back to article 123-reg resolves secure database access snafu

UK-based hosting and domains provider firm 123-reg has fixed an issue that meant access to some customers' databases ran over an unsecured link, creating a privacy risk in the process. A reader and 123-reg hosting customer got in touch over the issue after failing to get action directly from the hosting firm over the problem, …

  1. cbars
    Facepalm

    I complained to them years ago about something similar. I had set up a hosted site with them, but the only access available was over FTP:

    "FTP is totally secure as you have a password"

    I don't use them for anything other than simply buying a domain these days

    1. Richard Winslow 123-reg

      SFTP

      To confirm, SFTP is enabled on 123 Reg range of available hosting products.

      1. cbars

        Re: SFTP

        Hmm... NOW it is.

        Is that part of every hosting package, or is that a paid add-on, I wonder?

        1. Richard Winslow 123-reg

          Re: SFTP

          Hi, it is part of all the hosting packages we provide currently and is part of the package, same as FTP is standard. Richard.

          1. cbars

            Re: SFTP

            Great news Richard. I withdraw my snide criticism in light of your assurances, and apologise to the rest of the commentards for this spam at the top of the thread! :)

    2. Anonymous Coward
      Anonymous Coward

      > I complained to them years ago

      How many years ago? If we're talking 20 years or so, clear-channel FTP *was* the standard way of transferring files, in the same was as we used unencrypted POP3 / SMTP and HTTP.

      If it was three years ago, well that's a different story.

      1. cbars

        I believe it was in 2012. I don't think that's unreasonable to request, hell they were offering SSH access if you had a full box (rather than just a site), but I was motivated by cost at the time :)

  2. Tom 38 Silver badge
    Trollface

    Catches up with https everywhere memo

    Took your esteemed organ quite a long time to catch up with that memo too.

    1. The First Dave

      Re: Catches up with https everywhere memo

      To what advantage?? Were you worried that someone might intercept your commentard login credentials and use them to login to your bank?

  3. Hans Neeson-Bumpsadese Silver badge

    Someone who is technically savvy enough to read El Reg, but technically naïve enough to use 123-Reg for hosting services.

    I'm a bit sad to see those two bits of the Venn diagram intersecting.

    1. m0rt

      "Someone who is technically savvy enough to read El Reg, but technically naïve enough to use 123-Reg for hosting services."

      But still hopeful enough to push to get something done, even though he used El Reg for a bit of muscle.

      So kudos for the effort.

    2. Anonymous Coward
      Anonymous Coward

      > Someone who is technically savvy enough to read El Reg

      ??? That would be anyone with enough skills to load a webpage and read English.

      > technically naïve enough to use 123-Reg for hosting services.

      I was actually thinking: phpMyAdmin???

      Besides, if using that, chances are that the mysql server is listening on a public interface *and* that the connection to that interface is not encrypted anyway.

  4. Anonymous Coward
    Anonymous Coward

    Certificates

    They also insist on customers using their own, overpriced certificates rather than the completely suitable LetsEncrypt ones...

  5. Guus Leeuw

    Said memo reached TheRegister as well!

    Dear Sir,

    with great pleasure I see that theregister.co.uk defaults to HTTPS as well nowadays!

    Best regards,

    Guus

  6. Pascal Monett Silver badge
    Flame

    "only an (unspecified) "small number""

    Well we knew that, didn't we ? It's only ever a small number, even when the actual number is in the millions.

    Okay, right, in this specific case it might very be true that only a small number of users were affected - mainly because there hasn't been large headlines and furious tweets about the issue, but still - I just can't read those words any more and take them at face value.

  7. Oscar Pops

    Obligatory anecdote

    A few months ago I contacted 123-reg support as my hosted site became unreachable.

    "Aha! Looks like you have some code injected malware!" they said

    "Aha! Looks like your server's been breached then", I replied, "as my site is 100% HTML."

    "Security is customers responsibility" they advised, "but you can buy our SiteScanner service to validate your web site if you like?"

    "Erm, no, rogue PHP files are appearing on my site and redirecting it, that's nothing to do with my HTML files, is it?"

    "It could be because you've not changed your FTP password for a while..."

    Anyway, after a few more weeks of having to regularly go and repair my site I've moved to another host and will be taking my (admittedly negligible) business elsewhere.

    (For the lurking reps pretending to give a toss, a bit of googling and looking at the logs suggests it's a Joomla exploit)

    1. Captain Scarlet Silver badge

      Re: Obligatory anecdote

      Did you check if any other sites were on the same shared hosting server as yourself?

      1. Oscar Pops

        Re: Obligatory anecdote

        No, but it's odds on, surely?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like