undefined | Better HN

0 pointscaconym_9y ago0 comments

I am not a security expert, but as I understand it, passwords sent in the clear are vulnerable to being intercepted. Even if users of your site don't have much to worry about from those accounts being compromised (this may or may not be true), lots of people use the same password for more than one login, so their accounts on other sites could be compromised too.

That's definitely a significant security risk, even if it wasn't being explicitly labeled before now. It sucks for independent website operators like you, but I'd probably blame your hosting for making it difficult to secure your site rather than browser vendors for protecting their users.

0 comments

johndoe45899y ago

I know I guess I just have to vent some frustration.

Time to move on I guess.

Does anyone have good hosting suggestions for a web app that has a 1GB database and a few thousand active users?

I can only afford ~10-20 EUR a month on shared hosting atm.

vamur9y ago

Try OVH. $3.5/mo for a 2GB RAM VPS https://www.ovh.com/us/vps/

lucideer9y ago

I'm currently on OVH. If you've a tight budget, I'd highly recommend. They're a LetsEncrypt sponsor so they offer free SSL out of the box https://www.ovh.ie/news/articles/a2224.ovh-your-free-ssl-cer...

techwizrd9y ago

Have you tried Amazon Lightsail or Digital Ocean? Both of them give you more than a paltry 1 GB for their $5/mo plans.

fastball9y ago

Seconding DigitalOcean. You can get a 20GB SSD + 1000GB xfer for $5 a month.

1 more reply

joshstrange9y ago

Dreamhost is in that price range and has LetsEncrypt built in (it's just a checkbox when configuring the domain). I don't use them for my real projects but it's great for blogs and low traffic sites (a couple thousand users should fair fine I'd think).

imron9y ago

> I can only afford ~10-20 EUR a month on shared hosting atm.

Sounds to me like you can move to a better host that does provide LetsEncrypt and save money on your hosting costs to boot!

johndoe45899y ago

Thanks so much for all the suggestions!

icebraining9y ago

LDHosting's shared hosting costs me 35€/year, gives 5GB of disk space and lets me upload my own cert for free. I've been with them for a few years and the uptime has been excellent.

ldev9y ago

https://www.netcup.eu/bestellen/produkt.php?produkt=1587

9 EUR, 2 cores + 6 GB RAM, 40 GB SSD.

It still baffles me that someone is using shared hosting services and upload their php files via ftp...

michalskop9y ago

Scaleway has 50G disc and 2G memory for 3€(+VAT)/month

andybak9y ago

Webfaction still rock

robbiewxyz9y ago

I think you could probably just point your DNS at Cloudflare to proxy your site through them; their service includes SSL plus some extras like caching and such for free. I've used them for a handful of projects and it's worked great.

simcop23879y ago

That said it will still be insecure because of the unencrypted path from cloudflare to you server but it will hire the error

3 more replies

ycitm9y ago

If you have control of your nameservers you can use cloudflare's free TLS offering and keep your current webhost.

slrz9y ago

What about actually solving the problem instead of tricking the user into believing their data is encrypted while being transferred to you?

andybak9y ago

I'm personally in favour of Cloudflare as the simplest solution - even simpler than letsencrypt. However - there are a few caveats. They tend to hit some countries with a Captcha unless you disable it. Might not be an issue. Their "Flexible SSL is controversial as it only encrypts from client to them - not from them to the server. Personally I think this covers the most obvious threat models and is probably "good enough" for the a lot of use cases.

fastball9y ago

You have a few thousand active monthly users (since it's a web app that requires an account, I'm assuming that corresponds to 50-100k page views per month) and you can't recoup 10-20 EUR a month to cover server costs?

I think it's time for a bit of light monetization.

eru9y ago

Perhaps johndoe4589 doesn't want to monetize?

(Asking users for donations might work where advertisement perhaps doesn't.)

j / k navigate · click thread line to collapse

0 comments

johndoe45899y ago

I know I guess I just have to vent some frustration.

Time to move on I guess.

Does anyone have good hosting suggestions for a web app that has a 1GB database and a few thousand active users?

I can only afford ~10-20 EUR a month on shared hosting atm.

vamur9y ago

Try OVH. $3.5/mo for a 2GB RAM VPS https://www.ovh.com/us/vps/

lucideer9y ago

techwizrd9y ago

Have you tried Amazon Lightsail or Digital Ocean? Both of them give you more than a paltry 1 GB for their $5/mo plans.

fastball9y ago

Seconding DigitalOcean. You can get a 20GB SSD + 1000GB xfer for $5 a month.

1 more reply

joshstrange9y ago

imron9y ago

> I can only afford ~10-20 EUR a month on shared hosting atm.

Sounds to me like you can move to a better host that does provide LetsEncrypt and save money on your hosting costs to boot!

johndoe45899y ago

Thanks so much for all the suggestions!

icebraining9y ago

LDHosting's shared hosting costs me 35€/year, gives 5GB of disk space and lets me upload my own cert for free. I've been with them for a few years and the uptime has been excellent.

ldev9y ago

https://www.netcup.eu/bestellen/produkt.php?produkt=1587

9 EUR, 2 cores + 6 GB RAM, 40 GB SSD.

It still baffles me that someone is using shared hosting services and upload their php files via ftp...

michalskop9y ago

Scaleway has 50G disc and 2G memory for 3€(+VAT)/month

andybak9y ago

Webfaction still rock

robbiewxyz9y ago

simcop23879y ago

That said it will still be insecure because of the unencrypted path from cloudflare to you server but it will hire the error

3 more replies

ycitm9y ago

If you have control of your nameservers you can use cloudflare's free TLS offering and keep your current webhost.

slrz9y ago

What about actually solving the problem instead of tricking the user into believing their data is encrypted while being transferred to you?

andybak9y ago

fastball9y ago

I think it's time for a bit of light monetization.

eru9y ago

Perhaps johndoe4589 doesn't want to monetize?

(Asking users for donations might work where advertisement perhaps doesn't.)

j / k navigate · click thread line to collapse