Hostmonster Sucks – Hostmonster Review and Warning

Category : Reviews, Security, web, web hosting

After 4 years of suffering and apologising to my clients about Hostmonster’s downtime, I am moving my sites out of there, and I am leaving Hostmonster for good. In this article I will explain why that is, and why you should stay away from Hostmonster.

This is a professional site, so I apologise for the language in the header, but most people search for ‘hosting-company-name sucks’ when they are looking for a review of a hosting company.

I have been using Hostmonster to host about 6-8 sites I own for the last 4 years (never for this site – spacebug has a dedicated account somewhere else)

Here are the reasons you should not consider Hostmonster as a hoster:

Low availability

Since day one my sites had more downtime on Hostmonster than with other hosting companies I have worked with. There are some good weeks, but on average you get very low availability. You see it in downtime of the site, bounced incoming email, and flaky FTP connections.

Horrible performance

Sites run slowly on Hostmonster. This problem becomes worse with time (my guess is they overload the servers). This happens on plain HTML sites as well as PHP and MySQL driven sites.

Poor and unfriendly support

Contacting Hostmonster support is a waiting game; it takes forever for them to get back to you. What is worse is that when they do come back to you, they are never helpful.

Major security issues

This is not a joke – Hostmonster servers have been compromised several times. These have been server-level attacks which affected multiple accounts. Personally speaking, it is a terrible feeling to have your site hacked into. The company required all accounts to change their passwords to strong passwords, and two weeks later the attack happened again. If you do not want your site to be a place for virus distribution – stay away from Hostmonster!

No communication of issues

They have never communicated any security/downtime/other (planned or otherwise) issues. They never admit it is something that they do wrong. When you tell them your server has been down for the last 8 hours, they will say “it was done to improve future performance” or something like that.

Conclusion

I do not want to make any recommendation about other hosters, these things change from time to time. I have yet to find the perfect hosting company. But all the other companies I have worked with were, by far, much better.

Recommend Hostmonster only to your arch-enemy.

CakeOTP 1.1 – User Registration with One Time Password for CakePHP Released

Category : CakePHP, New Release, Open source, PHP, release, Security, Software development

CakeOTP is a reference implementation of User Registration with a secure, table-less and expirable implementation of One Time Password for the popular CakePHP development framework.

New in CakeOTP release 1.1

1) Automatic login after account activation: the user is logged into the site and redirected to an internal page immediately after activating the account.
2) User email validation.

Download this release here.

Checkout the Online Demo, project page and getting started page.

Security issue in CakePHP code documentation

Category : CakePHP, Open source, PHP, Security, Software development

I have been using CakePHP for a long time now and enjoy every second. It provides a productive, easy to use and well documented platform for PHP applications. The key advantages for me are transparent O/R mapping, a strong Model View Controller framework, and tons of extra utilities that make your life better.

I have come across a possible security issue in one of the CakePHP code examples. This section of code (the controller's isAuthorized() callback) is responsible for allowing or denying a client's access to a certain action in the MVC flow:

<?php
    function isAuthorized() {
        if ($this->action == 'delete') {
            if ($this->Auth->user('role') == 'admin') {
                return true;
            } else {
                return false;
            }
        }

        return true;    // default allow: every action other than 'delete' is open to any logged-in user
    }
?>

The major security rule this code breaks: never have ‘return true’ as the default (fall-through) result of an authorization method. Authorization must fail closed: every action that is not explicitly granted to the current user must be denied, otherwise any action added to the controller later is silently open to everyone who can log in.
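The same check rewritten to fail closed, as an added example (editor's code, not from the CakePHP documentation or the post's author). The role-to-action map, the helper name and the sample cases are assumptions; only an explicitly granted (role, action) pair returns true, and a missing role, an unknown role or an unlisted action is denied.

```php
<?php
// Added example, not code from the CakePHP documentation or the original post.
// Deny-by-default authorization: an action is permitted only if the caller's
// role is explicitly granted it. Everything else, including an unknown role,
// an action the map does not list, and the 'delete' case from the snippet
// above for a non-admin, falls through to false.

// Role-to-action map (assumed for illustration; a real application would load
// this from configuration rather than hard-code it).
$ACL = array(
    'admin'  => array('index', 'view', 'add', 'edit', 'delete'),
    'editor' => array('index', 'view', 'add', 'edit'),
    'member' => array('index', 'view'),
);

function isActionAllowed($role, $action, array $acl) {
    if ($role === null || !isset($acl[$role])) {
        return false;                              // no role or unknown role
    }
    return in_array($action, $acl[$role], true);   // not listed => denied
}

// Inside a CakePHP controller the hook would delegate to the helper:
//
//     function isAuthorized() {
//         global $ACL;
//         return isActionAllowed($this->Auth->user('role'), $this->action, $ACL);
//     }

// Self-check when run from the command line: php deny_by_default.php
$cases = array(
    array('admin',  'delete', true),
    array('editor', 'delete', false),
    array('member', 'edit',   false),
    array('member', 'view',   true),
    array(null,     'index',  false),   // not logged in
    array('ghost',  'index',  false),   // role nobody defined
    array('admin',  'export', false),   // action nobody listed
);
foreach ($cases as $c) {
    list($role, $action, $expected) = $c;
    $got = isActionAllowed($role, $action, $ACL);
    printf("%-6s %-7s => %s %s\n", var_export($role, true), $action,
           $got ? 'allow' : 'deny', $got === $expected ? 'ok' : 'FAIL');
}
```

The point of the helper being a pure function of (role, action, policy) is that it can be exercised without the framework, as the cases at the bottom do; the controller callback then has nothing in it that could accidentally fall through to true.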
Continue Reading

CakeOTP 1.0 – Secure, Expirable, Table-less One Time Password for CakePHP Released

Category : CakePHP, Open source, PHP, release, Security, Software development

CakeOTP is a secure, table-less and expirable implementation of One Time Password for the popular CakePHP development framework.

A one-time password (OTP) is a password that is only valid for a single login session or transaction. It is commonly used on the internet in registration and password reminder processes, where the OTP is provided to the user in the form of a link that the user follows in order to create or reset a password.

The problem is that most one-time password implementations involve maintaining additional database tables and a batch process that handles the persistence and expiry of the one-time passwords. This adds complexity and reduces performance.

CakeOTP is a simple and clean implementation of one time password. It reduces complexity by removing the redundant SQL calls and DB batch maintenance while still keeping the one time password secure and expirable.

Download this release here.

Checkout the Online Demo, project page and getting started page.

Feel free to post comments and questions.

CakeOTP 0.1 beta release – One Time Password Reference Implementation for CakePHP

Category : CakePHP, Open source, PHP, release, Security, Software development


I have started to implement the algorithm for a tableless, secure one-time password.

Here is a link to the Demo, and here is a link to the beta release.

The only thing you need to do other than the regular CakePHP setup is to create a users table (used by the CakePHP Auth component):

-- users table read by the CakePHP Auth component
CREATE TABLE IF NOT EXISTS `users` (
  `id` int(11) NOT NULL auto_increment,
  `username` char(50) default NULL,
  `password` char(40) default NULL,   -- 40 hex chars: the SHA-1 hash Auth stores
  PRIMARY KEY  (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;

Continue Reading

Tableless and Secure One-Time Password (OTP)

Category : Open source, Security, Software development

A one-time password (OTP) is a password that is only valid for a single login session or transaction. It is commonly used on the internet in registration and password reminder processes, where the OTP is provided to the user in the form of a link that the user follows in order to create or reset a password.

Common requirements of one-time passwords are:

  1. Statistically unique – using the same password for all requests is probably not the right security choice.
  2. Hard to guess – using sequential numbers is, again, probably not the right security choice.
  3. Can be authenticated by the server – the server needs to distinguish between a real OTP and a bogus one.
  4. Good for one time – after the process is done the OTP should no longer be valid.
  5. Time limited – the OTP usually expires after a configurable amount of time.
  6. Secure – attackers should have a hard time changing the expiry date, the username it is bound to, and so forth.

Most OTP implementations use a database table to persist the OTP and to manage its expiry date. Such a table might look like this:

  id   User Id   OTP                Expire date
  1    Amir      Asfsd3434bgddh     1/1/2010
  2    Someone   Ddfsd3345ssfsss    7/1/2010

While this is a valid solution, it is not the most efficient or elegant one; the truth is that you do not need an additional table to enable and manage OTPs.

The answer is simple: the seed for this OTP is already persisted in the database in the form of the old password (or, more exactly, the old password hash).

Here is how it is done:
Continue Reading
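To make the idea concrete, here is an added example (editor's code, not CakeOTP's algorithm, which the post above and the CakeOTP 1.0 announcement describe but do not show). It builds an expirable reset token whose seed is the password hash already stored for the user, so no OTP table is needed: the token carries the user id and expiry in the clear and a MAC keyed from the stored hash; verification recomputes the MAC from the hash as it is now, so once the reset has changed the hash every outstanding token for that user fails. The names, the token layout, the server secret and the sample records are assumptions. One caveat a practitioner should keep in mind: such a token stays valid until the hash actually changes, so the reset flow must always write a new hash, and for an activation flow you would bind the MAC to a field that activation changes.

```php
<?php
// Added example by the editor, not CakeOTP's own code. Table-less, expirable
// reset token seeded from the user's stored password hash, as proposed above.
// Names, token layout and sample data are assumptions. Needs PHP >= 5.6 for
// hash_equals().

// Server-side secret, assumed to come from configuration. Mixing it into the
// key means a copy of the users table alone is not enough to forge tokens.
define('OTP_SERVER_SECRET', 'change-me-to-a-long-random-string');

// Stand-in for the users table (constructed sample data). CakePHP's Auth
// stores a 40-character SHA-1 hash; sha1() here is only a placeholder.
$users = array(
    7 => array('username' => 'amir', 'password' => sha1('old-secret')),
);

// The MAC binds the user id and expiry to the password hash in force when the
// token was issued. Change the password and every token for that user dies.
function otpMac($userId, $expires, $passwordHash) {
    $key = hash_hmac('sha256', $passwordHash, OTP_SERVER_SECRET, true);
    return hash_hmac('sha256', $userId . '|' . $expires, $key);
}

// Issue a token valid for $ttlSeconds. $now is injectable for testing.
function otpIssue($userId, $passwordHash, $ttlSeconds, $now = null) {
    $now     = ($now === null) ? time() : $now;
    $expires = $now + $ttlSeconds;
    $mac     = otpMac($userId, $expires, $passwordHash);
    // User id and expiry travel in the clear; the MAC is what protects them.
    return rtrim(strtr(base64_encode("$userId:$expires:$mac"), '+/', '-_'), '=');
}

// Returns the user id on success and false on any failure (fail closed).
function otpVerify($token, array $users, $now = null) {
    $now = ($now === null) ? time() : $now;
    $b64 = strtr($token, '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);   // restore padding
    $raw = base64_decode($b64, true);
    if ($raw === false) {
        return false;
    }
    $parts = explode(':', $raw);
    if (count($parts) !== 3) {
        return false;
    }
    list($userId, $expires, $mac) = $parts;
    if (!ctype_digit($userId) || !ctype_digit($expires)) {
        return false;
    }
    if ((int)$expires < $now) {
        return false;                               // expired
    }
    if (!isset($users[(int)$userId])) {
        return false;                               // no such user
    }
    // Recompute with the hash stored NOW. After a reset the hash differs, so
    // a replayed token fails here, which is what makes it one-time.
    $expected = otpMac($userId, $expires, $users[(int)$userId]['password']);
    if (!hash_equals($expected, $mac)) {
        return false;                               // forged, tampered or stale
    }
    return (int)$userId;
}

// Walk-through: php tableless_otp.php
$now   = 1700000000;                                // fixed clock for the demo
$token = otpIssue(7, $users[7]['password'], 3600, $now);
$checks = array(
    'fresh token'        => otpVerify($token, $users, $now + 60) === 7,
    'expired token'      => otpVerify($token, $users, $now + 3601) === false,
    'tampered token'     => otpVerify(substr($token, 0, -4) . 'AAAA', $users, $now + 60) === false,
);
$users[7]['password'] = sha1('new-secret');         // the reset went through
$checks['replay after reset'] = otpVerify($token, $users, $now + 60) === false;
foreach ($checks as $name => $ok) {
    echo str_pad($name, 20), $ok ? 'ok' : 'FAIL', "\n";
}
```

Deriving the key as HMAC(server secret, password hash) rather than using the hash directly covers requirement 6 above even if the users table leaks: the attacker still lacks the server secret. Expiry is enforced by the verifier's clock, not by a batch job, and the comparison uses hash_equals so a forged MAC cannot be narrowed down by timing.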