Blogger.com gets a "D" and yes, that's a problem

Moral: implement security before something bad happens

So here I am, starting a blog about web security on Blogger.com. I figured it made sense to check out the web site I'm blogging on… sort of the blogging equivalent of eating your own dog food. So I headed over to The Mozilla Foundation's Observatory service and typed in the domain www.blogger.com.

The results were not good:

OK, wait… isn't Blogger run by Google? Y'know, the world dominating web site run by yuppies sipping fancy coffee drinks? The site that's getting tougher about alerting people about insecure websites?

I was a little surprised.

An obvious question is who to believe. Blogger.com isn't some little home grown website. It's one of the biggest blogging platforms in the world and it's run by Google, one of the biggest websites in the world. Google has an excellent reputation for security. As I pointed out, they're getting aggressive about encouraging everyone to use HTTPS (and not everyone likes it).

But… Google is - not - perfect. Yes, Google can be hacked too. Let's not assume that just because they're Google they don't make mistakes.

In an effort to get Google's thoughts on this poor security rating, I posted on their products forum. I didn't hear from Google themselves, but I did get a thoughtful response from Adam * Blogger TC, a regular on Blogger. Adam asked the reasonable question "What vulnerabilities worry you?", to which I said that Observatory's report can answer that much better than I can, and referred him to their page.

I'm going to stick by my response that Mozilla gives the best explanations of the problems, but to summarize, Blogger's poor content security policy does little to reduce the risk of cross-site scripting, which is a common way to change or take control of a web site.
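To make the content security policy point concrete, here is a small checker, added for this post rather than taken from Blogger, Google, or Observatory, that parses a CSP header and reports the weaknesses that matter for cross-site scripting. The two policies it ships with are constructed for illustration and are not Blogger's real headers; the nonce value is a placeholder.

```python
"""Spot Content-Security-Policy weaknesses that leave XSS unmitigated.

Constructed example: the policies below are illustrative and are not
any real site's headers.
"""
from typing import Dict, List, Optional

# Constructed policies (assumptions for this example, not Blogger's real CSP).
PERMISSIVE_CSP = "default-src * 'unsafe-inline' 'unsafe-eval'; img-src *"
STRICT_CSP = (
    "default-src 'none'; script-src 'self' 'nonce-abc123'; "
    "style-src 'self'; img-src 'self'; object-src 'none'; base-uri 'self'"
)

HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
WILDCARDS = ("*", "http:", "https:")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}.

    Directives are separated by ';' and tokens by whitespace; when a
    directive is repeated, the first occurrence wins, as in browsers.
    """
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, sources)
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Sources governing a fetch directive: the directive itself, else
    default-src, else None meaning the browser applies no restriction."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


def script_findings(header: str) -> List[str]:
    """Return human-readable weaknesses relevant to cross-site scripting."""
    policy = parse_csp(header)
    findings: List[str] = []

    scripts = effective_sources(policy, "script-src")
    if scripts is None:
        findings.append("no script-src/default-src: any script, inline or remote, may run")
    else:
        has_nonce_or_hash = any(s.startswith(HASH_OR_NONCE) for s in scripts)
        # CSP level 2+ browsers ignore 'unsafe-inline' once a nonce or hash is present,
        # so only flag it when nothing overrides it.
        if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
            findings.append("'unsafe-inline' lets an injected inline <script> execute")
        if "'unsafe-eval'" in scripts:
            findings.append("'unsafe-eval' lets eval()/Function() run injected strings")
        if any(s in WILDCARDS for s in scripts):
            findings.append("wildcard script source allows scripts from any origin")

    objects = effective_sources(policy, "object-src")
    if objects is None or any(s in WILDCARDS for s in objects):
        findings.append("object-src unrestricted: plugin content can be embedded")
    return findings


if __name__ == "__main__":
    for label, csp in (("permissive", PERMISSIVE_CSP), ("strict", STRICT_CSP)):
        print(f"{label}: {script_findings(csp) or ['no XSS-relevant weaknesses found']}")
```

Run it and the permissive policy produces four findings while the strict one produces none; the difference is exactly what Observatory is grading. Paste your own site's header into `script_findings` to see which of the four gaps it leaves open.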

After quite accurately pointing out that security is also the blogger's (i.e., my) responsibility, he said that the blogger's security is "a security problem that is real, not just theoretical".

That's exactly the sort of thinking that gets us in trouble. Security isn't "theoretical". It's what you do to avoid real-world problems.

One of the biggest challenges with security is motivation. Security doesn't usually give you that satisfied feeling like you get from a pretty web page. Bosses rarely look at your web design and say "Wow, that sure is secure!". In fact, the problem is so significant that I made a meme to get the point across.

My point here is simple: security is proactive. You have to do it before something bad happens. Don't wait until theoretical becomes problematic. If security efforts seem annoying, think how much worse getting hacked would be.
