Google, you go for it. But I’d suggest that rather than attacking about the only major journalist who has kept on this issue, maybe you might go out and wake up TechCrunch, The Verge, Re/code and other places that don’t do it?

  • Pat Grady

    Oops there goes another one.
