Security Blog

The latest news and insights from Google on security and safety on the Internet

Content hosting for the modern web

August 29, 2012
Share on Twitter Share on Facebook
Google

18 comments :

oam said...

Interesting...
What about using a subdomain and having authentication cookies tied to *.domain.com with the HTTPOnly flag set? It does sound risky but I can't think of any attack.

August 29, 2012 at 1:37 PM
Unknown said...

It not only sounds risky, hosting user content on sub domains is risky. I've seen several times that this has opened the way to exploitation of session fixation issues. There are further attack vectors as cross domain policies, CORS or document.domain for such setups.

So putting user provided content in a separate domain is an very good idea.

August 29, 2012 at 2:09 PM
Michal Zalewski said...

oam: it's an improvement, but there are at least two problems with just using something like http[s]://userfiles.example.com/predictable_URL.pdf:

1) If the attacker knows the URL of any interesting private document within userfiles.example.com, and can host his own malicious file in the same origin, it is fairly easy to steal sensitive data.

2) Although httponly cookies can't be read back by scripts (spare for semi-frequent plugin bugs), they can be typically overwritten with some minimal effort - which will often have very serious consequences, especially for complex web apps.

August 29, 2012 at 2:25 PM
oam said...

Yeah it makes sense. Thanks !

August 29, 2012 at 2:37 PM
Unknown said...

Was the "Byte Order Mark (BOM) vulnerability reported to us by Masato Kinugawa" described anywhere in more detail?

August 29, 2012 at 6:35 PM
Michal Zalewski said...

Probably not in English :-) But the basic idea is that Internet Explorer would give precedence to BOM indicators in the file over charset= value present in Content-Type or META, allowing many documents to suddenly become UTF-7 or so.

I believe that Microsoft folks changed this behavior earlier this year.

August 29, 2012 at 7:02 PM
Will Sargent said...

To oam's question about subdomains, I believe that if you allow this and you have loose cookie rules, you are vulnerable to cookie tossing, aka "Same Origin Policy Abuse Techniques".

http://webapp-hardening.heroku.com/cookietossing

August 30, 2012 at 4:34 AM
Nathan Belomy said...

The internet takes the path of Linux/Unix. All the design flaws will be changed in time. Changing the entire internet protocol suite is option 2. Think about writing a replacement for TCP/IP, it's a funny one.

August 31, 2012 at 2:31 PM
Anonymous said...

Very informative post! Thanks a lot!

September 13, 2012 at 4:53 AM
Unknown said...

very informative point here.

September 15, 2012 at 4:20 AM
Web Hosting India said...

Security is one of the major issue with my website, I had my website with only HTML and was not using any dynamic feature expect some little things. After a good start I start to get success online and decide to go with a wordpress website, but within a few week after my new website launch, I felt real setback because my website was showing error and showing some hack message. Don't know enough about these, my developer fail to handle the situation so I got the website restored by my web host, but I am still worried if it will became much worse then ?

July 28, 2013 at 1:32 PM
Unknown said...

It’s great to see good information being shared and also to see fresh, creative ideas that have never been done before.

Hosting Services Karachi

October 31, 2013 at 7:21 AM
Unknown said...

I would like to say this is an excellent site that I have ever come across. Very informative. Please write more so that we can get more details.

Web Hosting

November 20, 2013 at 6:26 AM
Chris said...

Hey! This post couldn’t be written any better! Reading through this post reminds me of my good old room mate! He always kept talking about this. I will forward this article to him. Pretty sure he will have a good read. Many thanks for sharing!

Check also domeinnaam check Thanks!

January 5, 2014 at 9:48 PM
Unknown said...

Thank you buddy for sharing this stuff..

Linux Reseller

January 26, 2014 at 7:36 AM
Unknown said...

Ideally i think companies begin up with shared hosting services and move up to VPS /dedicated hosting. A nice brief on all types of hosting!

April 7, 2014 at 1:15 AM
Unknown said...

I think the web takes the way of Linux/Unix. All the outline defects will be changed in time. Changing the whole web convention suite is alternative 2. Ponder composing a swap for TCP/IP, its an amusing one. for more detail Click Here

May 21, 2014 at 9:27 AM
Unknown said...

