Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


Thinking of Starting Shared Hosting Business
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

Thinking of Starting Shared Hosting Business

brenthopkinsbrenthopkins Member
edited August 2019 in General

Hi,

I've been a lurker on LET for a while, and only got an account recently. I'm interested in starting a shared hosting business, but I want to make sure all my ducks are in a row.

I'd love to here some feedback about the set up I'm considering, bad feedback is definitely welcome as long as it is constructive:

  • WHMCS to handle orders, billing, etc.
  • Stripe/PayPal so I don't need to worry about PCI compliance. Bitcoin for users who which wish to be anonymous.
  • DirectAdmin for the control panel. I was considering VestaCP, but decided against it due to security issues
  • Software RAID and daily backup to BackBlaze B2 or Online.net's C14
  • 70 websites maximum on one server.

Host server specs:

Intel Xeon-E 2136
2x500GB NVMe (software raid)
1Gbps unmetered
32GB DDR4 ECC 2666MHz

Even though I'd like to think I know a decent amount about web hosting, I'm sure there are people more experienced than me on this forum who can give some insight.

Thanks!

«1

Comments

  • Out of curiosity, does NVMe raid1 post any issues in the long run? Pertaining to r/w performance.

  • There's really nothing such as having anonymous customers in hosting. Only produces problems for you.

  • MikeAMikeA Member, Patron Provider
    edited August 2019

    @SirFoxy said:
    There's really nothing such as having anonymous customers in hosting. Only produces problems for you.

    Definitely not considering he's posting an OVH server spec. Anonymous customers on OVH network will bring him lots of fun time.

    @cybertech said:
    Out of curiosity, does NVMe raid1 post any issues in the long run? Pertaining to r/w performance.

    no, I use the same hardware but with dual 1-2TB NVMe drives and performance is as expected.

    Thanked by 1cybertech
  • LeviLevi Member

    @SirFoxy said:
    There's really nothing such as having anonymous customers in hosting. Only produces problems for you.

    Online world is all fake.

    Thanked by 1Egyarmy
  • @MikeA said:

    @SirFoxy said:
    There's really nothing such as having anonymous customers in hosting. Only produces problems for you.

    Definitely not considering he's posting an OVH server spec. Anonymous customers on OVH network will bring him lots of fun time.

    @cybertech said:
    Out of curiosity, does NVMe raid1 post any issues in the long run? Pertaining to r/w performance.

    no, I use the same hardware but with dual 1-2TB NVMe drives and performance is as expected.

    Can you elaborate on why OVH would have issues with anonymous customers? There's plenty of Tor exit nodes using OVH, and that brings plenty of abuse.

    Bitcoin is really more for people who want to host controversial content (legal content) and would rather keep their identity to themselves. Or customers in countries that block PayPal or Stripe.

    Thanks

  • MikeAMikeA Member, Patron Provider
    edited August 2019

    @brenthopkins said:

    @MikeA said:

    @SirFoxy said:
    There's really nothing such as having anonymous customers in hosting. Only produces problems for you.

    Definitely not considering he's posting an OVH server spec. Anonymous customers on OVH network will bring him lots of fun time.

    @cybertech said:
    Out of curiosity, does NVMe raid1 post any issues in the long run? Pertaining to r/w performance.

    no, I use the same hardware but with dual 1-2TB NVMe drives and performance is as expected.

    Can you elaborate on why OVH would have issues with anonymous customers? There's plenty of Tor exit nodes using OVH, and that brings plenty of abuse.

    Bitcoin is really more for people who want to host controversial content (legal content) and would rather keep their identity to themselves. Or customers in countries that block PayPal or Stripe.

    Thanks

    Unless you plan to instantly kick off any anonymous customers who host illegal things on your server you will need to provide OVH abuse team detail on how you prevent each problem from happening again in the future.

