,
14 tweets,
4 min read
Read on Twitter
Signed HTTP exchanges are now a thing before even completing the standardization process. That's because Google needs it to shove AMP in every web corner it controls (and beyond to a degree).
(Accurate) Snark aside, what is this thing and is it good?
(Accurate) Snark aside, what is this thing and is it good?
References to play along:
1. Google's announcement webmasters.googleblog.com/2019/04/instan…
2. Google's explanation developers.google.com/web/updates/20…
3. Latest draft of the spec wicg.github.io/webpackage/dra…
4. Mozilla's position mozilla.github.io/standards-posi…
5. Google's privacy comments: blog.amp.dev/2018/07/23/pri…
1. Google's announcement webmasters.googleblog.com/2019/04/instan…
2. Google's explanation developers.google.com/web/updates/20…
3. Latest draft of the spec wicg.github.io/webpackage/dra…
4. Mozilla's position mozilla.github.io/standards-posi…
5. Google's privacy comments: blog.amp.dev/2018/07/23/pri…
Let me attempt a simple explanation based on how I understand it: The web currently works when a browser connects to some server requesting content. The server responds with the content.
If the connection is over TLS, i.e. an HTTPS connection, the server's response comes with cryptographic guarantees that the browser connected to the right server and now one modified the content.
With signed exchanges, the browser connects to an intermediary, like a cache or CDN, instead of the original server.
Even if the connection to the intermediary is over TLS, there is a problem: the browser can only get guarantees it connected to the right intermediary.
Even if the connection to the intermediary is over TLS, there is a problem: the browser can only get guarantees it connected to the right intermediary.
With a signed exchange, the original server packages the content with a verifiable cryptographic signature that allows the intermediary to guarantee the response as if it came from the original server.
This signature allows the browser to pretend it connected to the original server instead of the intermediary.
For Google AMP, this solves one of the biggest complaints, that the Google AMP cache is hosted on google.com and the browsers display that URL, not the source original server.
A useful idea in principle, but it has problems right now.
It breaks many assumptions about how the web works. It breaks how the browsers' UIs and security signals currently work, the same ones we've been hammering into users to look for to establish trust in a website.
It breaks many assumptions about how the web works. It breaks how the browsers' UIs and security signals currently work, the same ones we've been hammering into users to look for to establish trust in a website.
So why the controversy? Google is acting too quickly. Other browsers and internet stakeholders have well-founded concerns, and the correct mechanism to address them is the standardization process.
Google skipped all that. Naughty.
Google skipped all that. Naughty.
Also, the one I care about the most is privacy. Google is preaching about privacy in the announcement. The premise is interesting: it's about the intermediary protecting the user from the original server (the source), until there is a clear signal the user wants that.
Let that sink in a bit: Google is saying that its intermediary, the AMP cache, will ring-fence user requests so that the original server doesn't see the user until intent is clear.
Now, I don't think that's too crazy a stance (I see its merits), but it's not problem-free: It's another pillar supporting Google's walled garden. Discussions around that are for another thread (and requires beer or similar). /End
