Google Tests Web Bot Auth to Verify AI Agent Requests

Image credit: Search Engine Journal

Google is testing an experimental Internet Engineering Task Force (IETF) protocol called Web Bot Auth to cryptographically verify automated requests originating from bots and artificial intelligence agents.

The initiative aims to bolster cybersecurity by combating bot impersonation and spoofing, a persistent challenge for website operators and online services.

Web Bot Auth utilizes HTTP Message Signatures, defined under RFC 9421, which enables bots to sign their HTTP requests using cryptographic private keys. Websites can then validate these signatures against publicly available keys to confirm the identity of the requesting agent.

Google is authenticating a subset of signed Google-Agent requests through a dedicated endpoint at https://agent.bot.goog, according to the company.

The protocol has already garnered support from various bot-detection services, Content Delivery Networks (CDNs), and Web Application Firewalls (WAFs), Martin Splitt reported.

Thibault Meunier of Cloudflare and Sandor Major of Google co-authored the IETF draft for the protocol.

Google’s current implementation remains experimental, and not all Google user agents or requests are participating in the new verification process at this time, the company stated.

The company said the protocol seeks to provide a more reliable method for site owners to distinguish legitimate automated traffic from malicious activity.

Source: Search Engine Journal