    If it's legal content sure, but there's a lot of people who pay with BTC who don't have legitimate uses. Yesterday I had a guy that was banned from other hosts for running phishing sites, paid with BTC. 4~ days ago I had a guy trying to run Microsoft phishing sites, paid with BTC. Yeah, there are legit people, obviously. But either way don't think of OVH as an abuse friendly host.

    Edit - And no, Tor will bring abuse, but if I recall that falls under something in the terms of service, so I'm sure they can terminate the client anytime if they really want to. I remember in the past their abuse teams canned response threatens termination for things like DMCA, so.

  • Unless you plan to instantly kick off any anonymous customers who host illegal things on your server you will need to provide OVH abuse team detail on how you prevent each problem from happening again in the future.

    If it's legal content sure, but there's a lot of people who pay with BTC who don't have legitimate uses. Yesterday I had a guy that was banned from other hosts for running phishing sites, paid with BTC. 4~ days ago I had a guy trying to run Microsoft phishing sites, paid with BTC. Yeah, there are legit people, obviously. But either way don't think of OVH as an abuse friendly host.

    Edit - And no, Tor will bring abuse, but if I recall that falls under something in the terms of service, so I'm sure they can terminate the client anytime if they really want to. I remember in the past their abuse teams canned response threatens termination for things like DMCA, so.

    How would OVH treat abuse as long as it is resolved in less than 24 hours? Would that still require an essay on how you will prevent abuse on OVH's network?

    Thanks

  • LeviLevi Member

    @brenthopkins said:

    Unless you plan to instantly kick off any anonymous customers who host illegal things on your server you will need to provide OVH abuse team detail on how you prevent each problem from happening again in the future.

    If it's legal content sure, but there's a lot of people who pay with BTC who don't have legitimate uses. Yesterday I had a guy that was banned from other hosts for running phishing sites, paid with BTC. 4~ days ago I had a guy trying to run Microsoft phishing sites, paid with BTC. Yeah, there are legit people, obviously. But either way don't think of OVH as an abuse friendly host.

    Edit - And no, Tor will bring abuse, but if I recall that falls under something in the terms of service, so I'm sure they can terminate the client anytime if they really want to. I remember in the past their abuse teams canned response threatens termination for things like DMCA, so.

    How would OVH treat abuse as long as it is resolved in less than 24 hours? Would that still require an essay on how you will prevent abuse on OVH's network?

    Thanks

    After 3 or 4 times of the same abuse type they will terminate you. No matter essay or not essay. Do not do this if you know rhat your services may be heavilly abused.

  • MikeAMikeA Member, Patron Provider

    @brenthopkins said:

    Unless you plan to instantly kick off any anonymous customers who host illegal things on your server you will need to provide OVH abuse team detail on how you prevent each problem from happening again in the future.

    If it's legal content sure, but there's a lot of people who pay with BTC who don't have legitimate uses. Yesterday I had a guy that was banned from other hosts for running phishing sites, paid with BTC. 4~ days ago I had a guy trying to run Microsoft phishing sites, paid with BTC. Yeah, there are legit people, obviously. But either way don't think of OVH as an abuse friendly host.

    Edit - And no, Tor will bring abuse, but if I recall that falls under something in the terms of service, so I'm sure they can terminate the client anytime if they really want to. I remember in the past their abuse teams canned response threatens termination for things like DMCA, so.

    How would OVH treat abuse as long as it is resolved in less than 24 hours? Would that still require an essay on how you will prevent abuse on OVH's network?

    Thanks

    Sometimes they won't care and close it sometimes they will push for steps you took to prevent it from occurring again. All I am trying to get across if to not market your services as "anonymous hosting" or "bitcoin web hosting" or anything like that unless you're specifically using a network that is lenient on abuse or is in a country that doesn't have laws like the US or many EU countries.

  • jsgjsg Member, Resident Benchmarker

    @brenthopkins said:
    How would OVH treat abuse as long as it is resolved in less than 24 hours? Would that still require an essay on how you will prevent abuse on OVH's network?

