SoylentNews is people

posted by Fnord666 on Monday January 14 2019, @03:39PM
from the friends-don't-let-friends-use-godaddy dept.

GoDaddy has been caught sneakily injecting JavaScript into the websites it hosts.

I recently started having issues with the admin interface of a website I run and decided to check the browser console to see if any errors were being displayed there. There were, and among them was an error stating that a JavaScript map file that I did not recognise was being loaded (and failing). This meant that the actual JavaScript file itself was already loaded via my website. This set off all sorts of alarms for me and I started to dig in further.

I checked the file system for any suspicious files; there were none. I checked the source code and templates for evidence of anything that had been added; there was nothing there. Yet all my pages were being served with the following script injected into them just before the closing html tag...

[...] Of course that comment in the script was a giveaway of what was going on, but I didn't immediately want to believe that the website host itself would be injecting a JavaScript script into my website without my consent! Turned out that's exactly what GoDaddy was doing, and they justified it as collecting metrics to improve performance.

The technology that's in use here is called Real User Metrics and GoDaddy has a page about it here - Why am I signed up for Real User Metrics?. If you happen to be a customer in the US (which I am not, but the website is hosted in a US data centre) then you are automatically opted into this service and all your website's pages will have this JavaScript injected into them.


Original Submission
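
The comparison the story describes doing by hand (what the templates produce versus what visitors actually receive) can be automated. This is an added example, not part of the original story and not GoDaddy's code; the sample HTML, the `rum.example.invalid` URL and the function names are constructed for illustration.

```javascript
// Added example: report <script> elements that appear in the HTML a host
// serves but not in the HTML the application itself rendered.

// Identify a script by its src, or by its whitespace-normalized inline body.
function fingerprint(attrs, body) {
  const src = /\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(attrs);
  if (src) return "src:" + src[1];
  return "inline:" + body.replace(/\s+/g, " ").trim();
}

// Extract every <script> element together with its offset in the document.
function extractScripts(html) {
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  const found = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    found.push({ id: fingerprint(m[1], m[2]), offset: m.index });
  }
  return found;
}

// Scripts present in `served` that the origin never emitted in `rendered`.
function findInjectedScripts(rendered, served) {
  const expected = new Set(extractScripts(rendered).map((s) => s.id));
  const bodyEnd = served.toLowerCase().lastIndexOf("</body>");
  return extractScripts(served)
    .filter((s) => !expected.has(s.id))
    .map((s) => ({
      id: s.id,
      afterBodyClose: bodyEnd !== -1 && s.offset > bodyEnd,
    }));
}

// Constructed sample input; the injected script is a stand-in, not the one
// from the article.
const RENDERED = `<html><head><script src="/static/app.js"></script></head>
<body><script>initAdmin();</script></body></html>`;
const SERVED = `<html><head><script src="/static/app.js"></script></head>
<body><script>initAdmin();</script></body>
<script>/* constructed stand-in */ var s = 1;</script>
<script src="https://rum.example.invalid/metrics.js"></script></html>`;

for (const hit of findInjectedScripts(RENDERED, SERVED)) {
  console.log("not in origin output:", hit.id, "after </body>:", hit.afterBodyClose);
}
```

In use, `rendered` would be the application's own output (for example from a local or staging copy) and `served` a fetch of the same page through the public hostname; both sources are assumptions of this example.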

 
  • (Score: 5, Insightful) by SomeGuy on Monday January 14 2019, @05:28PM (4 children)

    by SomeGuy (5632) on Monday January 14 2019, @05:28PM (#786505)

    Ha, ha, ha, ha. Oh, yea, whenever the topic of HTTPS encryption comes up, one of the top reasons for using it is to prevent injection of malicious content.

    Doesn't do a damn bit of good when your host sells you out now, doesn't it?

  • (Score: 4, Interesting) by DannyB on Monday January 14 2019, @07:00PM (3 children)

    by DannyB (5839) on Monday January 14 2019, @07:00PM (#786566)

    What if your host lets you run your own Linux image in a private VM? (Digital Ocean, Linode, etc)

    The Linux image and server you are running is all your own setup. Assuming the SSL is implemented within your server software, the only way it seems that the hosting company could interfere would be to hack your VM system.

    --
    For some odd reason all scientific instruments searching for intelligent life are pointed away from Earth.
    • (Score: 2) by Pino P on Monday January 14 2019, @07:22PM (2 children)

      by Pino P (4721) on Monday January 14 2019, @07:22PM (#786577)

      What if your host lets you run your own Linux image in a private VM? (Digital Ocean, Linode, etc)

      Last I checked, hosting companies charged more per year for a virtual private server such as what you describe than for shared hosting where a reverse proxy running NGINX does all the HTTPS termination. Has there been a recent review of the best VPS providers under $120 per year?

      • (Score: 2) by DannyB on Monday January 14 2019, @09:13PM

        by DannyB (5839) on Monday January 14 2019, @09:13PM (#786636)

        It depends on how big of a VPS you need. They start at $5 / mo and go up from there. The smallest could probably handle a static web site with some amount of traffic. Dynamic sites, or especially full-blown applications, obviously require more resources. A big database application can require multiple servers for heavy traffic.

        But it is a question to ask. The less you share with other tenants the more control you have, such as operating your own SSL termination.

        --
        For some odd reason all scientific instruments searching for intelligent life are pointed away from Earth.
      • (Score: 1, Interesting) by Anonymous Coward on Monday January 14 2019, @09:16PM

        by Anonymous Coward on Monday January 14 2019, @09:16PM (#786637)

        Sounds like a good Ask Soylent question?