Slashdot Mirror


Security Fears Over Google Accelerator

Espectr0 writes "A software tool launched by Google on Wednesday that speeds up the process of downloading Web sites (covered recently on Slashdot) has caused some users to worry about their privacy. A ZDNet article discusses problems that users have been experiencing with the information that is cached by the software. On a Google Labs discussion group, one user said that 'I went to the Futuremark forums and noticed that I'm logged in as someone I don't know...'" Commentary also available on Signal vs. Noise and BlogNewsChannel.

18 of 355 comments

  1. It's ok by Anonymous Coward · · Score: 1, Insightful

    When they already control the information, your email, your blog... why bother about identity while browsing the web?

  2. All Together Now... by Future+Linux-Guru · · Score: 5, Insightful

    B
    E
    T
    A

    You'll get better results filing a report with Google as opposed to complaining on /.

    As for me, I used the 3.7 minutes I've saved so far to spend some quality time with my friends.

    1. Re:All Together Now... by arkanes · · Score: 5, Insightful

      I think a more obvious answer here is that GWA is exposing web security bugs on a wide variety of applications. It's worth noting that if GWA can compromise your security, then it can be done intentionally as well. Which is not to say that caching issues should be ignored, or that there may not be a real problem with users getting some other user's cookies. But if GWA can seriously affect your website, then instead of bitching that GWA is breaking your website like SomethingAwful did, you need to realize that your security was already flawed and you need to fix it.

  3. Re:Looking suspicious... by Anonymous Coward · · Score: 2, Insightful

    Do you think Slashdot will ever arrive at a time where a joke about the error message "Move along. Nothing to see here." isn't made on /every/ single article and modded +5 /every/ single time?

  4. NoCache directive by Sir+Pallas · · Score: 4, Insightful

    Shouldn't those sites be using the NoCache directive and shouldn't Google be honoring it? I wonder which side is at fault. At any rate, fears about information leakage are kind of silly because of the volume of traffic that Google services. The accelerator allows them to see link patterns, but no one could store, let alone process, an entire day's worth of data after the fact. The same is true for Google Mail: no person ever sees your email; an algorithm does, and tailors simple, pertinent advertising in exchange for an otherwise free service. The accelerator can only make the search engine better for everyone. Anyone that uses it is giving back, contributing to the synergistic knowledge of Google.
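The cache-directive question raised in the comment above, as an added example that is not part of the original thread: a simplified "may a shared cache store this response?" check, next to the headers an origin can send for logged-in pages. The function names are hypothetical, and the cookie rule is a deliberately conservative assumption that is stricter than the HTTP caching rules.

```python
# Added example: a shared cache's storage decision, simplified.
def parse_cache_control(value):
    """Split a Cache-Control header into {directive: argument-or-None}."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"') or None
    return directives


def shared_cache_may_store(request_headers, response_headers):
    """Return (allowed, reason) for a cache shared between many users."""
    req = {k.lower(): v for k, v in request_headers.items()}
    resp = {k.lower(): v for k, v in response_headers.items()}
    cc = parse_cache_control(resp.get("cache-control", ""))
    if "no-store" in cc:
        return False, "no-store"
    if "private" in cc:
        return False, "private"
    # Directives with which the origin explicitly permits shared storage.
    explicit = any(d in cc for d in ("public", "s-maxage", "must-revalidate"))
    if "authorization" in req and not explicit:
        return False, "authorization"
    # Conservative assumption (stricter than the HTTP spec): anything tied to
    # a cookie is treated as per-user unless the origin marks it shareable.
    if ("cookie" in req or "set-cookie" in resp) and not explicit:
        return False, "cookie"
    if "no-cache" in cc:
        # no-cache permits storage but demands revalidation before reuse.
        return True, "store-but-revalidate"
    return True, "ok"


def origin_headers(logged_in):
    """Headers an origin could send so shared caches skip per-user pages."""
    if logged_in:
        return {"Cache-Control": "private, no-store", "Vary": "Cookie"}
    return {"Cache-Control": "public, max-age=300"}
```

Note that `no-cache` on its own does not keep a page out of a shared cache; `private` or `no-store` does.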

  5. Re:Sooooo by bogie · · Score: 2, Insightful

    Did you Read The Fine Article?

    "I went to the Futuremark forums and noticed that I'm logged in as someone I don't know. Great, I've used Google's Web Accelerator for a couple of hours, visited lots of sites where I'm logged in. Now I wonder how many people used my cache. I understand it's a beta, sure, but something like that is totally unacceptable."

    I frankly don't know a ton about it since it fucked up my Firefox install, but others are giving the example of user X, who has mod status, browsing www.popularforum.com/modforum/userspasswords, and now Google has a cache of that page that anyone can access. I don't know if that's true but this is exactly why companies don't knowingly open their proxies to the outside world. Here you have the Entire World granted access to almost any page a user running Google's software goes to.

    If those claims are true then Google has a duty to pull this from the market immediately which they may very well do.

    --
    If you wanna get rich, you know that payback is a bitch

  6. Re:Maybe i don't understand how it works? by Rakshasa+Taisab · · Score: 2, Insightful

    It helps because the site you are browsing will require your cookie to display correctly.

    What I *think* might have happened to the user in the above article is that the site used the IP address, not a cookie, to identify the user. Thus there was no cookie being misplaced but rather the site assumed Google's IP belonged to the same user.

    --
    - These characters were randomly selected.

  7. If you're worried about privacy... by Momoru · · Score: 2, Insightful

    Don't use it! Google is a public corporation, everything they make is designed to somehow make a profit (which I see nothing wrong with, btw)...even if it doesn't cache your personal information like the article claims, there is some angle to it that will make money for them, maybe they will look at your web surfing habits and target ads to you. If you're one of those people who blindly trusts Google because of their "don't be evil" mission statement, then use it and trust that Google is taking care of you. I personally don't trust them, so I won't use it. There is no free lunch.

  8. You say that, but... by Sialagogue · · Score: 4, Insightful

    How long has Google Groups been labelled Beta now, two years maybe? How many users does it have?

    If a wide number of even adventurous, risk-taking users could be exposed to a potentially significant security hole, then word should get out more widely than just Google's "thanks for the feedback" e-mail addresses.

    Beta is not the Greek word for "without responsibility." As much as we criticize Microsoft for making the idea of a "release date" (or "security") meaningless, I think Google's well on its way to making the idea of the "Beta Release" meaningless.

    They act like a small, groovy coding lab with Beta releases and all, but seemingly aren't simultaneously recognizing that because of their prominence in consumers' minds, *anything* they do has widespread impact on ordinary Net consumers. So a true, uncontrolled Beta release? That's fine for me when I just coded a little midi tool and want to run it past my friends, but there's really no such thing when you're Google.

    I think that the number of users that adopt even their least publicized tools takes them out of the realm of the real intent of a Beta release, especially when security issues are involved.

    --
    The only acceptable defense of scientific results is to say that they were the product of the Scientific Method.

    1. Re:You say that, but... by nmk · · Score: 5, Insightful

      I think he's probably proposing that they should stop acting like pussies and start taking some responsibility for their software. Like he said, Google has turned the very concept of the Beta into a joke. If MS was to keep a major piece of software in Beta for three or four years (as does Google), they would be accused of incompetence. I think the same should apply to Google.

  9. Re:Bigger problems with web accelerator by poot_rootbeer · · Score: 4, Insightful

    links that say 'delete this' or 'unsubscribe' etc. Many webpages use GET links to do these actions

    In which case, many webpages are BROKEN AS HELL.

    Come on, "webmasters". I knew well enough to implement any irreversible actions as a form with method=POST to prevent spiders from triggering them back in 1998. There's no excuse for a professional web developer to make that mistake in 2005.

    Google being the global aggregator that it is, though, should have expected the worst and foreseen that this kind of thing would happen and planned for it. Disappointing.
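The method=POST rule from the comment above, as an added example that is not part of the original thread: a small dispatcher that refuses an irreversible action over GET and also requires a per-session token on the POST. The routes, `handle` and `csrf_token` are hypothetical names, and the key and data are constructed samples.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"              # sample value, not a real secret
POSTS = {1: "first post", 2: "second post"}   # constructed sample data
SAFE_METHODS = {"GET", "HEAD"}


def csrf_token(session_id):
    """Per-session token that must accompany every state-changing request."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle(method, path, session_id=None, form=None):
    """Tiny dispatcher: returns (status, headers, body)."""
    form = form or {}
    action, _, arg = path.strip("/").partition("/")
    post_id = int(arg) if arg.isdigit() else None
    if action == "view" and method in SAFE_METHODS:
        if post_id in POSTS:
            return 200, {}, POSTS[post_id]
        return 404, {}, "no such post"
    if action == "delete":
        # Irreversible action: refuse every method except POST, so a spider
        # or prefetcher following links with the user's cookies changes nothing.
        if method != "POST":
            return 405, {"Allow": "POST"}, "use POST"
        if session_id is None:
            return 401, {}, "login required"
        # POST alone is not proof of intent: forms can be forged or altered,
        # so the request must also carry this session's token.
        sent = form.get("csrf", "").encode()
        if not hmac.compare_digest(sent, csrf_token(session_id).encode()):
            return 403, {}, "bad token"
        if POSTS.pop(post_id, None) is None:
            return 404, {}, "no such post"
        return 303, {"Location": "/"}, "deleted"
    return 404, {}, "not found"
```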

  10. Re:I, for one, welcome by NETHED · · Score: 3, Insightful

    I made the point a while ago about Google. I know others have said it too. Google is amazing, I rely on Google daily. Before Google went public, I was less afraid of them going bad, but now...I'm not so sure. If Google outgrows itself, it becomes Microsoft. If the left hand no longer knows what the left is doing, then it's bad news for everyone, especially the consumer. The difference (for now) between Microsoft and Google is that Google is not a standard install on nearly every consumer computer.

    Is G-os coming?

    --
    --sig fault--

  11. Re:Maybe i don't understand how it works? by Enigma_Man · · Score: 2, Insightful

    I'll stop when people stop deserving it. I haven't missed the whole point of this discussion at all, in fact I was the one who originally instructed the parent why he was wrong. Google caching might cache cookies, but not ONLY cookies; understand, comprende?

    -Jesse

    --
    Nothing says "unprofessional job" like wrinkles in your duct tape.

  12. Re:Sooooo by noidentity · · Score: 2, Insightful

    Your ISP could do the same stuff people claim google can do (as far as tracking).

    Except my ISP is much smaller and is in the internet service business rather than the advertising business.

  13. Re:Google is becoming a threat by JahToasted · · Score: 2, Insightful

    so I don't understand why Google has to broker all of this stuff on their servers.

    Never heard of the slashdot effect? Well if everyone is using this, it will eliminate it. Google downloads the site's content, everyone downloads from google, site stays up.

  14. Re:Bigger problems with web accelerator by That's+Unpossible! · · Score: 2, Insightful

    Come on, "webmasters". I knew well enough to implement any irreversible actions as a form with method=POST to prevent spiders from triggering them back in 1998.

    So did these people. But this isn't a spider. This is a monkey piggy-backing on an AUTHENTICATED USER SESSION.

    And I, for one, say it is time to punch that monkey.

    --
    Ironically, the word ironically is often used incorrectly.

  15. Re:Bigger problems with web accelerator by Anonymous Coward · · Score: 1, Insightful

    No. Your site shouldn't add the prefetching tag to the "logout" links.

    Pre-fetching is an opt-in thing by webmasters/web designers. It's not evil.

  16. Re:Bigger problems with web accelerator by mr3038 · · Score: 2, Insightful

    Someone I work for uses GET for everything. [...] This is why he uses so many if statements to accommodate people altering the links.

    You know that <form>s can be modified too, right? If you're writing an application that works through HTTP/Web browser then you just have to do a lot of checking (that's where the "if" comes in) to make sure that the client (browser/user agent/the real user) isn't trying to hack your system. If you don't do input validation for everything you might as well use GET for everything.

    I do sometimes use GET for state changing actions in web applications I write. In some cases some toggle actions that reflect only data display result in a much better user interface if I use normal links instead of <button>s. Sometimes you have to accept some compromises when you're writing webapps that have to work without CSS, images and JavaScript and still be usable.

    --
    _________________________
    Spelling and grammar mistakes left as an exercise for the reader.