Sooner or later it's going to happen; obtaining forged SSL certificates is just too easy to hope otherwise. What can we do about it? Don't load the Google Analytics JavaScript when your site is accessed via HTTPS. This is easy to do: just wrap an if("http:" == document.location.protocol) around the document.write or s.parentNode.insertBefore code which loads the Google Analytics JavaScript. On the website for my Tarsnap online backup service I've been doing this for years — not just out of concern for the possibility of forged SSL certificates, but also because I don't want Google to be able to steal my users' passwords either!
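The guard described above, written out around the s.parentNode.insertBefore form of the loader. This is an added example, not code from the original post; ANALYTICS_SRC, the function names and the stub document are assumptions made for illustration.

```javascript
// Added example. ANALYTICS_SRC is an assumed value (the classic ga.js
// location); substitute whatever tag your site actually loads.
const ANALYTICS_SRC = "http://www.google-analytics.com/ga.js";

// Allow-list check mirroring the post's
// if ("http:" == document.location.protocol) guard: only plain HTTP passes,
// so https: and any other scheme are refused by default.
function analyticsAllowed(doc) {
  return doc.location.protocol === "http:";
}

// Inserts the async analytics <script> before the first script element,
// but only when the guard passes. Returns the inserted element, or null
// when nothing was loaded.
function loadAnalytics(doc) {
  if (!analyticsAllowed(doc)) {
    return null; // third-party script never enters the HTTPS page
  }
  const ga = doc.createElement("script");
  ga.type = "text/javascript";
  ga.async = true;
  ga.src = ANALYTICS_SRC;
  const s = doc.getElementsByTagName("script")[0];
  s.parentNode.insertBefore(ga, s);
  return ga;
}

// Constructed stand-in for the browser document, so the logic can be
// exercised outside a browser. Records every node passed to insertBefore.
function makeFakeDocument(protocol) {
  const inserted = [];
  const first = { parentNode: { insertBefore: (node) => inserted.push(node) } };
  return {
    location: { protocol },
    inserted,
    createElement: (tag) => ({ tagName: tag }),
    getElementsByTagName: () => [first],
  };
}

// In a real page, run against the live document.
if (typeof document !== "undefined") {
  loadAnalytics(document);
}
```

Because the check is an allow-list on "http:" rather than a deny-list on "https:", a page opened under any other scheme also loads no third-party script.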
I don't understand - if you are uncomfortable loading the GA javascript into your pages when users are using https to visit your site, why are you ok with loading the GA JS when visitors are using http?
Or is it implied in here that the analytics is used on http only pages because the sensitive pages on your site are https only? In other words, you are only using GA on non-sensitive portions of your site?