Signed HTTP exchanges are now a thing before even completing the standardization process. That's because Google needs it to shove AMP in every web corner it controls (and beyond to a degree).

(Accurate) Snark aside, what is this thing and is it good?
References to play along:

1. Google's announcement webmasters.googleblog.com/2019/04/instan…

2. Google's explanation developers.google.com/web/updates/20…

3. Latest draft of the spec wicg.github.io/webpackage/dra…

4. Mozilla's position mozilla.github.io/standards-posi…

5. Google's privacy comments: blog.amp.dev/2018/07/23/pri…
Let me attempt a simple explanation based on how I understand it: The web currently works when a browser connects to some server requesting content. The server responds with the content.
If the connection is over TLS, i.e. an HTTPS connection, the server's response comes with cryptographic guarantees that the browser connected to the right server and no one modified the content.
With signed exchanges, the browser connects to an intermediary, like a cache or CDN, instead of the original server.

Even if the connection to the intermediary is over TLS, there is a problem: the browser can only get guarantees it connected to the right intermediary.
With a signed exchange, the original server packages the content with a verifiable cryptographic signature that allows the intermediary to guarantee the response as if it came from the original server.
This signature allows the browser to pretend it connected to the original server instead of the intermediary.
For Google AMP, this solves one of the biggest complaints: that the Google AMP cache is hosted on google.com and the browsers display that URL, not the original source server.
A useful idea in principle, but it has problems right now.

It breaks many assumptions about how the web works. It breaks how the browsers' UIs and security signals currently work, the same ones we've been hammering into users to look for to establish trust in a website.
For example, looking at the animation in Google's announcement, the searcher asked for the website amp.dev, got the AMP content served from Google's cache, but notice how the browser URL bar shows it's amp.dev.
So why the controversy? Google is acting too quickly. Other browsers and internet stakeholders have well-founded concerns, and the correct mechanism to address them is the standardization process.

Google skipped all that. Naughty.
Also, the one I care about the most is privacy. Google is preaching about privacy in the announcement. The premise is interesting: it's about the intermediary protecting the user from the original server (the source), until there is a clear signal the user wants that.
Let that sink in a bit: Google is saying that its intermediary, the AMP cache, will ring-fence user requests so that the original server doesn't see the user until intent is clear.
Now, I don't think that's too crazy a stance (I see its merits), but it's not problem-free: It's another pillar supporting Google's walled garden. Discussions around that are for another thread (and require beer or similar). /End
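
The mechanism described in the thread (the origin signs, an intermediary delivers, the browser verifies), as an added example that is not part of the original thread and is not the signed exchange wire format from the draft spec. It is a simplified model: Ed25519, the JSON envelope, the pinned key map, the expiry field, the `example.test` URLs and all function names are assumptions made for illustration.

```javascript
// Simplified model of a signed exchange (added example; NOT the real wire format).
const crypto = require('node:crypto');

// Hypothetical origin key pair. In the real design the public key comes from a
// certificate issued for the origin; here it is pinned directly (assumption).
const origin = crypto.generateKeyPairSync('ed25519');
const trustedKeys = new Map([['https://example.test', origin.publicKey]]);

// Bytes covered by the signature: the URL, an expiry time and a body digest.
function signedBytes(url, expires, body) {
  const digest = crypto.createHash('sha256').update(body).digest('hex');
  return Buffer.from(JSON.stringify({ url, expires, digest }));
}

// Origin server: package the response together with its signature.
function packageExchange(url, body, expires, privateKey) {
  const sig = crypto.sign(null, signedBytes(url, expires, body), privateKey);
  return { url, body, expires, signature: sig.toString('base64') };
}

// Browser: the bytes arrived from an intermediary, so trust rests only on the
// signature verifying under the key of the origin named in the URL.
function verifyExchange(exchange, now) {
  const claimedOrigin = new URL(exchange.url).origin;
  const key = trustedKeys.get(claimedOrigin);
  if (!key) return { ok: false, reason: 'no key for origin' };
  if (now >= exchange.expires) return { ok: false, reason: 'expired' };
  const valid = crypto.verify(null,
    signedBytes(exchange.url, exchange.expires, exchange.body),
    key, Buffer.from(exchange.signature, 'base64'));
  return valid ? { ok: true, displayOrigin: claimedOrigin }
               : { ok: false, reason: 'bad signature' };
}

// Constructed sample: the origin signs once; the cache stores and serves it.
const NOW = 1_700_000_000; // constructed timestamp, seconds
const cached = packageExchange('https://example.test/article',
  '<h1>Hello</h1>', NOW + 3600, origin.privateKey);
// What an intermediary cannot do without invalidating the signature:
const tampered = { ...cached, body: '<h1>Changed by cache</h1>' };
const relabelled = { ...cached, url: 'https://example.test/login' };

console.log(verifyExchange(cached, NOW));        // accepted as example.test
console.log(verifyExchange(tampered, NOW));      // body no longer matches digest
console.log(verifyExchange(relabelled, NOW));    // URL is covered by the signature
console.log(verifyExchange(cached, NOW + 7200)); // cache served it past expiry
```

The accepted case returns the origin the browser would show in the URL bar, which is exactly the UI behaviour the thread flags: the bytes came from the intermediary, but the displayed origin is the signer's.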
Subscribe to Pierre Far