I never realized how much I would come to love Bing in the last year. I don’t use it, but now that Google is pretty much 100% secure search across the, almost all of the search phrases that we end up logging are from Bing. Yay for being able to tell what people searched for when coming to our site!

Earlier today I saw this announcement that Bing is now testing secure (HTTPS) searches.

It’s different than Google’s though, at least right now. For a small number of sites, it changes nothing. But for most sites, it’s much worse. Why?

On Google, when do a search over HTTPS, when you click the result it actually sends you through an intermediate, non-HTTPS page. For example if you go to https://google.com and search for “Clicky” and click the first result, the URL you actually go to is this:

http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CC4QFjAA &url=http%3A%2F%2Fclicky.com%2F&ei=5fvWUrbSIOiqyAHyr4Fo &usg=AFQjCNFOPVnz4LaWTBeOHfeCOADfndg5BA&sig2=vLGsm0mdBFXCn-4n_CQ11Q&bvm=bv.59378465,d.aWc&cad=rja

And then you are redirected to our web site. You can see they hide the search paramter (“q=”) but because this intermediate page is handled with standard HTTP, at least we still know they came from Google. Better than a kick in the pants, right?

The problem with Bing’s new secure search is that there is no intermediate page. This means that unless your site uses forced HTTPS across the board, not only will no searches get logged, you won’t even know they came from Bing in the first place (because browsers don’t send referrers when going from HTTPS -> HTTP). Since there will be no referrer, they will get logged as “direct” visitors.

For those of you with forced HTTPS on your site, you will still be able to see the actual search phrases used. But since very few sites use forced HTTPS, this will impact the vast majority of web sites out there.

This hasn’t been technically “released” yet so things might change, but as they stand now, this is how it is. To be clear, it doesn’t appear Microsoft is doing this to hide data from web site owners like Google is intentionally doing, but rather, as a way to protect users from NSA spying. That’s a great reason for this change, I just really hope they also understand the negative impact this will have on most site owners and add some kind of way for us to detect that the visitor at least arrived from Bing. Hiding the search phrase is one thing, but hiding the source of traffic entirely is just really bad for site owners.

There is a small amount of hope they might make it so it works like Google: This change is really going to hurt Bing’s marketshare numbers as reported by various services, including us. For this reason alone, I think Microsoft will change things around. They don’t want to start seeing headlines about Bing’s marketshare plummeting to zero.

I wanted to add that all of this secure search stuff impacts all trackers, not just Clicky. And I also wanted to let you know that we have a plan to deal with this, at least when we know the source of traffic is a search engine. As far as I know, no other tracker does anything special with these secure searches. We want to be the first to offer a solution, so I’m not going to go into details now, but I think our proposed solution will work well for most of our customers. Stay tuned.