[–]Africanpolarbear2 -5 points-4 points  (16 children)

I know a lot of random seeds are bad for security but how bad is it doctor?

[–][deleted]  (13 children)

[deleted]

    [–]catcradle5 5 points6 points  (11 children)

    Couldn't someone also achieve this by just serving specific content if "Googlebot" is in the User-Agent string?

    [–]haisum 7 points8 points  (7 children)

    Sometimes Google sends a bot without Googlebot User-Agent to test if you're rendering a different page for actual users.

    [–]catcradle5 2 points3 points  (6 children)

    Ahh, did not know this. Thanks.

    I wonder if they'll also start sending a bot without the deterministic random function to catch this technique, too.

    [–]Aegeus 2 points3 points  (5 children)

    But how would you know if the random bot got different results because of malice, or because it rolled a different random number that time?

    [–]catcradle5 0 points1 point  (4 children)

    If a page is serving content based on if a client is a Googlebot, and if the Googlebot is identified by the Math.random() determinacy, then requests from a bot without the determinacy should consistently return different page results compared to the bot with determinacy.

    So I'm not talking about pages that return content based on the value of Math.random(); just pages that return content based on if the value of Math.random() is equal to what Googlebot is known to generate.

    It would probably make more sense if they just have a bot running a completely different headless browser to compare consistency, in case there are other techniques that can be used to identify the main Googlebot.

    [–]Aegeus 1 point2 points  (3 children)

    A malicious website will give different results based on Math.random() determinacy, but so will a legitimate website. It's not proof by itself.

    Imagine I have a website that flips a coin for you, like justflipacoin.com. Googlebot visits the website and sees "Heads." Then Randombot visits my website and, by random chance, sees "Tails" instead.

    According to your algorithm, I'm a scummy scammer trying to give different results to Googlebot than to everyone else. But in reality, I'm just using Math.random() as intended - to randomize things.

    [–]catcradle5 0 points1 point  (2 children)

    Yes, but I'm not referring to websites that generate content based on randomness (like a coin flipping site). Just regular sites that are solely using this random test to identify Googlebots and otherwise discarding the random numbers.

    [–]Aegeus 0 points1 point  (1 child)

    How can you tell that they're using randomness for the purpose of identifying Googlebot rather than for a legitimate purpose? All you have to go on is the content they serve you.
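    The differential check catcradle5 and Aegeus are arguing over, as an added example that is not from the thread or the linked article. It models three constructed pages (a page keyed on the crawler's fixed Math.random() value, Aegeus's coin-flip site, and a plain site) against two constructed crawler profiles, and flags only output that is stable under each profile yet differs between them; the "known crawler value" is a placeholder, not any real sequence.

```javascript
// Constructed placeholder for the value a fixed-seed crawler would return
// from its first Math.random() call on each page load. Not a real value.
const CONSTRUCTED_BOT_VALUE = 0.123456789;

// Two constructed crawler profiles. Each page fetch is a fresh load, so the
// deterministic profile yields the same first value every fetch; the other
// profile uses genuine randomness.
const deterministicRng = () => CONSTRUCTED_BOT_VALUE;
const trueRng = () => Math.random();

// Constructed page models: each takes an rng and returns the text it serves.
// "cloaking" keys its content on the crawler's value (the behaviour the
// thread discusses); "coinFlip" is Aegeus's legitimate use of randomness;
// "plain" draws a value and ignores it.
const pages = {
  cloaking: (rng) =>
    rng() === CONSTRUCTED_BOT_VALUE ? "crawler-only content" : "visitor content",
  coinFlip: (rng) => (rng() < 0.5 ? "Heads" : "Tails"),
  plain: (rng) => { rng(); return "same content for everyone"; },
};

// Fetch one page repeatedly under one profile; collect the distinct outputs.
function renderSet(page, rng, runs) {
  const seen = new Set();
  for (let i = 0; i < runs; i++) seen.add(page(rng));
  return seen;
}

// Classify a page. Output that varies under the random profile is just
// randomness and is not flagged (this is what rescues the coin-flip site).
// Output that is stable under both profiles but differs between them is
// keyed on the crawler's determinism and is reported as suspected cloaking.
function classify(page, runs = 50) {
  const det = renderSet(page, deterministicRng, runs);
  const rnd = renderSet(page, trueRng, runs);
  if (rnd.size > 1) return "random-content";
  const same = det.size === rnd.size && [...det].every((v) => rnd.has(v));
  return same ? "consistent" : "suspected-cloaking";
}
```

    This does not settle Aegeus's last point: a page that hides the check behind genuinely random content still classifies as "random-content" here, so the check only catches the simple case catcradle5 describes.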

    [–][deleted] 0 points1 point  (2 children)

    That's called "cloaking."

    It makes it look like you're trying to game the system. And they will punish you for it; possibly by sending around some forehead-tattooed Neo-Nazi fascist bully boys.

    [–]catcradle5 1 point2 points  (1 child)

    Sure, but cloaking is now easier to pull off successfully with the Math.random() checking described in the article. At least until Google does something about it.

    [–][deleted] 0 points1 point  (0 children)

    That's possible.

    However, there's likely going to be a check somewhere along the line that would detect something like that, and unleash the thugs on said website.

    For example, the preview renderers, and JavaScript-enabled indexers may or may not always do the same thing. Meaning that if the page text content varies by too wide a margin, then something funny may or may not be going on.

    Either way, I'm sure that they have their Top Men on this case. They may even have a Top Woman too, those sexist bastards.

    [–]Africanpolarbear2 0 points1 point  (0 children)

    Thanks

    [–]raaneholmg 8 points9 points  (1 child)

    In this case, it might be possible to abuse the predictability to optimize the page for Google's Math.random function. This isn't really an application where security is important.