Slashdot Mirror


Hosting Provider Automatically Fixes Vulnerabilities In Customers' Websites

An anonymous reader writes "Dutch hosting provider Antagonist announced their in-house developed technology that automatically detects and fixes vulnerabilities in their customers' websites. The service is aimed at popular software such as WordPress, Drupal and Joomla. 'As soon as a vulnerability is detected, we inform the customer. We also explain how the customer can resolve the issue. In case the customer does not respond to our first notice within the next two weeks, we automatically patch the vulnerability.' Antagonist plans to license the technology to other hosting providers as well."

7 of 73 comments

  1. Why not fix it immediately? by loufoque · Score: 3, Insightful

    In two weeks it might be too late.

    1. Re:Why not fix it immediately? by sabri · Score: 5, Interesting

      > In two weeks it might be too late.

      You're talking about customer data here. They may have some customizations in the code that break if you allow yourself to patch it.

      I would take another approach: disable the vulnerable file until the customer fixes it. By fixing it for them you may generate expectations which you'll not be able to match in the long run: "don't worry about software updating, the hosting company will do it for us".

      --
      I'm not a complete idiot... Some parts are missing.
    2. Re:Why not fix it immediately? by loufoque · Score: 3, Interesting

      It would have to detect that it can safely apply the patch. Also it could be opt in, of course.

    3. Re:Why not fix it immediately? by Anubis IV · Score: 3, Insightful

      So, if you're running WordPress or a popular message board (e.g. phpBB, vBulletin, whatever, take your pick) and the developer releases a general security update that applies to everyone, you'd be fine with your host disabling essentially your entire site until you fixed it? And if you're on vacation for a week or two when it happens? What then? I rather like the fact that the stuff I run can essentially sustain itself in my absence.

      I might be okay with it if it was in the terms of service and the customer had been given fair warning that their site would be disabled if they didn't take action (though I'd never host with them). I may also be okay with it in cases where a vulnerability is actively being exploited and it's causing some form of harm to the host. But to pro-actively disable "vulnerable files" which may be necessary to the functioning of a site without first providing notice is not something that I could condone. I'm still undecided on even having them apply their own fixes, to be honest.

  2. Re:Liability by Njovich · Score: 4, Insightful

    They probably claim no such thing as having patched all WP vulnerabilities. Also, keep in mind that culture in the Netherlands is really not to sue people for any minor thing (and if there was a lawsuit, damages awarded would be quite proportional, and costs are lower than in some other countries).

  3. Re:Thanks for your help by Njovich · Score: 5, Insightful

    At this point, if you want control over your site you can easily run some kind of VPS. If you use shared hosting, do you really want to share your server with a bunch of vastly outdated Joomla and WordPress sites? This constitutes the majority of sites on your average shared hosting provider... leading to potential escalations to other sites (not always true, but it's possible), being used to host or send spam, leading to blacklisting of the server on spam lists etc.

  4. Re:Good idea, wrong solution by wvmarle · Score: 3, Informative

    They do not modify customer data; only the software that runs the customer's sites. Which to me is totally cool as one of the reasons to use a shared hosting site would be to not have to worry about the software that runs it.