Hosting the Leading Websites:

Security Online


See in FAQ

Overview

Network security matters, but the greater variation in security is likely about software issues and remotely-directed attacks. No host that you don’t own is going to tell you about those incidents and their countermeasures. You’ll be informed that they haven’t been successfully attacked since shortly after Attila the Hun was swinging a sword from horseback. Don’t ask those questions and they won’t tell you lies. Supposedly, you could ask particularly incisive questions that would reveal whether their staff are really experts in this, but the real experts may not be available to answer your questions precisely because they don’t want to reveal their precautions, since that could reveal more sophisticated weaknesses, so they’ll let someone else answer in more general terms. They’d likely rather lose your business than take the chance of telling you new ways to attack them.

All hosts have good physical security, so that’s not a point on which to choose one over another. All of them are allergic to having their equipment stolen or suck dust. They all have cooling because no one likes their computers to melt like candles. They likely have redundant hardware in case a hard drive or something else physically breaks down but a visit won’t tell you how much redundancy there is, because you won’t know how many customers they have on the day you visit, how many tebibytes all the customers’ files fill up without mirrors and backups, and how many machines were disconnected that day routinely or otherwise. Well-known hosts will have more security precisely because their fame puts them at greater risk, but that may mean only that their security is proportionate to their risk, which may result in no difference in physical safety between well-known and hardly-known hosts. Some will have their data centers far from likely natural disasters, with alternate data centers far from their primary centers, but they’ll be expensive hosts.

The DDoS Squeeze and Crash

DDoS protection might be good, keeping you from some denial-of-service attacks. Judging from complaints, some website hosts deal with a distributed denial-of-service (DDoS) attack by simply turning your website off and maybe telling you to tell whoever is causing it to stop. If you have to talk to the attacker (assuming you can find whoever it is), you may be vulnerable to a ransom demand, often payable internationally with almost no chance of getting the police to act. Other Web hosts have far more sophisticated methods that try to mitigate DDoS and keep your site online, although they probably charge more for their service. Review complaints and ask hosts you’re thinking of about how they deal with DDoS situations.

Uploading Files Securely

SFTP should be supported for uploading, so ask hosts for that support. SFTP is more secure than traditional FTP (File Transfer Protocol). You may want to require that a Web host accept SFTP (Secure FTP or, more arcanely, SSH FTP (SSH is Secure Shell)) in order to get your business. This is not the same as FTPS or FTP-S, which is not as secure as SFTP. You’ll need software on your computer that will let you use SFTP, but that’s not hard. I use Konqueror and other programs are available, many of them free to get.

HTTPS and Certificates

If you want HTTPS along with HTTP and you want SSL certificates, decide what you need and ask the host. They’ll cost you. Certificate authorities vary in how they verify identity, so you may want to know which certificate authority a host prefers. You may find a list of authorities in a browser’s security settings. And the host itself should be using HTTPS and SSL for anything that requires you to use a password or that requires you to submit private financial information, such as card details. Since fraudulent certificates have been issued, potentially allowing interception and alteration of transmissions, you may want to check your domains at Google Transparency Report and Comodo’s search tool. (The URLs were as accessed .)

Software Versions

Better ask what software versions your host is running. The latest stable versions should be running, unless you prefer an older one or a beta version for a particular purpose. Older versions often have security holes and the best solutions for those usually are newer versions. Beta versions are a type of test version, usually considered experimental, and are conventionally designated by verion numbers below 1 (like 0.9) or as beta. Research the software most concerning to you to find out what the latest stable versions are and then ask your Web host what versions it’s running.

Tiger Testing

Some checking is good. One customer said a few years ago it was able to use FTP to access the server root level at a large host, giving that customer access to other customers’ files without permission, the customer told the host, and, weeks later, the host still had not repaired that. That means mystery users could access the first customer’s own files without permission. If you discover that at your Web host and it doesn’t get fixed fast, leave.

Don’t try penetration testing beyond about that level to check a host’s security, however, without asking your host. You’re more likely to get approval if you are already a customer and you coordinate with the host on scheduling and key parts of your pen test content, preferably in writing. It may cost you, especially if the host has to have a technician on hand to repair any damage you successfully inflict so the host can keep their other customers online, and you could hardly object to the host staying in business. If you don’t ask and you get caught, don’t be surprised if they ban you, delete all of your websites and backups without notice, refund nothing, and bill you on top of that. Their terms of service likely have a clause about doing annoying things to their hardware and software and to their other customers.