Blogger.com gets a "D" and yes, that's a problem

-

Moral: implement security before something bad happens

So here I am, starting a blog about web security on Blogger.com. I figured it made sense to check out the web site I'm blogging on… sort of the blogging equivalent of eating your own dog food. So I headed over to The Mozilla Foundation's Observatory service and typed in the domain www.blogger.com.

The results were not good:

OK, wait… isn't Blogger run by Google? Y'know, the world dominating web site run by yuppies sipping fancy coffee drinks? The site that's getting tougher about alerting people about insecure websites?

I was a little surprised.

An obvious question is who to believe. Blogger.com isn't some little home grown website. It's one of the biggest blogging platforms in the world and it's run by Google, one of the biggest websites in the world. Google has an excellent reputation for security. As I pointed out, they're getting aggressive about encouraging everyone to use HTTPS (and not everyone likes it).

But… Google is - not - perfect. Yes, Google can be hacked too. Let's not assume that just because they're Google they don't make mistakes.

In an effort to get Google's thoughts on this poor security rating, I posted on their products forum. I didn't hear from Google themselves, but I did get a thoughtful response from Adam * Blogger TC, a regular on Blogger. Adam asked the reasonable question "What vulnerabilities worry you?", to which I said that Observatory's report can answer that much better than I can, and referred him to their page.

I'm going to stick by my response that Mozilla gives the best explanations about the pronblems, but to summarize, Blogger's poor content security policy does little to reduce the risk of cross site scripting, which is a common way to change or take control of a web site.

After quite accurately pointing out that security is also the blogger's (i.e., my) responsibility, he said that the blogger's security is "a security problem that is real, not just theoretical".

That's exactly the sort of thinking that gets us in trouble. Security isn't "theoretical". It's what you do to avoid real-world problems.

One of the biggest challenges with security is motivation. Security doesn't usually give you that satisfied feeling like you get from a pretty web page. Bosses rarely look at your web design and say "Wow, that sure is secure!". In fact, the problem is so significant that I made a meme to get the point across.

My point here is simple: security is proactive. You have to do it before something bad happens. Don't wait until theoretical becomes problematic. If security efforts seem annoying, think how much worse getting hacked would be.

Comments

Post a Comment

Popular posts from this blog

An Irishman's view of web security

-
Image
Sometimes I joke that I know about web security because I'm Irish. Think that's silly? Consider what happened just last week... I needed some information from a government website. I went to their search page, typed in my name, and found myself in a familiar situation: I knew the signs right away, but just to be sure, I typed in a different name: Smith . The search worked just fine. Robinson : fine. Blahblahblah : no problem. Then I tried my name again: O'Sullivan . Sure enough: search error. So what's going on there? Why does my name trigger an error but the Smith's, Robinson's, and Blahblahblah's have no problem? I told you, it's because I'm Irish. OK… maybe I could be a little more specific. See, it's that apostrophe in my last name. Somebody wrote a database query for that website, and they did a lousy job of it. When that poorly written query hits an apostrophe it blows up, and those of us with Irish surnames like O'
Read more