
Google Security Hole Shows Once Again That Web Hosting is Hard

I came across the headline on TechMeme last night. Tony Ruscoe discovered a Google security hole that allowed him to steal someone else's cookie and access a wide range of services on the other person's account, including Google Docs and Google Analytics.

Tony posted complete details on his exploit here. The security hole was related to a just-released feature on Blogger. Google began supporting custom domains last week. Tony noticed that Blogger had somehow allowed a customer to enter "ghs.google.com" as his blog's domain name (possibly by mistake). He then signed up for a blog at "ghs.l.google.com". When his friend Philipp loaded this URL in his browser, Tony was able to "borrow" Philipp's Google cookie data:

"This can be easily achieved using some simple JavaScript that would read the cookie and place the data into a hidden form field element. The form could then be automatically submitted to another server which would be hosting a server-side script capable of logging the form data to a database, text file or send it in an email."

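The post does not say how Google's cookies were scoped. As an added example (not code from the original post or from Tony's write-up), the sketch below assumes a session cookie set with `Domain=google.com` and applies the RFC 6265 domain-match rule to show why a page served from `ghs.l.google.com` could read it, and which cookie attributes would have kept it out of reach. The cookie names are constructed for illustration.

```javascript
// Added example: which cookies can a script running on a given host read?
// Implements the RFC 6265 domain-match rule plus the HttpOnly check.
// (IP-address hosts are out of scope for this sketch.)

// Constructed sample cookies; names are illustrative, not Google's real ones.
const cookieJar = [
  // Domain attribute set: shared with every subdomain of google.com.
  { name: "SESSION_WIDE", domain: "google.com", hostOnly: false, httpOnly: false },
  // Same scope, but HttpOnly hides it from document.cookie.
  { name: "SESSION_HTTPONLY", domain: "google.com", hostOnly: false, httpOnly: true },
  // No Domain attribute: host-only, tied to the exact host that set it.
  { name: "SESSION_HOSTONLY", domain: "www.google.com", hostOnly: true, httpOnly: false },
];

// True when the browser would attach the cookie to a request for `host`.
function domainMatches(host, cookie) {
  const h = host.toLowerCase();
  const d = cookie.domain.toLowerCase().replace(/^\./, ""); // leading dot is ignored
  if (cookie.hostOnly) return h === d;       // exact match only
  return h === d || h.endsWith("." + d);     // the domain itself or any subdomain
}

// Cookies the browser sends with HTTP requests to `host`.
function sentInRequests(host, jar) {
  return jar.filter((c) => domainMatches(host, c)).map((c) => c.name);
}

// Cookies that page script on `host` can see through document.cookie.
function readableByScript(host, jar) {
  return jar
    .filter((c) => domainMatches(host, c) && !c.httpOnly)
    .map((c) => c.name);
}

// A user-controlled page on a subdomain sees the domain-wide cookie only.
console.log(readableByScript("ghs.l.google.com", cookieJar));
// The HttpOnly cookie still travels in requests, but script cannot read it.
console.log(sentInRequests("ghs.l.google.com", cookieJar));
```

Serving customer-controlled content from a separate registrable domain, rather than a subdomain of the one that holds session cookies, removes the domain-match entirely.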
To Google's credit, it fixed the problem immediately. (Update: Philipp's thoughts on Google security are well worth reading.) Still, the incident reminded me of a recent conversation with Lance Crosby over at SoftLayer about why hosting is hard. Lance said that Google and Microsoft and Amazon have tons of smart people, but they work from a different perspective compared with web hosting companies' employees. When you're building and managing infrastructure for internal projects, you're serving a much more forgiving audience. For one, your co-workers will not comb your system for security loopholes. And they'll put up with many shortcomings in their development environment - because what choice do they have?

In contrast, once you open up your hosting platform to the general public, suddenly you're accountable for all kinds of issues that your internal user base would have overlooked. I think that's one reason why Dan Golding from Tier 1 Research said that Amazon hasn't developed competency as a hosting provider. They aren't used to thinking like one. Yet.

What does this mean? First of all, Lance is totally right. Contrary to what everyone else keeps saying, web hosts don't make better web hosts because of "better customer service". You're NOT ahead of Google because you offer 24/7 phone support. Instead, you have a bit of an advantage for the time being because your operations are optimized for maintaining a multi-user hosting environment.

But Google/Microsoft/Amazon (and other new players) are learning. In time, some - if not all - of them will improve their technology platform and update their operational procedures. Meanwhile, what are you doing to stay ahead of the game?

Comments
Throughout some of these blogs large companies like Google, Amazon and Microsoft are described as assuming a role in the web hosting arena like they are "The Nothing" from "The Never Ending Story" coming to consume in one way or another, other hosts regardless of quality or staffing. The point seems to be doing something extraordinary, which I think is a dialect of Marketing. I think messages of this type are innovative, but may stem from fearing what is described as the inevitable.

Staying ahead of the game is a great way of provoking thought and perhaps a fundamental methodology. The question is, to be afraid of the larger entities, or perhaps outwit them with quick and nimble methods with our more flexible organizations and teams? Niche “web hosters” should form a stronger community together so that when that time comes we are able to combat the “larger forces” of the industry. I’ve heard Google called worse.
# Posted By Craig Brown | 1/15/07 12:48 PM
Hey Craig,

In Netcraft's latest web server survey, 46% of the new hostnames that appeared online last month came from Microsoft and Google. I think that's pretty extraordinary.

As for being quick and nimble with our more flexible organizations? I think that's a great idea. Unfortunately, I feel like most web hosting providers are innovating *less* quickly than Google, Amazon and Microsoft.

Would it help if web hosters banded together? I'm not sure I see how that would help combat new competition. For instance, I was reading a New York Times article about corporate workers who are auto-forwarding emails from their companies' Exchange servers to Gmail and Yahoo! mail accounts.

http://www.nytimes.com/2007/01/11/technology/11ema...

As you see, size is not what drives adoption. Microsoft is bigger than Google, but it was not able to combat end users' desire to use Gmail.

So the question for hosting providers is, what kind of services would end users really, really like? For instance, it seems people might not be attracted by the hundreds - or even thousands - of POP mailboxes that every shared hosting company offers, when they seem to be forwarding their messages to Gmail anyway??
# Posted By Isabel Wang | 1/15/07 3:52 PM
Of course to some extent web hosting is hard, but doesn't it also show our weakness in not being able to raise the standard according to the varied and rising needs with the passage of time?
# Posted By Faisal Abdullah | 3/16/08 1:41 PM
 
 
