January 24, 2009 OT: Worthwhile *security-competent* web host?
Anyone know of a reliable, reasonably-priced web host that...and here's the key part...actually understands even the most basic security concepts?

It seems like every place out there has an IT/support department that is absolutely convinced of one or more of the following:

1. Unencrypted emails are secure.
2. PGP *signing* an email encrypts the entire message.
3. It is somehow possible to email users their passwords without the password ever being stored in either plaintext or in a reversible form (not counting, of course, the process that actually sets the password in the first place).
4. Secure access to the control panel isn't important.
5. If all of the navigation links and redirects inside of the HTTPS secure version of the control panel (including the URL that the login form submits to) all point directly to the insecure HTTP version, this somehow doesn't defeat the whole point of having secure control panel access.
6. Some other such silliness.
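The failure in point 5 is easy to check mechanically. What follows is an added example, not code posted in the thread: it parses the HTML of a page served over HTTPS and reports every link, form action, script/iframe source and meta-refresh target that resolves to plain http://, and applies the same test to a Location header. The panel URL and the sample page are constructed for the illustration; panel.example.com is not a real host.

```python
"""Added example: find control-panel navigation that drops from HTTPS to HTTP.

Targets are resolved against the page URL with urljoin, so a relative
href like "/cpanel/email" inherits https and is not flagged, while an
explicit "http://..." target is.  The sample page below is constructed
for this illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes whose value the browser will navigate to or fetch.
_TARGET_ATTRS = {
    "a": ("href",),
    "form": ("action",),
    "iframe": ("src",),
    "link": ("href",),
    "script": ("src",),
}


class _TargetCollector(HTMLParser):
    """Collect (tag, attribute, raw URL) for every navigation target in the page."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lower-cases attribute names
        for attr in _TARGET_ATTRS.get(tag, ()):
            if attrs.get(attr):
                self.targets.append((tag, attr, attrs[attr]))
        # <meta http-equiv="refresh" content="0; url=..."> is a client-side redirect.
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            content = attrs.get("content") or ""
            if "url=" in content.lower():
                url = content.split("=", 1)[1].strip().strip("'\"")
                self.targets.append(("meta", "refresh", url))


def insecure_targets(page_url, html):
    """Return [(tag, attr, absolute_url)] for each target that resolves to http://."""
    collector = _TargetCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for tag, attr, raw in collector.targets:
        absolute = urljoin(page_url, raw)
        if urlsplit(absolute).scheme == "http":
            findings.append((tag, attr, absolute))
    return findings


def insecure_redirect(page_url, location):
    """True if a Location: header from an HTTPS page sends the client to http://."""
    return urlsplit(urljoin(page_url, location)).scheme == "http"


# Constructed sample: an HTTPS panel page whose menu, login form and
# refresh all fall back to plain HTTP, exactly the case in point 5.
PANEL_URL = "https://panel.example.com/cpanel/"   # assumed URL for the example
SAMPLE_PAGE = """\
<html><body>
<a href="/cpanel/email">Email accounts</a>
<a href="http://panel.example.com/cpanel/databases">Databases</a>
<form action="http://panel.example.com/cpanel/login.php" method="post">
  <input name="user"><input name="pass" type="password">
</form>
<script src="//cdn.example.com/panel.js"></script>
<meta http-equiv="refresh" content="0; url=http://panel.example.com/cpanel/home">
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url in insecure_targets(PANEL_URL, SAMPLE_PAGE):
        print(f"<{tag} {attr}> leaves HTTPS: {url}")
    print("Location header insecure:",
          insecure_redirect(PANEL_URL, "http://panel.example.com/cpanel/home"))
```

Run against the sample page it reports the Databases link, the login form's action and the meta refresh; the relative Email link and the scheme-relative script (which inherits https) pass. In practice you would feed it the HTML fetched from the panel while logged in, and check the Location header of every redirect the panel issues.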
January 25, 2009 Re: OT: Worthwhile *security-competent* web host?
Posted in reply to Nick Sabalausky
Nick Sabalausky wrote:
> Anyone know of a reliable, reasonably-priced web host that...and here's the key part...actually understands even the most basic security concepts?
>
> It seems like every place out there has an IT/support department that is absolutely convinced of one or more of the following:
>
> 1. Unencrypted emails are secure.
>
> 2. PGP *signing* an email encrypts the entire message.
>
> 3. It is somehow possible to email users their passwords without the password ever being stored in either plaintext or in a reversible form (not counting, of course, the process that actually sets the password in the first place).
>
> 4. Secure access to the control panel isn't important.
>
> 5. If all of the navigation links and redirects inside of the HTTPS secure version of the control panel (including the URL that the login form submits to) all point directly to the insecure HTTP version, this somehow doesn't defeat the whole point of having secure control panel access.
>
> 6. Some other such silliness.
>
>
I gave up trying to find a good one ages ago. There's always the option of starting an account with SliceHost and doing it yourself, though.
-- Chris Nicholson-Sauls
January 25, 2009 Re: OT: Worthwhile *security-competent* web host?
Posted in reply to Nick Sabalausky
Nick Sabalausky wrote:
> Anyone know of a reliable, reasonably-priced web host that...and here's the key part...actually understands even the most basic security concepts?
>
> It seems like every place out there has an IT/support department that is absolutely convinced of one or more of the following:
>
> 1. Unencrypted emails are secure.
>
> 2. PGP *signing* an email encrypts the entire message.
>
> 3. It is somehow possible to email users their passwords without the password ever being stored in either plaintext or in a reversible form (not counting, of course, the process that actually sets the password in the first place).
Never ever *ever* EVER *EVER* email a password in clear. I'd say, if anyone thinks she wants to do that, she doesn't deserve a server that understands basic security concepts, even if one existed.
Andrei
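Nick's point 3 above and Andrei's rule here are two sides of one design decision: if the host stores only a salted one-way hash, there is nothing it could email back, and a "forgot password" flow mails a short-lived, single-use reset token instead of a password. The following is an added example written for this page, not code from any poster, using PBKDF2-HMAC-SHA256 from the Python standard library; UserStore, its method names and the in-memory tables are invented for the illustration.

```python
"""Added example: password storage that makes "email me my password" impossible.

  * set_password keeps only (salt, PBKDF2 digest); the password itself is gone.
  * begin_reset hands back a random token for the caller to email; only the
    token's SHA-256 is stored, with an expiry, so a database leak does not
    expose usable reset links either.
  * complete_reset consumes the token and installs the new password.
All names here are invented for the illustration.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 600_000   # work factor for PBKDF2-HMAC-SHA256 (OWASP-range, assumed)
RESET_TOKEN_TTL = 15 * 60     # seconds a reset token stays valid


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh 16-byte random salt is drawn when none is given."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class UserStore:
    """In-memory stand-in for the host's user database (constructed for the example)."""

    def __init__(self) -> None:
        self._users = {}   # username -> {"salt": bytes, "digest": bytes}
        self._resets = {}  # username -> {"token_hash": bytes, "expires": float}

    def set_password(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self._users[username] = {"salt": salt, "digest": digest}
        self._resets.pop(username, None)   # any outstanding reset becomes void

    def stored_record(self, username: str) -> dict:
        """Everything support staff could see for a user: salt and digest, no password."""
        return dict(self._users[username])

    def verify_password(self, username: str, password: str) -> bool:
        rec = self._users.get(username)
        if rec is None:
            hash_password(password)   # burn the same time for unknown users
            return False
        _, digest = hash_password(password, rec["salt"])
        return hmac.compare_digest(digest, rec["digest"])

    def begin_reset(self, username: str, now: Optional[float] = None) -> Optional[str]:
        """Create a single-use reset token. The CALLER emails the token; the store
        keeps only its hash. Returns None for unknown users so the UI can reply
        identically whether or not the account exists."""
        if username not in self._users:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._resets[username] = {
            "token_hash": hashlib.sha256(token.encode("ascii")).digest(),
            "expires": now + RESET_TOKEN_TTL,
        }
        return token

    def complete_reset(self, username: str, token: str, new_password: str,
                       now: Optional[float] = None) -> bool:
        pending = self._resets.get(username)
        if pending is None:
            return False
        now = time.time() if now is None else now
        if now > pending["expires"]:
            del self._resets[username]   # expired tokens are discarded, not retried
            return False
        presented = hashlib.sha256(token.encode("utf-8")).digest()
        if not hmac.compare_digest(presented, pending["token_hash"]):
            return False
        self.set_password(username, new_password)   # also consumes the token
        return True
```

The point of the layout is that the only thing ever put in an email is a token that is useless after fifteen minutes or one use, and that a support desk asked to "just send the password" has nothing to send. Password reuse, raised further down the thread, is what makes this matter even for a low-value account.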
January 25, 2009 Re: OT: Worthwhile *security-competent* web host?
Posted in reply to Andrei Alexandrescu
Andrei Alexandrescu wrote:
> Never ever *ever* EVER *EVER* email a password in clear. I'd say, if anyone thinks she wants to do that, she doesn't deserve a server that understands basic security concepts, even if one existed.
>
> Andrei
This isn't terribly important if you're only considering one system that does not require any significant amount of security.
However, people reuse passwords, and sometimes they'll use the same password for sensitive and non-sensitive systems.
January 25, 2009 Re: OT: Worthwhile *security-competent* web host?
Posted in reply to Christopher Wright
Christopher Wright wrote:
> Andrei Alexandrescu wrote:
>> Never ever *ever* EVER *EVER* email a password in clear. I'd say, if anyone thinks she wants to do that, she doesn't deserve a server that understands basic security concepts, even if one existed.
>>
>> Andrei
>
> This isn't terribly important if you're only considering one system that does not require any significant amount of security.
>
> However, people reuse passwords, and sometimes they'll use the same password for sensitive and non-sensitive systems.
My point exactly. I do have one "insecure" password that I use e.g. with mailing lists, and a "secure" password. The worst that happened was that some webmoron has set up a system that asked me to choose a password via a https protocol, to then email it to me in clear... When I tried to casually explain the mistake of his ways, he got all combative.
Andrei
January 27, 2009 Re: OT: Worthwhile *security-competent* web host?
Posted in reply to Andrei Alexandrescu
Sun, 25 Jan 2009 13:51:28 -0800, Andrei Alexandrescu wrote:
> Christopher Wright wrote:
>> Andrei Alexandrescu wrote:
>>> Never ever *ever* EVER *EVER* email a password in clear. I'd say, if anyone thinks she wants to do that, she doesn't deserve a server that understands basic security concepts, even if one existed.
>>>
>>> Andrei
>>
>> This isn't terribly important if you're only considering one system that does not require any significant amount of security.
>>
>> However, people reuse passwords, and sometimes they'll use the same password for sensitive and non-sensitive systems.
>
> My point exactly. I do have one "insecure" password that I use e.g. with mailing lists, and a "secure" password. The worst that happened was that some webmoron has set up a system that asked me to choose a password via a https protocol, to then email it to me in clear... When I tried to casually explain the mistake of his ways, he got all combative.
All my passwords are generated, and different. When I acquire a password for a sensitive resource I make sure to change it to generated as soon as possible.
January 27, 2009 Re: OT: Worthwhile *security-competent* web host?
Posted in reply to Sergey Gromov
Sergey Gromov wrote:
> Sun, 25 Jan 2009 13:51:28 -0800, Andrei Alexandrescu wrote:
>
>> Christopher Wright wrote:
>>> Andrei Alexandrescu wrote:
>>>> Never ever *ever* EVER *EVER* email a password in clear. I'd say, if anyone thinks she wants to do that, she doesn't deserve a server that understands basic security concepts, even if one existed.
>>>>
>>>> Andrei
>>> This isn't terribly important if you're only considering one system that does not require any significant amount of security.
>>>
>>> However, people reuse passwords, and sometimes they'll use the same password for sensitive and non-sensitive systems.
>> My point exactly. I do have one "insecure" password that I use e.g. with mailing lists, and a "secure" password. The worst that happened was that some webmoron has set up a system that asked me to choose a password via a https protocol, to then email it to me in clear... When I tried to casually explain the mistake of his ways, he got all combative.
>
> All my passwords are generated, and different. When I acquire a
> password for a sensitive resource I make sure to change it to generated
> as soon as possible.
Now what password do you use for the file you keep all your passwords in? :o)
Andrei
Copyright © 1999-2021 by the D Language Foundation