Open Source and information security mailing list archives
Date: Thu, 20 Dec 2012 22:07:57 +0000
From: Philip Whitehouse <>
To: Nick FitzGerald <>
Cc: "" <>
Subject: Re: Question regarding script vulnerabilities

Personally I wouldn't equate a trustworthy host to mean they had 'bulletproof' servers. Even if it were possible, it's not the normal definition of trust.

In any case it's irrelevant - it's what you run that typically exposes your site to the most risk.

Philip Whitehouse

On 20 Dec 2012, at 21:16, "Nick FitzGerald" <> wrote:

> Rand wrote:
>> I was curious, if you have a virtual dedicated server or a dedicated
>> server, and a reasonably trustworthy hosting service, are malicious scripts
>> planted by external people a big concern? If so why?
> If you have a web server, malicious scripts should be a big concern to 
> you, yes.
> Why would you NOT be concerned that the integrity of your site and the 
> server running it may be compromised?
> Answering your "why" question is focussing on the wrong issue, as 
> you've rather glibly skipped over a much more important issue -- what 
> is the basis of your assessment that a hosting service is "reasonably 
> trustworthy"?
> Every site owner/admin on every one of the hundreds of compromised 
> sites I've had dealings with this year alone was (at least before they 
> finally recognized they were hosed) of the opinion that their hosting 
> provider was (at least) "reasonably trustworthy".
> They were all -- clearly -- wrong _if_ by that assessment they (and 
> presumably you) were of the opinion that a "reasonably trustworthy" 
> hosting provider will not have site/server compromise issues.
> I have to assume that they are representative of the many, many, many 
> hundreds more site owners/operators who never engaged further with my 
> response to their request for information about why their site was 
> "blacklisted".
> So, what critical baggage are you hiding inside your assessment that a 
> hosting provider is "reasonably trustworthy"?
> Regards,
> Nick FitzGerald
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
> Hosted and sponsored by Secunia -
