Slashdot Mirror
Security Fears Over Google Accelerator
Espectr0 writes "A software tool launched by Google on Wednesday that speeds up the process of downloading Web sites (covered recently on Slashdot) has caused some users to worry about their privacy.
A ZDNet article discusses problems that users have been experiencing with the information that is cached by the software. On a Google Labs discussion group, one user said that 'I went to the Futuremark forums and noticed that I'm logged in as someone I don't know...'" Commentary also available on Signal vs. Noise and BlogNewsChannel.
How does caching your cookies to the internet help speed up your local browsing?
Perhaps this is just Google's way of finding morelinks to add to it's search index? Imagine gathering millions of websites that it may not have indexed or found yet. All from links that users of the GWA have visited... possible?
Hmmm.
I found it a bit amusing that when I clicked the story link, the destination site, as well as three other sites, each attempted to save a cookie on my computer. Four cookies. To read a news story. That's necessary.
You probably shouldn't click this.
Comment removed based on user account deletion
It doesn't just cache your cookies, it acts as a proxy that compresses the data as you browse, much like the ISPs that offer "high speed" compressed modem surfing.
-Jesse
Nothing says "unprofessional job" like wrinkles in your duct tape.
Not only that, but Google will conceal real web statistics from websites.
Remember acquisition of Urchin? Here is my concern about Google Webaccelerator.
my sstream of consciousness
Has anyone read how google will deal with adsense clicks? Since all users of the accellerator will come from the same IP, will that IP decrease in value? (It's well known that the same IP can't just click again and again and generate revenue).
The business with appearing to be logged on isn't quite as serious as it sounds (although it is still bad).
The problem appears to be that you will sometimes be given a page that was personalised for someone else. However if you attempt to do anything from that page (for example if you find yourself looking like admin of a web board) you'll find that it doesn't work, any more than it would if someone emailed you a copy of a page where they were logged in as admin and you clicked on links (if you are on a website where doing that would work, you already have serious security problems). It also doesn't occur with SSL as google doesn't doing anything with SSL pages (as you would hope)
This is still a problem if that page shows something private of course, and should be fixed. (a password of course being the worst case, but how often do you see your actual passwords printed on a webpage?)
Combination - fun iPhone puzzling
Read about all of the username, forum, and security risks?
7 6
Since such activity could pose both a security risk to web surfers and site owners, there are some web sites which are interested in not having Web Accelerator pick up their material.
A very fast and efficacious method of denying Google Web Accelerator (GWA) funneled traffic access to your web site is blocking the IPs it is calling your pages from:
http://www.searchenginejournal.com/index.php?p=16
lowtax of SomethingAwful makes some interesting points amidst all his fuming but I'll have to defer to the /. tech wizards to vet his technical claims.
I just deleted the accelerator from my system after trying it for the last day, and I must say that it is much less mature than most of the "Beta" products google releases. It caused several significant issues with Firefox on my system, including:
1. Links that open another window stopped working entirely (although they worked if I right-clicked and selected "open in new tab")
2. Even after closing all Firefox windows, a firefox.exe process would remain running, and prevent any new firefox windows from being opened until it was manually killed
3. "Proxy not available" errors when opening several pages at once, such as when using the Firefox "open in tabs" on a folder of bookmarks.
And I haven't even checked into some of these cookie / privacy issues. Perhaps these issues are unique to my system, but my environment is pretty vanilla... I just run a few of the more popular Firefox plugins. Removing the GWA cleared up all of the problems cited above.
Up to this point, I've always been very impressed with the level of testing that has gone into Google software products before they enter Beta. In this case, I'm not. Hope this isn't a sign of things to come.
-R
If it is prefetching everything, then I would have a problem with that, from a different perspective. That increases the amount of bandwidth used by fetching a lot of pages that might not be followed. That means increased bandwidth costs unless enough users use the system such that Google's caching means that it most of the given files are already in their cache.
