Google Sites

Congratulations!


You've probably ended up here because you're looking to set up a custom domain for Google Apps, Blogger or Google Sites. But how did I get this page to be hosted here?

When the Google Sites Blog announced that they'd switched on custom domains for all users of Google Sites, I wondered whether the team remembered to disallow the ghs.google.com subdomain this time.

In their blog post announcing the feature, one of the Google Sites team said (and the emphasis is mine):

To ensure that only proper domain owners can make this change, you must be the owner or administrator of the domain and have access to change the domain CNAME records.

More accurately, you must be the owner or administrator of the domain and have access to change the CNAME records unless the domain is already resolving to ghs.google.com. So that includes any google.com subdomains which are already resolving to the ghs.google.com address. Which includes ghs.google.com itself and a few other google.com subdomains too.
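The ownership check described above, sketched as an added example (not code from this page or from Google): a mapping request passes when the name already resolves to ghs.google.com, so the hosting side also needs a reserved-name guard for its own zones. The function names, the reserved list and the sample DNS records are assumptions made for this illustration.

```python
# Added illustration: custom-domain mapping check with a reserved-name guard.
# All names here (RESERVED_SUFFIXES, can_map_domain, the sample records) are
# assumptions for this example, not Google's implementation.

CNAME_TARGET = "ghs.google.com"
RESERVED_SUFFIXES = ("google.com",)  # provider-owned zones, assumed list


def normalize(host):
    """Lower-case and strip the trailing root dot so comparisons are exact."""
    return host.strip().lower().rstrip(".")


def is_reserved(host):
    """True if host is a provider-owned name or any subdomain of one."""
    host = normalize(host)
    return any(host == s or host.endswith("." + s) for s in RESERVED_SUFFIXES)


def cname_points_at_target(host, resolve_cname, max_hops=5):
    """Follow the CNAME chain; the target itself counts as resolving to it."""
    host = normalize(host)
    for _ in range(max_hops):
        if host == CNAME_TARGET:
            return True
        nxt = resolve_cname(host)
        if nxt is None:
            return False
        host = normalize(nxt)
    return False


def can_map_domain(host, resolve_cname, check_reserved=True):
    """Return (allowed, reason). check_reserved=False models the flawed check."""
    if check_reserved and is_reserved(host):
        return False, "reserved provider domain"
    if not cname_points_at_target(host, resolve_cname):
        return False, "CNAME does not point at " + CNAME_TARGET
    return True, "ok"


# Constructed DNS data standing in for real lookups, so this runs offline.
SAMPLE_CNAMES = {
    "www.example.org": "ghs.google.com.",
    "blog.example.net": "hosting.example.net.",
}
lookup = SAMPLE_CNAMES.get
```

With `check_reserved=False` the CNAME test alone accepts ghs.google.com; with the guard on, the same request is refused before DNS is consulted.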

This isn't the first time this has happened either. The Blogger team forgot to do this when they enabled custom domains back in January 2007. Unfortunately, back then it created a security hole which would have allowed me to steal visitors' Google cookies and let me access their Google Account. (Fortunately for everyone, I'm a nice guy and I only created a proof of concept page before informing Google about the security hole.)

There's no need to worry this time though because you can't upload or create files which include JavaScript to Google Sites, so your cookies are safe! (And if you could, Google would have a much bigger problem on their hands because they already let you host your pages on the sites.google.com domain.)

I've not told Google about their mistake this time, so I'm just having a bit of fun to see how long this page will stay here...

Edit: It looks like they noticed and stopped the ghs.google.com domain from being mapped to this site around 30-60 minutes after I published the page. Well done!

Anyway, thanks for visiting!

Tony Ruscoe
http://ruscoe.net

7 August 2008 22:19 (BST)