Google Security Hole Shows Once Again That Web Hosting is Hard

I came across the headline on TechMeme last night. Tony Ruscoe discovered a Google security hole that allowed him to steal someone else’s cookie and access a wide range of services on the other person’s account, including Google Docs and Google Analytics.

Tony posted complete details on his exploit here. The security hole was related to a just-released feature on Blogger. Google began supporting custom domains last week. Tony noticed that Blogger had somehow allowed a customer to enter “ghs.google.com” as his blog’s domain name (possibly by mistake). He then signed up for a blog at “ghs.l.google.com”. When his friend Philipp loaded this URL in his browser, Tony was able to “borrow” Philipp’s Google cookie data:

“This can be easily achieved using some simple JavaScript that would read the cookie and place the data into a hidden form field element. The form could then be automatically submitted to another server which would be hosting a server-side script capable of logging the form data to a database, text file or send it in an email.”

To Google’s credit, it fixed the problem immediately. (Update: Philipp’s thoughts on Google security are well worth reading.) Still, the incident reminded me of a recent conversation with Lance Crosby over at SoftLayer about why hosting is hard. Lance said that Google and Microsoft and Amazon have tons of smart people, but they work from a different perspective compared with web hosting companies’ employees. When you’re building and managing infrastructure for internal projects, you’re serving a much more forgiving audience. For one, your co-workers will not comb your system for security loopholes. And they’ll put up with many shortcomings in their development environment – because what choice do they have?

In contrast, once you open up your hosting platform to the general public, suddenly you’re accountable for all kinds of issues that your internal user base would have overlooked. I think that’s one reason why Dan Golding from Tier 1 Research said that Amazon hasn’t developed competency as a hosting provider. They aren’t used to thinking like one. Yet.

What does this mean? First of all, Lance is totally right. Contrary to what everyone else keeps saying, a web host is not a better web host because of “better customer service”. You’re NOT ahead of Google because you offer 24/7 phone support. Instead, you have a bit of an advantage for the time being because your operations are optimized for maintaining a multi-user hosting environment.

But Google/Microsoft/Amazon (and other new players) are learning. In time, some – if not all – of them will improve their technology platform and update their operational procedures. Meanwhile, what are you doing to stay ahead of the game?
