Author Topic: Question about about web hosting.  (Read 7061 times)


Offline MrPlacid (Topic starter)

  • Frequent Contributor
  • **
  • Posts: 277
  • Country: us
  • Hobby Hobbyist
Question about about web hosting.
« on: October 17, 2011, 06:36:58 am »
Ok, I am thinking of not running my own webserver and have a web hosting company do it. They probably do a better job.

Anyone know if my site's contents would be safe from even the web host's snooping administrator? I wouldn't want them seeing my database's login and password. Nor do I want them seeing all my codes.

And if they do regular backup. Is the backups for my eyes only?

I am having the impression, for the most part, that web hosts are locked out of my site. I believe they can shut my site down, but they don't have access to go in and change stuffs inside my web's htdoc directory. Is that true?


 

Offline joelby

  • Frequent Contributor
  • **
  • Posts: 634
Re: Question about about web hosting.
« Reply #1 on: October 17, 2011, 06:44:57 am »
In general, a Web hosting company can always look at your files. Pretty much the only time they wouldn't be able to is if you supply your own hardware for co-location and don't employ the host for any sort of maintenance or management service.

If you're using a shared server, the administrator doesn't need to know your password because they'll have administrative access to everything anyway. Similarly, it is a technical requirement that they're able to access your files in some way if they are to make backups of them.

If you use a large, well-known Web host, you can assume that they will be far too busy to care one iota about your files unless your applications start causing problems for other users or there are complaints about the nature of your content.

If you are storing any genuine trade secrets or PCI compliance is a requirement, you should be co-locating your own gear.
 

Offline vk6hdx

  • Regular Contributor
  • *
  • Posts: 57
  • Country: au
    • vk6hdx - Twitter
Re: Question about about web hosting.
« Reply #2 on: October 17, 2011, 06:59:45 am »
If you have a bit of Linux / Unix knowledge, you could always look at deploying a virtual private server (VPS) and run your own webserver / database on it.  There are a number of companies that offer vps's and this approach gives you full access to the system enabling you to encrypt your file system or take any security measures you wish.

Troy
 

Offline joelby

  • Frequent Contributor
  • **
  • Posts: 634
Re: Question about about web hosting.
« Reply #3 on: October 17, 2011, 07:06:49 am »
Even if you're running a VPS, it's easy for a server administrator to log in to your instance (e.g. on Virtuozzo, 'vzctl enter xxx'). Encrypting the whole filesystem doesn't protect against online attacks because the server presumably has to somehow first decrypt the filesystem in order to boot up and run. If you don't want to enter the decryption password each time the machine boots, you'll need to have it saved on the VPS.

Assume that the hosting company *can* view your files, but (from my own experience working for hosting companies) they really don't care that much about what you do.
 

Offline amspire

  • Super Contributor
  • ***
  • Posts: 3802
  • Country: au
Re: Question about about web hosting.
« Reply #4 on: October 17, 2011, 07:35:28 am »
Quote
Ok, I am thinking of not running my own webserver and have a web hosting company do it. They probably do a better job.

Anyone know if my site's contents would be safe from even the web host's snooping administrator? I wouldn't want them seeing my database's login and password. Nor do I want them seeing all my codes.


Pretty hard to achieve total security if you are using  a cheap shared hosting site.

If you are running a dedicated server, a virtual server, or a virtual server on Amazon EC2, it may be possible to get close to total security.

What it would take would be first, you need to be running a https:// site with SSL/TLS encryption and a SSL certificate, so anyone capturing the data stream out of the computer cannot interpret it. If your site is an unencrypted port 80 website, then the host can capture and view everything you send.

Secondly, the website and database could be mounted on a truecrypt drive with only the httpd (apache) server with rights to access it.

Last, you would have to lock down the password of the httpd server and mysql user so that only you can access it, and you might have to manually mount the truecrypt drive and start the httpd via a SSH terminal, so you can avoid putting the password on the server. That would mean that if the hosting company ever restarts the server, the site would be down till you restart it.

In spite of all the precautions, it may still be possible for a hacker in the hosting company to find a way into your httpd user account and to see the data.

So yes, a server that you physically control is more secure - as long as someone doesn't break in and pinch it.

Quote
And if they do regular backup. Is the backups for my eyes only?

The Truecrypt drive will look like random noise to anyone without the login credentials, so the hosting company can back up your server and it doesn't matter who sees it.
Quote

I am having the impression, for the most part, that web hosts are locked out of my site. I believe they can shut my site down, but they don't have access to go in and change stuffs inside my web's htdoc directory. Is that true?

No, it is not true.

Richard.
 

Offline MrPlacid (Topic starter)

  • Frequent Contributor
  • **
  • Posts: 277
  • Country: us
  • Hobby Hobbyist
Re: Question about about web hosting.
« Reply #5 on: October 17, 2011, 07:58:48 am »
Guys, thanks for shedding some light on the subject (and quick too) ;)  Every time I think of web hosting companies, I kind of see integrity around them. I guess they must have that to be in that kind of business of serving other people's stuffs. So, I'll take that trust. I also picked the "Host in the USA" one.

Thanks, guys, for introducing me to new terms and stuffs. Unfortunately, it's way over my head. I am gonna check out the SSL stuffs. Thanks again!
 

Offline EEVblog

  • Administrator
  • *****
  • Posts: 37740
  • Country: au
    • EEVblog
Re: Question about about web hosting.
« Reply #6 on: October 17, 2011, 08:14:17 am »
Shared hosts, yes, they can always see and do everything without asking for your password.
With my new dedicated server, when I've had to use technical support, they have asked for root WHM password (I changed it before giving it to them then changed it back afterwards). Doesn't mean they can't see things without it though, I presume they can some way.
Backups go to a 2nd drive in the same rack and are not encrypted, so they'd be able to access that.
But like others have said, they simply don't care when they are hosting hundreds of thousands of web sites.
As long as the general public can't access your stuff, and you don't have any legal requirements to keep your stuff confidential, it's not worth worrying about.
So just pick one of the big hosts and you are pretty well protected by obscurity  ;D

Dave.
 

Online ejeffrey

  • Super Contributor
  • ***
  • Posts: 3719
  • Country: us
Re: Question about about web hosting.
« Reply #7 on: October 17, 2011, 08:50:50 am »
Quote
Pretty hard to achieve total security if you are using  a cheap shared hosting site.

If you are running a dedicated server, a virtual server, or a virtual server on Amazon EC2, it may be possible to get close to total security.

Even then it is fairly hard to get even casual security.  Definitely your best line of security is their terms of service, legal obligations, and market forces that say that hosting companies which steal customer data and get caught will go out of business.  Good hosting providers have procedures in place to prevent their employees from accessing customer systems without approval mostly by logging both physical and network access by the administrators.  This will make it difficult for a rogue employee to mess with your system without getting caught.  Cheaper and smaller hosts, or those that don't concentrate on 'enterprise' customers will have less extensive internal controls.  This is probably still fine as long as you don't have specific legal obligations (such as hosting CC data, medical information, or financial data).  It is just unlikely that the hosting service administrators want to steal your data or would find it worth the risk.
 

Offline amspire

  • Super Contributor
  • ***
  • Posts: 3802
  • Country: au
Re: Question about about web hosting.
« Reply #8 on: October 17, 2011, 10:27:42 am »
Quote
Thanks, guys, for introducing me to new terms and stuffs. Unfortunately, it's way over my head. I am gonna check out the SSL stuffs. Thanks again!

SSL certificates can cost anything from $1000's of dollars to under $30 a year.

RapidSSL certs for about $27 a year should be fine.  You can get them added to any hosting site, but check the prices. There should be a one time cost to install the certificate, and you will need a dedicated IP address. So either look for a site that comes with a dedicated IP address or find out the cost of renting the dedicated IP.  The price can vary a lot from host to host depending on whether they are running out of IP addresses.

Richard.
 

Online Mechatrommer

  • Super Contributor
  • ***
  • Posts: 11644
  • Country: my
  • reassessing directives...
Re: Question about about web hosting.
« Reply #9 on: October 17, 2011, 10:34:55 am »
Quote
Pretty hard to achieve total security if you are using a cheap shared hosting site.
What it would take would be first, you need to be running a https:// site with SSL/TLS encryption and a SSL certificate, so anyone capturing the data stream out of the computer cannot interpret it. If your site is an unencrypted port 80 website, then the host can capture and view everything you send.

in normal http (not https), is it possible to develop custom encryption method in PHP? (on server side) and/or ActiveX component or such (in client side) so any transmitted data is not so easily understood by bare sniffing eye?
Nature: Evolution and the Illusion of Randomness (Stephen L. Talbott): Its now indisputable that... organisms “expertise” contextualizes its genome, and its nonsense to say that these powers are under the control of the genome being contextualized - Barbara McClintock
 

Offline joelby

  • Frequent Contributor
  • **
  • Posts: 634
Re: Question about about web hosting.
« Reply #10 on: October 17, 2011, 10:57:48 am »
Quote
in normal http (not https), is it possible to develop custom encryption method in PHP? (on server side) and/or ActiveX component or such (in client side) so any transmitted data is not so easily understood by bare sniffing eye?

Certainly, but in general it's a terrible idea. Unless you are a competent cryptographer and allow your work to be peer reviewed, your implementation will almost certainly be flawed. Even if you base it on existing ciphers, there are many ways to screw encryption up, many of which are subtle and difficult for the untrained eye to detect. At best, you'll create something that works about as well as SSL, so why not just use SSL?
 

Online Mechatrommer

  • Super Contributor
  • ***
  • Posts: 11644
  • Country: my
  • reassessing directives...
Re: Question about about web hosting.
« Reply #11 on: October 17, 2011, 11:06:49 am »
Quote
so why not just use SSL?

as amspire said, it takes extra money for the service. the idea is not to create an invincible encryption, but at least we don't send our data into dinner plate of prying eyes. we can keep them guessing for few minutes, even a simple xor method. and i'm talking about small budget business/webhosting, where at least we don't give our data as free and other will not be very interested at even deciphering xor encryption.
 

Offline joelby

  • Frequent Contributor
  • **
  • Posts: 634
Re: Question about about web hosting.
« Reply #12 on: October 17, 2011, 11:12:44 am »
If your small business seriously can't afford $10 to $30 a year for an SSL certificate, you can get a free one from https://startssl.com/ (works in all modern browsers). If it's for personal use and you don't care about warnings, or in an environment where you're able to push out your root certificate to all end users, you can generate your own self-signed certificates for free.

If you don't think that people will be interested in breaking your system, think again - the world is full of people who like challenges, have time on their hands, and are prepared to leak or destroy your data for fun or profit.
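
Added example, not written by any poster in this thread: why the "simple xor method" proposed above gives no protection on plain HTTP. The key, the sample pages and all function names are constructed for illustration; the only assumption is that an observer knows how an HTML response usually begins.

```python
from itertools import cycle


def xor_obfuscate(data: bytes, key: bytes) -> bytes:
    """The 'simple xor method': XOR every byte with a repeating key.
    The same call also reverses it."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def shortest_period(stream: bytes) -> int:
    """Smallest n such that stream is its first n bytes repeated."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return n
    return len(stream)


def recover_key(ciphertext: bytes, known_prefix: bytes) -> bytes:
    """Known plaintext XOR ciphertext = keystream; collapse it to the key.
    Needs a known prefix at least as long as the key; a shorter prefix
    still yields the leading key bytes."""
    keystream = bytes(c ^ p for c, p in zip(ciphertext, known_prefix))
    return keystream[:shortest_period(keystream)]


def xor_of_two_captures(c1: bytes, c2: bytes) -> bytes:
    """Two messages under the same key: the key cancels out entirely."""
    return bytes(a ^ b for a, b in zip(c1, c2))


def demo():
    # Constructed sample data, not taken from the thread.
    key = b"s3cr3t!"
    page = b"<!DOCTYPE html><html><body>user=alice&pin=0000</body></html>"
    other = b"<!DOCTYPE html><html><body>user=bob&pin=1111</body></html>"
    wire = xor_obfuscate(page, key)  # what crosses plain HTTP

    # An observer needs only the predictable start of an HTML document.
    found = recover_key(wire, b"<!DOCTYPE html>")
    readable = xor_obfuscate(wire, found)

    # Without any key at all, two captures leak plaintext XOR plaintext.
    leak = xor_of_two_captures(wire, xor_obfuscate(other, key))
    return found, readable, leak


if __name__ == "__main__":
    found, readable, leak = demo()
    print(found, readable, sep="\n")
```

TLS avoids both failures by deriving fresh keys for each connection and authenticating every record, which is the practical content of "why not just use SSL?".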
 

Offline amspire

  • Super Contributor
  • ***
  • Posts: 3802
  • Country: au
Re: Question about about web hosting.
« Reply #13 on: October 17, 2011, 11:51:26 am »
Even if you get free SSL certificates, they last a year and each year you will have to install a new one, as well as pay about $1 a month for a fixed IP address.

An alternative is to use your provider's shared certificate for free. If you are on a shared server, then the provider will have a certificate for the whole server, but there is a catch - to do HTTPS, you have to use the server's domain name.

So say your domain is "http://www.bestcircuits.com", and your site account login name is "bestcir".

Then people would go to "http://www.bestcircuit.com", but when they click on the link to go to a secure page, you would have to take them to something like:

"https://server23.myhostingco.com/~bestcir/circuit_download"

Now it is possible to provide your own encryption to send files, and there are probably libraries of properly implemented code out there to use.  But you will have to generate and email keys to each registered user, and you will have to deal with all the problems of lost emails, lost keys, and annoyed customers. I am sure people have done it this way.

If you want people to be able to browse secure web pages, then it is simple: you need to use some kind of SSL certificate provided by a trusted SSL Certificate registrar.  If you cannot afford to pay a small amount each year, use the free one from your hosting company.

Self generated certificates are possible - a certificate is just several files generated by open source software -  but forget it.  You still have to pay for installation and the fixed IP rental, and browsers are getting more and more intolerant about untrusted certificates. You will have many customers who get scared by the dire warnings from the browser when they see your self signed certificate, and will decide not to install it. They will never get to your secure pages.

Richard.
« Last Edit: October 17, 2011, 11:58:48 am by amspire »
 

Offline MrPlacid (Topic starter)

  • Frequent Contributor
  • **
  • Posts: 277
  • Country: us
  • Hobby Hobbyist
Re: Question about about web hosting.
« Reply #14 on: October 17, 2011, 04:35:25 pm »
Guys, my web host is supposed to offer a dedicated IP and SSL with my plan. So I checked why I haven't received my email notification when my dedicated IP came in. They're out of IP addresses and are requesting more.
 

Online Simon

  • Global Moderator
  • *****
  • Posts: 17816
  • Country: gb
  • Did that just blow up? No? might work after all !!
    • Simon's Electronics
Re: Question about about web hosting.
« Reply #15 on: October 17, 2011, 05:21:54 pm »
I think they can or at least I'd play safe and assume that. I have a sort of re-seller account where each domain has its own control panel and login, but I can come in right over the top and access any of the accounts and any of their emails without needing any passwords, only my main login (handy for my sister when she is not at her computer and wants me to get her into her emails on say my PC or my dad's), so if I was seriously selling hosting, yeah, I would have full control of your account.

When I was with another provider and had problems I did have to give them my password, but I'm also assuming that was a way of them being able to say that I authorized them to access my account.
 

alm

  • Guest
Re: Question about about web hosting.
« Reply #16 on: October 17, 2011, 08:53:05 pm »
What problem are you trying to solve with SSL? It's useless against people with access to the server. General rule is that you've lost as soon as someone has physical access to your hardware (or virtual access to your virtual hardware), so I'd say you pretty much have to trust your hoster. The amount of work they have to put in is slightly more with a VPS than shared hosting, and again slightly more for a dedicated server, but in the end you need a trusted hoster. Otherwise you need to supply at least your own hardware and preferably space.
 

Offline MrPlacid (Topic starter)

  • Frequent Contributor
  • **
  • Posts: 277
  • Country: us
  • Hobby Hobbyist
Re: Question about about web hosting.
« Reply #17 on: October 17, 2011, 09:00:21 pm »
Quote
What problem are you trying to solve with SSL?


Since my contract came with one, I am gonna learn to use it ;)

To be honest, I was curious about server administrator and wanted to know if what I thought was true or not. It's that nagging feeling in the back of my head that wanted to know.
 

Offline ellisg

  • Newbie
  • Posts: 5
Re: Question about about web hosting.
« Reply #18 on: October 21, 2011, 08:08:22 am »
I will also need such an SSL certificate and due to this I will contact my web hosting provider. I think their customer support will be able to solve my problem. It is crucial to me that my own website is safe so I will definitely talk to my web host and ask them which possibilities I have. Nevertheless this is a very interesting thread.
 

