Web Informant #325, 21 April 2003:

Problems with SBC Web hosting




If you are using SBC to host your Web site, you might want to think about finding someone else. Your site may be at risk due to their lack of security.


The problem, which was brought to my attention by one of SBC's hosting customers and since confirmed by the company, has to do with the browser-based "control panel" application that users run to maintain their sites. I think the level of potential exposure is high, and that is unfortunate.


There are several issues. First, the login process is done over an ordinary, unsecured browser link, rather than over a secured (SSL) and encrypted link. This means that anyone who monitors the path between your browser and SBC's servers can hijack your password. SBC says, "We understand that customers want the added sense of security that an SSL-based control panel access method would provide. We are working to implement a new login system that will operate using SSL. We anticipate that it will be ready for customer use later this summer." That is unacceptable, given that they have heard about this for several months. It should be fixed pronto.


Second, while a secure connection would be nice, they go a step further in terms of exposure and reveal the user's password in clear text as one of the fields on the control panel's pages. This increases the risk of an account being hijacked, because not only are customers at risk when they log in, but now a hacker could monitor the SBC network and collect numerous outbound passwords of many customers quite easily. Plus, as my friend points out, since the password is displayed as part of the page, anyone walking by your office can easily see it. Again, this is unacceptable.

A third problem is that SBC sets a session cookie at login time and doesn't provide any logout function. This means anyone with access to your machine can log onto the site, even if you are no longer browsing the control panel pages. Once you have logged in, you cannot prevent further access without quitting the browser. My friend claims that SBC should at least warn its customers that this is happening, but doesn't. In fact, SBC has a privacy policy that contradicts this practice, so you could argue that they are somewhat misleading.
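
The three weaknesses above can be checked against the pages of a control panel you administer. The following is an added example, not code from this newsletter or from SBC; the function name, the finding labels, the "logout"/"signout" link heuristic and the sample data are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _PanelParser(HTMLParser):
    """Collects prefilled <input> values and <a>/<form> targets from a page."""

    def __init__(self):
        super().__init__()
        self.input_values = []  # non-empty value="" attributes of <input> fields
        self.targets = []       # href/action targets, lowercased

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("value"):
            self.input_values.append(a["value"])
        elif tag in ("a", "form"):
            self.targets.append((a.get("href") or a.get("action") or "").lower())


def audit_panel(login_url, set_cookie_headers, page_html, password):
    """Return findings for the three weaknesses described in the article."""
    findings = []
    # 1. Login submitted over plain HTTP instead of an SSL-protected link.
    if urlparse(login_url).scheme != "https":
        findings.append("login-not-encrypted")
    # 2. The account password echoed back in clear text as a page field.
    parser = _PanelParser()
    parser.feed(page_html)
    if password in parser.input_values:
        findings.append("password-echoed-in-page")
    # 3. A session cookie (no Expires/Max-Age) is set, but the page offers
    #    no logout link or form, so only quitting the browser ends access.
    has_session = any("expires=" not in h.lower() and "max-age=" not in h.lower()
                      for h in set_cookie_headers)
    has_logout = any("logout" in t or "signout" in t for t in parser.targets)
    if has_session and not has_logout:
        findings.append("session-without-logout")
    return findings


# Constructed sample data, not captured from any real service.
SAMPLE_URL = "http://panel.example.com/login"
SAMPLE_COOKIES = ["SESSIONID=abc123; Path=/"]
SAMPLE_PAGE = """<form action="/update"><input name="user" value="alice">
<input type="text" name="pw" value="s3cret-example"></form>
<a href="/files">Files</a>"""

if __name__ == "__main__":
    print(audit_panel(SAMPLE_URL, SAMPLE_COOKIES, SAMPLE_PAGE, "s3cret-example"))
```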


When I brought this to the attention of SBC (which wasn't easy, because there isn't any contact information on their Web site), they spoke about many of the security practices that they have put in place to protect their customers' data. All well and good, but these three loopholes are big enough to negate all their other practices and drive the virtual truck through. I told my friend to move to another hosting provider as soon as possible. Clearly, SBC isn't really all that interested in best security practices.


The problem with Web sites is that they are only as strong as their weakest links. And when you use a hosting provider, you are at their mercy in terms of the security policies that they choose to implement.


The security issues are compounded when you begin to take advantage of more than just serving up static HTML pages, and get more involved in implementing Web services and Web-based applications that take advantage of databases, XML, and SOAP applications. This is because you have applications that are communicating with the Web server, and locking down these application-to-application pathways can become very difficult and require a great deal of expertise. Given that fairly large companies like SBC can't even deliver secure static Web hosting, what are the chances that smaller companies can step up to the task of securing these more complex situations? I'll have more to say on this topic next week. In the meantime, if your hosting provider isn't providing sufficient security, now is the time to look around for someone who does.