http://strom.com/awards/325.html
If you are using SBC to host
your Web site, you might want to think about finding someone else. Your site
may be at risk due to their lack of security.
The problem, which was
brought to my attention by one of SBC's hosting customers and since confirmed
by the company, has to do with the browser-based "control panel"
application that users run to maintain their sites. I think the level of potential
exposure is high, which is unfortunate.
There are several issues.
First, the login process is done over an ordinary, unsecured browser link,
rather than over a secured (SSL) and encrypted link. This means that anyone who
monitors the path between your browser and SBC's servers can hijack your
password. SBC says, "We understand that
customers want the added sense of security that an SSL-based control panel
access method would provide. We are working to implement a new login system
that will operate using SSL. We anticipate that it will be ready for
customer use later this summer." That is unacceptable, given that they
have heard about this for several months. It should be fixed pronto.
Second, while a
secure connection would be nice, they go a step further in terms of exposure
and reveal the user's password in clear text as one of the fields on the
control panel's pages. This increases the risk of an account being hijacked,
because not only are customers at risk when they log in, but now a hacker could
monitor the SBC network and collect numerous outbound passwords of many
customers quite easily. Plus, as my friend points out, since the password is
displayed as part of the page, anyone walking by your office can easily see it.
Again, this is unacceptable.
A third problem is that SBC sets a session cookie at
login time and doesn't provide any logout function. This means anyone with access
to your machine can log onto the site, even if you are no longer browsing the
control panel pages. Once you have logged in, you cannot prevent further access
without quitting the browser. My friend claims that SBC should at least warn
its customers that this is happening, but doesn't. In fact, SBC has a privacy
policy that contradicts this practice, so you could argue that they are
somewhat misleading.
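All three problems described above can be checked from a single fetched control panel page and its response headers. The following is an added example, not code from this column or from SBC; the field-name and logout-link heuristics, the finding codes and the sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
class PanelParser(HTMLParser):
    """Collects password-like inputs (with their form target) and logout links."""
    def __init__(self):
        super().__init__()
        self.inputs, self.has_logout, self._action = [], False, None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._action = a.get("action") or ""
        elif tag == "input":
            self.inputs.append((self._action, a))
        # Heuristic (assumption): a link or form target naming a logout action.
        target = a.get("href") or a.get("action") or ""
        if tag in ("a", "form") and re.search(r"log.?out|sign.?out", target, re.I):
            self.has_logout = True
    def handle_endtag(self, tag):
        if tag == "form":
            self._action = None

def audit_panel(page_url, set_cookie_headers, html):
    """Return sorted finding codes for one fetched control-panel page."""
    parser, findings = PanelParser(), set()
    parser.feed(html)
    for action, a in parser.inputs:
        kind = (a.get("type") or "text").lower()
        name = (a.get("name") or "").lower()
        if kind != "password" and not re.search(r"pass|pwd", name):
            continue
        # Issue 1: the credential travels to a URL that is not HTTPS.
        if urlsplit(urljoin(page_url, action or "")).scheme != "https":
            findings.add("CREDENTIALS_NOT_TLS")
        # Issue 2: the server wrote the password back into the page.
        if a.get("value"):
            findings.add("PASSWORD_ECHOED")
            if kind != "password":  # rendered readable on screen as well
                findings.add("PASSWORD_VISIBLE")
    # Issue 3: a cookie keeps the session alive and nothing ends it.
    if set_cookie_headers and not parser.has_logout:
        findings.add("NO_LOGOUT")
    return sorted(findings)
# Constructed sample (not captured from any real site).
SAMPLE_URL = "http://panel.example.test/account"
SAMPLE_COOKIES = ["SESSION=abc123; path=/"]
SAMPLE_HTML = """<form action="/update" method="post">
<input type="text" name="password" value="hunter2"></form>
<a href="/files">File manager</a>"""
```

Calling `audit_panel(SAMPLE_URL, SAMPLE_COOKIES, SAMPLE_HTML)` reports all four codes for the constructed page; a page served over HTTPS with an empty password field and a logout link reports none.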
When I brought
this to the attention of SBC (which wasn't easy, because there isn't any
contact information on their Web site), they spoke about many of the security
practices that they have put in place to protect their customers' data. All
well and good, but these three loopholes are big enough to negate all their
other practices and drive the virtual truck through. I told my friend to move
to another hosting provider as soon as possible. Clearly, SBC isn't really all
that interested in best security practices.
The problem with
Web sites is that they are only as strong as their weakest links. And when you
use a hosting provider, you are at their mercy in terms of the security
policies that they choose to implement.
The security issues are compounded when you begin to take advantage of more than just serving up static HTML pages, and get more involved in implementing Web services and Web-based applications that take advantage of databases, XML, and SOAP applications. This is because you have applications that are communicating with the Web server, and locking down these application-to-application pathways can become very difficult and require a great deal of expertise. Given that fairly large companies like SBC can't even deliver secure static Web hosting, what are the chances that smaller companies can step up to the task of securing these more complex situations? I'll have more to say on this topic next week. In the meantime, if your hosting provider isn't providing sufficient security, now is the time to look around for someone who does.