Google hits brand slam stamping AMP with more crypto glam
All your URLs are belong to us
On Tuesday Google renovated its Accelerated Mobile Pages (AMP) web publishing format, making it more secure with less Chocolate Factory branding – a change certain to be welcomed by publishers committed to AMP.
Launched in 2016 as a Google-specific publishing scheme to rival Facebook Instant Articles and Apple News, AMP provides a way to build web pages that load quickly. Because Google makes speed a factor in mobile search ranking, AMP appeals to publishers as a way to improve the visibility of their articles in search results, not just in Google Search but Bing too.
Creating an AMP page involves using AMP HTML, a library of components for building interactive sites that precludes the implementation of certain performance bottlenecks. One disadvantage of doing so is that publishers have to craft and maintain AMP pages alongside standard HTML web pages.
There's also the downside of participating in a scheme that gives Google more power over how web pages – ideally open and vendor-neutral – get written, a concern the Chocolate Factory last year tried to address by reforming the AMP governance structure.
Google's latest improvement to the AMP format is that pages can now be linked to Signed HTTP Exchanges (SXG), one of several specifications for packaging websites, so they can be viewed offline in conjunction with a way to prove site authenticity.
SXG is a specification for returning a cryptographic signature in a response to a web request that lets the user's browser trust a page cached by a third-party domain as if it were served from the originating publisher's domain.
"This allows you to use first-party cookies and storage to customize content and simplify analytics integration," explained Google software engineers Devin Mullins and Greg Rogers in a blog post. "Your page appears under your URL instead of the google.com/amp URL."
Publishers can already serve AMP pages from their own servers but AMP makes use of cached web pages for better performance. When users search for those pages and find them in, say Google News, they may see the Google-hosted cache URL, instead of a URL that points to the original publisher's website.
Google kicks itself out of its own cache when serving AMP pagesREAD MORE
The separation SXG makes possible between the origin of content with those distributing it also improves privacy by eliminating information disclosure when prefetching is used. Prefetching loads resources before they're required to avoid page load delays.
But the downside of doing so is that these preloads can reveal information about a web visitor who never actually chooses to load the site hosting the fetched file. With SXG, AMP pages can implement prefetching in a way that preserves privacy by prefetching cross-origin resources without disclosing information in advance of a user's decision to visit.
In conjunction with the debut of SXG, content delivery network Cloudflare announced its own implementation called AMP Real URL that it plans to make available to its customers in the coming weeks.
"Google's AMP Crawler downloads the content of your website and stores it in the AMP Cache many times a day," explained Cloudflare engineer Zack Bloom and CTO John Graham-Cumming in a blog post. "If your site has AMP Real URL enabled Cloudflare will digitally sign the content we provide to that crawler, cryptographically proving it was generated by you."
For visitors using Chrome on Android – the only mobile browser supporting this at the moment – to websites supported by Cloudflare, following a Google search result will lead to an AMP page that displays the publisher's domain rather than Cloudflare's. The biz expects broader browser support, eventually. ®
- App stores
- Black Hat
- Common Vulnerability Scoring System
- Cybersecurity and Infrastructure Security Agency
- Cybersecurity Information Sharing Act
- Data Breach
- Data Protection
- Data Theft
- Digital certificate
- Google AI
- Google Cloud Platform
- Google Nest
- G Suite
- Identity Theft
- Kenna Security
- Palo Alto Networks
- Privacy Sandbox
- Tavis Ormandy
- Trusted Platform Module
- Zero trust