Entries from July 2008
July 25th, 2008 — Sites
We know our users like to be able to customize their websites and wikis to their own style, and with our recent release we have added more flexibility and control over the layout of Google Sites. Now you can change the width of your sidebar and header (previously the height of the header was defined by the logo) or turn off the sidebar and header entirely. You now have control over the width of your site, which previously was always 100% of the browser width. You can also set the width of text boxes if you do not want your content to fill the whole space of the page by default.

Also in the latest release is tighter integration with Google Docs and Webmaster Tools. When you want to embed one of your Google Docs documents, spreadsheets or presentations, you can now conveniently select it from a list rather than pasting the URL into the document. With Google Webmaster Tools, it is easier to see how Google indexes your content, and if you enable the integration, you can also auto-generate a sitemap to submit to Google. (Learn more.)

There are several other small improvements in Google Sites that you may notice. Site editors can preview their site as it would look to a regular viewer. To do so just select, “More actions -> Preview as viewer.” In addition, if you don’t want viewers to have visibility into site activity, simply remove the element from the sidebar and the link will also be removed from the footer.
Posted by Adam Howell, Software engineer

July 16th, 2008 — Security
Written by Thomas Duebendorfer
In view of mass defacements of hundreds of thousands of web pages – with the intent to misuse them to launch drive-by download attacks – security researchers from ETH Zurich, Google, and IBM Internet Security Systems were interested in looking at the other side of the attack: the web browser. By analyzing the web browser versions seen in visits to Google websites, they have shown that more than 600 million Internet users don’t use the latest version of their browser.
Slow migration to latest browser version
The researchers’ paper, entitled “Understanding the Web Browser Threat”, shows that as of June 2008, only 59.1% of Internet users worldwide use the latest major version of their preferred web browser. Firefox users are the most attentive: 92.2% of them surfed with Firefox 2, the latest major version before the recently released 3.0. Only 52.5% of Microsoft Internet Explorer users have updated to version 7, which is the most secure according to multiple publicly-cited Microsoft experts (among them Sandi Hardmeier). The study revealed that 637 million Internet users worldwide who use web browsers are either not running the latest version of their preferred browser or have not installed the latest patches. These users are vulnerable to exploitation due to their web browser’s “built-in” vulnerabilities and the lack of more recent security mechanisms such as improved phishing protection.
Neglected security patches
Over the past 18 months, the study also shows, a maximum of 83.3% of Firefox users were using the latest major version of the web browser and also had all current patches installed (i.e. latest minor version). Only 56.1% and 47.6% of Opera and Internet Explorer users, respectively, were similarly utilizing fully-patched web browsers. Apple users are no better: since the public release of Safari 3, only 65.3% of users operate the latest Safari version.
Maximum measured share of users surfing the web with the most secure versions of Firefox, Safari, Opera and Internet Explorer in June 2008 as seen on Google websites.
Obsolete browser warning
The study’s most important finding is that technical measures now in place do not sufficiently guarantee browser security, and that users’ security awareness must be further developed. The problem is that most users are unaware that they are not using their browser’s latest version. It must be made clear to web browser users that outdated software is associated with significantly higher risk. The researchers therefore suggest that, as a critical component of web software, a visible warning be instituted that warns the user of missing security patches in a way analogous to the ‘best before’ date in the perishable food industry. Software updates must also be made easier to find. The resulting transparency would go far in contributing to end user awareness of software weaknesses, and allow users to better evaluate risks.
Example “best before” implementation on a Web browser
As a side effect, having users migrate faster to the latest browser version would not only increase security but also make the lives of webmasters easier, as they would need to test and optimize websites for fewer older versions of web browsers.
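The measurement described in this post, sketched as an added example (not code from the study or its authors): it classifies User-Agent headers by browser family and major version and reports the share on the latest major version. The sample headers are constructed, the function names are hypothetical, and the check is narrowed to major versions only, so patch-level (minor version) currency is not measured.

```python
import re
from collections import Counter

# Latest major versions as of June 2008, as named in the post above.
LATEST_MAJOR = {"Firefox": 2, "MSIE": 7, "Safari": 3}

# Constructed sample User-Agent headers (not data from the study).
SAMPLE_UAS = [
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.12) Gecko/20070508 Firefox/1.5.0.12",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)",
    "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_3; en-us) AppleWebKit/525.18 (KHTML, like Gecko) Version/3.1.1 Safari/525.20",
    "Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en) AppleWebKit/419.3 (KHTML, like Gecko) Safari/419.3",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 9.50",
]

def parse_browser(ua):
    """Return (family, major_version), or None for agents this sketch does not track."""
    if "Opera" in ua:  # Opera can present an MSIE token; do not count it as IE
        return None
    m = re.search(r"Firefox/(\d+)", ua)
    if m:
        return "Firefox", int(m.group(1))
    m = re.search(r"MSIE (\d+)", ua)
    if m:
        return "MSIE", int(m.group(1))
    if "Safari/" in ua:
        # Safari/NNN is the WebKit build; the product version is in Version/x (absent before Safari 3).
        m = re.search(r"Version/(\d+)", ua)
        return "Safari", int(m.group(1)) if m else 0
    return None

def latest_share(uas):
    """Fraction of visits per browser family that run the latest major version or newer."""
    total, latest = Counter(), Counter()
    for ua in uas:
        parsed = parse_browser(ua)
        if parsed is None:
            continue
        family, major = parsed
        total[family] += 1
        # ">=" so that a newer release (e.g. Firefox 3) is not counted as outdated.
        latest[family] += major >= LATEST_MAJOR[family]
    return {f: latest[f] / total[f] for f in total}

if __name__ == "__main__":
    print(latest_share(SAMPLE_UAS))
```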

July 10th, 2008 — Sites
The most popular request we have had since our launch has been the ability to change site URLs, and we are excited to announce our first set of features in this area. Now Google Apps domain administrators can map public sites hosted on Google Sites to their own domains. Sites can be mapped individually to a specific URL, like http://www.example.com, and as a group under a specific URL, like http://sites.example.com/[name of site].
Map a site to a specific URL
The standard URL of a site in Google Apps currently looks like http://sites.google.com/a/example.com/site-name, but now you can let users access your site at a URL on your domain that is easier to remember. The new location can be your domain home page or any sub-domain in your domain (e.g. http://www.example.com, http://info.example.com, http://wiki.example.com, etc.), and can be set up on the “Web Addresses” tab of the Sites service settings in your Google Apps control panel.


Change the root URL for all sites
If you have several sites, you can also make them automatically accessible at a designated URL on your domain. For example, instead of being at http://sites.google.com/a/example.com/site-name, the administrator can make them available at http://sites.example.com/site-name or at any other sub-domain.

Remember these new features are currently only available for public sites in Google Apps (mapped URLs to private sites will redirect to the standard URL). Stay tuned for more exciting domain mapping news for private sites and sites created under http://sites.google.com/site.
For more details on this topic and specific setup instructions, see our online help center.
While writing this post I learned about RFC 2606, which designates example.com as a domain that can be used for, well, examples. Doesn’t that make a lot of sense? I sure thought so.
Posted by Di Wang, Software Engineer

July 2nd, 2008 — Talk
Attention iPhone owners! You can now chat with all your Google Talk buddies while on the go. Our new version of Google Talk is designed specifically for the iPhone and runs in the iPhone’s browser, so you don’t need to download or install anything. Just visit http://www.google.com/talk on your iPhone, sign in, and start chatting. And because it is built for the browser, it will work on today’s iPhones as well as on tomorrow’s 3G iPhones.
If your business, school or organization uses Google Apps, you can instant message using your Google Apps account on your iPhone. From your iPhone’s browser, visit http://talkgadget.google.com/a/your-domain.com/talkgadget/m, but be sure to replace ‘your-domain.com’ with your actual domain name.
Happy mobile chatting!
Leo Dirac,
Product Manager

July 1st, 2008 — Security
Posted by Michal Zalewski
We’re happy to announce that we’ve just open-sourced ratproxy, a passive web application security assessment tool that we’ve been using internally at Google. This utility, developed by our information security engineering team, is designed to transparently analyze legitimate, browser-driven interactions with a tested web property and automatically pinpoint, annotate, and prioritize potential flaws or areas of concern.
The proxy analyzes problems such as cross-site script inclusion threats, insufficient cross-site request forgery defenses, caching issues, cross-site scripting candidates, potentially unsafe cross-domain code inclusion schemes and information leakage scenarios, and much more. (A more-detailed discussion of these features and information on securing vulnerable applications is provided here.) Compared with more-traditional active crawlers, or with fully manual request inspection and modification frameworks, this approach offers several significant advantages in terms of minimized overhead; marginalized risk of site disruptions; high coverage of complex, client-driven application states in web 2.0 solutions; and insight into dynamic cross-domain trust models.
We decided to make this tool freely available as open source because we feel it will be a valuable contribution to the information security community, helping advance the community’s understanding of security challenges associated with contemporary web technologies. We believe that responsible security research brings a net overall benefit to the safety of the Web as a whole, and have released this tool explicitly to support that kind of research.
To download the proxy, please visit this page. Also, please keep in mind that the proxy is designed solely to highlight interesting patterns in web applications, and a further analysis by a security professional is often required to interpret the results and their significance for the tested platform.
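To illustrate the passive approach described in this post, the added example below (not ratproxy's code or its actual heuristics) inspects already-recorded request/response pairs and annotates three of the problem classes the post lists, without sending any traffic of its own. The exchange records, the token pattern and the finding labels are assumptions made for illustration, and each finding is a candidate for manual review rather than a confirmed flaw.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed shape of an unpredictable anti-CSRF token: 16+ URL-safe/base64 characters.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_\-+/=]{16,}$")

# Constructed exchanges, as a proxy might record them from normal browsing.
EXCHANGES = [
    {"method": "POST", "url": "http://app.example.com/settings", "body": "email=a%40example.com",
     "req_headers": {"Cookie": "sid=abc"}, "resp_headers": {"Content-Type": "text/html", "Cache-Control": "private"}},
    {"method": "POST", "url": "http://app.example.com/settings", "body": "email=a%40example.com&tok=9f2c4e7a1b3d5f60a8c2",
     "req_headers": {"Cookie": "sid=abc"}, "resp_headers": {"Content-Type": "text/html", "Cache-Control": "private"}},
    {"method": "GET", "url": "http://app.example.com/contacts.js",
     "req_headers": {"Cookie": "sid=abc"}, "resp_headers": {"Content-Type": "application/javascript", "Cache-Control": "private"}},
    {"method": "GET", "url": "http://app.example.com/login",
     "req_headers": {}, "resp_headers": {"Content-Type": "text/html", "Set-Cookie": "sid=abc"}},
]

def has_token(ex):
    """True if any query or form parameter looks like an unpredictable token."""
    params = parse_qsl(urlsplit(ex["url"]).query) + parse_qsl(ex.get("body", ""))
    return any(TOKEN_RE.match(value) for _, value in params)

def findings(ex):
    """Annotate one recorded exchange with candidate issues for later review."""
    req = {k.lower(): v for k, v in ex["req_headers"].items()}
    resp = {k.lower(): v for k, v in ex["resp_headers"].items()}
    authed = "cookie" in req  # request carried session state
    out = []
    # State-changing request authenticated by cookie alone.
    if ex["method"] == "POST" and authed and not has_token(ex):
        out.append("csrf-candidate")
    # Script-like response tied only to cookies: loadable by another site via <script>.
    ctype = resp.get("content-type", "")
    if ex["method"] == "GET" and authed and re.search(r"json|javascript", ctype) and not has_token(ex):
        out.append("script-inclusion-candidate")
    # Response sets a cookie but does not forbid storage in caches.
    cache_control = resp.get("cache-control", "").lower()
    if "set-cookie" in resp and not re.search(r"no-store|no-cache|private", cache_control):
        out.append("cacheable-set-cookie")
    return out

if __name__ == "__main__":
    for ex in EXCHANGES:
        print(ex["method"], ex["url"], findings(ex))
```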