    I think you got @MikeA wrong. Unless you have at least half a rack full of servers you are a small fish for OVH and they need not care about details like whether you or one of your clients created trouble. So it's basically their friendly courtesy to give you a chance instead of simply kicking you. What is expected is a clear, actionable, credible statement from you how you can avoid misuse repeating (not an "essay").

    Now to the technical side:

    It's not about X (e.g. 70) sites max per host. If sites are highly frequented 5 can be too many. If - and that's more realistic - 90% of the sites hardly get 1 req/s (if that), 8% get a couple of dozen req/s and 2% get a couple of hundred req/s, you can have hundreds of them on a single server.

    The one technical point I'd recommend to think over is dual NVMe with soft-Raid. My advice would be to save money by using SSDs but to use hardware Raid - not because the Raid is so much faster but because the controller has (hopefully) lots of memory (1 GB or more). If you choose your http server software wisely and if you configure it smartly (-> caching) SSDs will be plenty fast enough but the hw Raid controller will offer speed and more IOps. The second reason is that a hardware controller with BBU (do not even think about using one without BBU) is an excellent means to avoid having to explain to your clients why all their data are lost.

    Thanked by 1ITLabs
  • @MikeA said:

    @brenthopkins said:

    Unless you plan to instantly kick off any anonymous customers who host illegal things on your server you will need to provide OVH abuse team detail on how you prevent each problem from happening again in the future.

    If it's legal content sure, but there's a lot of people who pay with BTC who don't have legitimate uses. Yesterday I had a guy that was banned from other hosts for running phishing sites, paid with BTC. 4~ days ago I had a guy trying to run Microsoft phishing sites, paid with BTC. Yeah, there are legit people, obviously. But either way don't think of OVH as an abuse friendly host.

    Edit - And no, Tor will bring abuse, but if I recall that falls under something in the terms of service, so I'm sure they can terminate the client anytime if they really want to. I remember in the past their abuse teams canned response threatens termination for things like DMCA, so.

    How would OVH treat abuse as long as it is resolved in less than 24 hours? Would that still require an essay on how you will prevent abuse on OVH's network?

    Thanks

    Sometimes they won't care and close it sometimes they will push for steps you took to prevent it from occurring again. All I am trying to get across if to not market your services as "anonymous hosting" or "bitcoin web hosting" or anything like that unless you're specifically using a network that is lenient on abuse or is in a country that doesn't have laws like the US or many EU countries.

    @LTniger said:

    @brenthopkins said:

    Unless you plan to instantly kick off any anonymous customers who host illegal things on your server you will need to provide OVH abuse team detail on how you prevent each problem from happening again in the future.

    If it's legal content sure, but there's a lot of people who pay with BTC who don't have legitimate uses. Yesterday I had a guy that was banned from other hosts for running phishing sites, paid with BTC. 4~ days ago I had a guy trying to run Microsoft phishing sites, paid with BTC. Yeah, there are legit people, obviously. But either way don't think of OVH as an abuse friendly host.

    Edit - And no, Tor will bring abuse, but if I recall that falls under something in the terms of service, so I'm sure they can terminate the client anytime if they really want to. I remember in the past their abuse teams canned response threatens termination for things like DMCA, so.

    How would OVH treat abuse as long as it is resolved in less than 24 hours? Would that still require an essay on how you will prevent abuse on OVH's network?

    Thanks

    After 3 or 4 times of the same abuse type they will terminate you. No matter essay or not essay. Do not do this if you know rhat your services may be heavilly abused.

    Thank you both for the valuable insight. I don't think I will advertise it an anonymous/bitcoin web host. Instead I am thinking of advertising it more of a free speech and reliable web host.

    @MikeA I am going to send you a PM in a second.

  • jsgjsg Member, Resident Benchmarker

    @brenthopkins said:
    Instead I am thinking of advertising it more of a free speech and reliable web host.

    Nowadays "free speech" and trouble are almost synonymous. Plus many of those concerned about free speech are also concerned about privacy.

