I've read a few posts here indicating those running this WA are seeing
cached pages from other users, esp. in various forums on the net.

If Google's proxy is showing the same cached page when the request has
changed, this is serious indeed. At the very least, a request's
uniqueness should be determined by looking at the URL and any
querystring or POST data, and the cookies. If any of these things are
different, the request can result in a different page customized for a
specific user. Obviously it should not be cached by a proxy.

Google states this WA will not cache sites protected by HTTPS, but many
private members-only sites only use HTTPS to protect their login forms.
Once you are logged in, you are using an HTTP connection to reduce the
load on their CPUs. The site knows you are still logged in and allowed
to view the content based on your cookies (in many cases). These sites
are now at risk to being cached by Google's WA, and apparantly, served
to other users. And worse?

It would also be nice if Google clarified what exactly it is caching on
its servers, versus what it is caching in the local cache on the user's
computer. The privacy FAQs are not clear. From my reading, they are not
caching page content on their servers, but they are caching cookies.
Why do they need to cache cookies on their servers to speed things up?
It doesn't make sense to me. And if they are caching page content on
their servers, they need to explicitly specify how they
are deciding when to serve it up to multiple users, and that they are
not using that content for any other purpose.

I think people are worried mostly because a huge search engine is now
getting access to a ton of private websites that it normally could not
reach.

It would also be nice if their proxy would pass a header indicating
what IP address the user's request is coming from. After all, this is
not meant to be an anomymizing proxy, but just one to speed up
browsing. IP address statistics are very useful to website admins. Now
anyone using this WA is using Google's set of IPs. Admins already have
to deal with this issue with AOL's sizeable user base, and now Google
is opening this problem up to potentially a much larger set of web
users.

Unless this service quickly improves, I will continue to discourage my
family, friends, and co-workers from using this product.

Thomas Samoht

Right. That's my concern. I've already gone through a few sites, and am
adding more to the list as I browse, to take them off web accellerator.
However, as most of my internet traffic is on Livejournal and Neopets
(don't laugh), I'm not seeing much of a benefit because I've had to
remove those from web accelerator. Almost everything else I do online
is on news sites, which are pretty speedy anyway, so what's the point?
The one thing worth noting is that preloading still happens, even on
sites that don't go through Google, so I am seeing a speed benefit from
that. I'm just not sure if it's a big enough benefit to make keeping
the software, with this security concern, installed. We're all asleep
at the wheel online occasionally, and when I am, it's almost inevitable
that a site I hop onto with a login will slip through.

I'm less concerned about large-scale privacy issues and with Google
having my data than I am that a friend will inevitably see a journal
page I'd rather not because Google's cached it and then inadvertently
served my private information up on a plate to them.

For those webmasters that want to block this application, there are a
few things you can do.

1. If your website is normally password protected and Google should
never need to index your site for their search engine, you should be
able to block all of Google's netblock, and redirect to a page telling
your users to add your domains to the Google WA exclusion list in the
preferences. Their netblock is: 64.233.160.0/19 (netmask:
255.255.224.0).

2. If your site mostly needs to be indexed by Google, consider adding
some code to your CGI module (such as the Perl CGI module) that looks
for any requests from that netblock, and if the HTTP USER AGENT does
NOT contain "Googlebot", you can assume it is the Google WA proxy, and
redirect them to your "how to disable WA for our domains" page.

Thomas

Here are all four netblocks assigned to Google:

http://ws.arin.net/cgi-bin/whois.pl?queryinput=N%20.%20GOOGLE

Google Inc. GOOGLE (NET-216-239-32-0-1) 216.239.32.0/19 (netmask:
255.255.224.0)

Google Inc. GOOGLE (NET-64-233-160-0-1) 64.233.160.0/19 (netmask:
255.255.224.0)

Google Inc. GOOGLE (NET-66-249-64-0-1) 66.249.64.0/19 (netmask:
255.255.224.0)

Google Inc. GOOGLE (NET-72-14-192-0-1) 72.14.192.0/20 (netmask:
255.255.240.0)