Friday, March 28, 2008

The Elastic IP Addresses allow Amazon Web Services users to set up static IP addresses, making it easy to host websites, web services and other online applications using Amazon EC2. Users can programmatically map the static IP addresses to any of their instances, making it easy to recover from instance failures.

By default, users are limited to a total of 5 Elastic IP Addresses, although additional IP addresses can be requested from Amazon. To ensure customers use the Elastic IP Addresses associated with their account, a $0.01 per hour charge is applied when each IP is not mapped to an instance.

The Availability Zones feature makes it easy and relatively inexpensive to operate a highly available internet application. Availability Zones are designed to be protected from failures in other Availability Zones, so by spreading an application across several zones, it can be better protected against power failures or network downtime.

This is not Amazon's first foray into web hosting - a number of high profile sites have been working with Amazon's Enterprise Solutions group for a few years, including Marks and Spencer, which signed a deal with Amazon in 2005. Amazon were to provide the technology behind the Marks and Spencer website as well as systems for customer service and ordering.

Other companies that are hosted by Amazon include Timex, Sears Canada and Benefit Cosmetics.

While the complexities of web hosting with Amazon's EC2 platform may appear rather daunting to the majority of web site owners, the service will no doubt appeal to existing owners of dedicated servers who want further scalability or wish to make their sites highly available at a reasonable cost.

Amazon's pricing for the EC2 service depends on a variety of factors. A single default "small" instance, with 1.7GB of memory and 160GB of storage, costs $0.10 per hour to run, with additional charges for data transfer and unused Elastic IP Addresses. An extra large instance costs $0.80 per hour and features 15GB of memory, 1690GB of storage and 4 virtual cores.

Internet data transfer costs depend upon the direction of the data. All data transfered in is charged at $0.10 per GB, while outwards transfers are $0.18 per GB for the first 10TB of data each month, reducing to $0.13 per GB if 50TB is exceeded.

With EC2's bandwidth costs significantly undercutting many hosting companies, Amazon's latest move will be sending shock waves throughout the conventional hosting industry. It will be interesting to see how the use of Elastic IP Addresses grows, as high bandwidth websites - or even entire hosting companies - are tempted to migrate to a cheaper alternative.

A vulnerability in the TRUSTe seal verification service was demonstrated last week, showing how the service could have been exploited to make it look as though an unauthorised site had a valid TRUSTe seal.

A security researcher using the pseudonym "Antani Tapioco" discovered the problem, which stemmed from insufficient input validation on the TRUSTe seal validation page. Netcraft has reported the problem to TRUSTe and it has since been fixed.

Tapioco demonstrated how JavaScript could be injected into the page, causing a popup dialog box to display the message "Verified by haxors, LOL". Tapioco was further critical of the ease at which the flaw was found, saying that companies should spend money on code reviews and penetration tests to discover such problems before they become an issue.

Tapioco was able to execute JavaScript on the page by injecting an img tag with an invalid src parameter. The JavaScript payload, specified in the onerror handler, was then subsequently executed. This kind of vulnerability on a page like this has the potential to be very harmful - being able to inject arbitrary JavaScript can allow attackers to remove all existing content from the page and replace it with their own content.