Yes, but I think you may be missing the point they were trying to make. This is simply a form of caching for content delivered over HTTPS that preserves the key properties of HTTPS. The browser gets the blob and confirms cryptographically the origin of the blob. It can then show the user that origin information so they can know where the content came from. This is the thing browser UI is supposed to communicate to the user.
This is why Google is analogous to Comcast here. Neither can mess with the content or impact its origin. They are just part of the packet transmission system in between.
Hence this is a huge win. Previously, AMP was served off of Google servers where Google was the man in the middle aware of and even able to manipulate the content. The scripts were running on their origin, etc.
Now with this signed exchange tech, the contract is between browser and origin server. The Google cache is now super dumb, which is a big improvement from a privacy and security perspective.
> Now with this signed exchange tech, the contract is between browser and origin server. The Google cache is now super dumb, which is a big improvement from a privacy and security perspective.
Transparently serving content from google when the url says something else is a complete loss of privacy and security from a user-perspective.
Only if the user doesn't understand how cryptographic signing and verification works. Otherwise, they'll know that doing things this ways actually creates stronger guarantees of privacy than what previously was done.
Once they've been encrypted, it's all just gibberish to the intermediaries. If you truly do see this as a massive loss of privacy, then why are you not outraged at Comcast and others that regularly act as middlemen with your encrypted data today?
The lack of this option is the single most eloquent statement of Google's coercive intentions for AMP. It's incredibly easy to implement, and if they were really about improving user experience they'd provide it in a heartbeat.
"The answer to the AMP URL problem are "signed exchanges", which allow a publisher's domain to be displayed in the browser address bar, even though the content is loaded from Google's cache when a user clicks on an AMP link in Google Search results."
Someone smart thought this was a good idea.
"This allows you to use first-party cookies and storage to customize content and simplify analytics integration. Your page appears under your URL instead of the google.com/amp URL."
Creating opacity in security and misdirection in trust is unwise for users. Making the address bar lie is dangerous.
I just don't get how the smart people at Google allow this to happen. The developers of Chrome and AMP can try to rationalize bad behavior but I'm surprised how all their coworkers let it stand. There was once a Google that would have been displeased with this kind of action.
How is the signed exchange materially different than just having the browser make the request when you click on a link?
Google hits the page beforehand, gets a cryptographically signed package of assets, verifies its contents and returns that to the user when the user clicks a link versus having the browser make the request itself at that time.
Agreed. As long as it's crypto-signed byte-for byte and matches exactly what the original website published, then the actual TCP connection used to deliver the data is irrelevant.
Google needs to deliver it or the browser wouldn’t be able to pre-cache the content for the user since it would leak to the publisher that the content was shown in a search result.
We don't need to pre-cache results. We just need faster loading websites without the bullshit JavaScript that does... Nothing.
Google can, and has since inception, shown a 2-sentence description plus a title. If I as a searcher find that useful, I click through to the publisher site. This is a good system.
AMP simply steals the entirety of the content from the publisher and serves it for them. That's not Google's job. And that's absolutely terrible for publishers.
The solution is to provide tools and guidelines for publishers to follow for a better user experience, not cut them out completely. Fix the problem at the root.
How is showing a page in < 100ms versus 2+ seconds a made up problem? There is no way without pre-fetching to deliver an instant experience.
Also, what do you mean that google steals content from publishers? Publishers are in control of the ads running on amp pages (and receive the revenue), with over 100 ad networks supported by it.
I don't need a page to show up in 100ms. 2 seconds isn't a problem. 5 seconds is, but I'll wait it out for something I'm really interested in.
Regardless, this stuff can all be done externally with current tech. Fairly easily. Serving up cached pages and lazy loading images resolves 90% of pagespeed issues. Removing JavaScript where it's not needed (almost everywhere) is another huge step.
There is no legitimate reason - zero - for Google to go so hamfisted with this. The only reason it's being shoved down everyone's throat is because it gives them more control over publishers.
Tech should be instant. 100ms is near enough instant in my book. Anything more is sub-par. It's wasting human time and attention. It's slowing people down from doing what they want to do.
Imagine pages loaded in 100ms. You could flick through them by holding down a key like scrubbing through a video for a scene you like. You could eliminate tabs in a browser because there's no need to have many open at once when you can switch to any webpage with no delay. Think about it - tabs are simply a crutch to have a small set of webpages ready-loaded and quick to switch to! Thats how badly we need instant load webpages - we have invented workarounds!
Just because people have become normalized to something taking too long isn't a reason to not strive to make it better.
