SSL for Virtual Hosts

Mar 3, 2013 by

Everyone knows that if you want SSL for a web site, it has to be on a dedicated IP.  But…why?

After all, we can have 1,000 non-SSL web sites on a single IP through virtual hosts.  So why not SSL?

I was curious and did some reading.  Turns out the answer is that the SSL protocol does a handshake before HTTP – it’s a separate, encapsulating, pre-HTTP-begins protocol.

Quoting from that Apache doc:

The reason is that the SSL protocol is a separate layer which encapsulates the HTTP protocol. So the SSL session is a separate transaction, that takes place before the HTTP session has begun. The server receives an SSL request on IP address X and port Y (usually 443). Since the SSL request does not contain any Host: field, the server has no way to decide which SSL virtual host to use. Usually, it will just use the first one it finds, which matches the port and IP address specified.

However…this is fixed in SSL v3 with Server Name Indication. I wonder how many IPs could be released if Microsoft Internet Explorer 8 were finally retired. The issue is that if this were implemented, all IE 8 (and earlier) clients would break, and there is no way to go back and fix those products.


Server Hosting Company Simulator!

Mar 3, 2013 by




This is hilarious. Thanks to Andrew Zadnik who originally posted it in a LowEndTalk thread.



HostGator Security Panic!

Mar 1, 2013 by

I ran across this on the web:

Is HostGator Shared Hosting Safe?

Now first, you should know a couple things:

  1. I have no idea who WHSR is – this is just something I stumbled upon.
  2. There are many “Top 10 Web Hosts”, “Web Host Reviews”, etc. sites.  If you look at them, you’ll see that all of the links, etc are affiliate-coded.  They exist to draw in people who google for, say, “HostGator Review” and then click on an affiliate link to sign up.

Are most of these sites legit?  No.

Are some of them legit?  Probably.  As a disclaimer, I do own a VPS review site.  However, in that case I do personally own (or have recently owned) VPSes on all providers listed for several years.  And while I do use affiliate codes for those providers who offer them, I also recommend providers who don’t.

Back to this article.  Is the issue WHSR raises legit?  I don’t really think so.

System administrator access is always privilege-rich. Unfortunately, cPanel/WHM does not offer granular access. If someone has root on the box, they have root to every account, which is true of the underlying Linux OS as well. Resellers can be restricted to the accounts they’ve resold, but ultimately, yes, there is one big “God” account for each cPanel. While good security would be to set different root passwords on each cPanel server, how to determine those passwords (e.g., the password vault) is probably available to anyone.

I work in a Fortune 500 company by day and there are probably 30 people who could bring down the enterprise – destroy SAN volumes, erase databases, nuke servers, etc.  Of course, we’d lose our jobs and go to prison, but at some point you have to trust people to do their jobs.

A new admin at HostGator probably does know all the root passwords on his first day.  I knew the root passwords for several jobs on my first day, and they were bigger environments than HG.

There is one possible kernel of truth. In the jobs I’ve had, there were background checks, reference checks, interviews, etc. The “secret info” quoted on WHSR states that “HG will hire just about anybody for this position”. I have no comment because I don’t know, but it would certainly be in HG’s best interests to do some background checks instead of just turning things over to anyone off the street. I’m sure if you asked HG, they would say they do rigorous background checks, etc. The only claim that they don’t is from an anonymous poster on an affiliate revenue generation site.



Thinking Like a User

Feb 27, 2013 by

I have a friend who wrote a book.  She’s a counselor and her book is about depression.

Her publisher offered to set up a web site for her, and charge her something ridiculous – $200 a month if I recall. What would such a fabulous web site do!? Pretty much just static pages where she could place content.

I told her for $10/year she could register a domain and I could host her on my nascent hosting company as a beta user for free. Because she’s a friend, I found a nice WP theme, set up the site, and populated it with her content, which was articles, blog posts, and some art.

I wrote her a three page “howto” on using WordPress and tried to think like a user.  How do you write user documentation?  For me it works like this:

  • Basic info section at the top – URLs, credentials, glossary
  • Key concepts – in this case, what’s the difference between a page and a post, etc.
  • Procedures – Add a Page, which includes everything from start to finish (including placing it in a menu), Delete a Post, etc.

My friend is not a computer person and Microsoft Word is about as far as she goes.

I’ve been looking at various tutorial systems for users, and ultimately I think I’ll utilize some prepackaged ones while creating my own post-go-live.


Web-Hosted Project Management Apps

Feb 23, 2013 by

Starting a company gets real complicated real fast.

There is so much to do – so many odds and ends and technical details.  And that’s before you start dealing with customers.

I’ve been looking for a web-based project management app.  I could use Excel or a Wiki but I’d like something a little more elegant.

Here are my notes based on recent explorations:

Currently Considering

ToodleDo: I use this app constantly – perhaps 30 times a day I’m in and out of it. Absolutely love it and use it on my phone, too. My whole life is in TD. It does subtasks, priorities, etc. but I’m not sure how well it would work for collaboration. Also, there’s no way to hive off this project from the rest of my life. You’re limited to Folders->Tasks->Subtasks, and I find the subtasking implementation to be suboptimal, so I’d have to set up a bunch of folders that would be intermingled with all my other stuff (or set up a separate account I suppose, but that would probably break the phone integration).

collabtve: Very nice, but I wish I could reorg tasks in the interface. If you use task lists as the “main task” then you can subtask I suppose. Nice interface, easy to set up. It may be easy to reorg/reorder tasks – the rest of the GUI is so nice I’m sure that’s possible but I haven’t read the docs yet.

phpprojekt: The .zip also took like a half-hour to unzip…seriously, 16,000+ files? The docs say to run “php composer.phar install” but apparently you don’t need to do that…well, the docs aren’t great. However I kind of like it, although running on a shared host it’s very slow to add (though clicking around seems OK). Easy to add any level of subtask, though reorganizing means a form/submit.

Passed On These

basecamp: hosted and expensive

TaskFreak: I’d forgotten about this oldie/goodie. Looks like it hasn’t changed. Not sure if it can do subtasks.

BugGenie: looks nice, but more issue/bug-oriented. BTW, installing in the root of a domain should not require going in and editing .php files – it should just be part of the install.

dotProject: demo is offline, no longer maintained?

ProjectHQ: heck, their whole site is offline

Excel or Google Docs: little more than a glorified notepad in the sky, makes it hard to flag urgent stuff. requires java + oracle. I could actually do that in a VPS but sheesh, I’m planning a project not coordinating Operation Overlord.

ProjectPier: I used this at one time and recall it being pretty primitive GUI-wise, and it hasn’t been maintained since 2007

Redmine: I know many use this, but I am not a Ruby guy and I’m not sure how much work it is to get going. great demo, but no longer maintained?

Trac: really more bug/issue oriented

Trello: I didn’t get the appeal, though it looks nice for simple things. I have one big task that has maybe 75 small things – I’m not sure how well that would organize.

Still to look at:

asana: hosted – my only worry there is that the company suddenly deadpools.

producteev: again, my only worry

