26 comments

[ 2.3 ms ] story [ 57.0 ms ] thread
Why on earth are people still allowing their referers to be sent to third party websites?

It should be the first thing you disable.

If a site insists on referers use an automatic spoofing plugin like RefControl.

Why on earth are people still allowing their referers to be sent to third party websites?

Because they don't care? You might consider it a privacy must but plenty don't. I, for one, don't have a huge problem with sites knowing where I came from.

ck2 has 11K+ karma but a blank about section, which leads me to believe that he probably has exaggerated privacy expectations to begin with. Almost nobody outside of this vocal 'minerdity' cares about things like this.
I wouldn't consider any privacy expectations to be exaggerated— you can't have too much. I'm also sad to see you used ck2's karma/profile page to discredit their argument.

ck2 could have phrased their post better (it came off somewhat condescending), but the meat of it is solid: Disabling referrer headers should be the first thing a privacy-minded person does.

I didn't use his karma and profile to discredit his argument. I used his (perceived) exaggerated expectations of privacy -- which I garnered from both reading his comment and looking at his profile -- to discredit his argument.

You are free to agree with him that you should disable your HTTP referrer header but it breaks the Web and is probably a sign of paranoia on some level or another. It really is quite innocuous.

> I didn't use his karma and profile to discredit his argument. I used his (perceived) exaggerated expectations of privacy -- which I garnered from both reading his comment and looking at his profile -- to discredit his argument.

You assumed the type of person ck2 was from their karma and profile page and then discredited their comment because of that assumption; specifically, you called them a "vocal minerdity". To be honest, your reply to ck2 was little more than verbose name-calling and offered nothing of substance to the discussion.

My apologies to the other HN readers for this derail.

edit: That came off kind of harsh. I'm sure you meant well by your comment, but I don't think an appropriate reply to ck2 was to point to their profile and call them paranoid.

I don't mean any disparage on ck2, though I do completely disagree with him. "minerdity" (which I thought was rather clever, actually) is perfect for describing the minority of highly technical users that have deep-seated privacy issues. That determination didn't come from his profile. His comment said it all. He makes it sound like you'd have to be nuts or ignorant to not block the referrer and that's simply not the case. Sometimes you have to look at the person doing the talking and determine if they are biased or not.

Like when someone with "I hate Microsoft" in their about is in a thread about Microsoft trying to explain to you why Windows is dying off.

That was my determination, for better or for worse, I can't take it back now.

What does having a blank about section have to do with privacy.

I've got less karma, ~2k or so, and my about section is blank as well. It's not a privacy thing, it's just that I'm not all that interesting.

He's a top 100 user and he has a blank profile. You don't have to dig too deep to figure out why I believe that's unusual. Take a glance at the leaderboard and see how many people spend huge chunks of their days on here but don't even mention a Twitter account or name. Which is fine. I don't want this to turn into some thing where people think I'm bashing the guy for his profile.
I recommend anyone interested in learning about online tracking to install Mozilla Collusion http://www.mozilla.org/en-US/collusion/ After seeing the amount of seemingly disparate information certain organizations can track (Google/Doubeclick, Discuss, Facebook, Twitter, etc) consider installing Ghostery http://www.ghostery.com/

Collusion takes seconds to install and you can forget about it for months while it builds an interactive web of tracking.

Ghostery protects your privacy by blocking a large list of web spies.

I've checked this out. It was pretty crazy to see how many domains get pinged when I visit a site.

Just remember, o consumer of things but blocker of ads yet payer of nothing, that when enough people are gyping site owners out of what little revenue you even can earn from advertising you will cease to get your freebies but the agencies will not stop gathering your information.

Because fuck advertising. Site owners are not advertising companies.
Is something similar to collusion available for Chrome?
No, but a privacy conscious user would prefer to use Chromium which doesn't come with the Google privacy invasion built-in.
It's generally good for the web to know where traffic is coming from. For example, it would be quite frustrating to be linked on say Hacker News and not know it but still see your server sending out thousands and thousands of additional page views an hour.
that's like parking a mile away from a mcdonalds so no one knows where you came from. There's privacy and then there's paranoia...
You can park by the door, it still doesn't tell them where you came from.
That's why I park at the wendy's across the street. That way no one knows I went to McDonalds.
How often do you run into third-party websites that break without referer header?
In the 3 or so years I've used RefControl, I've added 5 exceptions. Sourceforge used to break (but not any more). NYT relies on the referrer to determine whether you're allowed through the paywall. Some image hosts use the referrer to detect hotlinking (and subsequently block the image). I regularly use a webshop that uses a payment processor that relies on the referrer to do something (I'm not sure what).

So it's fairly rare, but it happens, on occasion.

Because if it will make one site invest better in market after I gladly used its content for free, why not?

I couldn't care less.

Now, let's talk about sites that uses it, and other user inputs, for security...

For those with SEO concerns:

"This change will only affect the subset of SSL search referrers which already didn’t include the query terms. Non-HTTPS referrals will continue to behave as they do today."

Scrape away my friends, scrape away.

Anyone know why Google doesn't show the referrer if you're logged in and it's organic result, but they do show it if they click on Adwords?
> nyone know why Google doesn't show the referrer if you're logged in and it's organic result, but they do show it if they click on Adwords?

Disclaimer: I'm a google engineer but don't know the answer at all and am just making a completely shot in the dark: maybe our new privacy policy has something to do with it?

But yeah, since when you're logged in in the US you use SSL search, the current state of affairs is that you won't send referrers to organic results since you're on SSL. This change will make it so you send referrer data in both cases.

AdWords customers paid to get it.
The refereer header is So important for google that

1) they actively removed 4 attempts to disable it chromium (the open source project, not their build of chrome)

2) they are now eliminating competition on their new analytics market by monopolizing it