Simple hosting?

ENIAC

All I want is a simple website!

OK, I have a website, and you’re probably reading this on it.

But I want a simple website. Since 2006, I’ve had a server hosted with Asergo (previously EasySpeedy). It ran a lot at one stage. Huge mounds of organic food found new homes through its circuits. Today it’s not so busy, but stands ready, waiting to handle any imminent Slashdot Effect when my latest masterpiece goes viral. Except it never does, and I’m basically paying for a private jet when I could make do with a rusty bicycle.

In other words, a bog standard WordPress hosting offering will do just fine these days.

Moving from total control of my own server to a tiny hosted offering seems limiting, and it’s kept me from moving for a while. But gradually I’ve come to make peace with it, and will make do with a tiny instance offering limited functionality.

So what am I looking for?

* a reasonably new version of PHP
* a reasonably new version of MariaDB, or similar
* perhaps even hosted locally? Other sites I help with that host locally have made me wary, but there must be some good ones out there?

Space (my current server feels like it’s got backups going back to the dial-up days, so this will be a good chance to clean up), bandwidth etc. are all much of a muchness, as most offerings give some flexibility here.

Let’s look at some of the options.

As a starting point, seeing as another site I manage is hosted there, 1-grid. They’ve gone through some wobbles. At first part of Web Africa, the hosting division got spun off into Gridhost, which then got renamed 1-grid.

1-grid
* R89 a month
* Unlimited MySQL databases
* PHP 5+. Really? What does this mean? PHP 5.6 and PHP 7.0 reach EOL in about a month… I happen to know PHP 7.1 is available, but sites really need to publicise this stuff!
* No mention of MySQL version. The instance I manage has the venerable but still supported MySQL 5.5, with no mention of possible upgrade.
* But, the dealbreaker. A measly 5GB storage. The next tier, offering 50GB, is R219 a month.
* Another big dealbreaker – they charge an extra R519 for SSL, for one domain only!

Hetzner
* Hetzner were one of the first locally to move to MariaDB, a major plus in my books (yes, I know I work for the MariaDB Foundation so perhaps I’m slightly biased)
* Another plus is they offer Lets Encrypt SSL with all hosting packages
* R99 for 5GB, 10GB costs R149 a month
* However, they only mention MariaDB 10.0, which, while a version above MySQL/MariaDB 5.5, is still quite old. In discussion with them, they do offer MariaDB 10.1, but again their website lags with no mention of this.
* PHP 5.6 and PHP 7.0 only.
* Only offer Debian 8. Debian stable is itself already pretty venerable when it comes out, and Debian 8 came out way back in 2015. I don’t need cutting edge, but Debian 9 came out in June 2017, so this makes Hetzner’s offering a little on the old side.

Ok, moving internationally. I moved my domains to Gandi a few years ago. They offer a Simple Hosting service as well.

Gandi
* Unusually, they offer Percona Server as a MySQL equivalent. Based on MySQL 5.7, which came out at about the same time as MariaDB 10.1.
* Support PHP 7.2
* 20GB for ~R45 a month (a discount as I have domains with them)
* In price, space and up-to-date software they absolutely blow the local offerings out the water
* They also offer a free 10-day trial.

Their Simple Hosting seems to be just that, really simple, not offering as much as the full cPanel or KonsoleH services offered by 1-grid and Hetzner, but hey, I did start by saying I wanted a simple website.

I spent way too long investigating the governments of Luxembourg and France to decide which of the two server locations to choose, but in the end I’m sold (I chose Luxembourg, for those interested).

Except I’m unable to sign up, as their interface isn’t working (I tried on three browsers). I contacted them a few months ago, pointing out inconsistencies in their documentation (the site mentioned MySQL/Percona 5.5, 5.6 and 5.7 as being the latest available version in various different places). The site still lists MySQL 5.6 as the latest release in at least one location.

So not exactly getting a good feeling from them either.

Am I destined to keep paying for my jumbo jet hosting, as at least I know it works?

Any personally recommended hosting suggestions?


Image from Wikimedia Commons

Firefox Quantum and too many tabs

I’ve been running Firefox Quantum as a browser since it came out, and there’s been a noticeable improvement in all areas. Rendering speed, CPU, memory – it lives up to all the hype.

Quantum

I’ve used Firefox as my primary browser for ages, but often used Chrome and Chromium as alternatives for certain sites, or when Firefox was creaking under the load of too many open tabs. I’ve moved most of them to Firefox now, and only use those browsers for easily running multiple sessions (logging in to Twitter with an alternative account, or to quickly test how something looks when I’m not logged in).

I can see this all backfiring though when it comes to the number of tabs I have open. I already spend way too much of my time scrolling through tabs trying to find a specific tab. In the past, I used to vigorously close tabs, as Firefox collapsed under the load when it reached a few hundred. I may not need to do this so much, which means my open tab count could grow drastically. To keep tabs (ha) on this, and since I’ve more than once tried to manually count my number of open tabs, I’ve installed the Tab Counter plugin, which does the tallying up for you.

Right now I’m at a measly 80 open tabs, so I’m feeling light and fresh. Let’s see how high it goes…

Image from Wikimedia Commons

South African Banks SSL Security (2)

After seeing someone’s Facebook security horror story about a local credit card (not one of the banks listed below), I was inspired to re-run the tests I previously ran on the South African banks, using SSL Labs’ SSL Server Test.

The results last time were awful, with Standard Bank and Absa falling way below the acceptable standard. This time, I was pleasantly surprised (previous results in brackets).

| Ranking | Bank | Overall Grade | Protocol Support | Key Exchange | Cipher Strength |
|---|---|---|---|---|---|
| 1 | FNB | A+ (B) | 95 (95) | 90 (80) | 90 (90) |
| 2 | Nedbank | A (B) | 95 (70) | 90 (90) | 90 (80) |
| 3 | Capitec | A- (A-) | 95 (95) | 90 (80) | 90 (90) |
| 3 | Absa | A- (F) | 95 (0) | 90 (90) | 90 (90) |
| 3 | Standard | A- (F) | 95 (0) | 90 (0) | 90 (60) |

All of the banks have improved their scores. Capitec, which has dropped from first to third, still does not support Forward Secrecy, but has improved its key exchange ranking from 80% to 90%.

FNB, which jumped from second to first, has deployed HTTP Strict Transport Security (HSTS) with long duration. FNB gets the only A+ ranking.

Nedbank, which jumped from third to second, has improved from a B to an A, improving its protocol support and cipher strength rankings.

Absa and Standard Bank have both improved from an F to an A-, and are joint third with Capitec. To put things in perspective, their rankings would have put them top during the previous test. So all banks are doing better than the best bank in May 2016. With no-one talking of a big four anymore (Capitec now outranks Nedbank in some metrics), perhaps a little bit of competition is helping after all.


Trust Us, We’re a Payment Gateway

A friend told me today about an experience of attempting to book a flight on kulula.com. His credit card wasn’t working, but there was an option for bank transfer (EFT), so he chose that.

The EFT option used SID, a payment option promising secure EFT transactions. All good so far, so he followed the link.

The SID window asked him to enter his bank account login details… You know, the kind you’re constantly warned never to give to anyone and never to enter on any site except your bank’s.

I couldn’t believe that this is actually what happened (perhaps the friend had missed his morning coffee), so I checked it for myself. Looking into SID’s documentation, they claim to be externally verified, not to store the login details, and to use the bank’s own security system. But yes, you are asked to enter your bank account login details in their window.

I’ve got no reason to doubt that SID does what it says, but the methodology seems hopelessly flawed.

Let’s say I start a new payment system called SAD. At the same time I launch my casino website, relying on trusted SAD security. I state clearly that SAD uses the bank’s own security systems, and doesn’t store any of the login credentials. Totally secure!

The transaction succeeds, and the customer has a credit to spend on my casino site. They spend many happy hours on my casino website, winning up a storm, and dreaming of their new Tesla. For some reason the cashout option isn’t working today, but check back soon…

Some time later, they decide to check their bank balance, and find, to their horror, it’s all gone. They immediately phone their bank. Perhaps the conversation goes something like this:

HORRIFIED CUSTOMER: There’s a transaction clearing out my entire balance! It wasn’t me! The transaction needs to be reversed!

BANK: Hmm, our records indicate you logged in from internet banking, and transferred the money out. When was the last time you remember logging in?

HC: Er, I logged in to winbigbillionscasino.com and made a R50 transfer to their account from my bank account, using the safe and secure SAD system.

BANK: OK, no problem, we’re refunding the money now, apologies for the mistake.

Or perhaps not…

Perhaps the bank, in their charming and professional manner, laughs you off the phone and tells you you’re an idiot for giving your login details to another site.

Merchants asking customers to trust them, assuring them that their bank details are secure, is a recipe for disaster. Just don’t do it.


Image from Wikimedia Commons

South African Banks SSL Security

After coming across an article testing the security of the SSL implementations of Australian banks, I decided to run the same tests on the South African banks, using SSL Labs’ SSL Server Test. I have a little bit of inside info into some of the banks’ systems, so was not too surprised how bad the results were.

| Bank | Overall Grade | Protocol Support | Key Exchange | Cipher Strength |
|---|---|---|---|---|
| Capitec | A- | 95 | 80 | 90 |
| FNB | B | 95 | 80 | 90 |
| Nedbank | B | 70 | 90 | 80 |
| Absa | F | 0 | 90 | 90 |
| Standard | F | 0 | 0 | 60 |

None of the banks score an A (they all fail on Forward Secrecy), but the pick of the bunch was Capitec, whose only other failing was using a relatively weak signature.

FNB is limited to a B by accepting the weak RC4 cipher, and Nedbank adds supporting only older protocols to the list of failings.

You’d hope for better security from banks, but the failings of Capitec, FNB and Nedbank are not too serious. On to the others…

Absa has all of the above failings, does not support secure renegotiation, uses the obsolete SSL3, and most dismally of all, is vulnerable to the POODLE attack against TLS servers.

Although Standard Bank also gets an F, it stands alone in the number of criteria it failed. It uses the even older and insecure SSL 2, supports insecure Diffie-Hellman (DH) key exchange parameters, supports 512-bit export suites and might be vulnerable to the FREAK attack as well as being vulnerable to POODLE.

It’s quite astounding that Standard Bank may still be vulnerable to the FREAK attack, which has been known about for over two months, and which is extremely serious.

These results match the banks scores in other areas as well, such as bank fees and customer satisfaction. So Standard Bank clients will be happy to know they’re not only with the least secure bank, but also with the most expensive and the one with the worst customer service.
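The findings in this post and in the follow-up above (SSLv2/SSLv3, RC4, export-grade suites and FREAK, weak DH parameters, missing forward secrecy, insecure renegotiation, and HSTS duration) are all things you can check against your own scan output before a grader does. The script below is an added example, not the blog’s code and not SSL Labs’ grading algorithm: it turns a summary of what a scanner reports for one host into a list of findings. The two summaries at the bottom are constructed to resemble the results the posts describe, not real scan data for any bank, and the 180-day “long duration” HSTS threshold is an assumption of the example.

```python
"""Rule-based review of one TLS endpoint's configuration, covering the
findings the two bank posts single out: SSLv2/SSLv3, RC4, export-grade
suites (FREAK), weak Diffie-Hellman parameters, missing forward secrecy,
insecure renegotiation, and HSTS duration.

Added example, not the blog's code and not SSL Labs' grading algorithm.
The summaries at the bottom are constructed to resemble the findings the
posts describe; they are not real scan results for any bank.
"""
import re
from dataclasses import dataclass

WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}
# Assumption: 180 days is the threshold this example treats as "long duration".
HSTS_LONG_DURATION = 180 * 24 * 3600


@dataclass
class TlsSummary:
    """What a scanner (or a set of openssl s_client runs) reports for one host."""
    host: str
    protocols: set            # protocol versions the server accepts
    ciphers: list             # OpenSSL-style names of the suites it offers
    dh_bits: int = 0          # size of the DH group used for DHE suites, 0 if none
    secure_renegotiation: bool = True
    hsts: str = ""            # raw Strict-Transport-Security value, "" if absent


def parse_hsts(header):
    """Return (max_age_seconds, include_subdomains); max_age is None if unusable."""
    if not header:
        return None, False
    directives = [d.strip().lower() for d in header.split(";") if d.strip()]
    max_age = None
    for d in directives:
        m = re.fullmatch(r'max-age="?(\d+)"?', d)
        if m:
            max_age = int(m.group(1))
    return max_age, "includesubdomains" in directives


def forward_secrecy(ciphers):
    """'all' if every suite uses ephemeral (EC)DH, 'partial' if some do, else 'none'."""
    ephemeral = [c for c in ciphers if c.startswith(("ECDHE-", "DHE-"))]
    if not ephemeral:
        return "none"
    return "all" if len(ephemeral) == len(ciphers) else "partial"


def review(s):
    """Return the list of findings for a TlsSummary; an empty list means clean."""
    issues = []
    for proto in sorted(s.protocols & WEAK_PROTOCOLS):
        note = " (POODLE exposure)" if proto == "SSLv3" else ""
        issues.append(f"{proto} enabled{note}")
    if "TLSv1.2" not in s.protocols:
        issues.append("no TLS 1.2 support")
    if any("RC4" in c for c in s.ciphers):
        issues.append("RC4 cipher suites offered")
    if any(c.startswith("EXP") for c in s.ciphers):
        issues.append("export-grade cipher suites offered (FREAK exposure)")
    if 0 < s.dh_bits < 1024:
        issues.append(f"insecure DH parameters ({s.dh_bits} bits)")
    elif 1024 <= s.dh_bits < 2048:
        issues.append(f"weak DH parameters ({s.dh_bits} bits)")
    fs = forward_secrecy(s.ciphers)
    if fs != "all":
        issues.append(f"forward secrecy: {fs}")
    if not s.secure_renegotiation:
        issues.append("secure renegotiation not supported")
    max_age, _ = parse_hsts(s.hsts)
    if max_age is None:
        issues.append("no HSTS header")
    elif max_age < HSTS_LONG_DURATION:
        issues.append(f"HSTS max-age too short ({max_age}s)")
    return issues


# Constructed to resemble the 2015 findings described for the worst-scoring bank.
LEGACY = TlsSummary(
    host="legacy-bank.example",
    protocols={"SSLv2", "SSLv3", "TLSv1"},
    ciphers=["EXP-RC4-MD5", "RC4-SHA", "AES128-SHA", "DHE-RSA-AES128-SHA"],
    dh_bits=512,
    secure_renegotiation=False,
)

# Constructed to resemble the later A+ result: TLS 1.2, ephemeral suites, long HSTS.
MODERN = TlsSummary(
    host="modern-bank.example",
    protocols={"TLSv1.2"},
    ciphers=["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384"],
    hsts="max-age=31536000; includeSubDomains",
)

if __name__ == "__main__":
    for summary in (LEGACY, MODERN):
        print(summary.host, review(summary) or ["no findings"])
```

Feeding it a `TlsSummary` built from your own scanner’s output gives you the same list of concerns before a public test does; the legacy sample produces every finding the 2015 post lists for Standard Bank, and the modern one comes back clean.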


A comparison of WhatsApp, Facebook Messenger and Telegram permissions on Android

Recently I’ve seen quite a few postings of the article The Insidiousness of Facebook Messenger’s Mobile App Terms of Service, claiming you should remove Facebook Messenger because of the control the app has over your Android device. Many have suggested Telegram instead, which I’ve been using for a while. “Using”, I should add, in the same sense I would use a carrier pigeon. It’s nice to have, but there aren’t many others to share the fun with.

So how bad is the Facebook app compared to others? Here’s a comparison between the permissions demanded by Facebook Messenger, Telegram and WhatsApp on Android:

| Permission | Facebook Messenger | Telegram | WhatsApp |
|---|---|---|---|
| Retrieve running apps | No | No | Yes |
| Find accounts on the device | Yes | Yes | Yes |
| Find accounts on the device | No | Yes | Yes |
| Read your own contact card | Yes | Yes | Yes |
| Read contacts | Yes | Yes | Yes |
| Modify your contacts | No | Yes | Yes |
| Approximate location (network-based) | Yes | Yes | Yes |
| Precise location (GPS and network-based) | Yes | Yes | Yes |
| Edit your text messages | Yes | No | No |
| Receive text messages (SMS) | Yes | Yes | Yes |
| Read your text messages | Yes | No | No |
| Send SMS messages | Yes | No | Yes |
| Receive text messages (MMS) | Yes | No | No |
| Directly call phone numbers | Yes | No | Yes |
| Read call log | Yes | No | No |
| Test access to protected storage | Yes | Yes | Yes |
| Modify or delete contents of your USB storage | Yes | Yes | Yes |
| Take pictures and videos | Yes | Yes | Yes |
| Record audio | Yes | Yes | Yes |
| View wifi connections | Yes | Yes | Yes |
| Read phone status and identity | Yes | Yes | Yes |
| Read sync statistics | No | No | Yes |
| Receive data from internet | Yes | Yes | Yes |
| Download files without notification | Yes | No | No |
| Run at startup | Yes | Yes | Yes |
| Prevent device from sleeping | Yes | Yes | Yes |
| View network connections | Yes | Yes | Yes |
| Install shortcuts | Yes | No | Yes |
| Change your audio settings | Yes | No | Yes |
| Read Google service configuration | Yes | Yes | Yes |
| Draw over other apps | Yes | Yes | No |
| Full network access | Yes | Yes | Yes |
| Read sync settings | Yes | Yes | Yes |
| Control vibration | Yes | Yes | Yes |
| Change network connectivity | Yes | No | No |
| Toggle sync on and off | No | No | Yes |
| Use accounts on the device | No | No | Yes |
| Modify system settings | No | No | Yes |
| Uninstall shortcuts | No | No | Yes |

The permissions that have got most people worried, with visions of their phone starting to video them and record their conversations, “Take pictures and videos” and “Record audio”, are shared by all the apps. In Android’s permission system, they’re required for the apps to function. So if you want to use the chat functionality, you have to give the app these permissions. If the software is proprietary (Facebook and WhatsApp), you’ll need to trust the company behind the app (Facebook owns WhatsApp as well). Telegram is open source, and therefore anyone can (and does) check the code. If you’re worried about security, you should be as concerned about what happens to your messages and data in transit, and here the best option I know of right now is Telegram, which is designed with a focus on privacy.
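The table above was compiled from Play Store listings, but the same comparison can be made from the apps’ own manifests, which is what a reviewer would do before trusting a listing. The script below is an added example, not from the original post: it reads the `<uses-permission>` entries out of AndroidManifest.xml, builds the same Yes/No table for the runtime (“dangerous”) permissions, and lists the ones only one app asks for, which are the ones worth questioning. The two manifests are constructed for illustration and are not any real app’s manifest, and the label map is an approximation of Play Store wording.

```python
"""Compare the permissions two Android apps declare, producing the kind of
Yes/No table shown above straight from their manifests instead of the Play
Store listing. Added example, not from the original post. The two manifests
are constructed for illustration and do not reproduce any real app's
manifest; the label map is an approximation of Play Store wording.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Runtime ("dangerous") permissions relevant to the table, with the Play Store
# style label (approximate) the post uses for each.
DANGEROUS = {
    "android.permission.CAMERA": "Take pictures and videos",
    "android.permission.RECORD_AUDIO": "Record audio",
    "android.permission.READ_CONTACTS": "Read contacts",
    "android.permission.WRITE_CONTACTS": "Modify your contacts",
    "android.permission.GET_ACCOUNTS": "Find accounts on the device",
    "android.permission.ACCESS_COARSE_LOCATION": "Approximate location (network-based)",
    "android.permission.ACCESS_FINE_LOCATION": "Precise location (GPS and network-based)",
    "android.permission.READ_SMS": "Read your text messages",
    "android.permission.RECEIVE_SMS": "Receive text messages (SMS)",
    "android.permission.SEND_SMS": "Send SMS messages",
    "android.permission.READ_CALL_LOG": "Read call log",
    "android.permission.CALL_PHONE": "Directly call phone numbers",
    "android.permission.READ_PHONE_STATE": "Read phone status and identity",
    "android.permission.WRITE_EXTERNAL_STORAGE": "Modify or delete contents of your USB storage",
}


def declared_permissions(manifest_xml):
    """Set of permission names from <uses-permission> and <uses-permission-sdk-23>."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                names.add(name)
    return names


def permission_table(manifests):
    """Rows of (label, {app: 'Yes'/'No'}) for every dangerous permission any app requests."""
    declared = {app: declared_permissions(xml) for app, xml in manifests.items()}
    rows = []
    for perm, label in DANGEROUS.items():
        if any(perm in names for names in declared.values()):
            cols = {app: "Yes" if perm in names else "No" for app, names in declared.items()}
            rows.append((label, cols))
    return rows


def unique_dangerous(manifests, app):
    """Dangerous permissions that only `app` requests: the ones worth asking about."""
    declared = {a: declared_permissions(xml) for a, xml in manifests.items()}
    others = set().union(*(names for a, names in declared.items() if a != app))
    return {p for p in declared[app] if p in DANGEROUS and p not in others}


# Constructed manifests: neither is a real app's manifest.
MANIFEST_A = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.chat.a">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
</manifest>"""

MANIFEST_B = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.chat.b">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission-sdk-23 android:name="android.permission.WRITE_CONTACTS"/>
</manifest>"""

APPS = {"App A": MANIFEST_A, "App B": MANIFEST_B}

if __name__ == "__main__":
    for label, cols in permission_table(APPS):
        print(f"{label:45} " + " ".join(f"{cols[a]:>5}" for a in APPS))
    print("Only App A asks for:", sorted(unique_dangerous(APPS, "App A")))
```

The manifest inside a real APK is binary XML; decode it first (for instance with `aapt dump permissions` or `apktool`) and pass the resulting text to `declared_permissions`. Permissions that every messaging app needs (camera, microphone, contacts) drop out of `unique_dangerous`, leaving only the ones that need a justification.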

Now if only more people would use it…

Autumnal spring cleaning

This weekend I did some unseasonal spring cleaning. I closed down my chess website, my rugby website, the Wikipedia template translation tool, the free and open source feeds list, and some now rather dated software that I hosted.

So, if you’ve been redirected here looking for any of those, sorry to disappoint you! It’s time to simplify, and none of the projects were particularly active or interesting anymore, so it was time to do some tidying.

WordPress spam, Akismet and Cookies for Comments

This blog gets about 1 spam comment a second.

Not bad for an obscure blog with, as I write this, only one post open for comments.

Akismet, the spam plugin, does a great job of keeping the spam out, although recently a few more spam posts have been sneaking through for moderation, perhaps two a week. Still, considering I get about 600 000 spam comments in that week, a miss ratio of 1 in 300 000 is rather exceptional.

The volume of spam shot up markedly after this post, which in retrospect isn’t so surprising, since it contains just about every spam phrase out there.

A feature I’d like to see in WordPress is the ability to automatically delete spam after a certain period. Apparently this is automatically set to one month, but since in that month I’d get about 2.5 million posts, and have to up the space on my backup server, I prefer to delete spam posts manually a little more often than that.

Deleting spam posts isn’t entirely smooth. If the number is too large, the script times out and I have to re-run it a number of times. Since the spam arrives so quickly, I never have an empty spam folder: by the time the deletion has happened, but before the page reloads, there are normally a couple more posts.

After coming back from the weekend to 40 000 spam posts, I decided to look for a solution. It’d be easy enough to adjust the period in the code manually, but since I’d have to re-implement the change each time I upgraded, I prefer to look for an existing solution.

Enter Cookies for Comments. The solution is simple – the plugin sets a random cookie, which, if it doesn’t exist when a comment is posted, is almost a sure sign that the comment is being placed by a bot.

You can set the plugin to either automatically mark the comment as spam (effectively catching the two or so comments a week Akismet misses, but not solving my problem), or automatically delete the comment.

I set it to automatically delete comments. Boom! Blissful silence, with my recently-cleared spam folder now not moving from 247 comments.

You can play further and use an Apache rewrite rule to block the requests from even reaching WordPress, which I haven’t implemented yet, but looks hopeful in reducing unnecessary load further.
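The mechanism is simple enough to show end to end. The script below is an added example, not the Cookies for Comments plugin’s code and not WordPress’s: a page view issues a cookie, and a comment POST arriving without a valid one is treated as a bot that never rendered the page. Requests are plain dicts of headers so it runs offline; the cookie name, the secret and the 24-hour lifetime are assumptions. One deliberate difference from the plugin’s random value: the token is HMAC-signed together with its issue time, so it can be verified without any server-side state (and so the check could equally live in front of WordPress, as the rewrite-rule idea above suggests) and cannot be forged or replayed indefinitely.

```python
"""A stateless version of the 'Cookies for Comments' idea: a normal page view
sets a cookie, and a comment POST arriving without a valid one almost
certainly came from a bot that never rendered the page.

Added example, not the plugin's code and not WordPress's. Requests are plain
dicts of headers so it runs offline; the cookie name, the secret and the
24-hour lifetime are assumptions.
"""
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie

COOKIE_NAME = "comment_token"          # assumption
SECRET = secrets.token_bytes(32)       # per deployment; a fresh one per restart is fine
TOKEN_LIFETIME = 24 * 3600             # assumption: a page view's cookie is good for a day


def _mac(nonce, issued):
    """Truncated HMAC-SHA256 over the nonce and issue time."""
    msg = f"{nonce}.{issued}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:32]


def issue_token(now=None):
    """Create the value set in Set-Cookie on a normal page view."""
    issued = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    return f"{nonce}.{issued}.{_mac(nonce, issued)}"


def token_is_valid(token, now=None):
    """True if the token carries a genuine MAC and has not expired."""
    try:
        nonce, issued, mac = token.split(".")
        issued = int(issued)
    except (AttributeError, ValueError):
        return False
    if not hmac.compare_digest(mac, _mac(nonce, issued)):
        return False
    current = int(time.time() if now is None else now)
    return 0 <= current - issued <= TOKEN_LIFETIME


def classify_comment(headers, now=None):
    """'accept', 'delete' (no cookie at all) or 'spam' (cookie present but bad).

    The split mirrors the plugin's two modes: a request with no cookie never
    saw the page and can be dropped outright; a stale or tampered cookie is
    odd enough to hold for moderation instead (a design choice, assumed here).
    """
    jar = SimpleCookie()
    jar.load(headers.get("Cookie", ""))
    morsel = jar.get(COOKIE_NAME)
    if morsel is None:
        return "delete"
    return "accept" if token_is_valid(morsel.value, now) else "spam"


if __name__ == "__main__":
    token = issue_token()
    print(f"page view sets: Set-Cookie: {COOKIE_NAME}={token}; HttpOnly; SameSite=Lax")
    print("bot POST without cookie:", classify_comment({}))
    print("browser POST with cookie:", classify_comment({"Cookie": f"{COOKIE_NAME}={token}"}))
```

Because the token is verifiable from the secret alone, the same check can run in a reverse proxy or web server rule before PHP is ever invoked, which is where the load saving the post mentions comes from. Visitors with cookies disabled land in the “delete” bucket, exactly the trade-off the post accepts.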

What’s that? You’re suspicious of cookies and have disabled them, and now you can’t comment on my blog? I doubt you can do much else on the internet either…


MySQL, MariaDB and relative asymptotics

In 2002 I wrote a book on MySQL. At the time, I was working crazy fulltime hours for IOL and I was exhausted by the end of the process. I’ve been approached quite a few times since to write an update, or to write other related books, but have never had the energy, time or interest. The most recent approach, by a publisher I won’t mention, was for a hilariously obscure topic. I’ve deleted the email, so can’t recall the exact topic, but it was along the lines of “Asymptotic Relative Efficiency in Python”. Not only have I hardly used Python, but I’m relatively inefficient in asymptotics. It did make me wonder about the quality of the rest of their books.

It’s obviously taken 10 and a half years for the memories to fade because although I’m as busy as ever, I’m considering an update to the book. I’ve been watching MySQL’s progress with interest, from the company’s purchase by Sun to the Oracle takeover.

With concerns about the direction of MySQL under Oracle, MariaDB is gaining widespread prominence, and it’s been good to see that Fedora and OpenSUSE are the first two Linux distributions to announce that they will move towards replacing MySQL with MariaDB.

MariaDB is a drop-in replacement for MySQL, but contains a number of enhancements and has been reported to perform better. Wikipedia were the first high-profile entity to begin switching, and their move has probably triggered similar moves elsewhere. MariaDB is administered by the non-profit MariaDB foundation in a much more open and transparent manner than MySQL currently, and employs some of the original MySQL developers.

Where Fedora goes, Red Hat follows, and it’s only a matter of time before MariaDB is widely available as a standard on most server setups.

Although I still use it myself regularly as a reference, the old book is quite dated now, so it’ll be interesting to get to grips with all the enhancements that MariaDB offers.

Speed Comparison of South African Media Websites

I’ve noticed that each time I’ve visited IOL recently my browser takes a noticeable performance knock. Trying to browse it by opening lots of tabs, as I do with most sites I visit, is out of the question, and it’s probably the worst-performing site I have visited recently.

I decided to run speed tests of the major South African news sites, and a few well-known international ones, to see how the performance shapes up.

I ran YSlow, which, along with Google’s PageSpeed alternative, is one of the better-known speed tests. YSlow is a Firebug add-on; both are add-ons for Mozilla Firefox.

Here are the results. Higher scores are better – I only visited the front pages of each.

| Site | Grade | Score |
|---|---|---|
| IOL | E | 55 |
| News24 | E | 57 |
| New Age | E | 60 |
| Business Day | D | 61 |
| Times Live | D | 62 |
| Guardian (UK) | D | 64 |
| iafrica | D | 66 |
| New York Times (USA) | D | 68 |
| City Press | D | 69 |
| BBC (UK) | C | 71 |
| Mail & Guardian | C | 73 |
| Cricinfo | C | 74 |
| Daily Maverick | C | 75 |
| Facebook | C | 80 |
| Twitter | B | 89 |

It’s no surprise that IOL comes in last, close behind the nearly-as-clunky News24, while at the other end of the scale, the Daily Maverick comes top, closely followed by the Mail & Guardian. The South African news websites are generally slower than the most popular international alternatives, ironic in a country with relatively slow and expensive bandwidth. Although Facebook and Twitter aren’t news sites, I’ve added them as two of the most popular sites for comparison. Twitter is unsurprisingly light, with its minimal interface, but Facebook comes out well, probably due to the hefty resources it devotes. It can by no means be called a light site, and the front page is filled with content, but it performs far better than any of the local sites.