    Do as you please but I think that offering free speech hosting without an anonymous payment option isn't very promising.

    (Disclaimer: I like your intention. My statements are well intended)

  • @jsg said:

    @brenthopkins said:
    How would OVH treat abuse as long as it is resolved in less than 24 hours? Would that still require an essay on how you will prevent abuse on OVH's network?

    I think you got @MikeA wrong. Unless you have at least half a rack full of servers you are a small fish for OVH and they need not care about details like whether you or one of your clients created trouble. So it's basically their friendly courtesy to give you a chance instead of simply kicking you. What is expected is a clear, actionable, credible statement from you how you can avoid misuse repeating (not an "essay").

    Now to the technical side:

    It's not about X (e.g. 70) sites max per host. If sites are highly frequented 5 can be too many. If - and that's more realistic - 90% of the sites hardly get 1 req/s (if that), 8% get a couple of dozen req/s and 2% get a couple of hundred req/s, you can have hundreds of them on a single server.

    The one technical point I'd recommend to think over is dual NVMe with soft-Raid. My advice would be to save money by using SSDs but to use hardware Raid - not because the Raid is so much faster but because the controller has (hopefully) lots of memory (1 GB or more). If you choose your http server software wisely and if you configure it smartly (-> caching) SSDs will be plenty fast enough but the hw Raid controller will offer speed and more IOps. The second reason is that a hardware controller with BBU (do not even think about using one without BBU) is an excellent means to avoid having to explain to your clients why all their data are lost.

    I would limit memory, disk space, and bandwidth to each site to minimize noisy neighbors. 70 websites maximum means 70 websites on the lowest plan possible. You are right about the concurrent requests, though. I would impose a limit on that, but it is unfair to people having traffic spikes or being DDoS'ed. It's something I need to think about more.

    Software RAID at the moment is what I'm going to be stuck with regarding RAID. I personally don't trust backups in the same location anyways. As mentioned in the OP, I intend to use BackBlaze B2 as a off-site, reliable backup solution.

  • brenthopkinsbrenthopkins Member
    edited August 2019

    @jsg said:

    @brenthopkins said:
    Instead I am thinking of advertising it more of a free speech and reliable web host.

    Nowadays "free speech" and trouble are almost synonymous. Plus many of those concerned about free speech are also concerned about privacy.

    Do as you please but I think that offering free speech hosting without an anonymous payment option isn't very promising.

    (Disclaimer: I like your intention. My statements are well intended)

    I'm an advocate for privacy and freedom of speech. If there is a user who is 100%, without a doubt breaking the law, I'd be more than happy to assist law enforcement. On the other hand, I'd be more than happy to protect a journalist who made a government angry.

    I would imagine if things take off, I could get a dedicated server from Private Layer in Switzerland, and accept bitcoin for that location.

    Please note that this web hosting business might not be launched until a month or two. It's still in the brainstorming stage right now, and I'd need to make sure everything works and looks decent before I launch it.

  • @MikeA said:
    no, I use the same hardware but with dual 1-2TB NVMe drives and performance is as expected.

    If I may ask, what are brand and type of the NVME drives you use?

  • brenthopkinsbrenthopkins Member
    edited August 2019

    @laoban "Samsung Datacenter NVMe SSDs"

    https://extravm.com/webhosting.html

  • MikeAMikeA Member, Patron Provider

    @laoban said:

    @MikeA said:
    no, I use the same hardware but with dual 1-2TB NVMe drives and performance is as expected.

    If I may ask, what are brand and type of the NVME drives you use?

    It's an OVH server, the 1.92TB NVMe drives they use are these - https://www.superbiiz.com/detail.php?name=MZQLB1T9HA

    Thanked by 1laoban
  • You are kinda late, summer is almost over :neutral:

  • @brenthopkins said:

    @jsg said:

    @brenthopkins said:
    Instead I am thinking of advertising it more of a free speech and reliable web host.

    Nowadays "free speech" and trouble are almost synonymous. Plus many of those concerned about free speech are also concerned about privacy.

