Update: Google has clarified this will not impact the visible URLs that searchers see. This change mostly affects non-user visible cache URLs. I asked for further clarification on whether Google would be changing away from the Google.com URLs, but there doesn’t seem to be any update on that becoming a possibility.
Google will begin showing the AMP cache URLs as coming from https://cdn.ampproject.org instead of https://www.google.com/amp/, according to a joint announcement by Google and the AMP Project. However, this is more of a backend change; the visible URL will still be the google.com/amp/ URL.
It was a problem I highlighted last month: some hackers and phishers were using AMP URLs to disguise their malicious URLs, since the link showed it was coming from a Google.com URL. However, this specific change won’t address that.
Google Search is planning to begin using the new URL scheme as soon as possible and is monitoring sites’ compatibility. In addition, we will be reaching out to impacted parties, and we will make available a developer testing sandbox prior to launching to ensure a smooth transition.
They will be adding subdomains that are similar to the existing site’s domain.
The subdomains created by the Google AMP Cache will be human-readable when character limits and technical specs allow, and will closely resemble the publisher’s own domain.
When possible, the Google AMP Cache will create each subdomain by first converting the AMP document domain from IDN (punycode) to UTF-8. Every “-” (dash) will be replaced with “--” (2 dashes) and every “.” (dot) will be replaced with a “-” (dash). For example, pub.com will map to pub-com.cdn.ampproject.org. Where technical limitations prevent a human readable subdomain, a one-way hash will be used instead.
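The mapping described above, as an added Python example (not code from Google or the AMP Project), together with its reverse, which recovers the real publisher domain from a cache hostname seen in a link or log. It covers only the human-readable case. The function names are hypothetical, and two things are assumptions not stated in the announcement: the label is re-encoded to punycode, and the 63-character DNS label limit is the point at which the hash fallback applies.

```python
"""AMP cache subdomain mapping, forward and reverse (added example)."""

CACHE_SUFFIX = ".cdn.ampproject.org"  # cache domain named in the article
MAX_LABEL = 63                        # DNS limit on one label (RFC 1035)


def to_cache_label(domain):
    """Human-readable cache label for a publisher domain, or None when
    the label would not fit and a one-way hash would be used instead."""
    try:
        # Step 1: IDN (punycode) -> Unicode; Unicode input is accepted too.
        text = domain.lower().rstrip(".").encode("idna").decode("idna")
        # Step 2: double every dash, then turn every dot into one dash.
        label = text.replace("-", "--").replace(".", "-")
        # Assumption: re-encode to punycode so the label is valid in DNS.
        ascii_label = label.encode("idna").decode("ascii")
    except UnicodeError:  # raised for empty or over-long labels
        return None
    if not 0 < len(ascii_label) <= MAX_LABEL:
        return None
    return ascii_label


def to_publisher_domain(cache_host):
    """Publisher domain behind a cache hostname, or None when the host is
    not a human-readable cache subdomain (hashed labels cannot be reversed)."""
    host = cache_host.lower().rstrip(".")
    if not host.endswith(CACHE_SUFFIX):
        return None
    label = host[: -len(CACHE_SUFFIX)]
    if not label or "." in label:
        return None
    try:
        text = label.encode("ascii").decode("idna")
        # Undo step 2: "--" was a dash, a lone "-" was a dot. The NUL
        # placeholder keeps the two replacements from colliding.
        text = text.replace("--", "\0").replace("-", ".").replace("\0", "-")
        if "." not in text:
            return None  # no dot recovered: hashed or malformed label
        return text.encode("idna").decode("ascii")
    except UnicodeError:
        return None


if __name__ == "__main__":
    # Constructed sample hostnames, as they might appear in a proxy log.
    for h in ("pub-com.cdn.ampproject.org", "my--site-example-com.cdn.ampproject.org"):
        print(h, "->", to_publisher_domain(h))
```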
Google says they will continue to support existing URLs – there are links to those Google AMP URLs that are active – but Google says those URLs will eventually direct to the new URL scheme.
This transition is primarily from https://cdn.ampproject.org to the new subdomain scheme of https://[pub-com].cdn.ampproject.org.
Sites that are aware of links going to the https://www.google.com/amp/ URLs might want to contact those sites and ask for the links to be updated, as it could affect canonicalization of those links in the future. It is a security loophole for as long as Google keeps redirecting those Google.com URLs, so I cannot see Google redirecting those links (and the link juice) forever, and it could potentially mean those AMP URLs could be targeted by hackers as long as they are active. But the vast majority of AMP links I have seen are from social sharing, which wouldn’t pass link value anyway. There are many sites that do this as a best practice already.
This is great news for security reasons. The ability for phishers to disguise Google-related email links with actual Google.com URLs was a major security loophole, so this being corrected – and the speed of the change – will help in Google’s mission to secure the web.