Google Apps Domain Verification


3 replies to this topic

#1 whitemark

Posted 24 February 2007 - 02:42 AM

Wonder if this could be exploited - inurl:googlehostedservice.html.

#2 JohnMu

Posted 24 February 2007 - 03:43 AM

I doubt it. You can also find the domain verification data for many sites that use the Google Webmaster Central -- it's often just a meta-tag on the homepage. Of course if you can change the contents of that page, I'm sure you could break their usage of the services, but if you can change the contents of that page, you can probably do lots of other nasty things anyway....

Where do you see the security issue in being able to spot that information? Is it problematic to know that they're using the service?

John

#3 whitemark

Posted 24 February 2007 - 04:04 PM

> Where do you see the security issue in being able to spot that information? Is it problematic to know that they're using the service?

In some ways yes. The more a cracker knows about the system, the more avenues he has to work on - Google Security Holes.

Edited by whitemark, 24 February 2007 - 04:06 PM.


#4 JohnMu

Posted 24 February 2007 - 04:48 PM

Of course that's true - the more a hacker can find out about a site, the more possible exploits are available to play with. However, this is true all the way down to the webserver / operating system level -- you can check server headers and run attacks against that. Running attacks against the known usage of Google Apps seems as probable as running attacks against any other known system (powered by phpbb, etc.).

Google Apps is a bit different though (at least as I understand it, please correct me if I'm wrong): it is hosted with Google and always up to date.

This is good: you don't have to chase patches and can't get hit with last week's exploit.

This is also bad: if you have a known exploit and can apply it in a massive, high-speed, high-penetration fashion (Warhol worm, etc.) you could exploit all sites using Google Apps simultaneously. That would be "really bad" ™. But at the same time, it could happen to the current batch of Linux or Windows servers as well; it all depends on the market penetration.

I would be willing to bet that Google knows that a high-speed attack could cause problems and they almost have to have systems in place that can keep something like that from exploiting the whole infrastructure at once.

Personally, I would feel safer with a powerful and experienced application hoster keeping up with security issues than having to handle it all myself (staying informed, adjusting settings, installing patches, making sure it still works, etc). I don't know how Google will handle it for the small customer, but even though they have had security issues, they are usually very quick at fixing them.

Without a track-record, it's hard to say how fast they'll be when a security issue is known (and there are always security issues) or how often and how important those security issues will be.

John
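
An added example, not part of the original thread or any poster's code: a self-audit that lists what a visitor can already read from a site's own response, covering the verification meta tag and the server headers discussed above. The sample response, the token and the `ExampleForum` name are constructed; `verify-v1` and `google-site-verification` are the meta names Google has used for site verification.

```python
from html.parser import HTMLParser

# Meta names Google has used for site verification (older and current form).
VERIFICATION_META = {"verify-v1", "google-site-verification"}
# Response headers that commonly name the server software and its version.
BANNER_HEADERS = {"server", "x-powered-by"}


class MetaCollector(HTMLParser):
    """Collects (name, content) pairs from <meta> tags."""

    def __init__(self):
        super().__init__()
        self.meta = []

    def handle_starttag(self, tag, attrs):
        if tag == "meta":
            a = {k: (v or "") for k, v in attrs}
            if "name" in a:
                self.meta.append((a["name"].lower(), a.get("content", "")))


def disclosure_inventory(headers, html):
    """Return (kind, name, value) for each item a passive visitor can read."""
    findings = []
    for name, value in headers.items():
        if name.lower() in BANNER_HEADERS:
            findings.append(("software-banner", name, value))
    parser = MetaCollector()
    parser.feed(html)
    for name, content in parser.meta:
        if name in VERIFICATION_META:
            # Public by design: shows which service is in use, not a credential.
            findings.append(("service-verification", name, content))
        elif name == "generator":
            findings.append(("software-banner", name, content))
    return findings


# Constructed sample response for a hypothetical site (not real data).
SAMPLE_HEADERS = {"Server": "Apache/2.0.52 (Unix)", "X-Powered-By": "PHP/4.4.4",
                  "Content-Type": "text/html"}
SAMPLE_HTML = """<html><head>
<meta name="verify-v1" content="CONSTRUCTED-TOKEN-0000=">
<meta name="generator" content="ExampleForum 1.0">
<title>Example</title></head><body>Hello</body></html>"""

if __name__ == "__main__":
    for kind, name, value in disclosure_inventory(SAMPLE_HEADERS, SAMPLE_HTML):
        print(f"{kind:22} {name:14} {value}")
```

Of the two kinds reported, the software banners are the ones a site owner can usually trim in server configuration; the verification tag has to stay readable for the service to check it.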