    Do as you please but I think that offering free speech hosting without an anonymous payment option isn't very promising.

    (Disclaimer: I like your intention. My statements are well intended)

    I'm an advocate for privacy and freedom of speech. If there is a user who is 100%, without a doubt breaking the law, I'd be more than happy to assist law enforcement. On the other hand, I'd be more than happy to protect a journalist who made a government angry.

    I would imagine if things take off, I could get a dedicated server from Private Layer in Switzerland, and accept bitcoin for that location.

    Please note that this web hosting business might not be launched until a month or two. It's still in the brainstorming stage right now, and I'd need to make sure everything works and looks decent before I launch it.

    Switzerland hosting will do you absolutely no good if you live in the U.S. or other countries where the content is questionable. They do not care if the server is there, they care where you are and what you are doing.

    I think you need to do some research before you start this venture, and even maybe consult a lawyer in the country you live in, and see what the law can and will do if you violate your laws.

    It is not as cut and dry anymore as it used to be, and it is changing too much to rely on just what people on the web tell you. I am not saying do not it, but I am saying make sure you do it right or you may end up on the hook.

  • jsgjsg Member, Resident Benchmarker

    @brenthopkins said:
    I'm an advocate for privacy and freedom of speech. If there is a user who is 100%, without a doubt breaking the law, I'd be more than happy to assist law enforcement. On the other hand, I'd be more than happy to protect a journalist who made a government angry.

    Nice view - but without proper legs because you can virtually never be 100% sure about some user breaking the law. Governments and governments agencies sometimes lie or make things appear different from how they really are, etc, etc.

    Switzerland? Pardon me but that country (or more precisely its politicians) bent over when the USA pressed them and largely gave up their "holy" banking secrecy. That is not to say that Switzerland is a bad country but rather that "democracy" and laws are one thing and reality often is a quite different thing.

    Again, I like your intention but I'm not sure that you are really prepared and capable to pull that off. I wish you good luck, sincerely.

    Well noted, what I write here doesn't come from this or that political position or view but from the fact that thinking rationally and verifying statements and assumptions is part of my job.

    Thanked by 1AuroraZ
  • jsgjsg Member, Resident Benchmarker
    edited August 2019

    @AuroraZ

    Yes. More precisely (and ugly) they pick and choose what they care about. It may be the server location or yours or that of your provider or ...

    Thanked by 1AuroraZ
  • @jsg said:
    @AuroraZ

    Yes. More precisely (and ugly) they pick what they care about. It may be the server location or yours or that of your provider or ...

    Yeah, and then they start with their crap to get people to do what they want. The sad thing is the guy providing services may not even know until it is too late.

  • @bugrakoc said:
    You are kinda late, summer is almost over :neutral:

    Yeah, okay... I'm trying to get feedback so I can offer a good service, and you want to assume it will be a garbage host that will last 3 months.

    @AuroraZ said:

    @brenthopkins said:

    @jsg said:

    @brenthopkins said:
    Instead I am thinking of advertising it more of a free speech and reliable web host.

    Nowadays "free speech" and trouble are almost synonymous. Plus many of those concerned about free speech are also concerned about privacy.

    Do as you please but I think that offering free speech hosting without an anonymous payment option isn't very promising.

    (Disclaimer: I like your intention. My statements are well intended)

    I'm an advocate for privacy and freedom of speech. If there is a user who is 100%, without a doubt breaking the law, I'd be more than happy to assist law enforcement. On the other hand, I'd be more than happy to protect a journalist who made a government angry.

    I would imagine if things take off, I could get a dedicated server from Private Layer in Switzerland, and accept bitcoin for that location.

    Please note that this web hosting business might not be launched until a month or two. It's still in the brainstorming stage right now, and I'd need to make sure everything works and looks decent before I launch it.

    Switzerland hosting will do you absolutely no good if you live in the U.S. or other countries where the content is questionable. They do not care if the server is there, they care where you are and what you are doing.

