Redirecting you to
Click if you are not redirected within 5 seconds
USD
Support
Contact Us
Podcast Aug 27, 2020

Root Causes 115: Signed HTTP Exchange (SXG) Certificates

Accelerated Mobile Pages, or AMP, is a Google standard for packaging web content for consistent and usable display on mobile devices. SXG certificates enable the display of the original publisher's authenticated URL in the mobile reader. Join us as we explain the potential benefits of SXG to readers and content publishers.

  • Original Broadcast Date: August 27, 2020

Episode Transcript

Lightly edited for flow and brevity.

  • Tim Callan

    So, Jason, I think we want to talk about a fairly new development in the technology landscape, which is signed HTTPS exchanges.

  • Jason Soroko

    Yeah, Tim. Signed HTTP exchanges, or SXG certificates are part of a wider group of technologies known as web packages. And really, Tim, where this stems from is Google AMP, which I'm sure you've heard of, sure you've used. In fact, I bet most people listening to this have used it, whether they know they've used it or not.

  • Tim Callan

    Right. And they may not. So, what's Google AMP?

  • Jason Soroko

    Right. Google, for various reasons, has defined a new markup technology so that certain types of web content and let's use a news reports as an example.

  • Tim Callan

    Okay.

  • Jason Soroko

    So, you know, New York Times, Washington Post, pick your newspaper of choice. They make a newspaper or a newspaper article and the context of that is usually very similar, right? There's a title, there is a, you know, the text of the article, etc. So, the context of it, and how it should be shown onto the internet within a browser or mobile application should typically be standardized, depending on what you want to do with it. So, what Google has done is create this markup technology, Google AMP, which essentially does that, which is to standardize certain types of web content. And it's specifically meant for the acceleration of that content on mobile devices, rather than say, you know, contrasting that to a desktop device. So, when you go to say, Google News, right, news.google.com, you click on a news article with the browser on your mobile device, chances are you're going to be viewing that as a Google AMP - the way that it's actually being shown on your screen, which is a standardized way of showing it.

  • Tim Callan

    Yeah. So, let me make sure I'm getting this right. You're saying that it is less data intensive to tag something, author, than to give layout information about where to put this particular string so that it's obvious to the human eye that that's the author and instead, on the other end on the mobile device, the mobile device knows to put this tagged data author in this place and present it in this way. Is that right?

  • Jason Soroko

    I would say that's a small part of it, Tim. But you are right in that certain types of web content definitely are standardized using the Google AMP markup technology. That's a part of it. I would say one of the big parts to this is that all Google AMP packages, if you will, that are available are actually cached by Google.

    So, let's think about this for a moment. When you download a page on the internet, let's say on your desktop browser, for example. I'm sure, Tim, you've come up with some websites that take an awfully long time to render and part of that, part of the issue with that rendering is sometimes because some of the graphics are slow to load, you might be reading the article, and that article starts to shift on your browser even before you're done reading a paragraph. I'm sure that's happened.

  • Tim Callan

    Yes. Absolutely.

  • Jason Soroko

    Right. So, part of what Google is trying to do is not just say, hey, here's the content, you know, context of who the author is. What they're really trying to do, part of what they're trying to do, is to standardize how the layout occurs and standardizing even what the speed of that layout will be on a mobile device.

  • Tim Callan

    Okay.

  • Jason Soroko

    So that the user experience of reading a particular piece of content is essentially not just fast, but also standardized. As you can imagine, Tim, there's advantages and disadvantages to that.

  • Tim Callan

    Sure.

  • Jason Soroko

    One of the early disadvantages - and this is where we're going to get into the signed HTTP exchanges. One of the big disadvantages, if you're - - say, you know, if I'm using iOS, for example, and I've gone to Google News, I'm reading an article, chances are the URL on my browser bar in my say, Safari, for example, will actually show Google because I'm actually reading a cached Google AMP content.

  • Tim Callan

    Right.

  • Jason Soroko

    But the article may have come from New York Times, Washington Post, you know, Fox News, whatever you happen to want to be reading.

  • Tim Callan

    Yeah.

  • Jason Soroko

    And so, what they did as part of the markup, part of the rendering, is they would actually show who the content publisher was right below the address bar.

  • Tim Callan

    Okay. Gotcha.

  • Jason Soroko

    And that's sort of okay. Because, you know, if I'm reading a ZDNet article, if I'm reading, you know, if I'm reading something that I want to be reading from a particular content provider, chances are I can read that but it's not completely obvious because it is - definitely the address bar is obfuscated by that Google address. That cached Google address.

