One telling example of the web security industry’s lack of concern for security is how web host GoDaddy has continued to have rather poor security while first being partnered with one web security company, SiteLock, and then owning another one, Sucuri.
An example of that poor security came up a few months ago while we were dealing with a hacked website where Sucuri had not properly secured the website. We meant to post about that at the time, but then forgot about it until we were dealing with another hacked website with a GoDaddy connection worth posting about.
While working on the hacked website, we accessed the phpMyAdmin database administration tool that GoDaddy provided and found a situation we can’t recall seeing before with a web host. That would be the SSL encryption was “broken” on the server hosting phpMyAdmin.
If you access that in Google’s Chrome web browser the connection is listed as “Not Secure”:
You are warned that “Your connection is not fully secure” and that:
This site uses an outdated security configuration, which may expose your information (for example, passwords, messages, or credit cards) when it is sent to this site.
When looking at the Technical Details of that issue with Firefox, it states:
Broken Encryption (TLS_RSA_WITH_AES_128_CBC_SHA, 128 bit keys, TLS 1.0)
If you run that address through the SSL Labs tool, the server gets an F grade:
The domain name being used for that insecure server, secureserver.net, which isn’t an accurate name.