Saturday, April 11, 2009

The Many Faces Of Google

Many bloggers are totally unaware of how many different domains make up the Blogger and Google address space. Daily, we see passionate yet vague problem reports
  • My Followers gadget doesn't show any pictures.
  • The links in my Navbar don't do anything when you click on them.
  • I can't publish a post - the buttons don't work (aren't there in the toolbar).
  • The feed gadgets on my blog don't update.
Each of these complaints, phrased as they are, result in part from bloggers who don't understand how many addresses (domains) Blogger and Google use, in providing us the ability to publish and maintain our blogs, and in providing our readers with the ability to view and to enjoy our blogs.

Most of us are aware of the dual nature of Blogger / BlogSpot, hopefully when we setup and maintain security settings in our browser.
  • Blogger contains the code ("scripts") that lets us setup and maintain our blogs. We will have to trust Blogger, since it contains the code that lets us setup and maintain our blogs.
  • Blog*Spot contains the published versions of our blogs - when we don't publish to external URLs. We should not trust BlogSpot, to the same level as we trust Blogger, since it contains blogger modifiable code. There are similar Google domains, which we should trust only conditionally.


If you secure your computer, and your browser, you know about the need to designate trusted domains (or block some domains) - and there are more domains which you need to consider, besides the two described above.

If you use Firefox with NoScript (which is my hope), you may have seen mysterious domains show up in your NoScript popup menu. NoScript, which provides Unix like security ("deny by default, permit by exception"), sees many Blogger / Google scripts as potential clickjack or cross site scripting exploits.

If you use Internet Explorer, you have the Internet Properties - Security - Trusted sites wizard, where you may need to add (or remove) some entries.

All browsers - Firefox, Internet Explorer, and others - will need cookies enabled for these domains. Besides enabling these specific domains to create and read their own cookies, you will, quite likely, need to allow for access to third party cookies. Note that cookies (which you should enable for BlogSpot) are separate from scripts (which, as noted above, you should not enable for BlogSpot).

Note also that each browser contains native settings for both cookies and scripts. It's also possible to install add-on software which gives us greater control over cookies, and over scripts, in either browser. Additionally, some anti-malware and firewall suites, installed to the operating system, will contain cookie and / or script control software. All of these possible security components may need to be configured to allow for these many domains involved.

So check your browser security settings, and decide how much trust you can provide for scripts, provided by the various Google domains.
  • google.com can always be trusted.
  • gmodules.com can be trusted.
  • google-analytics.com can be trusted.
  • googleads.com can probably be trusted - if you enjoy ads displayed on your computer.
  • googleapis.com can probably be trusted.
  • googlesyndication.com can probably be trusted.
  • googleusercontent.com must be very discrimininately trusted - it contains user contributed code, which has been used in malicious attacks. If you are viewing this article while configuring NoScript as a Firefox add-on, you should specifically not trust googleusercontent.com, while you are removing dodgy code from your blog.
  • gstatic.com can probably be trusted.


The next time that you (or another blogger - maybe one of your readers) needs to make a problem report similar to one of the scenarios enumerated above, ask yourself what domain is involved, and what security settings you use for that domain, before complaining to Blogger Help Group
It isn't working - again. What did Blogger break this time?


>> Top

No comments: