Earlier this week at AMP Conf 2019, Google announced that it was now possible for Accelerated Mobile Pages (AMP) to display the original page’s URL, despite the page not actually being served from that URL. However, in the months leading up to that announcement, Apple and Mozilla have been voicing their concerns about the feature’s impact on the future security of the web.
When you open an AMP page from Google search, your browser does not load it from the publisher: it fetches a cached copy from Google’s AMP Cache. For example, when viewing this article via AMP, your browser’s navigation bar shows a google.com address instead of 9to5google.com.
This is obviously not great, but, for many, the drastic improvement in speed justifies the potential confusion. At AMP Conf 2019, Google unveiled a new feature for AMP called “Signed Exchanges” which allows the original domain to be displayed.
The trick is that the page only appears to come from the original domain; the bytes are still delivered by Google’s cache on google.com or ampproject.org. What changes is the proof the browser accepts. Instead of requiring a TLS connection to the publisher, it accepts a response that the publisher signed in advance with a certificate for its own domain, and it attributes the content to that domain. That is not inherently wrong, but the method Google uses to accomplish it, Signed Exchanges, has clear consequences for the web as a whole.
Most significantly, a page can now be delivered by a server that has no relation to the address shown, so the navigation bar no longer means what it used to. When it shows a particular URL, you expect that your browser connected to that website, not that it received a copy from a third party such as Google. The signature does guarantee that the publisher authored the bytes, but it does not guarantee that the publisher served them, that it still serves them, or that nobody else saw your request. If the future of the web really is AMP and similar technologies, the navigation bar is likely a relic of a previous era, but as it stands today, this is a radical change to our understanding of web browsers.
For now, these Signed Exchanges are only enabled in Chrome for Android (starting with version 73), but Google has proposed that the other major browsers adopt it as a proper web standard. This proposal was met with negativity and skepticism from Mozilla and Apple as far back as January 2018, with both pointing to the severity of the many “security considerations” that Google themselves have publicly listed in their draft proposal.
In one scenario the draft itself describes, an attacker who obtains the private key a site uses to sign its exchanges can then deliver false pages that appear in almost every way to be legitimate. That is worse than the equivalent TLS key theft: a stolen TLS key is only useful to an attacker positioned between the victim and the real server, whereas a stolen signing key lets forged pages be handed out from any host, and they keep verifying until the signature expires (the draft caps that at seven days) or the certificate is revoked. Because such a page never connects to the valid server, it leaves no trace there, and it would be difficult for admins to even detect.
Additionally, Mozilla has publicly shared its stance that Signed Exchanges are “harmful” and will not be implemented in Firefox as currently specified. In particular, they take issue with a browser presenting a website as if it came from its original source (or “authoritative server”) without ever connecting to it.
Mozilla has concerns about the shift in the web security model required for handling web-packaged information. Specifically, the ability for an origin to act on behalf of another without a client ever contacting the authoritative server is worrisome, as is the removal of a guarantee of confidentiality from the web security model (the host serving the web package has access to plain text). We recognise that the use cases satisfied by web packaging are useful, and would be likely to support an approach that enabled such use cases so long as the foregoing concerns could be addressed.
A leader of Apple’s Safari development team, Maciej Stachowiak, recently backed Mozilla’s stance, adding an almost humorously phrased explanation of what Signed Exchanges for AMP really is.
But even so, I’d say we are pretty uncomfortable with this approach, for similar reasons to Mozilla. We can see some advantages to Google re-serving the whole web from their own servers and getting browsers to present it as if it comes from the origin, but it also seems like a worrisome change to the web security model.
While other use cases exist for Signed Exchanges, such as securely delivering a web page “offline” (via a USB stick, for example), it seems clear that improving AMP is the driving force behind Google’s development of it.
In the last few months, Google has attempted to change Mozilla’s stance on Signed Exchanges, but thus far no progress has been made.