>Think about it - tabs are simply a crutch to have a small set of webpages ready-loaded and quick to switch to!
Usually not because the page takes long to load, but because we need to quickly switch between contexts. The biggest slow down here is not the page load speed, but the _human_ interactions required to get to that other context. Tabs exist because we don't have enough screen real estate to display all the multiple contexts we need at the same time.
Frankly I don't perceive a performance difference between AMP results and regular results. There are abysmally slow pages, but those are the minority of pages I visit, and they often do not invest in AMPifying their page.
I mean really, if AMP was so valued by users, Google wouldn't have to artificially pin all AMP results at the top of their search results. They wouldn't have to limit the ability to opt-out. They could offer an AMP sibling result and see which one wins out the SEO war. But by forcing AMP links to the top, they force publishers to give over their content to Google's servers or be dropped from search results. This is a monopolizing play, not an openness play.
> I just don't get how the smart people at Google allow this to happen.
We'll probably never get a true answer to this, can only speculate. This appears to be group(s)think in action, where the involved parties feel justified, even entitled, to make this change for the 'betterment of the web'.
Think back to when the Chrome/ium team decided to hide 'www' and 'm' from URLs and had to roll back that decision pretty quickly. I cannot find the post where an engineer indicated that in their internal discussions this seemed like a good idea.
Given the massive browser share that Chrome/ium commands, the decisions being made around tampering with the address bar and making it behave in a way that does not reflect the underlying protocols, would not occur in a team with healthy debate around the merits and dangers of such actions - so I believe that debate is either not happening or simply being suppressed at multiple levels within the organisation.
> Think back to when the Chrome/ium team decided to hide
> 'www' and 'm' from URLs and had to roll back that decision
> pretty quickly. I cannot find the post where an engineer
> indicated that in their internal discussions this seemed
> like a good idea.
Wasn't it Apple who started with this? I seem to recall seeing their web browser only showing the main domain of the website.
The only positive constant users have had since 1994 is that the URL doesn't lie. You can look at it and figure out if you're safe or not. Now Google wants to hide that from users by this masquerading going on. That is simply terrible and doomed to be exploited in the years to come.
The only people who win here are the scammers who will defraud users.
You can‘t really, though. Many people have been fooled by fake URL‘s. Nobody checks the cert. To say nothing of the non-human-readable token URL‘s in emails.
Password managers and hardware tokens (Android phones too now) are actually a much better defense against phishing.
Maybe not directly scamming exploiting this mechanism, but it might destroy the healthy habit of URL checking and being aware of what is going on. Instead people are given a false "seamless" experience. In the future similar white lies might be adopted by other companies, and eventually exploited. Just like the endless bombardment of cookies warnings trained people to just click through "OK"s and "Accept"s. Paired with introduction of the new Google portals, people might get used to opening a site within a site, or a site that is not the site. Now you can scam people by making them believe your shady website has a seamless Paypal/Visa portal, but it's just a css copycat and a private database of fools.
I don't know why I'm always weary of increased levels of abstraction in interfaces.
Why is google unable to work with CNAME again, I’m sure amp.washingtonpost.com would suffice? This seems like a Rube Goldberg machine for something with tons of existing solutions...
42 comments
[ 2.8 ms ] story [ 98.3 ms ] threadOn the contrary, this makes the problem much, much worse by the url-bar no longer being a reliable indicator of the url actually fetched.
Can’t AMP just die already? That would actually solve the problem.
By your argument, all URL's should say "Comcast", because all webpages you load at home are from Comcast...
Routers, switches and repeaters in the middle are serving nothing, they are relaying IP packets at the transport layer.
If you can’t tell the difference, you may want to read up on basic network layers.
This is why Google is analogous to Comcast here. Neither can mess with the content or impact its origin. They are just part of the packet transmission system in between.
Hence this is a huge win. Previously, AMP was served off of Google servers where Google was the man in the middle aware of and even able to manipulate the content. The scripts were running on their origin, etc.
Now with this signed exchange tech, the contract is between browser and origin server. The Google cache is now super dumb, which is a big improvement from a privacy and security perspective.
Transparently serving content from google when the url says something else is a complete loss of privacy and security from a user-perspective.
That’s a massive loss of privacy right there. How is that even debatable?
Also given how Google works, I think it’s reasonable to assume that enabling this additional Google-tracking was the primary intention behind AMP.
My isp cannot do that because the url is part of an encrypted transfer, but a transfer google now has allowed themselves to snoop into.
https://www.ctrl.blog/entry/amp2html-extension.html
I opted out of this bullshit when it came out, works on Android Firefox too!
