AlanBarber.Org
Sunday, May 08, 2005
Google Web Accelerator Security Issues
Those crazy boys and girls at Google have released yet another tool. Called the Google Web Accelerator, it’s basically a proxy server/cache system. It’s also for broadband users only.
The basic premise of the thing is this. With Google having huge datacenters full of computers all over the place, you probably have a faster and more stable connection to Google’s systems than to the random webservers floating out in the net. So, instead of directly accessing websites you connect to the Google system and have it download the pages for you. Then Google caches the pages, and should another Web Accelerator user request the same page they just send the cached page.
In theory it sounds like a nice system but there are a few issues I have with it, and there’s one helluva big but too.
1) The boys and girls at Google know two things really well. Searching and selling strategic ads for the searches. I find it hard to believe that Google would offer this service if it doesn’t in some way allow them to incorporate one or both of these points.
My guess would be that they are monitoring all the pages that you visit using the Web Accelerator. Why? To improve search results of course. Think of the raw data you can get from monitoring browsing habits of people. If certain sites get lots of hits then there’s good reasoning that the content of those sites is considered better quality by web users. So give those sites a boost in their rank for their page content. Do some sites draw in many visitors that only follow links to other sites? By similar reasoning you might decide that these sites link to good content that web users find useful. So why not give these sites an improved rank worth too.
The paranoid might say that Google will get people hooked on the Accelerator and then start slipping in their Google ads into sites. That’s what spyware programs do and I don’t think Google would be that low to pull a stunt like that. They’ve taken a lot of time and money to convince people that they’re an ethical and upstanding company. Pulling crap like that would kill them.
2) Since Google is basically working as a proxy server, as a website operator and system admin I’m not too happy about that. Website operators and system admins often compile stats from their webserver logs. The webservers log every page access and include the IP addresses of every computer that connects to the site. You can do what’s called an IP lookup and find out some handy info about your visitors. You can find out what ISP or company owns the IP address. This lets you know a few facts such as the country the visitor is probably from and if they’re using broadband or not. As a website developer these facts help you design your site better for the users.
Problem is, Google is acting as a proxy server for users. That means all the access logs show the users coming from a Google datacenter. Now I have no ability to process those logs to get useful info from them.
The other part of this proxy thing that bothers me is the fact that I don’t like Google downloading my site content once, caching it and feeding it to others. Well this is a good and bad thing. The good being that it does reduce bandwidth and system load on my server but the bad is that I want visitors to access my site. I like to know how many people are actually visiting my website! I know I got one hit to my site from Google but no idea if 10 or 10,000 people visited my site today because they get their pages from Google’s servers not mine.
3) This is the big BUT that I have. This isn’t 1995. Web pages aren’t just static html pages that people upload to a server. Most page content is built on the fly. Web scripts pull content from databases and build custom pages for every visitor. Many sites have people log in to view these pages too. Currently, the Google Web Accelerator caches these dynamic pages and feeds them to other users.
Do you see the problem with this? I sure hope you do! This is a horrible security issue. If you visit a page with the Accelerator, say a message board for example, it caches the message board pages and will send them to someone else!
“Wait, I still don’t see the problem with that,” you say? People are actually getting cached pages of other users. Joe User is logged into the message board. At the top of the page it says “Welcome Joe User”. Sue User visits the message board too. Guess what she sees at the top of the page, “Welcome Joe User”! That’s right, she’s seeing Joe’s pages and not her own!
Again Sue clicks to view her private messages. Good ol’ Google Web Accelerator gladly sends a cached page and Sue sees Joe’s Private Message inbox instead of hers!
Now luckily Sue is never actually logged into Joe’s account. She could never change his password or post messages as him but she’s seeing his private pages.
This isn’t theory either people! It’s actually happening! There are posts at message boards where people are posting screen shots of their browsers with private message inboxes of other users!
Now as I said you are never actually logged in as another user but you still manage to see pages that are not really for your eyes. Also, the Web Accelerator doesn’t cache encrypted https pages so there shouldn’t be any stories of people’s credit card info, etc. showing up on retailers’ sites. Thankfully!
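The Joe/Sue scenario above, as an added example (not part of the original post, and not Google's code): a toy shared cache that keys on the URL alone hands Sue the page built for Joe, and an origin that marks logged-in pages `Cache-Control: private, no-store` is protected only when the cache honors that header. `origin`, `SharedCache`, `simulate` and the `session_user` cookie are made-up names for this sketch.

```python
# Toy model (constructed for illustration): an origin that builds per-user
# pages and a shared caching proxy sitting between it and two users.

def origin(path, cookies, mark_private):
    """Build a personalised page from the session cookie, as a message board would."""
    user = cookies.get("session_user", "Guest")
    headers = {"Content-Type": "text/html"}
    if mark_private and "session_user" in cookies:
        # Tells shared caches this response belongs to one user only.
        headers["Cache-Control"] = "private, no-store"
    return headers, f"<h1>Welcome {user}</h1><p>Inbox for {user} at {path}</p>"


class SharedCache:
    """Shared proxy cache. With honor_headers=False it keys on the URL alone."""

    def __init__(self, honor_headers):
        self.honor_headers = honor_headers
        self.store = {}

    def fetch(self, path, cookies, mark_private):
        if path in self.store:
            return self.store[path]  # cache hit: the requester's cookies are never consulted
        headers, body = origin(path, cookies, mark_private)
        directives = {d.strip().lower() for d in headers.get("Cache-Control", "").split(",")}
        cacheable = not (self.honor_headers and directives & {"private", "no-store"})
        if cacheable:
            self.store[path] = body
        return body


def simulate(honor_headers, mark_private):
    """Joe loads his inbox first, then Sue requests the same URL through the same cache."""
    cache = SharedCache(honor_headers)
    joe = cache.fetch("/pm/inbox", {"session_user": "Joe User"}, mark_private)
    sue = cache.fetch("/pm/inbox", {"session_user": "Sue User"}, mark_private)
    return joe, sue


if __name__ == "__main__":
    for honor, private in [(False, False), (True, False), (True, True)]:
        _, sue = simulate(honor, private)
        print(f"cache honors headers={honor}, origin marks private={private}: Sue sees {sue!r}")
```

Only the last combination gives Sue her own inbox: the site has to label per-user responses and the proxy has to respect the label.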
Now I’m no Google hater so don’t think I’m being mean for the sake of bashing Google. I only use Google for searches and I do have a few GMail accounts. Still, there are some terrible security issues here, folks! I won’t be using the Web Accelerator anytime soon and I highly advise others to think before just blindly installing it because it comes from Google.
on 05/08/2005 at 04:26 PM