  • Tim Callan

    Yeah. Yeah. I mean, you can think of a few ways that it's not ideal, right? It's, first of all, you know, it does sort of obscure the source. It might not be intuitive to somebody how to marry this, you know, they know that New York Times isn't Google and it says Google there and New York Times there and you might decide that you don't trust this word that says New York Times or, in fact, trust this at all. And, you know, ultimately, there is some amount of communicative value in URLs and that's stripped away. People don't get that anymore. Plus, it uses screen real estate for no good reason.

  • Jason Soroko

    That's exactly right, Tim.

  • Tim Callan

    Right.

  • Jason Soroko

    And so, you can imagine that these content publishers wanted to regain control of the address bar to say, hey, if you happen to be on a Yahoo, you know, content site, we want Yahoo to be in the address bar, not just on some tag below. And so, enter the concept of SXG certificates or signed HTTP exchanges. So that's when one of these content publishers can now use a certificate to actually sign the content and then when Google is now rendering this, it will see the fact that it's utilizing an SXG certificate to sign the content, when that signed content is verified, you know, back to the root of where it comes from, then you will go back to the normal user experience of seeing the content publisher’s URL in the address bar.

  • Tim Callan

    Okay. So, does that mean is this in, to use public. Is this an OV certificate. Are these certificates - - Is someone validating that this certificate really belongs to New York Times or are they just validating this is the URL that the originating source is and I'm going to display that URL?

  • Jason Soroko

    I would say, Tim, if you look at the SXG standard, right, the signed HTTP exchanges, IETF standard, really, it's very close to a DV equivalent.

  • Tim Callan

    Gotcha. Okay. So, pull the URL across but there's no claim about this is actually New York Times? We're just saying this came from nytimes.com?

  • Jason Soroko

    Right. And I think the rationale behind that is because of the fact that the New York Times, for example, they already own a domain and all that we're really doing here is showing a domain in the address bar therefore, if as long as you own the domain, you can validate that you're good to go.

  • Tim Callan

    Sure. Yep. Makes perfect sense. And it's still better than saying Google.

  • Jason Soroko

    Exactly right. That's exactly right.

  • Tim Callan

    What is the status of these certificates? Is this a real thing? Is this a future initiative? What is this?

  • Jason Soroko

    It's a real thing? I mean, obviously, Google AMP has become very popular in the sense that Google kind of forced anybody doing publishing content, like if you're a news provider, you pretty much have to put your stuff in Google AMP because Google is really controlling who gets to see what through their search engine and if you want to show up in the carousel of news at the top of the of the search results, if you don't have your stuff in Google AMP, then chances are you're not going to be seen.

  • Tim Callan

    Yeah.

  • Jason Soroko

    So therefore, it was pretty much a forcing of a lot of these content providers to do that. Now, what's interesting, Tim, is what about everybody else? So, you know, if you look at Google's point of view, they'd like all content or a lot more content than just news to be put into Google AMP. And there's a lot of arguments, you know, pro and con to that, and we won't get into that here except to say that WordPress, for example, now has a very easy capability to turn a WordPress site into Google AMP content. And, to me, that's a bit of a game changer because all of a sudden, what used to just be a New York Times article is now going to be tons and tons and tons of websites potentially. And therefore, the need for SXG certificates as well as your DV/OV/EV certificate, whatever you're using for your website, I think that that'll be the time at which this becomes, you know, the issuance of SXG certificates will go far beyond just the, you know, the X number of dozen or 100 news publications out there that use Google AMP all the time,

  • Tim Callan

    Right. So, you can imagine the more that your content might be benefiting from Google AMP or presented in an interface that depends on Google AMP, all kinds of people could be motivated to do it. I might have a corporate information site, right. I might have a brochure site and I want to make sure that that information is presented most often in the best possible light and I might go ahead and support Google AMP and at that point, I might want to get one of these certificates.

  • Jason Soroko

    That's exactly right, Tim.

  • Tim Callan

    Okay. And so, but this - - but I mean that's not a common practice today. Can I even - - can I get one of these certs if I want to? Or is this coming in the future?

  • Jason Soroko

    Yeah. You can.

  • Tim Callan

    Okay.

  • Jason Soroko

    You can but I think that the wider CA community will start to issue these kinds of certificates down the road, and it will start to look more like the public trust community that we know today with the other more commonly used certificates.

  • Tim Callan

    Okay. So that's something we need to keep our eyes on for sure.

  • Jason Soroko

    Yeah. I think in our line of business, Tim, absolutely and in the public trust world, absolutely.

  • Tim Callan

    All right. Well, thank you, Jay. I think that's been a great informative topic, and I appreciate it.

  • Jason Soroko

    Thank you, Tim.

  • Tim Callan

    All right. Thank you, Listeners. This has been Root Causes.

Root Causes - A PKI & Security Podcast

About Root Causes

Tim Callan and Jason Soroko explore the issues surrounding digital identity, PKI, and cryptographic connections in today's dynamic and evolving computing world.

View All Root Causes