Domain: clsc.net
Stories and comments across the archive that link to clsc.net.
Comments · 5
-
Won't work: Robots don't send the referrer
As also written in TFA: The search engine spiders don't send a referrer, so your method won't work. No, they can't "just send a referrer", because they could have found a link to your site on a lot of pages, so which one should they choose? Also, some popular firewalls don't send the referrer either.
-
clsc.net down? no way jose *lol*
it takes more than a little slashdotting... try again: Pagejack article
-
OK, I'll bite ...
Look, there *was* circumstancial evidence for the "Greg Duffy" thing
... i.e. just enough to make it a discussion. I agree that fearmongering is not the way to go. I appreciate that you looked into the issue (and my first instinct is to trust your explanation, that is was a DNS issue).
However, if this is Google's PR method, I think you are kind of asking for it! In the absence of information, the internet community will speculate until the cows come home. I'm not saying it's right, I'm just saying that's reality. Even though I said on my site that I thought Google didn't do anything underhanded I bet a lot of people were still not convinced. Google can do a little better than this, and although you have been fairly nice to me (thanks) this response is a little flamebaity for PR. Please understand that I mean no offense, it's just constructive criticism. Even if everything you say is true, a representative of the company should always at least attempt to sugar coat something like your last paragraph.
Also, on a more personal note, maybe Google should embrace the people that are involved in researching these problems instead of using this broken communications policy. I know that in my case I contacted you guys 5 *months* ago about the Google Print problem I described and never got any followup except for my t-shirt (which I really like). I have some great ideas about possible solutions to the problem I described, and as far as I can see Google has not fixed the root of the problem. When are you guys going to contact me?
-Greg Duffy -
Re:I've had it with Google!This is the last straw! I'm going back to MSN, where I know that my data and privacy are being protected!!
Bad luck! The only one of the major players not struck by this is yahoo, according to http://clsc.net/research/google-302-page-hijack.h
t m: Search engines vulnerable to this exploit have been reported to include Google and MSN Search, probably others as well.It seems pretty difficult to protect against, but one technique would be to ignore redirects, i.e only index 200 OK pages, not 302 Redirect and such. This would not be a big problem, but sites on the move could fall out of google for a month while google was crawling. Another thing would be to fake UA-string for the search engine bots, but still abide robots.txt. If google cross-checked 302-pages with a UA-string of i.e firefox, they could test if it was a true 302 or a falsified, for the crawlers.
The article says nothing about why yahoo is immune...:(
-
Re:302For the full details of the exploit, TFA gives a pretty decent recipe:
The technical part: How it is done
Here is the full recipe with every step outlined. It's extremely simplified to benefit non-tech readers, and hence not 100% accurate in the finer details, but even though I really have tried to keep it simple you may want to read it twice:
1. Googlebot (the "web spider" that Google uses to harvest pages) visits a page with a redirect script. In this example it is a link that redirects to another page using a click tracker script, but it need not be so. That page is the "hijacking" page, or "offending" page.
2. This click tracker script issues a server response code "302 Found" when the link is clicked. This response code is the important part; it does not need to be caused by a click tracker script. Most webmaster tools use this response code per default, as it is standard in both ASP and PHP.
3. Googlebot indexes the content and makes a list of the links on the hijacker page (including one or more links that are really a redirect script)
4. All the links on the hijacker page are sent to a database for storage until another Googlebot is ready to spider them. At this point the connection breaks between your site and the hijacker page, so you (as webmaster) can do nothing about the following:
5. Some other Googlebot tries one of these links - this one happens to be the redirect script (Google has thousands of spiders, all are called "Googlebot")
6. It receives a "302 Found" status code and goes "yummy, here's a nice new page for me"
7. It then receives a "Location: www.your-domain.tld" header and hurries to your page to get the content.
8. It heads straight to your page without telling your server on what page it found the link it used to get there (as, obviously, it doesn't know - another Googlebot fetched it)
9. It has the URL of the redirect script (which is the link it was given, not the page that link was on), so now it indexes your content as belonging to that URL.
10. It deliberately chooses to keep the redirect URL, as the redirect script has just told it that the new location (That is: The target URL, or your web page) is just a temporary location for the content. That's what 302 means: Temporary location for content.
11. Bingo, a brand new page is created (never mind that it does not exist IRL, to Googlebot it does)
12. Some other Googlebot finds your page at your right URL and indexes it.
13. When both pages arrive at the reception of the "index" they are spotted by the "duplicate filter" as it is discovered that they are identical.
14. The "duplicate filter" doesn't know that one of these pages is not a page but just a link (to a script). It has two URLs and identical content, so this is a piece of cake: Let the best page win. The other disappears.
15. Optional: For mischievous webmasters only: For any other visitor than "Googlebot", make the redirect script point to any other page free of choice.