Usually I try to be constructive, but I just need to get this out: fuck AMP. I don't care downvote me to oblivion I'm a little buzzed but FFS who actually wants AMP and why is it even a thing? Why can't Chrome just prefetch shit from the actual servers and let ISPs handle the caching? Why does mother Google need to serve me all the content from its overly suckled teat? I know everyone working on AMP means well but why why why does Google insist on destroying the internet and entirely undermining TLS in the process? Sorry. That was therapeutic.
Bonus Quiz:
1. When I encounter an AMP link I... a) Click it. b) Don't click it. c) I don't see AMP links using FireFox.
2. When my friends send me an AMP link... a) I click it. b) I don't click it. c) Friends don't send friends AMP links.
3. Reasons I've switched to FireFox... a) I love RUst. b) I care about privacy. c) I hate AMP.
4. My ISP is... a) Google b) Chrome c) None of the above.
The answer is 'c'.
> Why can't Chrome just prefetch shit from the actual servers
The linked article explains this. Do you really want third party sites to know what you're searching for without you actively deciding to click on their page?
> and let ISPs handle the caching
ISPs can't cache the contents of HTTPS pages.
> Do you really want third party sites knowing what you searched for...?
My user agent /is/ me. If I want to prefetch results, I unerstand it means people know I'm looking at those results. I don't think it's really the privacy issue they are trying to make it out to be. And the counter consideration is that you are implicitly saying you trust Google with that info more than the actual service providers so it's not "do you want people" it's "who do you want" knowing.
Easy solution: off by default and inform users of the implication when turned on. As a user I don't actually want the internet prefetched for me mostly because it's a stupid idea catering to a subset of people who are so impatient it's baffling. If your site performs poorly on mobile let users complain to the creators so they can make better sites. Does Google really get the schtick when a mobile site has a poor UX? No. So why are they even investing effort into this?...
> ISPs can't cache the content of HTTPS pages.
Indeed. That's the point of HTTPS. As a user I don't expect that contract undermined even by a claimed benevolent Google just trying to altruistically get you content better with signed bundles that masquerade around as the original service. A few points, too. Often the static CDN content is served HTTP because it's not sensitive or it employes other means of restricting access such as GUID/signed urls etc., all of which can be cached. But even if that's a bad idea (I think people are moving away from that model, and http2) that just shifts the responsibility to the ISP and CDN providers to make sure that they have good fast connections between their networks. That's something that is in both their business models and it works just fine today. ISPs want to provide the best user experience on their network compared to others and CDNs sell their highly available global network to customers so a better CDN closer to more users means happier customers.
Why do that though when you can have your cake and eat it? Google's proposed solution allows you to prefetch results _and_ not allow the third-party to know you're looking at those results.
> the counter consideration is that your implicitly saying you trust Google with that info more than the actual service providers
If I'm using Google search, then yes, obviously I'm fine with Google knowing what I searched for. If I wasn't okay with that, I most certainly would not be using Google search. In contrast, I'm less likely to be okay with a random site in the search results page that I haven't clicked on knowing that I saw a link to their site in a search results page.
Note that if I were using DuckDuckGo instead and DuckDuckGo supported AMP, then my browser would prefetch from DuckDuckGo's AMP cache, not Google's. No additional information is being shared with any party who doesn't already possess that information. (DuckDuckGo already knows what I searched for. Me loading an AMP page from them related to that query reveals no additional information.)
> Indeed. That's the point of HTTPS. As a user I don't expect that contract undermined even by a claimed benevolent Google
Could you explain how Google's proposed solution here undermines HTTPS? Note that the OP talks about using the upcoming [Web Package standard][1] to distribute AMP pages. This standard would allow the integrity guarantees of HTTPS to be preserved even when the page in question is being served by Google's AMP cache rather than the original server.