At first glance cheap web hosting may seem unenchanting, however its study is a necessity for any one wishing to intellectually advance beyond their childhood. Though cheap web hosting is a favourite topic of discussion amongst monarchs, presidents and dictators, cheap web hosting is not given the credit if deserves for inspiring many of the worlds famous painters. The juxtapositioning of cheap web hosting with fundamental economic, social and political strategic conflict draws criticism from the easily lead, many of whom blame the influence of television.

July 17, 2014 at 1:13 PM

Post a Comment

  

Labels


  • #sharethemicincyber
  • #supplychain #security #opensource
  • android
  • android security
  • android tr
  • app security
  • big data
  • biometrics
  • blackhat
  • C++
  • chrome
  • chrome security
  • connected devices
  • CTF
  • diversity
  • encryption
  • federated learning
  • fuzzing
  • Gboard
  • google play
  • google play protect
  • hacking
  • interoperability
  • iot security
  • kubernetes
  • linux kernel
  • memory safety
  • Open Source
  • pha family highlights
  • pixel
  • privacy
  • private compute core
  • Rowhammer
  • rust
  • Security
  • security rewards program
  • sigstore
  • spyware
  • supply chain
  • targeted spyware
  • tensor
  • Titan M2
  • VDP
  • vulnerabilities
  • workshop


Archive


  •     2023
    • Mar
    • Feb
    • Jan
  •     2022
    • Dec
    • Nov
    • Oct
    • Sep
    • Aug
    • Jul
    • Jun
    • May
    • Apr
    • Mar
    • Feb
    • Jan
  •     2021
    • Dec
    • Nov
    • Oct
    • Sep
    • Aug
    • Jul
    • Jun
    • May
    • Apr
    • Mar
    • Feb
    • Jan
  •     2020
    • Dec
    • Nov
    • Oct
    • Sep
    • Aug
    • Jul
    • Jun
    • May
    • Apr
    • Mar
    • Feb
    • Jan
  •     2019
    • Dec
    • Nov
    • Oct
    • Sep
    • Aug
    • Jul
    • Jun
    • May
    • Apr
    • Mar
    • Feb
    • Jan
  •     2018
    • Dec
    • Nov
    • Oct
    • Sep
    • Aug
    • Jul
    • Jun
    • May
    • Apr
    • Mar
    • Feb
    • Jan
  •     2017
    • Dec
    • Nov
    • Oct
    • Sep
    • Jul
    • Jun
    • May
    • Apr
    • Mar
    • Feb
    • Jan
  •     2016
    • Dec
    • Nov
    • Oct
    • Sep
    • Aug
    • Jul
    • Jun
    • May
    • Apr
    • Mar
    • Feb
    • Jan
  •     2015
    • Dec
    • Nov
    • Oct
    • Sep
    • Aug
    • Jul
    • Jun
    • May
    • Apr
    • Mar
    • Feb
    • Jan
  •     2014
    • Dec
    • Nov
    • Oct
    • Sep
    • Aug
    • Jul
    • Jun
    • Apr
    • Mar
    • Feb
    • Jan
  •     2013
    • Dec
    • Nov
    • Oct
    • Aug
    • Jun
    • May
    • Apr
    • Mar
    • Feb
    • Jan
  •     2012
    • Dec
    • Sep
    • Aug
    • Jun
    • May
    • Apr
    • Mar
    • Feb
    • Jan
  •     2011
    • Dec
    • Nov
    • Oct
    • Sep
    • Aug
    • Jul
    • Jun
    • May
    • Apr
    • Mar
    • Feb
  •     2010
    • Nov
    • Oct
    • Sep
    • Aug
    • Jul
    • May
    • Apr
    • Mar
  •     2009
    • Nov
    • Oct
    • Aug
    • Jul
    • Jun
    • Mar
  •     2008
    • Dec
    • Nov
    • Oct
    • Aug
    • Jul
    • May
    • Feb
  •     2007
    • Nov
    • Oct
    • Sep
    • Jul
    • Jun
    • May

Feed

Follow
Give us feedback in our Product Forums.
  • Google
  • Privacy
  • Terms