    I think you need to do some research before you start this venture, and even maybe consult a lawyer in the country you live in, and see what the law can and will do if you violate your laws.

    It is not as cut and dry anymore as it used to be, and it is changing too much to rely on just what people on the web tell you. I am not saying do not it, but I am saying make sure you do it right or you may end up on the hook.

    I am just interested in hosting legal content. I have no issue removing illegal content, but I don't want my server to be terminated because the ISP doesn't want to forward a few abuse requests a month.

    @jsg said:

    @brenthopkins said:
    I'm an advocate for privacy and freedom of speech. If there is a user who is 100%, without a doubt breaking the law, I'd be more than happy to assist law enforcement. On the other hand, I'd be more than happy to protect a journalist who made a government angry.

    Nice view - but without proper legs because you can virtually never be 100% sure about some user breaking the law. Governments and governments agencies sometimes lie or make things appear different from how they really are, etc, etc.

    Switzerland? Pardon me but that country (or more precisely its politicians) bent over when the USA pressed them and largely gave up their "holy" banking secrecy. That is not to say that Switzerland is a bad country but rather that "democracy" and laws are one thing and reality often is a quite different thing.

    Again, I like your intention but I'm not sure that you are really prepared and capable to pull that off. I wish you good luck, sincerely.

    Well noted, what I write here doesn't come from this or that political position or view but from the fact that thinking rationally and verifying statements and assumptions is part of my job.

    Yes, governments can use a lot of resources to change things for their narrative, but I don't think I will have any clients who would attract that much attention.

    You are 100% correct about Switzerland. It is not a banking haven or even a privacy haven anymore. A website with HSTS enabled hosted in Switzerland can still be privacy-friendly. I mentioned Private Layer not because it is located in Switzerland, but rather because of their more relaxed abuse policy. (read: they don't like terminating accounts) The other host I can think of with a relaxed abuse policy is Novogara, but "Novogara" and "reliable" don't go together. Not only that, it would cause huge problems for users wanted to send email.

    Again, I like your intention but I'm not sure that you are really prepared and capable to pull that off. I wish you good luck, sincerely.

    Regarding this statement, I actually agree. That's why I opened up this thread. I'm giving this project an ETA of >1 month to launch so all my ducks can be in a row. I'd rather take my time making sure everything is good, than just launching a half-ass web hosting company.

  • @brenthopkins said:

    @bugrakoc said:
    You are kinda late, summer is almost over :neutral:

    Yeah, okay... I'm trying to get feedback so I can offer a good service, and you want to assume it will be a garbage host that will last 3 months.

    That's because you are trying to get that feedback from LET. Not really the best place to look for advice. But hey, what do I know, right? There are some valid advice here, maybe you should listen to them.

    In any case, my intention wasn't to be mean. Somebody had to make that joke :smile:

  • jsgjsg Member, Resident Benchmarker

    @brenthopkins said:
    Yes, governments can use a lot of resources to change things for their narrative, but I don't think I will have any clients who would attract that much attention.

    That's an untenable statement. Next to other reasons you might be surprised what even small fries like say a district attorney do to get at people, servers, sites, etc. But it's also untenable because that's not how it works (and how people work).

    ... A website with HSTS enabled hosted in Switzerland can still be privacy-friendly. ...

    It seems to me that you are overlooking or not seeing quite some factors but let me give you some advice: Do not believe anything. "Mozilla and/or EFF is behind it" may seem relevant and important psychologically but technically it's irrelevant and can in fact even turn out to be negative for you.
    Just one striking example: the whole PKI model is utterly flawed and in fact broken. Funnily the much beloved Let's Encrypt project demonstrates that. A LE issued cert tells you virtually nothing about the entity whose identity it pretends to certify. It merely "proves" that someone was or is in control of a domain or a system. What most people don't see is that it's dangerously easy to spoof/MITM that. For example your provider can MITM it. The problem is the automation and the complete lack of any verification of the legal entity (person, org, company). An LE cert - in the best case - can show that a system is who it says it is, but not the human or org or company.

