Google Docs adds tracking to links in document exports (fosstodon.org)
377 points by riffraff on Oct 5, 2023 | 116 comments


This is because google docs is now widely used as a malware vector.

Send the user to a google docs page, and because it is on the google domain it is trusted by corporate firewalls and AV scanners.

The 'tracking' is in fact this page:

https://www.google.com/url?q=https://wikimediafoundation.org...

And that alerts the user to the fact they are leaving google and ending up on another site - which hopefully reduces the effectiveness of using google docs to distribute malware.


But I had my pitchfork out and everything...

Seriously, 9 times out of 10 when I see stuff like this, I'm happy I can go to the HN comments and see what the real deal is. I don't think Google deserves a free pass in their decisions, and lots of times I see them push things for "user safety" or "better user experience", oh and oh yeah it also happens to allow Google to better track you. But still, Google has tons of competing issues they need to balance, and I loathe it when people pretend like their need is the only one that matters.

It's like the debate over Google requiring 2FA for logins. "People losing their 2FA device" is a valid concern, but so is the 10 or 100x the people who get hacked with bad passwords. Not arguing there is a single solution, but you can't argue in good faith by pretending the problem Google is trying to address doesn't exist.


Unfortunately in this case you've gone to the HN comments and been misinformed. GP misunderstood the problem. This issue is about Google adding tracking links to links in _HTML exports_ of Google docs.


I'm not misinformed. There are other comments here that make that point, and I think https://news.ycombinator.com/item?id=37779383 is a reasonable rejoinder.

I think it's fair to argue that exported files should not have redirect links enabled, but as a software engineer I can imagine the complexity involved, or that there are still reasonable malware concerns. Perhaps the decision to have the exports include the redirects should be re-evaluated, but I certainly wouldn't attribute it to malice.


The complaint is about documents exported from Google Docs.


Expecting an exported document to behave as close as possible to the hosted version is not exactly unreasonable in general.


When I paste a link in Google Docs, the UI tells me that it's preserving the link I pasted. Now, if it converted http://example.com to a google redirect link in the doc, then I probably would not be surprised to see it show up the same way in my export.


But that's still a malware vector, right? Especially if you can get the victim to export it themselves?


It is not. There is no sense at all: you could use a manually crafted HTML page with malicious links, there is no benefit in using Google Docs export for this.


The benefit is as OP said: it bypasses corporate firewalls because it's a google doc.

Although I can only reproduce this redirect page in a published doc page[0], not in a pdf export (unless there's another way to download pdf via url trickery)

0: https://docs.google.com/document/d/e/2PACX-1vR4O-8LwvUPNOcwH...


An HTML file exported from google docs is not a google doc and I don't see how or why a firewall would see it as one?

The URL to download the export can't be shared as far as I can tell.

edit: you can reuse the URL to download the export. tested on another network. it expires fairly quickly though, within a couple minutes it seems.


> edit: you can reuse the URL to download the export. tested on another network. it expires fairly quickly though, within a couple minutes it seems.

(thanks for the test) So it's clearly not a possible real vector, and actually they thought about it being a possible vector, otherwise they would not have put the expiration.


I could reproduce on HTML ZIP export but not PDF.


The malware vector still exists because you can just edit the file exported and change the links... bad actors laugh out loud at these issues.


The person doing the export isn't necessarily the bad actor.


That's for sure, but what attack vectors do you imagine? If the bad actor, for example, is the owner of the document it can easily put a link to a malware that Google will not detect.


Oh, you're right! And by that logic, Hacker News is a malware vector, too, with all these random links hanging around. Maybe we should petition the moderators to integrate Google's tracking links here as well!


You can write HTML (or Word, or whatever) yourself w/o Google's help. This "feature" isn't going to stop malware links on exported google docs.


Yeah this is all nice and good except that's not what the URL is...

There's a bunch more after the q parameter:

&sa=D&source=editors&ust=16965233434352076&usg=Ade5344w26X85-pHzoD-rVkkdfdfBQnJ7B

That sure looks like tracking data to me.


That's a signature, so scammers can't send people trusted google.com links and be redirected to a malware site unless the signature verifies with the timestamp. This was standard practice circa 2005.


Fair enough, TIL. Do you have any details on the signature spec? Is this something anyone can generate or only Google?


Um, except, they can? As clearly shown in the example link in the GP post:

https://www.google.com/url?q=https://example.com/

Google has had this open redirect forever afaict. I guess they don't consider that a serious threat.

I think the better answer is that this is tracking, just like they do on all of the search results, to see which links are most popular. There still might be a malware surveillance use case but that's not the only one.


If there is a verified signature, it skips the confirmation page. Your link does not. The user has to manually confirm that they want to visit a non-Google URL.


I'm not seeing a confirmation page, it redirects transparently. So it seems that YMMV.


Ah my mistake. That would be because I long ago installed "google-no-tracking-url" extension into my Firefox. If I use a clean profile in FF or Chrome, it does indeed show a warning screen.


> This is because google docs is now widely used as a malware vector.

Sending the user via Google is fine when the user is using the google doc as a google doc. It's NOT fine when you export to some file format to share with others as not-a-google-doc. The moment you exit the Google ecosystem is the moment when this sort of protective feature becomes a tracking feature.


But if you visit these they give themselves a free pass.

https://www.google.com/url?q=https://www.google.com/

https://www.google.com/url?q=https://www.youtube.com/

Doesn't seem fair does it? Is this about "leaving your chosen office suite" or "leaving Google".

Here's an interesting one. It gets allowed even though the HTTP cert has lapsed.

https://www.google.com/url?q=https://www.keyhole.com/


> Doesn't seem fair does it? Is this about "leaving your chosen office suite" or "leaving Google".

How is it unfair if they allow their own websites which they maintain and develop to have no malware?

> Here's an interesting one. It gets allowed even though the HTTP cert has lapsed.

I doubt any human is going through and vetting every website. It's not a perfect system - I'm sure there will be websites through the cracks.


This article is about exported documents, i.e. the point at which you say "I am leaving the ecosystem of my chosen tool".

The wording of the interstitial page says "If you do not want to visit that page..." i.e. it's about whether you expected to visit one website or another. Surely google.com is as 'surprising' to the user as any other page.

BTW keyhole.com is an old Google-owned domain. From https://infogalactic.com/info/List_of_Google_domains

EDIT:

From my own experiment exporting a document it renders links as

https://www.google.com/url?q=https://example.com&sa=D&source...

I changed some param values, I don't know what they do. But with the original values it remembered my preference. So it seems like they're tracking and storing clicks.
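For readers who want exported files without the wrapper, the sketch below rewrites `google.com/url?q=...` links in an HTML export back to their destinations. It is an added example, not code from the thread or from Google; the function names and the sample HTML (including its `ust`/`usg` values) are constructed for illustration, and only the `q`, `sa`, `source`, `ust` and `usg` parameter names come from the links quoted in the comments.

```python
import re
from html import escape, unescape
from urllib.parse import parse_qs, urlsplit

# Hosts whose /url endpoint is treated as the redirect wrapper (from the thread).
REDIRECT_HOSTS = {"google.com", "www.google.com"}

# href attributes with a quoted value; group 3 is the raw (entity-escaped) URL.
HREF_RE = re.compile(r"""(\bhref\s*=\s*)(["'])(.*?)\2""", re.IGNORECASE | re.DOTALL)


def unwrap(url):
    """Return the destination carried in q= of a google.com/url link.

    Anything that is not such a link is returned unchanged.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return url  # malformed URL: leave it alone
    if parts.scheme not in ("http", "https"):
        return url
    if (parts.hostname or "").lower() not in REDIRECT_HOSTS or parts.path != "/url":
        return url
    targets = parse_qs(parts.query).get("q")
    if not targets:
        return url
    target = targets[0]  # parse_qs has already percent-decoded the value
    # Only unwrap to plain web links; a q= carrying some other scheme
    # (javascript:, data:, ...) stays wrapped rather than being emitted raw.
    if urlsplit(target).scheme not in ("http", "https"):
        return url
    return target


def clean_html(html):
    """Rewrite wrapped hrefs in an HTML string.

    Returns (new_html, changed) where changed lists (original, destination).
    """
    changed = []

    def repl(match):
        original = unescape(match.group(3))  # &amp; -> & before URL parsing
        target = unwrap(original)
        if target == original:
            return match.group(0)
        changed.append((original, target))
        quote = match.group(2)
        return match.group(1) + quote + escape(target, quote=True) + quote

    return HREF_RE.sub(repl, html), changed


# Constructed sample in the shape the comments describe for exported links.
SAMPLE = (
    '<p><a href="https://www.google.com/url?q=https://example.com/page?x%3D1%26y%3D2'
    '&amp;sa=D&amp;source=editors&amp;ust=0000000000000000&amp;usg=EXAMPLE">wrapped</a> '
    '<a href="https://example.org/direct">direct</a> '
    '<a href="#h.anchor">internal</a></p>'
)

if __name__ == "__main__":
    cleaned, changed = clean_html(SAMPLE)
    for original, target in changed:
        print(f"{original}\n  -> {target}")
    print(cleaned)
```

To process a real export, read the `.html` file from the unzipped archive, pass its text to `clean_html`, and review the `changed` list before writing the result back.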


>Surely google.com is as 'surprising' to the user as any other page.

The metric isn't how surprising it is, but how potentially malicious it is. The entire point of the redirect is so the user can make a conscious decision not to visit a potentially-malicious page.

Google.com and Youtube.com, operated by the same people who made the docs tool, make the entirely-fair assumption that neither contain malware.

That being said, I also think it's the wrong argument to make. It makes very little sense that an exported document needs these interstitials. It would make more sense if it applied them to hosted Google Docs, but not things that are self-hosted by an end-user.


> Google.com and Youtube.com, operated by the same people who made the docs tool, make the entirely-fair assumption that neither contain malware.

The same people who got caught war driving with Streetview if you want to be that generous.


It would be one thing if they had an allowlist or denylist of sites that were not just their org. It's another thing entirely when they allow all Google sites through but not their competitors. I can imagine there being abuse of monopoly powers claims to be made here. Links to YouTube videos in a Google spreadsheet will take half as many clicks as links to Vimeo videos, which will result in fewer lost conversions.


If I present links on my site and show phishing warnings on click, why would I warn users about sites I own or know to not be fakes? It just ruins their experience.


It's not your site, it's my document on my hard drive.


Amazon.com is not known to not be fake?


It is outside their trust domain. Google can verify that Google upholds strong security practices. Google cannot verify that Amazon does. For all Google knows, Amazon might have one engineer who updates their SSL cert who forgets next year.


So, this helps users that understand what the redirect page is saying to them, but don't know that clicking hyperlinks in documents takes you to a web page, and also don't know what the address bar is?

I'd like to see a flow (screenshots or video or something?) of an actual attack where the redirect page helps people that are actually capable of understanding what the redirect says.


You can implement this without tracking?


Nice of them to put the redirect under google.com, so you cannot easily block it, unlike MS which uses https://nam01.safelinks.protection.


I run the ClearURLs extension [0], so when I click that link - or most Amazon affiliate links, or an O365 tracking link, or many other tracking links, it sends me straight to the destination without hitting Google's servers.

A feature request/complaint is that it doesn't support hovering to see the target URL/check if the particular tracking domain is supported, for example Tom's Hardware uses a "georiot.com" tracker that embeds GR_URL=https%3A%2F%2Fwww.amazon.com%2Fdp... %3Dtomshardware-us-1038331347314950500-20... and doesn't successfully parse out the raw amazon.com/dp/[product ID] link.

[0]: https://github.com/ClearURLs/Addon


[flagged]


Google Docs has helped so many people and companies move forward with collaborative document writing and editing. How is that malicious?


Why?


I'm pretty sure the stated intent of the redirect is to prevent phishing (that is, provide an opportunity for Google to warn users about visiting a known dodgy site). The ability to track is just an added bonus!

Microsoft does this too with Teams. Links that my colleagues and I share with one another to _internal company sites_ get link checked then redirected. Microsoft must have a treasure trove of data about external company employee browsing habits as a result.

I would have infinitely more respect for companies that are upfront about their intentions, no matter how nefarious: "we're doing this to help protect you from phishing. But also, 99% of links are probably not phishing. So this feature really enables us to collect data to track what you do, and perform analytics to improve our bottom line".

Why sugar-coat it?


I DESPISE these links from Outlook and Teams (not sure if it is specifically the teams implementation or something else).

I don't know about your company but mine has us do these phishing tests and training videos all the time and then we get rid of one of the safety features that they keep hammering us about.

I can't just look at the URL before clicking it. I once "fell victim" to one of our phishing tests because I clicked the link in the email. And it's like... well we have been trained by our own email system that the only way to actually see the validity of the link is to click it.


Those corporate phishing tests are often administered by KnowBe4, and KnowBe4 identifies their phishing emails with custom email headers (can't remember what it is off the top of my head). So if you view the source code of an email and look for the obvious KnowBe4 header, you can tell ahead of time.


viewsource > ctrl+f > 'threatsim'


lol yeah. I curled the url in a suspicious email once, to investigate what it was. YOU FAILED THE TEST. ugh...


It just frustrates me that I have brought this up multiple times, wondering why we are paying to do this training and then we can't actually do the training.

Like it would be one thing if the URL then just had the full URL in it and we could still see where it was going. But no, it is a completely obfuscated URL.

The worst part is, it isn't like it takes you to a page to verify you actually want to go to this link. It just takes you right there assuming you are on a browser that has approved that it can open links from your email.

I really really want to know what good this does AT ALL besides likely checking some checkbox for something.


In their defence, curl isn't completely benign in this case. You just confirmed to the person who sent you the link that your email address is valid and reaches a person.


Also, there's no reason to believe that you're curling the same redirect as you get from clicking the link.

There's this thing compromised webservers do where, if you type in www.example.com into your browser, and go straight there, you get the normal web page. If you click a link from Google, and have a google.com referrer in your request, you get a little bit of JavaScript included that redirects you to another site to buy herbal remedies or fake watches or whatever.

If you are the business owner and go directly to your home page to see what's what, you think everything is fine; if you are a tech trying to debug it and you curl the webpage, everything looks fine [unless you curl with a referrer set]. You probably think Google has the wrong URL or something.

Likewise -- I don't know what a click-through from an email client looks like, but it wouldn't surprise me if there's an identifiable header or referrer or something. If that's the case, you could write your malicious URL shortener to redirect you to www.example.com/ if you curl it bare, or www.exam.ple.co/m/ if you have the redirect header. Curling the URL in question doesn't necessarily prove it's safe to click on.
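The comment above describes why a single bare fetch proves little. For a site you operate, one way to check for this kind of conditional response is to request the same page under several header profiles and compare what comes back. This is an added example, not code from the thread; the profile names, the sample User-Agent string and `fake_compromised_fetch` (a constructed stand-in for the behaviour described) are assumptions.

```python
import hashlib
import urllib.error
import urllib.request

# Header profiles to compare. "bare" still carries urllib's default
# User-Agent, much as curl sends its own. The browser UA is a sample value.
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:118.0) Gecko/20100101 Firefox/118.0"
PROFILES = {
    "bare": {},
    "search-referrer": {"Referer": "https://www.google.com/"},
    "browser-ua": {"User-Agent": BROWSER_UA},
    "search-referrer+browser-ua": {
        "Referer": "https://www.google.com/",
        "User-Agent": BROWSER_UA,
    },
}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, headers, timeout=10):
    """Fetch url once; return (status, Location header, body bytes)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location"), resp.read()
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx arrive here
        return err.code, err.headers.get("Location"), err.read()


def fingerprint(status, location, body):
    """Reduce a response to the fields worth comparing across profiles."""
    return {
        "status": status,
        "location": location,
        "length": len(body),
        "sha256": hashlib.sha256(body).hexdigest(),
    }


def probe(url, fetch=http_fetch, profiles=PROFILES):
    """Fetch url under every profile.

    Returns (results, differing): results maps profile name to fingerprint,
    differing lists the profiles whose response is not identical to "bare".
    """
    results = {name: fingerprint(*fetch(url, hdrs)) for name, hdrs in profiles.items()}
    baseline = results["bare"]
    differing = sorted(name for name, fp in results.items() if fp != baseline)
    return results, differing


def fake_clean_fetch(url, headers):
    """Constructed stand-in: a server that ignores request headers."""
    return 200, None, b"<html><body>Welcome</body></html>"


def fake_compromised_fetch(url, headers):
    """Constructed stand-in for the behaviour the comment describes:
    extra markup appears only when the Referer looks like a search engine."""
    body = b"<html><body>Welcome</body></html>"
    if "google." in headers.get("Referer", ""):
        extra = b"<script src='//redirector.invalid/r.js'></script></body>"
        body = body.replace(b"</body>", extra)
    return 200, None, body


if __name__ == "__main__":
    for label, fetch in (("clean", fake_clean_fetch), ("compromised", fake_compromised_fetch)):
        _, differing = probe("https://www.example.com/", fetch=fetch)
        print(label, "->", differing or "all profiles identical")
```

Pages with per-request content (timestamps, CSRF tokens) will differ on every fetch, so for those compare a normalised body or fetch each profile twice before treating a mismatch as a finding.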


Christ, that's depressing. I'm not much of a web guy, didn't know you could do this. Thanks for sharing...


Not that depressing. Audit your current web server configurations. You can dump the in-memory representation generally. Diff it with the on disk representation, and bam. Instant canary. If you're worried about a tainted on disk version, do the integrity check against a version invisible to the outside net.

Also, redeploy configs and reload on the regular, and you essentially force an actor to get an active foothold on your system to re-exploit and persist the compromise.

It's not impossible to defend yourself against these types of things if you're vigilant. You can also script your deployment to the point where you can nuke your site from orbit with minimal impact, and reestablish it. It's all about your threat model.

But yes. Things like nginx, apache & co are remarkably comprehensive in the things you can configure them to do. I find that my most dreaded part of standing up a new service is inevitably writing the load balancer/host web server configs.

No computing is 100% fire and forget safe though.


You're completely right of course, and I hadn't considered that.

However, there's apparently people scraping and reselling (or bribing employees, dunno) corporate directories. In my case everyone has firstname.lastname@corpo.com, so judging by the high volumes of creepy ass, targeted corporate spam I get on my work mail... this is hardly a public secret.


Not necessarily? What's stopping an email server from probing links in all incoming emails regardless of valid recipient for malware analysis purposes?

In fact, I would be surprised if, e.g., Gmail, does not do this.


Our tests (outlook email) motherfucking bypass user filters too. I wrote some so I’d never have to worry about these damn things, but they go right through.

Guess I’m going to have to configure an actual user-agent email client that won’t screw me when someone else asks it to.


funny you say that. Google is upfront about their intentions, but nobody believes them that they are not data mining this for behaviour tracking.

Can't win in that scenario


This old problem.

It's the word "win" that bothers me in this context.

Until one sees that conflicting models can make "security" a zero sum game, in which your security is my insecurity and vice versa, there is only psychological splitting, posturing and clamour for the "moral high ground".

Indeed, even using the word "security" as a bare noun is a mark of presumptuousness. One must always ask; Security for whom? Security against whom or what? Security to what end?

Unilaterally imposing a harm (leaking of data) upon others is disdainful, but then offering "security" as your reason/excuse, is condescending, since you do not know what my security needs are and how they are prioritised.

When it comes to messing with my data or devices "for my own good" the only proper response is "I'll be the judge of that!"

Many then respond that "people are too stupid and need a firm hand", which is not a good look, and frankly cuts to the core of so many problems in technology today.

Companies like Google need a better moral, sociological and psychological map of reality before putting on their boots and marching off down the road of good intentions in the direction of Hell.


They can't win as a result of their own actions. Once you lose trust, it's hard to regain it.


Interesting, I wasn't aware Google had actually stated "we don't use this data for tracking, and we only use it for link protection" (does it?).

Assuming true: you are right in that it's basically no-win. The fact that Google draws so much revenue from advertising makes it difficult to reconcile.

Nothing short of a third-party code audit of Google's code against their asserted privacy policy would appease everyone. And even then, there would be doubters.


If they did state that, this would probably be legally binding in the EU under GDPR.


Why would anyone believe that they aren't? Or that they won't start doing it?


More importantly: Google is in a jurisdiction that can mandate warrantless surveillance orders that require realtime surveillance of given selectors (i.e. IPs or users). They comply or they go to jail.

Even if the stated and official policy of Google is to never track these, and everyone at Google is 100% on board with this and will never change, they are subject to being Agent Smith'd at any time by the FBI/DHS and NSA and CIA and the rest of the US IC, critically: without probable cause or a search warrant. The US has abandoned the rule of law and the constitutional protections against unreasonable search. This applies to every single US-managed services vendor.

The decision to track or not track is simply not in their hands. If they get handed an NSL, a FISA order, or a regular old search warrant, they have to start turning over everything they have.


Third-Party Doctrine nips pretty much every expectation of privacy in the bud before we even get to things like special carve-outs for Law Enforcement.

As long as SCOTUS holds that business meta-records shared with a third party intermediary waive any expectation of privacy, the 4th Amendment is basically moot unless you self host everything.

Things might change for the better if everyone can get there, it'd basically ruin the raison d'être of many of the business models currently espoused/searched for opportunities to implement here.

The Government loves when you build a platform. The Government hates when you enable everyone to set up their own platforms.


I would assume anyone trying to evade state-level actors wouldn’t be using Google Docs in the first place.


https://en.m.wikipedia.org/wiki/Petraeus_scandal

These secrets were kept in gmail drafts.


> The US has abandoned the rule of law and the constitutional protections against unreasonable search

Those constitutional protections protect US citizens anywhere and noncitizens while they are in the US. Warrantless surveillance of communications affects noncitizens outside the US. The US is still very much a nation of laws.


Human rights to privacy do not hinge upon location or citizenship.

Indeed, the declaration (written by British crown subjects) makes it clear: “that all men are created equal, that they are endowed by their Creator with certain unalienable Rights”.

It doesn’t say “all americans”. The constitution doesn’t grant the rights, it merely recognizes the existing ones... but you already know this.

> Warrantless surveillance of communications affects noncitizens outside the US.

We have also learned, again and again, that it affects US citizens, too, in violation of the law. The IC doesn’t care that much beyond keeping up appearances that they comply with the law.

These are the same people who ran torture centers, lied to Congress, got caught, and hacked Congressional computers to delete evidence, then got caught doing that, too. Nobody went to jail or was even charged.

The laws simply do not apply to the CIA.


> Indeed, the declaration (written by British crown subjects) makes it clear: “that all men are created equal, that they are endowed by their Creator with certain unalienable Rights”.

Three problems:

1. The Declaration is not the law of the land, nor does it grant "constitutional protections."

2. None of the inalienable rights it lists are protection against warrantless wiretaps.

3. Some of the rights clearly don't apply to foreigners because the Constitution, which is the law of the land, provides for warmaking.

> The constitution doesn’t grant the rights, it merely recognizes the existing ones... but you already know this.

The Constitution says how the government works. A society can decide to require court orders for surveillance or not. The US government requires them, while the British government does not.

> We have also learned, again and again, that it affects US citizens, too, in violation of the law. The IC doesn’t care that much beyond keeping up appearances that they comply with the law.

We've learned exactly the opposite from both recent leaks and from oversight reports. They try to follow the law closely.


You could say f-ck it, if nobody believes us anyways, let's just track the sh-t out of everything then


That's because they straight up lie about some things and use half truths for other things all while thinking they are being clever.


Since U.S. public school districts and students under the age of 18 use Google Docs pretty much exclusively these days, this seems like a privacy lawsuit waiting to happen.


I’m sure they can just print out a little pamphlet to shove in the Chromebook box that says “by being in the same room as this computer you agree to blah blah blah”. US consumer protection laws are worthless.


Safelinks in Teams is a policy that your administrators can manage...

https://learn.microsoft.com/en-us/microsoft-365/security/off...


I encounter similar annoyances with things like "link previews" (impossible for an internal site, or one which requires authentication), and as a result have come to slightly "obfuscate" all links I send through such software. Sometimes I just don't send any links at all --- something like "HN item 37776492" suffices.


Where I work the onboarding sheet instructs you to make a custom search engine for servicenow because it's way faster to bang in the record number than to use a link in Teams.


Why is this added to exported documents tho? It should only add the redirect in the browser.


And there it is not needed. You could implement this in JS.


How does the fact that most links aren’t phishing links play into anything? Maybe we don’t need AV because most files aren’t viruses? You had enough of a point without this.


> Maybe we don’t need AV because most files aren’t viruses?

Since you used that example...

How would you feel if everyone in their neighborhood got assigned a private security officer that sits in their apartment doorway all day and notes who comes and goes? The company argues that it's to protect from the thieves and fraudsters, and indeed there are always some break-ins or grandparents scammed somewhere. Oh, and everyone gets an officer free of charge - it's paid for by the ads they wear on their vests and that play regularly on their walkie-talkies. Would you trust the security company that all the notes, taken by a person in the privileged position of observing everything in your home, will only be used to prevent crime and nothing else, ever?

Back to your example - AV companies are quite shady these days, and their products not all that useful relative to costs/damage and snooping they do.


This is a weird example you posed because it's a real thing. It's called a doorman and it's very popular in new york (it's considered a luxury to have one)


Indeed. Except in that poster's example, imagine the doorman isn't merely looking over the building. Every door in the building has a doorman. The doorman to the building is more palatable because it's beyond their capacity to monitor all activity and movement through the building.

The League of Meticulously Documenting Doormen on the other hand is a much greater threat to privacy. We're increasingly in jeopardy with regards to implementing that. The more we don't push back against unnecessary logging, the bigger the problem we're building socio-technically.


I see your point, but comparing this with an off-line AV scanner with a regularly updated internal database (assuming that's what you meant) is not an apt comparison.

The analog would be an AV scanner that sends a list of your files/hashes to a centralised server somewhere, so that the company can target ads related to your file contents (or sell your data...), in addition to warning you about viruses.

Agreed that % true positive is not a factor in whether or not to have a given security feature. But it is merely convenient that the vast majority of the usage of this "link protection" feature would benefit Google/MS and not the customer/user (assuming that Google/MS are data mining, which is yet unproven in this use case).


> The analog would be an AV scanner that sends a list of your files/hashes to a centralised server somewhere, so that the company can target ads related to your file contents (or sell your data...), in addition to warning you about viruses.

Is there an antivirus program that doesn't do this? I've been assuming for a very long time that windows defender does, Norton/McAfee/Avast too. I'd be shocked if they didn't


I largely agree with you, but GP didn't specify they are talking about an off-line AV scanner. In fact Google itself has an online AV scanner that scans attachments in gmail, files downloaded in Drive, etc.


> I'm pretty sure the stated intent of the redirect is to prevent phishing (that is, provide an opportunity for Google to warn users about visiting a known dodgy site). The ability to track is just an added bonus!

How do you know it's not the other way round?


Shameless plug.

The company I work for has a team developing CryptPad, which can be seen as an open source (AGPL) [a], E2EE alternative to Google Docs.

You can edit documents with multiple people in realtime, and the server does not have access to your content. You can self-host of course, but the team also provide an instance [1], and several other people also provide theirs.

It does not have such misfeatures. It has sheets, documents (using an ONLYOFFICE fork running in the browser), Diagrams (using Draw.io), forms, polls, a kanban module, pads, among other things. There's some storage too (a "drive").

It obviously does not provide all the features of Google Docs and its office suite is not as complete, but it can still be useful for a whole host of use cases.

(edit: btw CryptPad has been mentioned in several replies in this thread, it's not us so far but I've sent the link to our chat, they might chime in as well)

[1] https://cryptpad.fr/

[a] https://github.com/cryptpad/cryptpad


Wow! Thank you.

I noticed a few annoyances in the demo flow:

How do I make a new slide? I had to rtfm to find out about "---"

What language does code want? I eventually correctly guessed "HTML".

I want it to have a little dropdown menu in the style of godbolt.org for code snippets. That would be great for collaboration flows like: "This high-level code compiles to an integer increment, so don't worry about the lambdas".

Godbolt also does a good job of populating pages with hello-world examples. It might make sense to do that, at least the first few times a document of a given type was created.

For it to be my daily-driver backend dev environment, it would need git integration and the ability to ssh to a dev environment that I configured in the style of okteto. That feels like a different product.

If I was going to use this on a day-to-day basis, I'd want to be able to back up the data (in case your E2EE blew up, or I lost my password).

My next question would be how to use it while disconnected (For three reasons: (1) I want to host your backend server on a LAN that isn't exposed to the internet, and still use it for things like bank account info, and (2) I want to store travel itineraries in it, and be able to access them if my cell plan doesn't work overseas, (3) if the server dies, I have the data on my device, and would want to "copy" it all to a new server).

Anyway, I've been looking for something like this for years, and it looks like you hit most of my requirements.

How does conflict resolution work? CRDT's? Something else?


Hey, very happy to see you so enthusiastic!

I'll be sure to transmit your feedback to the CryptPad team.

I'm not an expert myself so while I might know some stuff, it'd be better to talk to them directly.

Come say hello on the Matrix #cryptpad-general channel [1], don't hesitate to open issues on the bug tracker, and to browse the CryptPad's website [2], and in particular its documentation. About conflict resolution, you may want to read part about ChainPad [3] which details this a bit.

[1] https://matrix.to/#/#cryptpad-general:matrix.xwiki.com

[2] https://cryptpad.org/

[3] https://docs.cryptpad.org/en/dev_guide/client/chainpad.html


Came here to mention cryptpad. I selfhost it and it's quite good.


Google also rewrites URLs in emails at Gmail accessed via IMAP to use the Google URL redirector service if you have Advanced Protection turned on. This means that the PGP signatures break, etc, because they are rewriting the message body.

It's terrible.

FAA702 was enough, but if for some reason warrantless surveillance of all data held at Google wasn't for you personally, the terrible behavior of Google since their government mandated backdoors were installed should be. It's time to de-google your life.


I routinely receive email messages from gmail that do not render in standard html mail clients and with attachments that are hosted on google servers (where they presumably expire and are available for easier bulk-surveillance use cases).

It also bears repeating that the big cloud vendors all supported mandating the government backdoors you mention.

As far as I can tell, it was a regulatory capture move, where they wanted to have the power that comes from spying on + selectively informing on their customers, but they wanted to make sure that no companies that serve the US market could provide meaningfully better privacy or security:

> The CLOUD Act received support from Department of Justice and of major technology companies like Microsoft, AWS, Apple, and Google.[12][13] The bill was criticized by several civil rights groups, including the Electronic Frontier Foundation, the American Civil Liberties Union, Amnesty International, and Human Rights Watch. These groups argued that the bill stripped away Fourth Amendment rights against unreasonable searches and seizures, since the government could enter into data rights sharing agreements with foreign countries and bypass U.S. courts, and affected users would not have to be notified when such warrants were issued.[13][14] Some of these groups feared the government would not fully review requests from foreign countries for their citizens' stored on servers in the U.S., potentially allowing such data to be used in bad faith in those countries.[15]

https://en.wikipedia.org/wiki/CLOUD_Act


For years, copying a result link in Google was copying a redirect.

When you hovered, it was the actual link. When you right clicked, it changed to a redirect.


There are trivial browser add-ons that fix that, but, yeah, this behavior is annoying, distasteful and borderline deceitful. Not that it'd be shocking though given its origin.


> borderline deceitful

why borderline? It is entirely deliberate deceit.


I don’t see it as deceitful and I’d eat my hat if most other users didn’t agree with me. I expect that when I click a search result link, that Google will be tracking that I’ve done this. I also appreciate being able to search for something, right-click-copy a link, and send it to someone, without it being covered in tracking cruft.


> right-click-copy a link, and send it to someone, without it being covered in tracking cruft.

That’s exactly the use case Google breaks, though: The link gets covered in tracking cruft and it gets very hard to tell where it even leads from just looking at it.


Just tried it. It worked as expected: right-click, copy a link, and it's the link to the source, not Google or a redirect.


This may be a Chrome vs Firefox issue, as Firefox doesn’t support the ping attribute for a (link) elements in HTML. The ping attribute allows sending a POST request in the background to arbitrary URLs when a link is clicked.

[1]: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/a


Here, in a fresh Firefox profile - https://i.imgur.com/RKvnJoq.gif


They must have fixed it, it wasn't like this in the past. I remember being annoyed by this when I was still using Google.


This post really highlights what happens when a user with a set bias against a company notices a common feature and presumes the worst of that company by default.


Correct.

Adding a feature to scrub "You're leaving the enclosed ecosystem" to the export function is not free.

Complaining about "Google is evil" is free, though.

It's a typical case of "we'll equate laziness to malice"


I don't think this is for tracking. If this was just for tracking, there are much simpler and discreet ways to do it (just add a background ping). I think this is to allow intercepting the user if Google determines that the link destination is harmful (eg malware distribution).


I have not tried yet but, is this including documents exported from paid accounts in Google Workspace?


According to the Mastodon thread, it's the same for paid accounts as well


Slightly more benignly, the links seem to trigger a redirect notice and open in a new tab, which seems like good behavior for inside the Google docs editor. I can’t know for sure, but there is probably also tracking in there. What else would an opaque string of text in the query params be for?

I assume the link rewrites come from this, and weren’t added just for the exported version. It is disappointing it isn’t stripped out, but I’m guessing it’s just such a corner case no one is paying attention on the team. Also, if it does contain tracking, we don't know how/when that gets updated - eg is it vestigial behavior or was it updated in export, do unique users get unique tracking numbers when exporting the same doc?
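Added example, not part of the thread and not Google's code: a Python post-processor for an exported HTML file that rewrites `https://www.google.com/url?q=...` hrefs (the form quoted earlier in the thread) back to their destinations, reports the extra query parameters it removed, and drops the `ping` attribute mentioned in an earlier comment. The sample markup, its parameter values and the function names are constructed for illustration.

```python
import re
from html import escape, unescape
from urllib.parse import parse_qs, urlsplit

REDIRECT_HOSTS = {"www.google.com", "google.com"}  # assumption: only this form
HREF_RE = re.compile(r'(<a\b[^>]*?\shref=)(["\'])(.*?)\2', re.I | re.S)
PING_RE = re.compile(r'(<a\b[^>]*?)\s+ping=(["\']).*?\2', re.I | re.S)

# Constructed sample of an exported fragment (values are made up).
SAMPLE = (
    '<p><a href="https://www.google.com/url?q=https://example.org/a%3Fx%3D1'
    '&amp;sa=D&amp;usg=CONSTRUCTED">doc link</a> and '
    '<a href="https://example.net/" ping="https://example.com/p">plain</a></p>'
)


def unwrap(href):
    """Return (destination, extra_params); (href, {}) if not a redirect link."""
    parts = urlsplit(href)
    if (parts.scheme not in ("http", "https")
            or parts.hostname not in REDIRECT_HOSTS or parts.path != "/url"):
        return href, {}
    query = parse_qs(parts.query, keep_blank_values=True)
    target = query.pop("q", [""])[0]
    # Accept only http(s) targets so a crafted q= cannot yield javascript: or data:.
    if urlsplit(target).scheme not in ("http", "https"):
        return href, {}
    return target, {k: v[0] for k, v in query.items()}


def clean_export(html_text):
    """Unwrap redirect hrefs and drop ping attributes.

    Returns (cleaned_html, findings, pings_removed)."""
    findings = []

    def fix_href(m):
        original = unescape(m.group(3))
        target, extras = unwrap(original)
        if target == original:
            return m.group(0)  # leave non-redirect links byte-for-byte intact
        findings.append({"destination": target, "removed_params": extras})
        return f"{m.group(1)}{m.group(2)}{escape(target, quote=True)}{m.group(2)}"

    cleaned = HREF_RE.sub(fix_href, html_text)
    cleaned, pings_removed = PING_RE.subn(r"\1", cleaned)
    return cleaned, findings, pings_removed


if __name__ == "__main__":
    print(clean_export(SAMPLE))
```

The `findings` list doubles as a review log: it shows which destinations were wrapped and which opaque parameters travelled with them.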


I don’t think anyone who is using any Google products should still be concerned about privacy or tracking of their activities; it’s like using Facebook. These companies' business is built around mining your/users' data; stop using them.


This has been there from the start. It's to hide the referer from the page you land on. It used to be standard practice for anyone writing a web application to avoid inadvertently leaking user information in the referer header. There are better ways to do this if the user is on a modern browser. https://duckduckgo.com/duckduckgo-help-pages/results/rduckdu...



Hasn't this existed for quite some time?

I can't find a reference to it, but I thought this has been around for a few years now.


Reddit does the same now when you share something.


Yeah wow just tested this with html export


I’m surprised that anyone is shocked by the depths to which Google will sink in order to hoover up more of that delicious data.


I CANNOT believe google would do this to paying customers!

Oh, right.


Salak toto


I like that when I sit on toilet surfing the web, Google likes to oblige and shows me ads to all kinds of toilet paper. It's great to have a big brother, even if you were born without one.



