Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Fears Over Google Accelerator

Posted by Zonk on from the road-to-hell-is-paved-with-web-caching dept.

Espectr0 writes "A software tool launched by Google on Wednesday that speeds up the process of downloading Web sites (covered recently on Slashdot) has caused some users to worry about their privacy. A ZDNet article discusses problems that users have been experiencing with the information that is cached by the software. On a Google Labs discussion group, one user said that 'I went to the Futuremark forums and noticed that I'm logged in as someone I don't know...'" Commentary also available on Signal vs. Noise and BlogNewsChannel.

32 of 355 comments (clear)

  1. I, for one, welcome by xmas2003 · · Score: 4, Funny

    our new Google Overlords

    --
    Hulk SMASH Celiac Disease
    1. Re:I, for one, welcome by Sinus0idal · · Score: 5, Funny

      Even more worrying, Google has two left hands.

  2. Google Privacy-b-gone! by ShaniaTwain · · Score: 5, Funny

    'I went to the Futuremark forums and noticed that I'm logged in as someone I don't know...'

    thats not a bug, its a feature.

    --
    Starsucks
    1. Re:Google Privacy-b-gone! by Silverlancer · · Score: 4, Interesting

      Thats a common proxy bug, actually, and the person who we all "appear" to be logged in as at Futuremark is St34lthW4rrior, a guy I actually know. No, we aren't actually logged in as him--its simply how the page is cached, and as our school proxy causes this problem basically every day, I'm used to it. Just disable it for dynamic pages such as forums.

  3. Aaaaaaaah! by Anonymous Coward · · Score: 4, Funny

    Its true its true! People are logging on this account and acting like me on this account on /. but it really isnt me! Imposters!

  4. All Together Now... by Future+Linux-Guru · · Score: 5, Insightful

    B
    E
    T
    A

    You'll get better results filing a report with Google as opposed to complaining on /.

    As for me, I used the 3.7 minutes I've saved so far to spend some quality time with my friends.

    1. Re:All Together Now... by Chicane-UK · · Score: 5, Funny

      As for me, I used the 3.7 minutes I've saved so far to spend some quality time with my friends.

      Rosie Palm and her 5 sisters? ;)

      --
      "Hey! Unless this is a nude love-in, get the hell off my property!!"
    2. Re:All Together Now... by arkanes · · Score: 5, Insightful

      I think a more obvious answer here is that GWA is exposing web security bugs on a wide variety of applications. It's worth noting that if GWA can compromise your security, then it can be done intentionally as well. Which is not to say that caching issues should be ignored, or that there may not be a real problem with users getting some other users cookies. But if GWA can seriously affect your website, then instead of bitching that GWA is breaking your website like SomethingAwful did, you need to realize that your security was already flawed and you need to fix it.

    3. Re:All Together Now... by Anonymous+Custard · · Score: 4, Funny

      >As for me, I used the 3.7 minutes I've saved so far to spend some quality time with my friends.

      Rosie Palm and her 5 sisters? ;)

      Probably, but then what about the other 3.2 minutes?

      --
      $8.95/mo web hosting
    4. Re:All Together Now... by MyLongNickName · · Score: 4, Funny

      Ah yes... the Palm sisters. I know them well.

      --
      See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
  5. Links.... by Mz6 · · Score: 4, Interesting

    Perhaps this is just Google's way of finding morelinks to add to it's search index? Imagine gathering millions of websites that it may not have indexed or found yet. All from links that users of the GWA have visited... possible?

    --
    Hmmm.
  6. Privacy eh? by funny-jack · · Score: 5, Interesting

    I found it a bit amusing that when I clicked the story link, the destination site, as well as three other sites, each attempted to save a cookie on my computer. Four cookies. To read a news story. That's necessary.

    --
    You probably shouldn't click this.
    1. Re:Privacy eh? by baadger · · Score: 4, Interesting

      Cookies are horrendously abused. There should never be a need for cookies until you choose preferences or login to a website.

      It's about time the net at large woke up to P3P, or better yet webmasters started thinking before they mindlessly implement cookies for tracking their visitors.

  7. Does this surprise anyone? by Jailbrekr · · Score: 5, Informative

    Its a caching proxy server for crying out loud. It caches web pages and feeds you the cached version. This is not new nor is it surprising, especially for a new service offering.

    --
    Feed the need: Digitaladdiction.net
    1. Re:Does this surprise anyone? by 44BSD · · Score: 4, Informative

      It is more than a caching proxy.

      The client-side portion of the architecture aggressively prefetches content. It's a two-stage proxy, really, and the issue some people have with it is that the content in the portion on the end-user's hard drive is not content that the user asked for, but content that the proxy predicts the user will soon ask for.

    2. Re:Does this surprise anyone? by smittyoneeach · · Score: 5, Funny

      It all makes sense now.
      /.ers are worried about TFA actually being downloaded to their machine, diminishing the /. effect and utterly wrecking their cred.
      I, for one, think that in Soviet Googlia, cache prefetches you .