Someone smart thought this was a good idea.
"This allows you to use first-party cookies and storage to customize content and simplify analytics integration. Your page appears under your URL instead of the google.com/amp URL."
Creating opacity in security and misdirection in trust is unwise for users. Making the address bar lie is dangerous.
I just don't get how the smart people at Google allow this to happen. The developers of Chrome and AMP can try to rationalize bad behavior but I'm surprised how all their coworkers let it stand. There was once a Google that would have been displeased with this kind of action.
Google hits the page beforehand, gets a cryptographically signed package of assets, verifies its contents and returns that to the user when the user clicks a link versus having the browser make the request itself at that time.
Amp is a solution that creates more problems than it helps. But it's a strategic move for Google to exert more control over publishers.
We don't need to pre-cache results. We just need faster loading websites without the bullshit JavaScript that does... Nothing.
Google can, and has since inception, shown a 2-sentence description plus a title. If I as a searcher find that useful, I click through to the publisher site. This is a good system.
AMP simply steals the entirety of the content from the publisher and serves it for them. That's not Google's job. And that's absolutely terrible for publishers.
The solution is to provide tools and guidelines for publishers to follow for a better user experience, not cut them out completely. Fix the problem at the root.
Also, what do you mean that google steals content from publishers? Publishers are in control of the ads running on amp pages (and receive the revenue), with over 100 ad networks supported by it.
Regardless, this stuff can all be done externally with current tech. Fairly easily. Serving up cached pages and lazy loading images resolves 90% of pagespeed issues. Removing JavaScript where it's not needed (almost everywhere) is another huge step.
There is no legitimate reason - zero - for Google to go so hamfisted with this. The only reason it's being shoved down everyone's throat is because it gives them more control over publishers.
Tech should be instant. 100ms is near enough instant in my book. Anything more is sub-par. It's wasting human time and attention. It's slowing people down from doing what they want to do.
Imagine pages loaded in 100ms. You could flick through them by holding down a key like scrubbing through a video for a scene you like. You could eliminate tabs in a browser because there's no need to have many open at once when you can switch to any webpage with no delay. Think about it - tabs are simply a crutch to have a small set of webpages ready-loaded and quick to switch to! Thats how badly we need instant load webpages - we have invented workarounds!
Just because people have become normalized to something taking too long isn't a reason to not strive to make it better.
Usually not because the page takes long to load, but because we need to quickly switch between contexts. The biggest slow down here is not the page load speed, but the _human_ interactions required to get to that other context. Tabs exist because we don't have enough screen real estate to display all the multiple contexts we need at the same time.
Frankly I don't perceive a performance difference between AMP results and regular results. There are abysmally slow pages, but those are the minority of pages I visit, and they often do not invest in AMPifying their page.
I mean really, if AMP was so valued by users, Google wouldn't have to artificially pin all AMP results at the top of their search results. They wouldn't have to limit the ability to opt-out. They could offer an AMP sibling result and see which one wins out the SEO war. But by forcing AMP links to the top, they force publishers to give over their content to Google's servers or be dropped from search results. This is a monopolizing play, not an openness play.
But AMP is too high of a cost to pay. It's just not the right answer. The negatives greatly outweigh the benefits.
We'll probably never get a true answer to this, can only speculate. This appears to be group(s)think in action, where the involved parties feel justified, even entitled, to make this change for the 'betterment of the web'.
Think back to when the Chrome/ium team decided to hide 'www' and 'm' from URLs and had to roll back that decision pretty quickly. I cannot find the post where an engineer indicated that in their internal discussions this seemed like a good idea.
Given the massive browser share that Chrome/ium commands, the decisions being made around tampering with the address bar and making it behave in a way that does not reflect the underlying protocols, would not occur in a team with healthy debate around the merits and dangers of such actions - so I believe that debate is either not happening or simply being suppressed at multiple levels within the organisation.
Wasn't it Apple who started with this? I seem to recall seeing their web browser only showing the main domain of the website.
This x1000.
The only positive constant users have had since 1994 is that the URL doesn't lie. You can look at it and figure out if you're safe or not. Now Google wants to hide that from users by this masquerading going on. That is simply terrible and doomed to be exploited in the years to come.
The only people who win here are the scammers who will defraud users.
Password managers and hardware tokens (Android phones too now) are actually a much better defense against phishing.
The page shown to user is cryptographically verified to have been fetched from the url shown to the user in chrome’s url bar.
I don't know why I'm always weary of increased levels of abstraction in interfaces.
B/c people at Google have the delusion that they are the internet.