1

My website is hosted on hosting24.com*, which, at the time I purchased their service, seemed like a good enough host. I was (I hope) to be proved wrong.

Bascially, they are saying that

You need a Gold-package (which is the only account-type that offers a dedicated IP) to be able to have a private SSL.

Which is all fine and good. But, and here comes the fun part, they also say that

All other accounts have shared IP and SSL, meaning that if you use https, you might sometimes end up on the wrong website.

I call bullshit. Why? Two reasons:

  1. Compare my domain with SSL and without SSL (Notice the differens?)
  2. They refuse to uninstall SSL on my domain (I don't need it, but I sure as heck don't want shady stuff on my domain).

So, since I'm not the most versed in these matters (I'm a programmer, not a sysadmin), Im asking you, good folks:

Is any of this something any of you have encountered before, if so, how did you deal with it?
If not, how would you deal with it?

My reaction when I discovered this was, needless to say, "Let's get out of here, quick".

*Sorry, but I can only post two hyper-links. If any of you want, can you edit so the link to www.hosting24.com actually is a link (and also so, at the top of the post, website is [website])?

Marcus Hasson
  • 131
  • 2

3 Answers3

4

Multiple http websites can run on the same IP by pointing different domain names to it because the Webserver can look at the host headers and see which domain name was used. SSL requires a dedicated IP address because the host headers are encrypted and can not be checked in this manner.

Because domain names merely point to an IP address the SSL site on the machine will appear for all of the shared domains unless there is no SSL site setup on the IP at all. This will give a certificate error because the domain used will not match the domain of the certificate.

This is not a problem for the shared websites because it is clear that it is not their site, the cert error demonstrates that is being accessed by the wrong name, and most of all it will not be indexed under the shared domain names so the only way to access it is through an incorrect link or by manually typing in https://

JamesRyan
  • 8,166
  • 2
  • 25
  • 36
  • 1
    What James said. And I don't see their explanation as bullshit. What they're saying is that, as a non-gold customer, you share an IP address with many (thousands of) other customers. Some or all of them are running https service on that address. In order **not** to have a listener on port 443 of the address to which your hostname resolves - which I presume is what you mean by "uninstall SSL on my domain" - you'd have to have a dedicated IP - which, as they point out, is the gold service. – MadHatter Sep 09 '11 at 09:40
  • This explains it! As I said before, I haven't really ever had anything to do with ssl, so I didn't have full understanding of how it worked. But now I do, thank you all! :) – Marcus Hasson Sep 09 '11 at 09:49
  • This is all true, *but*... at least on Apache a properly setup name-based virtualhost should display the correct content, even with SSL (I've used this myself). You'll get the "this is a bogus cert" warning, but if the client accepts the cert, the client will still send the Host header to the server, which Apache should use to select a VirtualHost block and show the correct content, not someone else's site. – DerfK Sep 09 '11 at 12:45
  • That is not a properly setup host but an incorrectly setup host. You are then using one person's certificate to sign someone else's content! – JamesRyan Sep 09 '11 at 12:55
0

this sounds like they are using cpanel

it also sounds like they setup a shared ssl certificate for another domain and your site is on the main shared IP, they cant uninstall this without breaking other sites on the server this is normal

if you dont want the risk of any shady business and ssl then you should get the dedicated IP with your own SSL, or a new hosting provider that doesnt do this. I'll agree there handling is not so transparent but this is not unusual to see in the wild

anthonysomerset
  • 4,233
  • 2
  • 21
  • 24
  • Well, it sure sounds like I should get another host. As far as I'm concerned, they're basically hijacking my domain. Oh, and yeah, they're using Cpanel. – Marcus Hasson Sep 09 '11 at 08:50
  • They are not hijacking anything. If you arn't paying for a dedicated IP address then you are accepting that there will be other services on the box. This is a common practice in a world where ipv4 addresses are scarce. – JamesRyan Sep 09 '11 at 09:18
  • It might not be hijacking _per se_, but it still feels kinda like they're totally screwing me. Especially since they provide no explanation or, well, anything really. Anyhow, thanks for the help, both of you! o/ – Marcus Hasson Sep 09 '11 at 09:37
  • they aint screwing you at all, its standard practice... – anthonysomerset Sep 09 '11 at 10:35
0

They are correct. You share the same IP with several other sites. So your site name resolves to this IP. This works great for HTTP, since HTTP inherently supports name-based virtual hosting. However, if other sites use other services that don't fully support name-based virtual hosting or that you choose not to support, people will be able to access those services through your domain name, because it resolves to the same IP as their names do.

David Schwartz
  • 31,449
  • 2
  • 55
  • 84