Closed Bug 946697 Opened 11 years ago Closed 10 years ago

Force TLS for analytics

Categories

(Websites :: Web Analytics, task)

Product:
Websites
Component:
Web Analytics
Type:
task
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: sjw+bugzilla, Assigned: sjw+bugzilla)

Details

(Whiteboard: [kb=1389612][qa-]) 

I propose to remove the http support for web analytics.
E.g. Google-Analytics:
 -  ga.src = ('https:' == d.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
 +  ga.src = 'https://ssl.google-analytics.com/ga.js';
(In reply to sjw from comment #0)
> I propose to remove the http support for web analytics.
> E.g. Google-Analytics:
>  -  ga.src = ('https:' == d.location.protocol ? 'https://ssl' :
> 'http://www') + '.google-analytics.com/ga.js';
>  +  ga.src = 'https://ssl.google-analytics.com/ga.js';

Won't this cause mixed content issues on sites that cannot use https for whatever reason? For example, we cannot force https on mozilla.org because the CDNs that we use are not SSL-enabled and we have seen mixed content blocking stopping Firefox downloads. We are currently discussing the cost of SSL CDNs for Firefox downloads and thus we could force SSL on www.mozilla.org.
Mixed content is only a problem is a secure site has unsecured content. And if a client doesn't support TLS he can still see the site (doesn't support mozilla.org HSTS?), the only thing is we couldn't track him. But I think this scenario is very unrealistic and it wouldn't affect the statistic.
Assignee: nobody → sjw
Status: NEW → ASSIGNED
I believe the ga.js file needs to be served using the same protocol as the document it's used in (hence why Google don't just use https:// all the time anyway), so probably the most appropriate fix for this bug would be to switch www.mozilla.org over to using https by default.
I use the same practice for my http-only websites and I didn't notice any regression. So there is no reason to use http.
Of course, HSTS on all Mozilla sites would be the best solution.
Here is some interesting info on the protocol check that also has a lot of discussion around it:

http://mathiasbynens.be/notes/async-analytics-snippet#protocol-check

Seems the main reason is down to the way Google (apparently) segment IP pools and optimize the download speed of ga.js. It's also worth noting that the protocol check is no longer present in the new Universal Analytics snippet, which uses a protocol relative URL instead. We (may) be moving to that soon anyway.

So, unless I can find a piece of official Google Analytics documentation detailing that this change is in-fact OK, I'd be hesitant to make this change.

I'm cc'ing Gareth Cull who may know some more info here.
Flags: needinfo?(garethcull.bugs)
Gareth, this may be safe to do, but it would be good to get some info from someone at Google if possible? Thanks
A third pull is also affected: https://github.com/mozilla/mozillians/pull/961
But I'll wait now until this one is considered.

It would make sense to update the analytics script on every Mozilla site. Maybe we should move all of them to a place, where we can make global changes (See also bug 946705).
(In reply to sjw from comment #9)
> A third pull is also affected: https://github.com/mozilla/mozillians/pull/961
> But I'll wait now until this one is considered.

Mozillians is https only so we can, and we did, force https for google analytics.
Whiteboard: [kb=1389612]
Alex, we are hoping to upgrade to Universal Analytics in the near future. Let me talk with cmore about an updated timeline to upgrade our snippets to UA.
Flags: needinfo?(garethcull.bugs)
Ok, I'm going to leave this bug open but close the current PR.

We will either address this when we upgrade to Universal Analytics (Comment 13), or this bug will become obsolete when we switch to https by default on mozilla.org. Whichever happens first, we can then close this bug.

:swj thank you for the PR nonetheless!
Status: ASSIGNED → NEW
Whiteboard: [kb=1389612] → [kb=1389612][qa-]
Good news - mozilla.org now defaults to https, so we can mark this as resolved!
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.