Security Fears Over Google Accelerator
Espectr0 writes "A software tool launched by Google on Wednesday that speeds up the process of downloading Web sites (covered recently on Slashdot) has caused some users to worry about their privacy.
A ZDNet article discusses problems that users have been experiencing with the information that is cached by the software. On a Google Labs discussion group, one user said that 'I went to the Futuremark forums and noticed that I'm logged in as someone I don't know...'" Commentary also available on Signal vs. Noise and BlogNewsChannel.
Using the accelerator, the webpage says, "Move along. Nothing to see here." Hmmm... Google doesn't want me to read this.
A NYC lawyer blogs. http://www.chuangblog.com/
our new Google Overlords
Hulk SMASH Celiac Disease
When they already control the information, your email, your blog .. why bother about identity while browsing the web ?
'I went to the Futuremark forums and noticed that I'm logged in as someone I don't know...'
That's not a bug, it's a feature.
Starsucks
How does caching your cookies to the internet help speed up your local browsing?
It's true, it's true! People are logging on this account and acting like me on this account on /. but it really isn't me! Imposters!
I am the cookie monster, no more cookies for you!
problem solved.
[/joke]
-- Robi
B E T A
You'll get better results filing a report with Google as opposed to complaining on /.
As for me, I used the 3.7 minutes I've saved so far to spend some quality time with my friends.
Perhaps this is just Google's way of finding more links to add to its search index? Imagine gathering millions of websites that it may not have indexed or found yet. All from links that users of the GWA have visited... possible?
Hmmm.
I found it a bit amusing that when I clicked the story link, the destination site, as well as three other sites, each attempted to save a cookie on my computer. Four cookies. To read a news story. That's necessary.
You probably shouldn't click this.
It's a caching proxy server for crying out loud. It caches web pages and feeds you the cached version. This is not new nor is it surprising, especially for a new service offering.
Feed the need: Digitaladdiction.net
It doesn't just cache your cookies, it acts as a proxy that compresses the data as you browse, much like the ISPs that offer "high speed" compressed modem surfing.
-Jesse
Nothing says "unprofessional job" like wrinkles in your duct tape.
Not only that, but Google will conceal real web statistics from websites.
Remember acquisition of Urchin? Here is my concern about Google Webaccelerator.
my sstream of consciousness
It works with Firefox!
I seemed to be logged in as some A. Coward. Don't know where that's coming from.
I had to remove it from my system. It hijacked my browser, and I was not able to browse my company's internal websites because it over-rode our proxy. Bummer too... it worked great.
I'm not a troll, but I play one on Slashdot.
One has to worry about so many google apps and features and products in general.
Using a ton of apps from one source is a risk on its own. Google appears to be great now. But what if they stepped to the 'dark side' and started doing crazy stupid stuff?
Pretty Pictures!
As a forensic investigator I recently defended a (UK) client that had a "prefetch" application which went to a site and downloaded loads of kiddie porn. Found not guilty. Will google open the flood gates to these kinds of cases ??
Since Google looks like it wants to become Big Brother instead of helping the masses, Microsoft can come to the rescue with their own products that do it better with no strings attached and no fishy EULAs. Yeah, right. Where's the idiot who sold me the Brooklyn Bridge?
I ran it for about an hour; turns out it's lumpy when one deals with multiple proxy servers (work vs. home) and it broke Rhapsody in a BIG way. I'm sure the good folks at Google will sort it out eventually.
OTOH, one must consider whether or not one trusts Google with one's information that way. I wanted to check it out, but probably, in the long run, wouldn't have used it. But it's worth noting that millions of people use ISP proxy servers without even knowing it (think transparent proxies) or without understanding it (think "proxy.isp.com"). I can't imagine that Google's Accelerator would expose one *more* than that.
Thinking outside my Head
Google is no longer the old small startup company. It's becoming more and more aggressive and smells as dangerous as the other Software monster that wants to control every single piece of our life.
The accelerator prefetches the links on web pages, in effect clicking on all of them (except ads), which includes links that say 'delete this' or 'unsubscribe' etc. Many webpages use GET links to do these actions, and this is causing pages to disappear. Until web apps are rewritten to take note of the prefetch header, it's probably unsafe to use the accelerator. (Which seems to be offline at the moment - the page redirects you to the toolbar)
"When the only tool you own is a hammer, every problem begins to resemble a nail." - Abraham Maslow (1908-1970)
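Added example (not part of the comment above and not any poster's code): a toy forum, in Python, showing why a link prefetcher wipes out content when "delete this" is an ordinary GET link, and how accepting the action only via POST, or refusing requests that carry the prefetch header, prevents it. The Forum class, its routes and the sample page are hypothetical; "X-moz: prefetch" is the header tested by the PHP snippet posted elsewhere in this thread.

```python
import re

# Constructed sample page: one harmless link and two "delete this" links.
PAGE = (
    '<a href="/post/1">read</a> '
    '<a href="/post/1/delete">delete this</a> '
    '<a href="/post/2/delete">delete this</a>'
)


class Forum:
    """Hypothetical toy forum; handle() stands in for the web app's router."""

    def __init__(self, delete_via_get, refuse_prefetch):
        self.posts = {1: "first post", 2: "second post"}
        self.delete_via_get = delete_via_get    # True = the unsafe design
        self.refuse_prefetch = refuse_prefetch  # True = honour the prefetch header

    def handle(self, method, path, headers=None):
        headers = {k.lower(): v for k, v in (headers or {}).items()}
        # Mitigation 1: refuse anything that announces itself as a prefetch.
        if self.refuse_prefetch and headers.get("x-moz", "").lower() == "prefetch":
            return 403
        delete = re.fullmatch(r"/post/(\d+)/delete", path)
        if delete:
            post_id = int(delete.group(1))
            # Mitigation 2 (the robust one): state changes only via POST,
            # because a prefetcher or cache is entitled to issue GETs freely.
            if method == "POST" or (method == "GET" and self.delete_via_get):
                return 200 if self.posts.pop(post_id, None) is not None else 404
            return 405
        view = re.fullmatch(r"/post/(\d+)", path)
        if view and method == "GET":
            return 200 if int(view.group(1)) in self.posts else 404
        return 404


def prefetch(app, html):
    """Stand-in for a prefetcher: GET every href on the page, then report
    which post ids still exist."""
    for href in re.findall(r'href="([^"]+)"', html):
        app.handle("GET", href, {"X-moz": "prefetch"})
    return sorted(app.posts)


def surviving_posts(delete_via_get, refuse_prefetch):
    return prefetch(Forum(delete_via_get, refuse_prefetch), PAGE)


if __name__ == "__main__":
    print("GET deletes, header ignored :", surviving_posts(True, False))
    print("GET deletes, header refused :", surviving_posts(True, True))
    print("POST-only deletes           :", surviving_posts(False, False))
```

Refusing the header only helps against clients that send it; making destructive actions POST-only holds regardless of what the prefetcher announces.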
Does anyone have experience using a caching web proxy for their home use? If so, did you see any browsing acceleration?
Support NYCountryLawyer RIAA vs People
2. Google receives and temporarily caches cookie data that your computer sends with webpage requests in order to improve performance.
3. In order to speed up delivery of content, GWA may retrieve webpage content that you did not request, and store it in your GWA cache.
Well, if Google wanted to only provide a service that speeds up your web surfing, there is no reason for them to log all your requests. The reason they are doing this is because this service is a thinly disguised way of tracking and mining web usage. Since Google are against being evil, they can't go installing spyware and toolbars to get this information, so this is their way of building a repository of web usage patterns.
this site was pretty useful for information. So was AOL webmaster resources info.
AC comments get piped to
"Whenever your computer sends cookies with browsing or prefetching page requests for unencrypted sites, we temporarily cache these cookies in order to improve performance," the company wrote on its Web site.
That doesn't mean that GWA should let someone use another's cookie
Open Source Java Web Forum with LDAP authentication
I for one welcome our new Google overlords.
GET FREE APPLE STUFF!
For more info about these known issues with HTTP caching, see the following
Build it, and they will come^Hplain.
With the increasing reliance on Google and the alarming direction into which privacy matters and government prosecution of people Google could literally become Big Brother
Very soon your documents, your passwords, and maybe your credit card numbers are going to be stored there. Just wait and see.
From a user's point of view:
1 - Ignores hosts file, so I end up seeing ads I normally wouldn't see
2 - Cookies work weirdly if at all, a lot more sites that I visit frequently appear to use cookies, and I've noticed some definite weirdness
3 - The time saved on a broadband connection really seems minimal, after an hr or two of surfing it takes a few seconds
4 - The pre-fetching it supports is already in firefox and probably other browsers
From a webmaster's point of view:
1 - No way to limit caching of certain pages outside of moving them to SSL. Robots.txt isn't being followed (although probably rightly so, based on the application ).
2 - Because of the flawed cookie support (at least right now) a lot of affiliate and different advertising methods have to be modified to support this.
I'm a big google fan, and I use most of their applications daily, but this one definitely needs some work. :)
"The service is only available to broadband subscribers."
I read the FAQ and it said it is doubtful that the Google Web Accelerator will have any effect on dialup connections as it was designed for broadband.
It doesn't say that it is not available for dialup users. Sounds like a hurried article to grab some headlines.
Cookies should be eliminated in their current form. There is just no way a third party should be able to use my "private" data to perform transactions without my specific consent, which likely requires an overhaul of the absolutely terrible security models we are now saddled with.
http://www.somethingawful.com/articles.php?a=2858
Really insightful.
Has anyone read how google will deal with adsense clicks? Since all users of the accelerator will come from the same IP, will that IP decrease in value? (It's well known that the same IP can't just click again and again and generate revenue).
This thing has saved me 6.8 seconds since I installed it when it came out. It's probably used 6.8 minutes of CPU time since then. If this thing doesn't start actually improving performance I am going to uninstall it.
Or what else would I have to do at work today?
~Someday, I hope to be an aspiring author.
Read my post, a-hole:
It doesn't just cache your cookies, it acts as a proxy that compresses the data as you browse, much like the ISPs that offer "high speed" compressed modem surfing.
I.E. In addition to compressing the cookies for performance, they also compress other crap.
-Jesse
Nothing says "unprofessional job" like wrinkles in your duct tape.
i've had it installed at home since i saw it on slashdot... i must not go to common sites or something, because i'm still sitting at 0.0 seconds saved.
:-?
Shouldn't those sites be using the NoCache directive and shouldn't Google be honoring it? I wonder which side is at fault. At any rate, fears about information leakage are kind of silly because of the volume of traffic that Google services. The accelerator allows them to see link patterns, but no one could store, let alone process, an entire day's worth of data after the fact. The same is true for Google Mail: no person ever sees your email; an algorithm does, and tailors simple, pertinent advertising in exchange for an otherwise free service. The accelerator can only make the search engine better for everyone. Anyone that uses it is giving back, contributing to the synergistic knowledge of Google.
GMale prefetches your boys for, so you don't have to wait them to arrive. It really cuts down on latentcy. Recommended by NAMBLA.
Until the incredible security hole known as cookies is eliminated, this is the sort of thing you need to get used to. This is not "beta" behavior.
The business with appearing to be logged on isn't quite as serious as it sounds (although it is still bad).
The problem appears to be that you will sometimes be given a page that was personalised for someone else. However if you attempt to do anything from that page (for example if you find yourself looking like admin of a web board) you'll find that it doesn't work, any more than it would if someone emailed you a copy of a page where they were logged in as admin and you clicked on links (if you are on a website where doing that would work, you already have serious security problems). It also doesn't occur with SSL as google doesn't do anything with SSL pages (as you would hope).
This is still a problem if that page shows something private of course, and should be fixed. (a password of course being the worst case, but how often do you see your actual passwords printed on a webpage?)
Combination - fun iPhone puzzling
Read about all of the username, forum, and security risks?
Since such activity could pose both a security risk to web surfers and site owners, there are some web sites which are interested in not having Web Accelerator pick up their material.
A very fast and efficacious method of denying Google Web Accelerator (GWA) funneled traffic access to your web site is blocking the IPs it is calling your pages from:
http://www.searchenginejournal.com/index.php?p=16
Not if you saw the screenys. There was one with 4 or 5 different people's name etc.
Foxed Design
Did you Read The Fine Article?
"I went to the Futuremark forums and noticed that I'm logged in as someone I don't know. Great, I've used Google's Web Accelerator for a couple of hours, visited lots of sites where I'm logged in. Now I wonder how many people used my cache. I understand it's a beta, sure, but something like that is totally unacceptable."
I frankly don't know a ton about it since it fucked up my firefox install but others are giving the example of user X who has mod status browses www.popularforum.com/modforum/userspasswords and now google has a cache of that page that anyone can access. I don't know if that's true but this is exactly why companies don't knowingly open their proxies to the outside world. Here you have the Entire World granted access to almost any page a user running Google's software goes to.
If those claims are true then Google has a duty to pull this from the market immediately which they may very well do.
If you wanna get rich, you know that payback is a bitch
then don't use it, stupidheads!!!!!@#!@#
lowtax of SomethingAwful makes some interesting points amidst all his fuming but I'll have to defer to the /. tech wizards to vet his technical claims.
Of course, most browsers already support compressed (gzip) content and most servers support compressing it. Hell, my site saves about 30% on bandwidth because of it.
Anyway, I don't know what you're all bitching about. I have been using the GWA all day and I've saved 7.1 seconds! I wouldn't trade that for anything! That's 7.1 seconds more for posting to slashdot!
Generally speaking 90% of the services google currently offers are in some sort of beta phase.
The thing is that most of them worked quite perfectly right after launch. This seems to be the first one that has some serious bugs.
I guess that in the last couple of years the meaning of the term 'beta' has changed to a point where people still expect perfect functionality from a beta phase product. Or maybe just the level of the actual non beta products has deteriorated.
Don't use it! Google is a public corporation, everything they make is designed to somehow make a profit (which i see nothing wrong with, btw)...even if it doesn't cache your personal information like the article claims, there is some angle to it that will make money for them, maybe they will look at your web surfing habits and target ads to you. If you're one of those people who blindly trusts google because of their "don't be evil" mission statement, then use it and trust that Google is taking care of you. I personally don't trust them, so I won't use it. There is no free lunch.
What is the uproar about? It's not as if Google is forcing this down anyone's throat. Don't like the privacy implications? Don't use it! Worry about more insidious privacy attacking things. Google is providing a service. While altruism is great and all, I don't blame them for trying to find new avenues for making a profit - if that's what this even is.
Google doesn't care about indexing the entire web, if something is linked to they already know about it, and if its not then its not worth indexing anyways. The idea here is to track what you do, so they can sell it to advertisers. Google sells ads, that's the entire point of the company.
Who said it was a cookie that was cached, and not the page content? Much of the discussion thus far seemed based off an anonymous quote in a ZDnet article. Far as I can tell, the guy saw "Welcome back, Bob!" and freaked, when he wasn't -actually- logged in as Bob. Furthermore, who says it isn't Futuremark (or their forum software- because we all know how security-conscious PHP/MySQL forum software is) tagging their pages as cacheable when they shouldn't be? If Google is ignoring "don't cache this page", now yes, we have a problem- but the ZDnet story is of a technical level I'd expect of a community newspaper, so it's kind of hard to tell. It's like a story in your city newspaper that read "somebody killed by a cop!" and going off on a rant about police brutality...only to find out later the guy was a bank robber with an Uzi.
Before you get all excited about bank sites etc- keep in mind those often use very unique URLs for each page and other tricks.
Please help metamoderate.
Just like any other product of this nature, and just like the desktop search, google has this in beta, which means they are pretty much expecting you to read all the program notes AND the privacy notice. I read the privacy notice, and i realized what risks there were, so i immediately went and put any site w/message boards on the Do Not Accelerate list. BTW, i recommend that everyone read the privacy policy. It's up to the user to know how to use this and how to protect yourself. It's not a finished version, in which it would be able to screen out dynamic content.
When I uninstalled it, it broke firefox - it wouldn't startup any more, complaining about some x-asl binding. On reinstalling firefox, I get a huge status bar with the text <key id="key_openHelp" ------------^
I don't know what it did, but my firefox is not happy now.
"When the only tool you own is a hammer, every problem begins to resemble a nail." - Abraham Maslow (1908-1970)
SEE?!!! I told you that if these corporate identity thefts kept up, we'd all end up having the same identity!
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
i mean, i don't think its 'The Whole Net', but it sure feels like i only get to know most of it, through google..
USENET is a pale shanty town of what it once was. RSS and blogs are the new gophers. and so it goes, round and round.. so what does Google do, but of course go on inventing services and protocols to glue on top of it.
beh. it's the internet, choose a protocol and enjoy the namespace.
; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
If you're afraid of something don't use it. Where's the problem here?
:)
In that case I am not using Windows!
#!/
I was afraid that Slashdot had stopped running articles about Google. I'm glad to see that someone is still taking an avid interest in a search engine.
Seriously. This isn't Microsoft Word or something similar where if you don't use it you'll be severely hampered or unable to work with others. This is a *web cache*. If you decide not to use the google accelerator, your life will not be impinged in any way. You have options! You are a free agent!
If you do decide not to use the google accelerator, then goddamnit you should be aware you're *running all of your web activity through a third party corporation's servers*, with everything that implies, and if you're not okay with that you're a fool for signing up in the first place!
Does anyone know any free alternatives for the GWA? ones that work on windows? I'm aware of squid, any others?
They didn't launch the proxy wednesday, they made it available for the public to test. It's just like GMail folks, it's in BETA. If you don't know what that means, you probably shouldn't be using it in the first place. I'm pretty tired of all the ignorance on the web these days, it almost wants me to pull a Snake Pliskin and EMP the world for the good of humanity. Almost...
Most users will be too ignorant to realize what the implications of this accelerator are. Who knows what horrible consequences might descend upon these people at a future date? But there's a good way to warn people so that they can make an informed decision - talk loudly and publicly about the risks. So that's what people are doing. You talk as if this is a weird thing to do.
Doesn't it make you feel good to know that our freedoms are protected by politicians, lawyers and journalists.
http://search.msn.com/
I just deleted the accelerator from my system after trying it for the last day, and I must say that it is much less mature than most of the "Beta" products google releases. It caused several significant issues with Firefox on my system, including:
1. Links that open another window stopped working entirely (although they worked if I right-clicked and selected "open in new tab")
2. Even after closing all Firefox windows, a firefox.exe process would remain running, and prevent any new firefox windows from being opened until it was manually killed
3. "Proxy not available" errors when opening several pages at once, such as when using the Firefox "open in tabs" on a folder of bookmarks.
And I haven't even checked into some of these cookie / privacy issues. Perhaps these issues are unique to my system, but my environment is pretty vanilla... I just run a few of the more popular Firefox plugins. Removing the GWA cleared up all of the problems cited above.
Up to this point, I've always been very impressed with the level of testing that has gone into Google software products before they enter Beta. In this case, I'm not. Hope this isn't a sign of things to come.
-R
this is really going to blow a hole in the marketing schemes of aol, earthlink, netzero, netscape, and others who depend on the accelerator feature. google has leveled those in one fell swoop. i expect the stocks of dialup-centric companies to drop significantly.
"I thought I could organize freedom. How Scandinavian of me."
How long has Google Groups been labelled Beta now, two years maybe? How many users does it have?
If a wide number of even adventurous, risk-taking users could be exposed to a potentially significant security hole, then word should get out more widely than just Google's "thanks for the feedback" e-mail addresses.
Beta is not the Greek word for "without responsibility." As much as we criticize Microsoft for making the idea of a "release date" (or "security") meaningless, I think Google's well on its way to making the idea of the "Beta Release" meaningless.
They act like a small, groovy coding lab with Beta releases and all, but seemingly aren't simultaneously recognizing that because of their prominence in consumers' minds, *anything* they do has widespread impact on ordinary Net consumers. So a true, uncontrolled Beta release? That's fine for me when I just coded a little midi tool and want to run it past my friends, but there's really no such thing when you're Google.
I think that the number of users that adopt even their least publicized tools takes them out of the realm of the real intent of a Beta release, especially when security issues are involved.
The only acceptable defense of scientific results is to say that they were the product of the Scientific Method.
Next!
I noticed that GA caused Yahoo Messenger (latest version) to take forever to connect. That was unacceptable to me, so I uninstalled Google. When using GA, I didn't notice an appreciable difference in surfing speeds, anyway.. After using for around 6 hours, I was up to a whopping 3 seconds of savings. (buckeye-express cable modem). While I find Gmail to be an excellent product, I'm not so sure about GA. Maybe Google missed the home run with this one?
A witty saying proves nothing. Voltaire (1694-1778)
Technically I have DSL, but it's only 128kbit. Do you think there's any point in installing GWA?
One that hath name thou can not otter
Stop calling people names. Especially when you've missed the whole point of the discussion, as in this thread. You're just making yourself look like a sour idiot.
As long as google is honoring pragma, this is the webmaster's fault. Proxy cache has been around a long time, in use by some major ISPs and especially big corps.
What google did is create a juxtaposition of sites that were originally put up as hobbies and a bunch of their users using the same proxy at the same time. But that isn't google's fault. The prefetching, I believe, accelerates finding these problems but doesn't really cause them.
I expect google will end up adding in an automated tool that checks for commonly used password fields and cookies and automatically nocache's those sites... but that will really only hide the problem.
Looking for freelance Actionscript (Flash/Flex) or ColdFusion work and/or freelance developers. Email me, put Slashdot
Google Desktop called, it wants its media circus back.
i tried using it on two different networks, and in both cases it actually slowed down my browsing..
MABASPLOOM!
I too figured that this info would be basically the same as your ISP has, hence why I decided to use the accelerator despite the security concerns. Letting people have access to your accounts on the other hand is a much greater concern. I hope more info is released/the bug is fixed as I have noticed a great performance boost and would hate to quit using it.
Sounds good to me! Linux for all!
I like muppets.
Here are the headers that the Futuremark forums give me when I am logged in:
As you can see, neither "Cache-Control: private" nor "Vary: Cookie" is given. In fact, the server doesn't even give an expiration date for the content. Under these conditions, the HTTP/1.1 protocol says that it is perfectly OK for a cache to keep this page for a while and serve it to other people.
This problem is firmly the fault of the people who wrote Futuremark's forums. This constitutes a major security hole in the WWWThreads forum package, because this problem will occur when using any standards-compliant HTTP cache. I would strongly recommend against the use of these forums on any web site until they fix their security problems.
(I do not know if other forum software has this problem, but frankly it would not surprise me. It seems lots of PHP developers and other high-level web programmers have no idea how HTTP/1.1 works, and assume that headers are completely unimportant. I have written a web server and forum software myself, though, and I made damned sure that mine produces the right headers.)
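Added example (not part of the comment above, and not Futuremark's, WWWThreads' or Google's code): a simplified Python model of a shared HTTP/1.1 cache, showing how a personalised page sent without "Cache-Control: private" or "Vary: Cookie" is handed to the next user, and how either header stops that. The class and function names, session cookies and URL are constructed for illustration; expiry and revalidation are left out of the model.

```python
def parse_cache_control(value):
    """Split a Cache-Control header value into {directive: argument}."""
    directives = {}
    for part in (value or "").split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"')
    return directives


class SharedCache:
    """Simplified shared cache: one store serving every user behind it."""

    def __init__(self):
        self.store = {}  # url -> [(vary header names, their request values, body)]
        self.hits = 0

    def fetch(self, url, request_headers, origin):
        req = {k.lower(): v for k, v in request_headers.items()}
        # Reuse a stored response if the request matches on every header
        # the origin listed in Vary (no Vary means it matches anyone).
        for names, values, body in self.store.get(url, []):
            if all(req.get(n) == v for n, v in zip(names, values)):
                self.hits += 1
                return body
        headers, body = origin(req)
        resp = {k.lower(): v for k, v in headers.items()}
        cc = parse_cache_control(resp.get("cache-control"))
        names = [n.strip().lower() for n in resp.get("vary", "").split(",") if n.strip()]
        # "private" and "no-store" forbid shared storage; "no-cache" needs
        # revalidation, which this model treats as "do not reuse".
        blocked = {"private", "no-store", "no-cache"} & cc.keys()
        if not blocked and "*" not in names:
            values = [req.get(n) for n in names]
            self.store.setdefault(url, []).append((names, values, body))
        return body


def make_forum(extra_headers):
    """Constructed origin server that personalises the page from a session cookie."""
    sessions = {"sid=aaa": "alice", "sid=bbb": "bob"}  # constructed sample sessions

    def origin(req):
        user = sessions.get(req.get("cookie"), "guest")
        headers = {"Content-Type": "text/html"}
        headers.update(extra_headers)
        return headers, f"Welcome back, {user}!"

    return origin


def browse(extra_headers):
    """Alice, then Bob, then Alice request the same URL through one cache."""
    cache, forum = SharedCache(), make_forum(extra_headers)
    seen = [cache.fetch("/forum/", {"Cookie": c}, forum)
            for c in ("sid=aaa", "sid=bbb", "sid=aaa")]
    return seen, cache.hits


if __name__ == "__main__":
    for label, hdrs in [("no cache headers", {}),
                        ("Cache-Control: private", {"Cache-Control": "private"}),
                        ("Vary: Cookie", {"Vary": "Cookie"})]:
        print(label, "->", browse(hdrs))
```

With no cache headers Bob is shown Alice's page; with "Vary: Cookie" each user still gets a cache hit on their own copy, while "Cache-Control: private" keeps the page out of the shared cache entirely.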
Search (Google). Browse (Accelerator). Read/Write (Blogger). View (images.google and photo-blogging). Buy (froogle). Go (maps.google). Inform (news.google).
Ubiquitous tomorrow: what you listen to; how you sell things; what you wear; how you learn; who you vote for.
And ultimately, Omnipresent.
With PHP and $_SESSION websites don't even *need* cookies -- at all. Info is saved on the server instead.
The dangers of knowledge trigger emotional distress in human beings.
(Nelson pointing at Google's most stupid mistake ever)
HA HA!
I tried this thing out all this week and got nothing for results.
ZERO.ZERO
Apparently this tool doesn't help with cable modems or T1 lines at all. Anyone else get the same experience?
How will this affect Wikipedia?
I'll stop when people stop deserving it. I haven't missed the whole point of this discussion at all, in fact I was the one who originally instructed the parent why he was wrong. Google caching might cache cookies, but not ONLY cookies; understand, comprende?
-Jesse
Nothing says "unprofessional job" like wrinkles in your duct tape.
Here's some code to add to your web pages to block GWA. This will leave static media alone, which is fine.
PHP:
if (array_key_exists('HTTP_X_MOZ', $_SERVER))
{
    // Prefetching clients announce themselves with "X-moz: prefetch"
    if (strtolower($_SERVER['HTTP_X_MOZ']) == 'prefetch')
    {
        // Refuse the prefetch and tell caches not to keep the refusal
        header("HTTP/1.1 403 Forbidden");
        header("Content-Type: text/html; charset=iso-8859-1");
        header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
        header("Cache-Control: no-store, no-cache, must-revalidate");
        header("Cache-Control: post-check=0, pre-check=0", FALSE);
        header("Pragma: no-cache");
        header('Accept-Ranges:');
        exit();
    }
}
CFML:
Damien
I went to my netbux account
:)
http://netbux.org/?r=107845
and checked my stats and it gave my name as something else. Said that "I" had earned 8 bucks, and I knew that I hadn't actually earned that much.
So, needless to say, I quickly turned off the accelerator and won't be using it again until I know it has fixed that. The 27 seconds it had saved me wasn't worth that.
I need to be making my own money!
http://www.WinWithRealEstate.com/
and uninstalled today. It just doesn't give me much more speed. GMail and Search History are useful, Desktop Search is a mixed bag but Web Accelerator is simply useless.
If you're worried about your privacy, then don't use their product, just because it exists doesn't mean that we all need to run and use it. For the casual internet browser, it may be helpful. If one insists on using it, then simply disable it whenever you need to login somewhere. Google has already said that it will not proxy any SSL site.
it doesn't. dumbass
Compare to Marketscore who also claims to be an internet accelerator. At least Google doesn't proxy SSL sessions too.
http://www.cit.cornell.edu/computer/security/marketscore/
Does this operate the way the rsync developers tried once which was to only push diffs of web page changes across the wire instead of the whole page?
Of course there were complex problems to be solved such as how to properly diff files across hordes of users in different cache-states, but if Google is doing this now.. it would be a huge bandwidth saver.
Better than just normal web proxy cache logic (which uses expiry codes), or gzipping content, etc...
Maybe a month or more ago I posted a /. comment telling of my concern that Google were producing too many products at too high of a rate...I wasn't the first and these concerns have been echoed by many others.
Google released a bad product. But that isn't the real news. It isn't even news that they have done anything intentionally evil. The real news here is they released a product as beta that should have been an internal alpha. IMHO they are pushing out their toys too fast and now they're suffering for it. Too cocky for their own good.
I can't help thinking that Bill Gates may have a smirk on his face right about now. Bill is obviously a savvy man when it comes to business or he wouldn't be the man he is today and I wouldn't be surprised if he was expecting something embarrassing like this to happen. I think it's simply brilliant that the "Gates on Google" article came only a day before this calamity.
It's not always a bad thing when the good guys get a slap and have to suck it up. This could actually do Google good, is it me or were people starting to become paranoid and resentful of Google?
Maybe Google will start refining their products now and getting them out of beta? It will be interesting to see Google's reaction.
Every time Google releases something new (and usually cool) people start complaining about security problems. Look what happened with Gmail and Google maps. For cryin' out loud, there's a security problem every time I turn on my stupid computer (even if it is behind two firewalls). People should really be more concerned with Microsoft's products than Google's. I'm not saying we don't need to ask questions about security but we don't need to put on our tinfoil hats either.
Really insightful.
LOL, good one!
After I installed and used Google Web Accelerator for a day or so, my Firefox built headline reader returns "Your Headline Reader has been banned" from Slashdot. Thanks a lot Google! Also thanks to Slashdot for promoting it!
I'm a Google fan. Downloaded this yesterday. Uninstalled it 15 minutes later because it slowed my connection down too much.
http://xs4.xs.to/pics/04481/p556222.gif
Why is Google doing this?
If the purpose is to speed up web access, then why couldn't all this gzip compression, prefetching, and so forth, be handled on your local drive without going through Google? Wouldn't that be faster? Not everyone lives next door to a Google data center (not yet, anyway), and there is latency when you hop around the web to get stuff from Google. The accelerator installation file isn't exactly lean (1.4 meg), so I don't understand why Google has to broker all of this stuff on their servers.
Google claims that there's no more of a privacy issue with this thing than there is with your ISP. However, I think most ISPs are a bit different than Google.
My ISP has no reason to store its logs indefinitely. Google has every intention of storing everything about me forever. My ISP rotates their logs regularly, while Google indexes and compresses their logs using globally-unique IDs, and stashes it away for future reference. My ISP is not the world's largest advertiser, but Google is determined to "know more about you" (Eric Schmidt's words) for profiling purposes. My ISP has a real privacy policy, and I believe that they would demand a subpoena before giving out information about my surfing behavior. Google has never suggested that they even require a subpoena from officials, so I have to assume that they have a very cozy relationship with various governments.
All that is from the user's perspective. What about webmasters?
The web accelerator ignores robots.txt. The web accelerator ignores the NOARCHIVE meta. I believe, but have yet to confirm, that it ignores any no-cache pragma headers. It avoids prefetching anything with a question mark in the URL, but what about all those PATH_INFO dynamic links we've been installing for the last four years so that our dynamic pages look like static URLs? Google prefetches many of these, and there are numerous reports that this prefetching, along with some cookie mishandling by Google, is breaking sites out there. Does Google care?
Why isn't there a sitewide opt-out option for this monster? Heck, it's so bloody dangerous for both the user and the webmaster that it ought to be opt-in instead of opt-out.
All webmasters should block this thing. If a user cannot get to your site because of this block, then at least you as a webmaster won't be complicit. We have to protect users from Google's megalomania, because they've been so dumbed-down by Google worship over the last few years that they can no longer think straight.
Are you a mutant? Rosie and her five sisters means you have 6 fingers.... how does that feel?
While I am sure the privacy concerns are going to continue, I'm also trying to look at it from another angle. Google may be trying to set itself up as an infrastructure play so it can start indexing the Deep Web.
Shameless self-promotion link: I've posted an entry on this on my site last night.
Check out http://www.tnl.net/blog
Usually these sessions are stored on the server.
Where exactly does it cache these "unvisited" pages?
It would be nice to have all this "unsafe" material cached on my local machine without my having visited these sites.
BTW, 18.8 seconds saved so far. Firefox has a plugin, but not Mozilla???
I only look human.
My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
I figured that saving a few seconds browsing wasn't worth relinquishing one of the few tools I have to detect unusual net traffic. The tool lasted perhaps 2 hours on my machine before I removed it.
Signal vs. Noise has a discussion about how Google Web Accelerator can break web applications that rely on making state changes (i.e. deleting todo list items) over the GET protocol.
Even though the W3C recommends using POST for state changes, GET is used all the time for practical reasons.
And for end-users, disable GWA while using a web application, or you may find items magically deleting themselves.
to install this Webaccelerator thing because there is a fairly slight chance I will be able to post on Slashdot as CmdrTaco. Hmm...still not working...
This sig donated to Pater. Long live
Your ISP could do the same stuff people claim google can do (as far as tracking).
Except my ISP is much smaller and is in the internet service business rather than the advertising business.
It trashed my Norwegian localized installation of Firefox. Get an XML-chrome error when I start it now.
Heck, I saw a portable DVD player at the "Brand Smart" store for $29. Yep, it had a color screen!
IIRC they were in the $1000+ range two years ago.
Now you won't know if the message, "Mr Sai, your order will ship as soon as you confirm your address", is a phishing expedition or someone else's double chin repair kit.
Now I'm the grandest Tiger in the Jungle!
I would not be very happy to have to use buttons for everything. First off, it means I have to query the name and value of the Button as a request value, since it will submit the entire form. This is a mess, unless you invest heavily into some i8n solution.
I guess one could work around this problem for links named "delete", but what about that IE will calculate the width of the button in fixed width font, so that long links will suck as buttons.
Am I supposed to somehow force the button width with CSS? Then I'd also have to make the user unable to change font size. So my page will be inaccessible to anyone with a vision handicap and then I'll be violating yet another Web Design Mantra.
Maybe I would even welcome your ideas, Mr. Anonymous Coward, if I could expect appreciation for the extra work I have to invest. However, I think beyond a certain level there is not much to gain. After that threshold, people pay and appreciate you to solve problems they have, not problems they might have in the future.
I would suggest that pages that MAY be prefetched MUST be marked as such. Similar to pragma NO-CACHE.
To solve one of my initial problems, forms would need to be nested, then buttons would be useful. Or you'd have to use the javascript workaround with otherForm.submit() the other AC talked about.
I'm still trying to figure out what people mean by 'social skills' here.
Google has removed its original post from the Google Blog, but the original story is still available via ATOM.
This is also a way for Google to leverage other people's computers to do their crawling for them to find pages their own internal crawlers may not have known about before. Think about it:
1) Browser requests a page from Google cache
2) "Not here, you go get it Mr. Browser"
3) Browser gets it from the origin site directly
4) GWA plug-in uploads the content to the Google index
5) Tell Google crawlers to scour the rest of the site
...of of G-Unit, which would probably only run on Power Mac G5 systems.
I tried it 3 hrs back. Seemed like working fine, until I found out I could not do remote-login to my office machine through my company's access webpage!
:-(
Now I know I could explore the preferences a bit more, but why did it have problems opening a remote connection to a Citrix box?
Had to uninstall it.
There are a lot of web servers that don't have compression enabled or are behind slow links. So, going through Google can speed up your surfing.
We recommended that our users NOT use proxies such as GWA. We did not do this because it's buggy (though it may be), but more because it is a public proxy being marketed as a web accelerator. Most web users do not understand what a proxy is much less the serious security and privacy implications using one can have.
GWA seemed to not always honor cache headers as the RFC describes, though I couldn't see any real pattern.
Ken
First off, it means I have to query the name and value of the Button as a request value, since it will submit the entire form.
That depends on the context. Often it is better to use multiple forms.
Am I supposed to somehow force the button width with CSS?
WTF are you talking about? Just use display: inline and don't set a width.
Then I'd also have to make the user unable to change font size.
Nope, setting a width on something doesn't mean that they are unable to change the font size. Example: width: 10em.
So my page will be inaccessible to anyone with a vision handicap
Again, wrong. Blind people wouldn't be affected at all.
Maybe I would even welcome your ideas, Mr. Anonymous Coward, if I could expect appreciation for the extra work I have to invest.
Not cutting corners by going out of spec isn't extra work, it's work that should have been done in the first place. Developers that put out quality work and remain in spec will have preemptively protected their clients from this problem. Developers that cut corners and ignore the spec and common sense will be exposing their clients to data-losing risks.
Why worry? Google is safe. It's not like they can search my desktop, view my house from miles away and see my surfing habits.. oh wait..
Well at least they can't see everything I've posted on usenet for the past 10 years.
And thankfully they can't find images of me posted on the web either. hmm.
well.. on the bright side at least if I ever die they can reconstruct me.
Seriously, folks. Don't like it? Don't use it. Don't like the violence in the latest video game? Don't play it. It's not that difficult.
I see it as a draw regarding the multiple forms needed to emulate links as actions, since it limits my choices.
I think you misunderstood why I think IE buttons work badly with very long button texts (font-family:Arial;). There is extra space left and right. In addition it sux graphically because IE has a single image for the buttons, so that the corners are stretched as well, looking very ugly and pixelated.
You are of course right with the "width:10em" but I just don't feel happy diving into technical complications that may or may not break with some browser version. Handcrafting every single CSS for every element is such a complication.
It is nice that you protect your clients from data loss, but somehow I feel a client should not let an Accelerator crawl a web site that is protected by a login. Just imagine what this accelerator would do to http://www.everything2.com/s softlinking feature. I know, you would have worked around the problem, but I guess you get paid well by the minute and don't have to invest essentially free time into this like other people.
I'm still trying to figure out what people mean by 'social skills' here.
What about the more sinister but equally obvious, rewriting the pages before serving them back local?
Google could do their own "smart tags" and hook it directly to their AdWords. Since they see all your surfing habits they should be able to know the keywords to convert to paid advertising links to specifically target you. Could make DoubleClick.com and similar look rather impotent at tracking you.
Beyond "smart tags" Google could easily extend rewriting to other things to their advantage.
I sure hope their "Do No Evil" mantra holds.
Those who can do. Those who can't sue.
If your security can be bypassed through a simple cache then your security is nonexistent. There are many ways to implement security regardless of caches and any major site does so. Even if you close your caching proxy to only your LAN, do you still want employees having access to areas the boss has access to? Or how about the many dial-up providers who cache content to increase speeds? This is not a problem with Google, this is a problem with web security. This is why qualified people should be hired to write any kind of secure web app; too many kiddies grab some PHP scripts, set up a MySQL server and think everything is great. There is a right way to do it and a wrong way, this is a result of a lack of education and I can only hope that this popular web proxy of Google's brings it to everyone's attention. Hell, even some web servers will dynamically cache often visited pages and just serve them up from the cache; people need to become more security minded.
Regards,
Steve
What kind of security is going to stop someone with a valid username and password from logging in and downloading the pages? Does God himself handle your security?
It's not a bug with the proxy software, it's a bug with those forums.
Caching proxies have been around for several years now, and this is not a new problem. Any webmaster worth his salt should know about this, and any dynamic content (especially a piece of forum software) should know damn well to properly implement expiration dates and cache control directives.
If the WWWBoard software at Futuremark was doing the right thing in the first place, this wouldn't be a problem. It's Futuremark's and WWWBoard's security bug, not GWA's or any other caching proxy's.
The only reason people are bitching about this is because GWA is one of the first caching proxy systems out there to hit widespread use by people who've never used one before. The concept itself is not new by a long shot, and there are established guidelines to follow when you develop web software to deal with them. If you fail to follow these guidelines, then yeah, your site will break and you create a security risk like WWWBoard has clearly done. Upgrade/fix your forum software.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
Can we use GWA to get free porn?
Heh, nice comment. But in all seriousness, passwords should only be sent over https so the proxy never knows what it really is, just the encrypted form, and session IDs that expire after 30 minutes or so of no activity along with a unique session ID that is a part of all URLs during your session or something along those lines would help immensely. Someone would have to a) be using the same cache as you, b) guess your session ID out of, oh, let's say at least 2^128 possibilities at a minimum and c) do all of this before your session time runs up (or if all they want to do is view your data they can skip this step). Good security is hard and might be taxing on the server, but worth it :)
Regards,
Steve
What's the difference between this and your ISP?
Eh... OK, since the article wasn't clear enough, let's spell it out:
User A and User B use this Web Accelerator.
User A may suddenly get logged in as User B on a forum both of them visit, or vice versa. Especially for popular forums this can end up as a huge security problem. People get randomly logged in as others, and can view all their account settings and post in their name, etc.
And although Google doesn't do this to https, I can sure think of even worse scenarios than simple forums.
Beware: In C++, your friends can see your privates!
The web accelerator is not a robot, so this is correct behavior.
NOARCHIVE is a Google specific extension to the robots.txt specification, and again, this is not a robot.
I'd be absolutely shocked if that were actually the case. I also believe it respects the Expires header as well as the Cache-Control header.
If they're following the proper standards, then it's not their place to care or not. If your website doesn't properly specify cache-control (many don't) then you get what you get.
For any pages with user-specific content, add the "Cache-Control: private" header and voila, problem solved for you.
If you want to opt out entirely, then a simple "Cache-Control: no-cache" header in your HTTP responses would do the trick, as would "Pragma: no-cache", I bet.
Furthermore, there is no cookie mishandling I've actually seen, and I've tested it. It passes cookies through just fine, without caching them, near as I can tell.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
...before it is detected by M$ AntiSpyware?
Rediculous is ridiculous!
- sshd / ssh access on a machine "at work" (preferably, don't use port 22)
- Install rabbit
- Tunnel the port 9666 to your browsing machine
For tunnelling in 'doze, I use PuTTY (which allows encrypted/compressed tunnels) and follow the instructions here or here (instructions for tunnelling Samba traffic, but you'll get the picture, rabbit works off port 9666, so use 222.222.222.222:9666 as your web proxy). This could be quite useful if you connect via GPRS and pay for data by the megabyte... or if you're travelling to an unfriendly country and don't want unfriendly people to snoop on your browsing habits.
bundaegi is good for you
True, I can see that. It's unfortunate though, because on the fly gzip compression on the server side is damned simple. It'd be the simplest way to cut a massive amount of web traffic overnight the world over. :)
Simple reply: tough. GET requests must be idempotent, they should not change state and absolutely must not change state destructively. You should be able to make the same GET request multiple times without affecting anything.
This is because with a POST request, if you hit refresh, the browser warns you that you're about to submit information, and that there may be undesirable consequences - Firefox explicitly mentions resubmitting an order for example. With a GET request there is no such warning. What if someone accidentally bookmarks the result of a GET that deletes some data, or similar? They may not even realise the damage they're causing while they empty the database.
As for extra effort, I really don't see it I'm afraid. I've been working on web-based applications for 6 years, and of all the things that have caused me pain, POST vs GET simply isn't one of them; it's a non-issue, once you understand when it is appropriate to use GET and when you should use POST.
It's official. Most of you are morons.
knowledge is fact, hence immutable. Synergy requires a dynamic system.
Maybe you meant synergistic knowledge growth?
It's pretty simple, really.
1) Bob installs Google Web Accelerator.
2) Bob visits (let's say) Slashdot, and logs in as username "Bob."
3) Bob loads a couple of pages, maybe posts a message or two, then he goes to sleep. Meanwhile, Google caches all of the pages he visits.
4) George, who also uses Google Web Accelerator, visits the same page a few minutes after Bob did.
5) No new stories have been posted since Bob visited, so as far as Google is concerned, there's no need to update the cache.
6) George sees "Bob's version" of the page, complete with "You are signed in as: Bob" type link, and other customizations.
This hit SomethingAwful pretty hard the other day when GWA first went public. Google was caching a lot of pages that admins were viewing; then regular non-admin users with GWA were getting the admin versions of pages from the cache. People were able to see each others' private messages, etc. Quite the mess.
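The Bob/George sequence above, and the `Cache-Control: private` fix suggested earlier in the thread, as an added Python example that is not part of any comment and is not Google's code. `Origin`, `SharedCache`, `replay` and the session IDs are hypothetical, and the cache is a deliberately simplified model that keys on URL alone.

```python
"""Toy model of a shared caching proxy in front of a forum (constructed example)."""


def parse_cache_control(value):
    """Return the set of lower-cased directive names in a Cache-Control value."""
    directives = set()
    for part in value.split(","):
        name = part.split("=", 1)[0].strip().lower()
        if name:
            directives.add(name)
    return directives


class Origin:
    """Hypothetical forum: the page body depends on the session cookie."""

    def __init__(self, cache_control=None):
        self.cache_control = cache_control  # header sent with every page
        self.sessions = {"sid-bob": "Bob", "sid-george": "George"}  # constructed

    def get(self, url, cookie):
        user = self.sessions.get(cookie, "guest")
        headers = {}
        if self.cache_control:
            headers["Cache-Control"] = self.cache_control
        return headers, f"{url}: You are signed in as: {user}"


class SharedCache:
    """Shared cache keyed by URL only, the failure mode described in the thread."""

    # Directives after which a shared cache must not hand out a stored copy
    # without going back to the origin. To keep the model small, no-cache is
    # treated like "do not store" instead of "store but revalidate".
    UNSHAREABLE = {"private", "no-store", "no-cache"}

    def __init__(self, origin):
        self.origin = origin
        self.store = {}

    def fetch(self, url, cookie):
        if url in self.store:
            return self.store[url]  # cache hit: the cookie is never consulted
        headers, body = self.origin.get(url, cookie)
        directives = parse_cache_control(headers.get("Cache-Control", ""))
        if not (directives & self.UNSHAREABLE):
            self.store[url] = body
        return body


def replay(cache_control):
    """Bob loads the page, then George loads it through the same cache."""
    cache = SharedCache(Origin(cache_control))
    bob = cache.fetch("/forum/index", "sid-bob")
    george = cache.fetch("/forum/index", "sid-george")
    return bob, george


if __name__ == "__main__":
    for header in (None, "max-age=300", "private", "private, max-age=0"):
        _, george = replay(header)
        print(f"Cache-Control {header!r:22} -> George gets: {george}")
```
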
I'm going to repost something that I posted here last night. I believe it's relevant to the discussion. Repost as blockquote.
"BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
If you're doing a destructive action based on a GET request, then your application is broken.
I could quote the chapter and verse, but I'll instead assume that you can read, especially the last sentence of section 9.1.1.
http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
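The GET-versus-POST point made in this comment and in the earlier ones about to-do items deleting themselves, as an added Python example that is not part of any comment. `TodoApp`, `LinkCollector` and `prefetch` are hypothetical; the prefetcher is a model built from the thread's description (it follows links and skips URLs containing a question mark), not Google's implementation.

```python
from html.parser import HTMLParser


class LinkCollector(HTMLParser):
    """Collect href targets of <a> tags, the only thing the prefetcher follows."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)


class TodoApp:
    """Hypothetical to-do app; delete_via_get=True selects the broken design."""

    def __init__(self, delete_via_get):
        self.delete_via_get = delete_via_get
        self.items = {1: "buy milk", 2: "file taxes"}  # constructed data

    def handle(self, method, path):
        if method == "GET" and path == "/todo":
            return 200, self.render()
        if path.startswith("/todo/delete/"):
            allowed = "GET" if self.delete_via_get else "POST"
            if method != allowed:
                return 405, "Method Not Allowed"
            self.items.pop(int(path.rsplit("/", 1)[1]), None)
            return 303, "See Other: /todo"
        return 404, "Not Found"

    def render(self):
        rows = []
        for item_id, text in self.items.items():
            target = f"/todo/delete/{item_id}"  # PATH_INFO style, no '?'
            if self.delete_via_get:
                rows.append(f'<li>{text} <a href="{target}">delete</a></li>')
            else:
                rows.append(f'<li>{text} <form method="post" action="{target}">'
                            "<button>delete</button></form></li>")
        return "<ul>" + "".join(rows) + "</ul>"


def prefetch(app, start="/todo"):
    """View one page, then GET every link on it except URLs containing '?'."""
    _, page = app.handle("GET", start)
    collector = LinkCollector()
    collector.feed(page)
    for href in collector.links:
        if "?" not in href:
            app.handle("GET", href)
    return len(app.items)  # items left after the user merely viewed the list


if __name__ == "__main__":
    print("delete over GET :", prefetch(TodoApp(delete_via_get=True)), "items left")
    print("delete over POST:", prefetch(TodoApp(delete_via_get=False)), "items left")
```
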
That 7.1 seconds isn't a valid figure. You will waste far more than 7 seconds posting on slashdot to explain why other people have been posting to slashdot under your moniker.
--
WHO ATE MY BREAKFAST PANTS?
Well, you are right. Not everything that results from this is straightforward tho, but workable.
I'm still trying to figure out what people mean by 'social skills' here.