    Plus, trust me, there is a lot of politics and interest groups (incl. commercial) interests in "security" and especially in PKI (which includes SSL/TLS).

    Plus there is of course always the other side of anything. Even if one assumed that TLS is perfectly secure that wouldn't change the fact that publicly accessible software using TLS is wide open to DOS attacks. I work with and code crypto for a living and know what I'm talking about. The TLS computations (happening e.g. during handshakes) are immensely expensive and tens to hundreds of thousand times slower than symetric crypto.

    As a normal John or Harry one probably can afford to not care a lot and to simply assume that https is secure and fast. But as a hoster you are not some John or Harry, and even if you were that can change instantly with a single client.

    My point is not to talk you out of your plans. It is to warn you that walking in a mine field (and free speech increasingly is a mine field) requires proper thinking and checking what "everyone knows" (because sometimes everyone is wrong).

    Thanked by 1uptime
  • bugrakoc said: You are kinda late, summer is almost over :neutral:

    Fret Not. It'll soon be summer again

    Thanked by 1Egyarmy
  • armandorgarmandorg Member, Host Rep

    @kkrajk said:

    bugrakoc said: You are kinda late, summer is almost over :neutral:

    Fret Not. It'll soon be summer again

    preparing for winter hosts.

  • First there's the fall hosts. Then the winter hosts arrive.

  • LeviLevi Member

    @kkrajk said:

    bugrakoc said: You are kinda late, summer is almost over :neutral:

    Fret Not. It'll soon be summer again

    There is a winter. Sometimes it's more intricant than summer...

  • @jsg said:

    @brenthopkins said:
    Yes, governments can use a lot of resources to change things for their narrative, but I don't think I will have any clients who would attract that much attention.

    That's an untenable statement. Next to other reasons you might be surprised what even small fries like say a district attorney do to get at people, servers, sites, etc. But it's also untenable because that's not how it works (and how people work).

    ... A website with HSTS enabled hosted in Switzerland can still be privacy-friendly. ...

    It seems to me that you are overlooking or not seeing quite some factors but let me give you some advice: Do not believe anything. "Mozilla and/or EFF is behind it" may seem relevant and important psychologically but technically it's irrelevant and can in fact even turn out to be negative for you.
    Just one striking example: the whole PKI model is utterly flawed and in fact broken. Funnily the much beloved Let's Encrypt project demonstrates that. A LE issued cert tells you virtually nothing about the entity whose identity it pretends to certify. It merely "proves" that someone was or is in control of a domain or a system. What most people don't see is that it's dangerously easy to spoof/MITM that. For example your provider can MITM it. The problem is the automation and the complete lack of any verification of the legal entity (person, org, company). An LE cert - in the best case - can show that a system is who it says it is, but not the human or org or company.

    Plus, trust me, there is a lot of politics and interest groups (incl. commercial) interests in "security" and especially in PKI (which includes SSL/TLS).

    Plus there is of course always the other side of anything. Even if one assumed that TLS is perfectly secure that wouldn't change the fact that publicly accessible software using TLS is wide open to DOS attacks. I work with and code crypto for a living and know what I'm talking about. The TLS computations (happening e.g. during handshakes) are immensely expensive and tens to hundreds of thousand times slower than symetric crypto.

    As a normal John or Harry one probably can afford to not care a lot and to simply assume that https is secure and fast. But as a hoster you are not some John or Harry, and even if you were that can change instantly with a single client.

    My point is not to talk you out of your plans. It is to warn you that walking in a mine field (and free speech increasingly is a mine field) requires proper thinking and checking what "everyone knows" (because sometimes everyone is wrong).

    I was not aware of the issues regarding PKI.

    I'm not able to fully respond right now, but I'll send a PM later. I'd rather discuss via PM so the thread doesn't get continually bumped.

Sign In or Register to comment.