No SSL on SolusVM: am I the only one that thinks that it is strange?
Yesterday I put in an order with a provider for a VPS. When I got the 'Your New VPS Is Ready' e-mail, it contained a link to the non-SSL port of SolusVM (5353). I always get an uncomfortable feeling at that point. Because according to @soluslabs SSL is on by default and it should always go there. There must thus have been a reason for this provider not to redirect customers there. When I went to the SSL URL I found an invalid certificate (surprise, surprise).
This is the third provider in 6 months I've had this issue with. I don't want to have to explain to them every time why this simple and yet powerful measure for a little more security is a must-do.
Several questions:
1. Is it so damn hard to buy a $15 SSL certificate to provide all of your customers with secure access to the control panel?
2. Is there any good reason why you would not put an SSL URL in the WHMCS e-mail template?
3. If this simple security measure has not been taken, what else could be wrong?
4. Who else is bothered by this/has had this issue with providers?
Comments
I am. Move away.
Invalid SSL = self signed. Still secure but not recognized. However, we do have valid SSL on every login panel we have. From whmcs to solus to cpanel.
I know. This makes me conclude that no effort was made in actually getting a certificate.
True. I am actually guilty of this myself, as my personal servers use self-signed SSL. Then again, I am the only one who needs to log in there. So no harm done.
PS: if they have an SSL cert, but just simply "untrusted", it's still secure even if it's not signed by a root authority, you just have to make an exception for that one and only server fingerprint, the idea is to encrypt the traffic between the client and server, not simply be "trusted" by some root authority. But of course most people still freak out over a self-signed cert.
But yea a simple SSL cert purchased from one of the many resellers just looks more professional.
Wow, I bought a cheapy-cheap SSL cert for my ownCloud install just to stop all the 'my browser says this site is insecure' questions from non-technically minded family and friends, so you'd think a provider could spring for a reasonable one.
That's what I do for personal stuff as well. I don't care about it there. No harm done indeed
You've ever heard of Wireshark? Doesn't matter how complicated the password is.
I know, but I would have to trust that the self-signed SSL I get the first time is actually the domain owner's. I have no way of checking that.
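The fingerprint exception and the first-use problem raised in the comments above, as an added example that is not part of the original thread: a pin check that only stores the exception for a self-signed certificate once its SHA-256 fingerprint has been confirmed out of band. The function names, the `pins` store and the way the out-of-band fingerprint is obtained are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint(der_cert):
    """SHA-256 over the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def normalize(fp):
    """Accept 'AB:CD:...' or 'abcd...' as shown by browsers and tools."""
    return fp.replace(":", "").replace(" ", "").lower()


def fetch_der(host, port, timeout=5.0):
    """Fetch the server certificate without CA validation; the pin check replaces it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_pin(pins, host, der_cert, oob_fp=None):
    """Decide whether der_cert may be trusted for host.

    pins   : dict host -> pinned fingerprint (the stored "exception")
    oob_fp : fingerprint received over a separate channel (assumed here to
             come from the provider); required to trust a first-seen cert
    """
    seen = fingerprint(der_cert)
    pinned = pins.get(host)
    if pinned is not None:
        # Already pinned: a different cert is a renewal or an interception.
        return "match" if hmac.compare_digest(pinned, seen) else "mismatch"
    if oob_fp is None:
        # Traffic would be encrypted, but the peer's identity is unknown.
        return "unverified-first-use"
    if hmac.compare_digest(normalize(oob_fp), seen):
        pins[host] = seen  # only now is it safe to store the exception
        return "pinned"
    return "mismatch"
```

Against a live panel, pass the bytes returned by `fetch_der(host, port)` to `check_pin`; a `"mismatch"` on a host that was already pinned should be treated as a reason not to log in until the provider confirms the new fingerprint.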
SSL is just a gimmick
Self trusted SSL certificate is not good because the average user thinks it's a scam. They don't read/understand.
I know people like pretty things but SSL is hardly an indication of security, no more than a lack of it is indication of a lack of security. Are you constantly logging into mission critical panels while on open wifi without VPN or something?
Heck I've got a bunch of certificates but I've got better things to do than bother with cosmetic changes to a panel that you should know better than to log into from Starbucks without a VPN. Just my two cents. I'll probably add one tomorrow anyway to shut up the incoming flames for it
If it's important to you, tell them. It's a preference.
Wireshark works on encrypted VPNs?
Nope, only plain traffic.
Well, I guess it 'works,' if you're fine with a bunch of random strings.
Did you notify the host?
:P Seems like at this point they probably had at least a few of the same complaints/notices to them before :P I know when I had turnkey for a brief time, I'd bug em every time their license expired or got invalidated.
We have SSL, but you just reminded me to set up auto-redirect. Currently our HostBill emails all use the SSL link, however I think some people are still using the non-SSL version.
We have SSL certificates installed on all login pages. But it's something like a stupid discussion. Most users get the login details from a mail which was sent over a non-encrypted protocol. So how should an SSL certificate help when your intruder sniffs your emails? It's only a reassurance for a few people that they encrypt everything.
Just change the password? Maybe put a recommendation in the email?
Not sure why everyone is saying SSL is useless just because there are flaws elsewhere with systems.
It's not useless; access should be done over an SSL site. But it's not a refutation against a provider. If you order a VPS and get the email, someone can be faster than you to change the password of your account.
If your email is compromised, it's likely that you have bigger things to worry about than your newly created VPS being stolen.
Quit arguing for the sake of arguing, this is stupid.
Of course. This time, like the last time I informed a host, there's more of a defensive response. They are gonna fix it, but during the communication one of the employees said "there's no sensitive data in there anyway". So now I'm like "whaaat"? I've told them I do think there is sensitive data in there and I'm looking forward to their response.
+1
This is why I use a simple password during sign-up and change it later, over SSL.
That's how it's supposed to be done, @mpkossen.
I would stay away if a provider is too lazy to use SSL on billing system and solusvm.
+1 They are so cheap. Also it doesn't matter how many nodes they have. They only have to buy it for the master license URL, so it's not like they are "rackin' up" a ton of SSLs. This is just poor business. I installed SSLs on SolusVM, WHMCS, and cPanel before I even started selling anything.
I would stay away from a client who logs into important things from public wifi without a VPN, personally. But I get the argument for "why not?"
I think our wildcard cert costs us $32/year. A year. We (and anyone else) can handle $32.
How?
Realizing that it's this important to more than just one person, I'll be adding these for the heck of it. But between you and me, one of my biggest problems is saying "oh it's only $XX." Crazy how fast all the little insignificant costs add up.
Just ask my wife about the summer I spent nearly $600 on iPhone apps.
Some people feel the need to brag about how little certain expenses are, not realizing not all people in all parts of the world have cash to throw at anything.
Oops, it's actually $37, not $32/year.