Google is going full steam ahead with its Accelerated Mobile Pages (AMP) plans, showcased this week at the AMP Conf 2019. At the event, the company revealed that AMP pages can now display a page's original URL through Signed Exchanges. This is possible even though the page might not actually be served from that URL.
While Google announced the ability this week, Apple and Mozilla have known about it for some time. Both rival browser companies have expressed concerns about the security of webpages.
Google’s AMP webpages are served by the company itself. It hosts the website. If you were browsing an AMP version of WinBuzzer, the navigation bar would read Google.com and not WinBuzzer.com.
This has been a barrier for Accelerated Mobile Pages, although customers seemed willing to accept the trade-off because of the improved speed AMP offers. However, Google’s new “Signed Exchanges” feature allows the original URL to be displayed even though the page will be hosted by Google.
Several issues arise from Signed Exchanges. Perhaps the most important is that the user will never really be able to trust the navigation bar. Currently, users believe what the nav bar tells them. Right now, your navigation bar tells you this is WinBuzzer and that you are connected to this website. Under Signed Exchanges, it will tell you WinBuzzer, but you would really be connected to Google.
Apple and Mozilla Response
Perhaps many people will be OK with that, but the possibility of third-party bad actors hijacking the system is apparent. Signed Exchanges is currently only available on Android through Chrome 73, but Google wants it to become a web standard across all browsers. Apple and Mozilla disagree.
Mozilla has previously described Signed Exchanges as “harmful” and said it will not be used in Firefox:
“Mozilla has concerns about the shift in the web security model required for handling web-packaged information. Specifically, the ability for an origin to act on behalf of another without a client ever contacting the authoritative server is worrisome, as is the removal of a guarantee of confidentiality from the web security model (the host serving the web package has access to plain text). We recognize that the use cases satisfied by web packaging are useful and would be likely to support an approach that enabled such use cases so long as the foregoing concerns could be addressed.”
Maciej Stachowiak, a leader in Apple’s Safari browser division, sided with Mozilla:
“But even so, I’d say we are pretty uncomfortable with this approach, for similar reasons to Mozilla. We can see some advantages to Google re-serving the whole web from their own servers and getting browsers to present it as if it comes from the origin, but it also seems like a worrisome change to the web security model.”