Rufat Nuriev, 2018-06-21 13:26:06

Yandex search redirects from the search results to the site over the HTTP protocol, and not over HTTPS. Is this correct and safe?

Following the latest recommendations from search engines, we periodically receive messages in the Google and Yandex webmaster panels about the need to move the site from the HTTP to the HTTPS protocol.

We search for the following in the Yandex search engine:

https://yandex.ru/search/?text=test

With JavaScript enabled, on click, Yandex replaces each link to a found site with its own link that uses the HTTP protocol.

Example:
My 5th result is a Wikipedia page:

https://ru.wikipedia.org/wiki/%D0%A2%D0%B5%D1%81%D1%82

Yandex replaces this link with
http://yandex.ru/clck/jsredir?....

On the Yandex page, the jsredir script generates an HTML file that redirects to the page https://ru.wikipedia.org/wiki/%D0%A2%D0%B5%D1%81%D1%82

The HTML code on the HTTP page looks like this:
<html><head><meta name="referrer" content="always"/><noscript><META http-equiv="refresh" content="0;URL='https://ru.wikipedia.org/wiki/%D0%A2%D0%B5%D1%81%D1%82'"></noscript></head><body><script>(function(e){if(/MSIE (\d+\.\d+);/.test(navigator.userAgent)){var t=document.createElement("a");t.href=e;document.body.appendChild(t);t.click()}else{if (navigator.userAgent.indexOf("YaBrowser") > -1) {try{window.opener=null} catch (exc){};}location.replace(e)}})("https://ru.wikipedia.org/wiki/%D0%A2%D0%B5%D1%81%D1%82")</script></body></html>


Thus, we have open data transfer over the unencrypted HTTP protocol from Yandex to the user's browser at the stage between searching in Yandex and actually visiting the required page.

Therefore, I have questions:
1. Is this implementation by Yandex correct? Does it contradict the recommendations of search engines?
2. Is it safe?
3. Why did Yandex do this?

Why do I need answers to these questions? I implement my web services, and learn from the giant companies Google and Yandex how to implement similar mechanisms in my web projects. And here it turns out that Yandex has a specific crap in terms of implementing user security.

To question 3, I think the answer is this: it was done so that the referer was lost during the transition https -> http, I see no other reasonable explanation.

Google does not have such a problem, everything goes through HTTPS.
The mail.ru search (go.mail.ru) has exactly the same problem. But it will not be possible to tell them, because they do not accept security requests for the go.mail.ru domain.
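
A defender-side check for the interstitial described in the question, as an added example that is not part of the original post and not Yandex's code: it parses a redirect page, lists the targets it forwards to, and flags a cleartext hop and the legacy referrer policy. The sample URL and HTML are constructed from the snippet quoted above, and the function and finding names are hypothetical.

```javascript
// Added example. Sample values are constructed from the HTML quoted in the question.
const SAMPLE_HOP_URL = "http://yandex.ru/clck/jsredir"; // query string is elided on the page
const WIKI = "https://ru.wikipedia.org/wiki/%D0%A2%D0%B5%D1%81%D1%82";
const SAMPLE_HTML =
  '<html><head><meta name="referrer" content="always"/><noscript>' +
  '<META http-equiv="refresh" content="0;URL=\'' + WIKI + '\'"></noscript></head>' +
  '<body><script>(function(e){location.replace(e)})("' + WIKI + '")</script></body></html>';

// Legacy <meta name="referrer"> keywords and the modern policies they map to.
const LEGACY_REFERRER = {
  never: "no-referrer",
  default: "no-referrer-when-downgrade",
  always: "unsafe-url",
  "origin-when-crossorigin": "origin-when-cross-origin",
};

// Collect the URLs the interstitial forwards to (meta refresh and the script's argument).
function extractTargets(html) {
  const found = new Set();
  const refresh = /http-equiv=["']?refresh["']?[^>]*?content=["']\s*\d+\s*;\s*url=['"]?([^'">\s]+)/i.exec(html);
  if (refresh) found.add(refresh[1]);
  const scriptArg = /\}\s*\)\s*\(\s*["'](https?:\/\/[^"']+)["']\s*\)/i.exec(html);
  if (scriptArg) found.add(scriptArg[1]);
  return [...found];
}

// Report what this hop exposes to anyone on the network path.
function auditHop(hopUrl, html) {
  const findings = [];
  const targets = extractTargets(html);
  if (new URL(hopUrl).protocol === "http:") {
    findings.push("cleartext-hop"); // page body can be read or rewritten in transit
    if (targets.some((t) => t.startsWith("https://"))) {
      findings.push("https-target-delivered-over-http"); // the HTTPS destination is exposed
    }
  }
  const meta = /<meta[^>]*name=["']referrer["'][^>]*content=["']([^"']+)["']/i.exec(html);
  const raw = meta ? meta[1].toLowerCase() : null;
  const policy = raw ? LEGACY_REFERRER[raw] || raw : null;
  if (policy === "unsafe-url") findings.push("referrer-unsafe-url"); // full URL sent as Referer
  return { targets, policy, findings };
}

console.log(auditHop(SAMPLE_HOP_URL, SAMPLE_HTML));
```

Serving the same interstitial from an `https://` URL clears the two cleartext findings; the referrer finding remains until the meta policy is changed.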

1 answer(s)
Rufat Nuriev, 2018-06-28
@nrr

UPDATE 2018.06.28
Yandex confirmed that such mechanisms are insecure and that they are working on fixing this problem.
