Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Fears Over Google Accelerator

Posted by Zonk on from the road-to-hell-is-paved-with-web-caching dept.

Espectr0 writes "A software tool launched by Google on Wednesday that speeds up the process of downloading Web sites (covered recently on Slashdot) has caused some users to worry about their privacy. A ZDNet article discusses problems that users have been experiencing with the information that is cached by the software. On a Google Labs discussion group, one user said that 'I went to the Futuremark forums and noticed that I'm logged in as someone I don't know...'" Commentary also available on Signal vs. Noise and BlogNewsChannel.

14 of 355 comments (clear)

  1. Google Privacy-b-gone! by ShaniaTwain · · Score: 5, Funny

    'I went to the Futuremark forums and noticed that I'm logged in as someone I don't know...'

    thats not a bug, its a feature.

    --
    Starsucks
  2. All Together Now... by Future+Linux-Guru · · Score: 5, Insightful

    B
    E
    T
    A

    You'll get better results filing a report with Google as opposed to complaining on /.

    As for me, I used the 3.7 minutes I've saved so far to spend some quality time with my friends.

    1. Re:All Together Now... by Chicane-UK · · Score: 5, Funny

      As for me, I used the 3.7 minutes I've saved so far to spend some quality time with my friends.

      Rosie Palm and her 5 sisters? ;)

      --
      "Hey! Unless this is a nude love-in, get the hell off my property!!"
    2. Re:All Together Now... by arkanes · · Score: 5, Insightful

      I think a more obvious answer here is that GWA is exposing web security bugs on a wide variety of applications. It's worth noting that if GWA can compromise your security, then it can be done intentionally as well. Which is not to say that caching issues should be ignored, or that there may not be a real problem with users getting some other users cookies. But if GWA can seriously affect your website, then instead of bitching that GWA is breaking your website like SomethingAwful did, you need to realize that your security was already flawed and you need to fix it.

  3. Privacy eh? by funny-jack · · Score: 5, Interesting

    I found it a bit amusing that when I clicked the story link, the destination site, as well as three other sites, each attempted to save a cookie on my computer. Four cookies. To read a news story. That's necessary.

    --
    You probably shouldn't click this.
  4. Does this surprise anyone? by Jailbrekr · · Score: 5, Informative

    Its a caching proxy server for crying out loud. It caches web pages and feeds you the cached version. This is not new nor is it surprising, especially for a new service offering.

    --
    Feed the need: Digitaladdiction.net
    1. Re:Does this surprise anyone? by smittyoneeach · · Score: 5, Funny

      It all makes sense now.
      /.ers are worried about TFA actually being downloaded to their machine, diminishing the /. effect and utterly wrecking their cred.
      I, for one, think that in Soviet Googlia, cache prefetches you .

      --
      Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
  5. Re:Had to remove it from my computer by Chyeld · · Score: 5, Informative

    Why didn't you just tell it not to get in ivolved when browsing that domain? It does have exclusion rules built in.

  6. Bad caching directives by Sebby · · Score: 5, Informative
    We encounted similar problems when we implemented aggressive caching on our site; mostly that we didn't set the headers properly.

    this site was pretty useful for information. So was AOL webmaster resources info.

    --

    AC comments get piped to /dev/null
  7. Cache-Control is your friend. by oneiros27 · · Score: 5, Informative
    If Google is ignoring Cache-Control headers, then that's one thing to complain about. There's also a good chance that some of these sites are using improper systems for session control (eg, using HTTP_ADDR without checking X_FORWARDED_FOR, and not setting Cache-Control on their response).

    For more info about these known issues with HTTP caching, see the following
    --
    Build it, and they will come^Hplain.
  8. caching personalized content != caching cookies by SuperBanana · · Score: 5, Informative
    How does caching your cookies to the internet help speed up your local browsing?

    Who said it was a cookie that was cached, and not the page content? Much of the discussion thusfar seemed based off what an anonymous quote in a ZDnet article. Far as I can tell, the guy saw "Welcome back, Bob!" and freaked, when he wasn't -actually- logged in as Bob. Furthermore, who says it isn't Futuremark (or their forum software- because we all know how security-conscious PHP/MySQL forum software is) tagging their pages as cacheable when they shouldn't be? If Google is ignoring "don't cache this page", now yes, we have a problem- but the ZDnet story is of a technical level I'd expect of a community newspaper, so it's kind of hard to tell. It's like a story in your city newspaper that read "somebody killed by a cop!" and going off on a rant about police brutality...only to find out later the guy was a bank robber with an Uzi.

    Before you get all excited about bank sites etc- keep in mind those often use very unique URLs for each page and other tricks.

    --
    Please help metamoderate.
  9. Re:I, for one, welcome by Sinus0idal · · Score: 5, Funny

    Even more worrying, Google has two left hands.

  10. Re:You say that, but... by nmk · · Score: 5, Insightful

    I think he's probably proposing that they should stop acting like pussies and start taking some responsibility for their software. Like he said Google has turned the very concept of the Beta into a joke. If MS was to keep a major piece of software in Beta for three or four years (as does Google), they would be accused of incompetence. I think the same should apply to Google.

  11. Response by Otto · · Score: 5, Informative
    The web accelerator ignores robots.txt.


    The web accelerator is not a robot, so this is correct behavior.

    The web accelerator ignores the NOARCHIVE meta.


    NOARCHIVE is a Google specific extension to the robots.txt specification, and again, this is not a robot.

    I believe, but have yet to confirm, that it ignores any no-cache pragma headers.


    I'd be absolutely shocked if that were actually the case. I also believe it respects the Expires header as well as the Cache-Control header.

    It avoids prefetching anything with a question mark in the URL, but what about all those PATH_INFO dynamic links we've been installing for the last four years so that our dynamic pages look like static URLs? Google prefetches many of these, and there are numerous reports that this prefetching, along with some cookie mishandling by Google, is breaking sites out there. Does Google care?


    If they're following the proper standards, then it's not their place to care or not. If your website doesn't properly specify cache-control (many don't) then you get what you get.

    For any pages with user-specific content, add the "Cache-Control: private" header and voila, problem solved for you.

    If you want to opt out entirely, then a simple "Cache-Control: no-cache" header in your HTTP responses would do the trick, as would "Pragma: no-cache", I bet.

    Furthermore, there is no cookie-mishanding I've actually seen, and I've tested it. It passes cookies through just fine, without caching them, near as I can tell.
    --
    - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.