Mozilla returns crypto-signed website packaging spec to sender – yes, it's Google
Ad giant's site slurping tech complicates web security model, could give more power to search engines and social networks, Firefox maker warns
At its developer conference earlier this month, Google engineers talked up the tech, which consists of several related projects – Signed Exchanges, the web packaging format and changes to the fetch specification – that allow website resources to be packaged and cryptographically signed for redistribution by third parties. Making websites portable, Google contends, facilitates more efficient delivery, easier sharing and offline access.
"With [web] packaging, the model for loading web pages changes from today's model, which we all understand, where the browser requests a page from an origin server, to a new model where developers create a signed package that contains the page," explained Ben Galbraith, senior product director at Google, during Google I/O.
"And the browser can load it from anywhere, even potentially other peer devices. And this can enable privacy-safe preloaded models because the data to fetch the package doesn't go back to the origin server. And it gives the browser tremendous flexibility to preload pages more of the time."
Mozilla developers have fretted about the potential security consequences for several years because it complicates the same-origin policy that limits how resources (e.g. scripts) loaded in one origin (domain) can interact with resources associated with a different origin.
"At its core, origin substitution enables a fundamental change to the way the web works," Mozilla says in its position paper. "Content is no longer constrained to follow connections to origins; where that content is produced and where it is obtained can become completely decoupled."
The Firefox maker worries that allowing aggregators to host content for others opens new security risks. For example, an attacker who compromises a server's private key or fraudulently obtains a certificate could create unauthorized or malicious content that appears to come from the targeted origin.
Because such content may be cached or stored in multiple places, there would be a time lag of several days between revocation of the certificate and the invalidation of the malicious web packages already distributed.
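As an added illustration of the revocation-lag problem described above (not code from Mozilla, Google or the Signed Exchanges specification), the following Go program models a simplified signed package with its own validity window and shows that a cache which has not yet heard of a key's revocation keeps accepting packages signed before it, right up until the signature itself expires. The `Package`, `Sign` and `Verify` names and the way URL, key ID, expiry and body are bound into the signed message are this example's assumptions, not the real wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"time"
)

// Package is a hypothetical stand-in for a signed web package (not the real Signed Exchange format).
type Package struct {
	URL, KeyID      string
	Body, Signature []byte
	Expires         time.Time
}

// signedBytes binds URL, key ID, expiry and body into the message that is signed.
func signedBytes(p *Package) []byte {
	hdr := p.URL + "\x00" + p.KeyID + "\x00" + p.Expires.UTC().Format(time.RFC3339) + "\x00"
	return append([]byte(hdr), p.Body...)
}

// Sign runs once where the origin's key lives; the package can then be served from any cache.
func Sign(priv ed25519.PrivateKey, keyID, url string, body []byte, exp time.Time) *Package {
	p := &Package{URL: url, KeyID: keyID, Body: body, Expires: exp}
	p.Signature = ed25519.Sign(priv, signedBytes(p))
	return p
}

// Verify models a browser loading from a cache: signature, expiry, and only the revocation state it knows.
func Verify(p *Package, pub ed25519.PublicKey, revoked map[string]bool, now time.Time) error {
	switch {
	case !ed25519.Verify(pub, signedBytes(p), p.Signature):
		return fmt.Errorf("signature does not verify")
	case now.After(p.Expires):
		return fmt.Errorf("signature expired at %s", p.Expires.Format(time.RFC3339))
	case revoked[p.KeyID]:
		return fmt.Errorf("signing key %s is revoked", p.KeyID)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t0 := time.Date(2019, 5, 20, 0, 0, 0, 0, time.UTC) // constructed timeline: signed day 0, key revoked day 1
	pkg := Sign(priv, "origin-key-1", "https://example.com/", []byte("<html>hi</html>"), t0.Add(7*24*time.Hour))
	fmt.Println("day 2, cache unaware of revocation:", Verify(pkg, pub, map[string]bool{}, t0.Add(2*24*time.Hour))) // <nil>
	fmt.Println("day 2, cache aware of revocation:  ", Verify(pkg, pub, map[string]bool{"origin-key-1": true}, t0.Add(2*24*time.Hour)))
	fmt.Println("day 8, cache unaware of revocation:", Verify(pkg, pub, map[string]bool{}, t0.Add(8*24*time.Hour)))
}
```

The only lever the verifier has against a cache that never learns of the revocation is the expiry, which is why the signature's validity window bounds how long a package signed with a compromised key stays usable.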
Mozilla nonetheless appears to be optimistic that more robust security measures can be put in place. The company also voices several other concerns about the risk of reduced personalization arising from the pressure to keep package sizes small, the security cost of added complexity, the performance cost imposed by signed exchanges and the storage overhead for publishers and aggregators.
While further refinements may be able to overcome the cited technical concerns, Mozilla remains unconvinced web packaging is good for the web.
"The question remains about whether this fundamental change to the way that content is delivered on the web represents a problematic shift in the power balance between actors," the browser maker muses. "We have to consider whether aggregators could use this technology to impose their will on publishers."
This is Mozilla wondering whether web packaging will just make Facebook and Google more powerful as content distributors and kingmakers.
Given the way other technologies and market choices have affected the balance of power online – Google's Accelerated Mobile Pages, Facebook Login, Google Search ranking changes, browser market share, and the like – Mozilla wants the implications of web packaging explored further before it signs on.
"The increased exposure to security problems and the unknown effects of this on power dynamics is significant enough that we have to regard this as harmful until more information is available," the company concludes.
The Register asked Mozilla to elaborate on its position but the company declined. Google did not respond to a request for comment. ®