Thats a common proxy bug, actually, and the person who we all "appear" to be logged in as at Futuremark is St34lthW4rrior, a guy I actually know. No, we aren't actually logged in as him--its simply how the page is cached, and as our school proxy causes this problem basically every day, I'm used to it. Just disable it for dynamic pages such as forums.
Why is Google doing this?
If the purpose is to speed up web access, then why couldn't all this gzip compression, prefetching, and so forth, be handled on your local drive without going through Google? Wouldn't that be faster? Not everyone lives next door to a Google data center (not yet, anyway), and there is latency when you hop around the web to get stuff from Google. The accelerator installation file isn't exactly lean (1.4 meg), so I don't understand why Google has to broker all of this stuff on their servers.
Google claims that there's no more of a privacy issue with this thing than there is with your ISP. However, I think most ISPs are a bit different than Google.
My ISP has no reason to store it's logs indefinitely. Google has every intention of storing everything about me forever. My ISP rotates their logs regularly, while Google indexes and compresses their logs using globally-unique IDs, and stashes it away for future reference. My ISP is not the world's largest advertiser, but Google is determined to "know more about you" (Eric Schmidt's words) for profiling purposes. My ISP has a real privacy policy, and I believe that they would demand a subpoena before giving out information about my surfing behavior. Google has never suggested that they even require a subpoena from officials, so I have to assume that they have a very cozy relationship with various governments.
All that is from the user's perspective. What about webmasters?
The web accelerator ignores robots.txt. The web accelerator ignores the NOARCHIVE meta. I believe, but have yet to confirm, that it ignores any no-cache pragma headers. It avoids prefetching anything with a question mark in the URL, but what about all those PATH_INFO dynamic links we've been installing for the last four years so that our dynamic pages look like static URLs? Google prefetches many of these, and there are numerous reports that this prefetching, along with some cookie mishandling by Google, is breaking sites out there. Does Google care?
Why isn't there a sitewide opt-out option for this monster? Heck, it's so bloody dangerous for both the user and the webmaster that it ought to be opt-in instead of opt-out.
All webmasters should block this thing. If a user cannot get to your site because of this block, then at least you as a webmaster won't be complicit. We have to protect users from Google's megalomania, because they've been so dumbed-down by Google worship over the last few years that they can no longer think straight.
If you're changing state with a GET request, you're doing it wrong. It really is that simple.
"How long has Google Groups been labelled Beta now, two years maybe? How many users does it have?"
So you would have them move it out of beta sooner? Not beta it? What's the solution you're proposing?
Are you saying that software that Google issues in beta should be bug free, or are you suggesting that Google, being a search engine and all, should be scraping all of the Web's most popular forums as their bug reporting mechanism?
I'm really not sure what you're proposing, here.
We recommended that our users NOT use proxies such as GWA. We did not do this because it's buggy (though it may be), but more because it is a public proxy being marketed as a web accelerator. Most web users do not understand what a proxy is much less the serious security and privacy implications using one can have.
GWA seemed to not always honor cache headers as the RFC describes, though I couldn't see any real pattern.
Ken
It's not a bug with the proxy software, it's a bug with those forums.
Caching proxies have been around for several years now, and this is not a new problem. Any webmaster worth his salt should know about this, and any dynamic content (especially a piece of forum software) should know damn well to properly implement expiration dates and cache control directives.
If the WWWBoard software at Futuremark was doing the right thing in the first place, this wouldn't be a problem. It's Futuremark's and WWWBoard's security bug, not GWA's or any other caching proxy's.
The only reason people are bitching about this is because GWA is one of the first caching proxy systems out there to hit widespread use by people who've never used one before. The concept itself is not new by a long shot, and there are established guidelines to follow when you develop web software to deal with them. If you fail to follow these guidelines, then yeah, your site will break and you create a security risk like WWWBoard has clearly done. Upgrade/fix your forum software.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.