hAPI vulnerability discovered, fixed

September 29th, 2009

posted by Dr. Kris Beevers

Security researchers recently uncovered an attack on web APIs that:

  1. Compute a “string to sign” containing a shared secret followed by a concatenation of parameter names/values.
  2. Compute a “signature” based on the string to sign using the MD5 hashing algorithm.

This authentication scheme is quite popular, in part due to its use by Flickr’s API, one of the first and most popular web APIs.  We use a related authentication scheme for our Hosting API, hAPI.

The security researchers contacted us with the details of their attack at 11:30 EDT on Friday, September 25. The attack exploits technical properties of the MD5 hashing algorithm to append additional parameters to certain API calls, given the length of the API secret and the signature from a previous call. Their paper focuses mainly on Flickr’s API but makes brief mention of Voxel; it provides complete technical details of the potential vulnerability and is available online.
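The signing scheme described above, next to a keyed-MAC alternative, as an added example that is not Voxel's code or a description of Voxel's fix. The secret, the request parameters, the sorting by name and the length-prefixed encoding are assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # constructed sample value, not a real key


def legacy_sign(secret: bytes, params: dict) -> str:
    """Scheme from the post: MD5 over the secret followed by names/values.
    Sorting by name is an assumption; the post does not state the order."""
    joined = "".join(name + params[name] for name in sorted(params))
    return hashlib.md5(secret + joined.encode("utf-8")).hexdigest()


def canonical(params: dict) -> bytes:
    """Length-prefix each name and value so field boundaries are unambiguous."""
    out = bytearray()
    for name in sorted(params):
        for field in (name, params[name]):
            raw = field.encode("utf-8")
            out += len(raw).to_bytes(4, "big") + raw
    return bytes(out)


def hmac_sign(secret: bytes, params: dict) -> str:
    """HMAC-SHA256 tag: the secret is mixed in through HMAC's inner and outer
    hashes, so a tag from one call cannot be continued into a longer message."""
    return hmac.new(secret, canonical(params), hashlib.sha256).hexdigest()


def verify(secret: bytes, params: dict, signature: str) -> bool:
    """Recompute the tag server-side and compare in constant time."""
    expected = hmac_sign(secret, params).encode("ascii")
    return hmac.compare_digest(expected, signature.encode("utf-8"))


def demo() -> dict:
    # Constructed request; the method and parameter names are hypothetical.
    request = {"method": "example.status", "device_id": "1234"}
    tag = hmac_sign(SECRET, request)
    extended = dict(request, extra="appended")  # parameter added after signing
    return {
        "legacy_md5": legacy_sign(SECRET, request),
        "valid": verify(SECRET, request, tag),
        "extended_rejected": not verify(SECRET, extended, tag),
    }


if __name__ == "__main__":
    print(demo())
```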


VoxCAST’s Singapore POP up and humming

June 15th, 2009

posted by Dr. Kris Beevers

A few weeks ago, after a lot of hard work by Voxel’s elite admins and network commandos, we finally brought VoxCAST’s Singapore POP online, nestled in the Equinix facility in Ayer Rajah a few minutes’ drive from our Singapore offices. With this, web browsers in AsiaPac will see significant improvements in load times for VoxCAST-hosted sites.


Check out hAPI, Voxel’s new hosting API

October 28th, 2008

posted by Dr. Kris Beevers

Voxel has a lot of customers who really know what they’re doing. Many of them are in the business of writing code, and pointing and clicking and typing — manual stuff — is the kind of thing these customers tend to like to avoid. Be it purging content from VoxCAST, provisioning a new VPS or dedicated server, rebooting a machine, fetching performance data — whatever — there’s a case for letting our customers do it in code.

Voxel Labs to the rescue once again — this time with hAPI, Voxel’s new Hosting API. hAPI turns much of Voxel’s infrastructure inside-out and makes it programmatically accessible to our customers. hAPI is a REST API based on HTTP requests and XML or JSON responses, a lot like other popular web services APIs. To read more about the hAPI interface and get started, check out the hAPI documentation.


Voxel Labs introduces mod_cdn

September 16th, 2008

posted by Dr. Kris Beevers

Something we have a lot of experience with at this point is helping VoxCAST customers modify their websites to take advantage of the CDN’s static content delivery. Depending on how forward-thinking a customer was when they first built their site, the process can be as simple as switching a DNS entry. Typically, though, it’s more like:

  1. Look through the HTML, PHP, Ruby, Python, or whatever else for links to static content;
  2. Painstakingly edit the code to re-point those links to a new hostname, like cdn.example.com;
  3. Potentially (depending on the application) relocate all the actual content to a different origin server (for some of our customers with TB of data, this has taken weeks); and
  4. Finally, turn on the CDN, point cdn.example.com at it, and hope you didn’t miss anything important.

In other words, turning up a CDN to serve your content can be a lot of work if you weren’t planning on it from the start.

Well, like all good engineers, at Voxel Labs we’re lazy. We don’t like to waste time doing boring stuff like poking through code looking for links to replace, and we’re pretty sure our customers share the sentiment. So we came up with mod_cdn, an Apache module that makes CDN-ifying a site ridiculously easy.
