Hacker News new | ask | show | jobs
by foobarding 2552 days ago
Yes, but I think you may be missing the point they were trying to make. This is simply a form of caching for content delivered over HTTPS that preserves the key properties of HTTPS. The browser gets the blob and confirms cryptographically the origin of the blob. It can then show the user that origin information so they can know where the content came from. This is the thing browser UI is supposed to communicate to the user.

This is why Google is analogous to Comcast here. Neither can mess with the content or impact its origin. They are just part of the packet transmission system in between.

Hence this is a huge win. Previously, AMP was served off of Google servers where Google was the man in the middle aware of and even able to manipulate the content. The scripts were running on their origin, etc.

Now with this signed exchange tech, the contract is between browser and origin server. The Google cache is now super dumb, which is a big improvement from a privacy and security perspective.
1 comments
josteink 2552 days ago
> Now with this signed exchange tech, the contract is between browser and origin server. The Google cache is now super dumb, which is a big improvement from a privacy and security perspective.

Transparently serving content from google when the url says something else is a complete loss of privacy and security from a user-perspective.

link
lawrenceyan 2552 days ago
Only if the user doesn't understand how cryptographic signing and verification works. Otherwise, they'll know that doing things this ways actually creates stronger guarantees of privacy than what previously was done.
link
josteink 2552 days ago
But now Google gets to track my requests where they previously couldn’t, because my request goes to their server.

That’s a massive loss of privacy right there. How is that even debatable?

Also given how Google works, I think it’s reasonable to assume that enabling this additional Google-tracking was the primary intention behind AMP.

link
lawrenceyan 2551 days ago
Once they've been encrypted, it's all just gibberish to the intermediaries. If you truly do see this as a massive loss of privacy, then why are you not outraged at Comcast and others that regularly act as middlemen with your encrypted data today?
link
josteink 2551 days ago
They see the URL I’m requesting. It’s trivial for them to request that same content.

My isp cannot do that because the url is part of an encrypted transfer, but a transfer google now has allowed themselves to snoop into.

link