Google Analytics on a secured site

Question

Just read this article on Google Analytics and the risk of forged certificates, where it said:

Sooner or later it's going to happen; obtaining forged SSL certificates is just too easy to hope otherwise. What can we do about it? Don't load the Google Analytics javascript when your site is accessed via HTTPS. This is easy to do: Just throw a if("http:" == document.location.protocol) around the document.write or s.parentNode.insertBefore code which loads the Google Analytics javascript. On the website for my Tarsnap online backup service I've been doing this for years — not just out of concern for the possibility of forged SSL certificates, but also because I don't want Google to be able to steal my users' passwords either!

The thing is, one of the best things about Google Analytics is the ability to track goals -- getting users to interact with the site in specific ways.

If I turn off this functionality for SSL, it means that many of the goals -- getting them to sign up and getting them to buy things -- are going to necessarily be blocked.

So, I'm torn. Is there any way to continue using Google Analytics for this purpose while maintaining some semblance of security for my website? Is it just an impossible tradeoff of functionality vs. security?

Answer 1

Essentially yes it is risk. If you choose to use a third party hosted JavaScript (one example is Google Analytics) in a secure page you open the door for information to be collected. That may involve a maliciously forged certificates or simply a change in the ga.js script by Google.

You could consider the flow of you web application to try and push people through sections that don’t require security to capture analytic data, alternatively you could consider a Google Analytics for Mobile devices implementation.

Devices that do not support JavaScript would not normally be able send analytic data to Google. In this case Google provide alternative server-side implementation samples. See http://code.google.com/apis/analytics/docs/mobile/mobileWebsites.html

In this case if you have access to change the code or extend your web application you could send only the information you want to Google. This will obviously require you server to initiate a connection to Google which may induce load and should be carefully secured.

This design was not the intended for web clients that support JavaScript so you should verify that it does not violate Google’s service terms.

Answer 2

That article is just silly. Although today there is still a chance someone can forge a certificate there are still a lot of hoops to jump first

First just because they have a cert, they still can not do anything with it. They would have to change your DNS to use their servers (possibly through DNS poisoning which should not be a problem in the future) so they can present you their certificate on their false machine.

Next is their code must be specialize to your site. Lets say its generic and they add evil code to the 3rd party javascript the most noteworthy thing they can do (without knowing what your site is) is steal your cookies, steal the DOM/html. Provided that you use http only cookies they will not be able to steal/clone the session to your site. Essentially all they have is read support. Assuming it is generic sending the DOM to their servers would perhaps be to much bandwidth for their machines since a lot of site use google analytic.

For generic attacks i don't see a problem. Now if you are asking for a targeted standpoint than there may be one. Assuming the person can both get a cert and poison the DNS it is possible for code to grab sensitive data from the DOM and make queries via ajax. But in all likelihood it is far easier to hack your software, server, hosting company (including use of social engineering) than to do that and target your site specifically. I consider it as a non issue. Like someone breaking into your datacenter with guns and stealing your harddrive. Is it possible but do you actually care about a chance that small?