      --
      Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
  8. Had to remove it from my computer by PenguinBoyDave · · Score: 4, Informative

    I had to remove it from my system. It hijacked my browser, and I was not able to browse my companies internal websites because it over-rode our proxy. Bummer too...it worked great

    --
    I'm not a troll, but I play one on Slashdot.
    1. Re:Had to remove it from my computer by Chyeld · · Score: 5, Informative

      Why didn't you just tell it not to get in ivolved when browsing that domain? It does have exclusion rules built in.

  9. Bigger problems with web accelerator by alphakappa · · Score: 4, Informative

    The accelerator prefetches the links on web pages, in effect clicking on all of them (except ads), which includes links that say 'delete this' or 'unsubscribe' etc. Many webpages use GET links to do these actions, and this is causing pages to disappear. Until web apps are rewritten to take note of the prefetch header, it's probably unsafe to use the accelerator. (Which seems to be offline at the moment - the page redirects you to the toolbar)

    --
    "When the only tool you own is a hammer, every problem begins to resemble a nail." - Abraham Maslow (1908-1970)
    1. Re:Bigger problems with web accelerator by poot_rootbeer · · Score: 4, Insightful

      links that say 'delete this' or 'unsubscribe' etc. Many webpages use GET links to do these actions

      In which case, many webpages are BROKEN AS HELL.

      Come on, "webmasters". I knew well enough to implement any irreversible actions as a form with method=POST to prevent spiders from triggering them back in 1998. There's no excuse for a professional web developer to make that mistake in 2005.

      Google being the global aggregator that it is, though, should have expected the worst and foreseen that this kind of thing would happen and planned for it. Disappointing.

  10. Bad caching directives by Sebby · · Score: 5, Informative
    We encounted similar problems when we implemented aggressive caching on our site; mostly that we didn't set the headers properly.

    this site was pretty useful for information. So was AOL webmaster resources info.

    --

    AC comments get piped to /dev/null
  11. Cache-Control is your friend. by oneiros27 · · Score: 5, Informative
    If Google is ignoring Cache-Control headers, then that's one thing to complain about. There's also a good chance that some of these sites are using improper systems for session control (eg, using HTTP_ADDR without checking X_FORWARDED_FOR, and not setting Cache-Control on their response).

    For more info about these known issues with HTTP caching, see the following
    --
    Build it, and they will come^Hplain.
  12. Adsense clicks by broothal · · Score: 4, Interesting

    Has anyone read how google will deal with adsense clicks? Since all users of the accellerator will come from the same IP, will that IP decrease in value? (It's well known that the same IP can't just click again and again and generate revenue).

  13. NoCache directive by Sir+Pallas · · Score: 4, Insightful

    Shouldn't those sites be using the NoCache directive and shouldn't Google be honoring it? I wonder which side is at fault. At any rate, fears about information leakage are kind of silly because of the volume of traffic that Google services. The accelerator allows them to see link patterns, but no one could store, let alone process, an entire day's worth of data after the fact. The same is true for Google Mail: no person ever sees your email; an algorithm does, and tailors simple, pertinent advertising in exchange for an otherwise free service. The accelerator can only make the search engine better for everyone. Anyone that uses it is giving back, contributing to the synergistic knowledge of Google.

  14. caching personalized content != caching cookies by SuperBanana · · Score: 5, Informative
    How does caching your cookies to the internet help speed up your local browsing?

    Who said it was a cookie that was cached, and not the page content? Much of the discussion thusfar seemed based off what an anonymous quote in a ZDnet article. Far as I can tell, the guy saw "Welcome back, Bob!" and freaked, when he wasn't -actually- logged in as Bob. Furthermore, who says it isn't Futuremark (or their forum software- because we all know how security-conscious PHP/MySQL forum software is) tagging their pages as cacheable when they shouldn't be? If Google is ignoring "don't cache this page", now yes, we have a problem- but the ZDnet story is of a technical level I'd expect of a community newspaper, so it's kind of hard to tell. It's like a story in your city newspaper that read "somebody killed by a cop!" and going off on a rant about police brutality...only to find out later the guy was a bank robber with an Uzi.

    Before you get all excited about bank sites etc- keep in mind those often use very unique URLs for each page and other tricks.

    --
    Please help metamoderate.
  15. Time to try this out on EBAY! by Thud457 · · Score: 4, Funny

    SEE?!!! I told you that if these corporate identity thefts kept up, we'd all end up having the same identity!

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  16. Much more "beta" then most google betas by RebornData · · Score: 4, Interesting

    I just deleted the accelerator from my system after trying it for the last day, and I must say that it is much less mature than most of the "Beta" products google releases. It caused several significant issues with Firefox on my system, including:

    1. Links that open another window stopped working entirely (although they worked if I right-clicked and selected "open in new tab")

    2. Even after closing all Firefox windows, a firefox.exe process would remain running, and prevent any new firefox windows from being opened until it was manually killed

    3. "Proxy not available" errors when opening several pages at once, such as when using the Firefox "open in tabs" on a folder of bookmarks.

    And I haven't even checked into some of these cookie / privacy issues. Perhaps these issues are unique to my system, but my environment is pretty vanilla... I just run a few of the more popular Firefox plugins. Removing the GWA cleared up all of the problems cited above.

    Up to this point, I've always been very impressed with the level of testing that has gone into Google software products before they enter Beta. In this case, I'm not. Hope this isn't a sign of things to come.

    -R

  17. You say that, but... by Sialagogue · · Score: 4, Insightful

    How long has Google Groups been labelled Beta now, two years maybe? How many users does it have?

    If a wide number of even adventurous, risk-taking users could be exposed to a potentially significant security hole, then word should get out more widely than just Google's "thanks for the feedback" e-mail addresses.

    Beta is not the Greek word for "without responsibility." As much as we criticize Microsoft for making the idea of a "release date" (or "security") meaningless, I think Google's well on it's way to making the idea of the "Beta Release" meaningless.

    They act like a small, groovy coding lab with Beta releases and all, but seemingly aren't simultaneously recognizing that because of their prominence in consumer's minds, *anything* they do has widespread impact on ordinary Net consumers. So a true, uncontrolled Beta release? That's fine for me when I just coded a little midi tool and want to run it past my friends, but there's really no such thing when you're Google.

    I think that the number of users that adopt even their least publicized tools takes them out of the realm of the real intent of a Beta release, especially when security issues are involved.

    --
    The only acceptable defense of scientific results is to say that they were the product of the Scientific Method.
    1. Re:You say that, but... by ajs · · Score: 4, Interesting

      "How long has Google Groups been labelled Beta now, two years maybe? How many users does it have?"

      So you would have them move it out of beta sooner? Not beta it? What's the solution you're proposing?

      Are you saying that software that Google issues in beta should be bug free, or are you suggesting that Google, being a search engine and all, should be scraping all of the Web's most popular forums as their bug reporting mechanism?

      I'm really not sure what you're proposing, here.

    2. Re:You say that, but... by nmk · · Score: 5, Insightful

      I think he's probably proposing that they should stop acting like pussies and start taking some responsibility for their software. Like he said Google has turned the very concept of the Beta into a joke. If MS was to keep a major piece of software in Beta for three or four years (as does Google), they would be accused of incompetence. I think the same should apply to Google.

  18. Futuremark's problem, not Google's by Temporal · · Score: 4, Informative
    I assume Google has properly implemented the HTTP/1.1 caching mechanisms. Among these, it is possible for a server to mark a page as being "private", meaning that it should never be cached in a public cache like Google's. Another thing the server can do is set "Vary: Cookie", which indicates that the server will produce different pages for people who give it different cookies.

    Here are the headers that the Futuremark forums give me when I am logged in:
    HTTP/1.1 200 OK
    Date: Fri, 06 May 2005 18:10:16 GMT
    Server: Apache/1.3.29 (Unix) mod_perl/1.29
    Transfer-Encoding: chunked
    Content-Type: text/html
    As you can see, neither "Cache-Control: private" nor "Vary: Cookie" is given. In fact, the server doesn't even give an expiration date for the content. Under these conditions, the HTTP/1.1 protocol says that it is perfectly OK for a cache to keep this page for awhile and serve it to other people.

    This problem is firmly the fault of the people who wrote Futuremark's forums. This constitutes a major security hole in the WWWThreads forum package, because this problem will occur when using any standards-compliant HTTP cache. I would strongly recommend against the use of these forums on any web site until they fix their security problems.

    (I do not know if other forum software has this problem, but frankly it would not surprise me. It seems lots of PHP developers and other high-level web programmers have no idea how HTTP/1.1 works, and assume that headers are completely unimportant. I have written a web server and forum software myself, though, and I made damned sure that mine produces the right headers.)
  19. Response by Otto · · Score: 5, Informative
    The web accelerator ignores robots.txt.


    The web accelerator is not a robot, so this is correct behavior.

    The web accelerator ignores the NOARCHIVE meta.


    NOARCHIVE is a Google specific extension to the robots.txt specification, and again, this is not a robot.

    I believe, but have yet to confirm, that it ignores any no-cache pragma headers.


    I'd be absolutely shocked if that were actually the case. I also believe it respects the Expires header as well as the Cache-Control header.

    It avoids prefetching anything with a question mark in the URL, but what about all those PATH_INFO dynamic links we've been installing for the last four years so that our dynamic pages look like static URLs? Google prefetches many of these, and there are numerous reports that this prefetching, along with some cookie mishandling by Google, is breaking sites out there. Does Google care?


    If they're following the proper standards, then it's not their place to care or not. If your website doesn't properly specify cache-control (many don't) then you get what you get.

    For any pages with user-specific content, add the "Cache-Control: private" header and voila, problem solved for you.

    If you want to opt out entirely, then a simple "Cache-Control: no-cache" header in your HTTP responses would do the trick, as would "Pragma: no-cache", I bet.

    Furthermore, there is no cookie-mishanding I've actually seen, and I've tested it. It passes cookies through just fine, without caching them, near as I can tell.
    --
    - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.