Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Sign In Register

Quick Links


Shells Virtual Desktop
BMail.ag - Secure Email Service
Server.net
CPLicense.net
VPS Server
Buy VPN
Vultr
VMs for AI
HostDare
ReliableSite White-Label Dedicated Hosting for Resellers
InterServer VPS
BMail.ag - Secure Email Service
Best VPN
High-Performance Bare Metal Server Solutions
Karvl.com
Server Mania Cloud Hosting
DataWagon Hosting
AlphaVPS Hosting
Evoxt.com
Clouvider
VPS Hosting with NVMe
Residential IPs in the US & 4G Mobile Proxies in EU & US with Unlimited Bandwidth
ReliableSite White-Label Dedicated Hosting for Resellers
Rabisu - Hosting Solutions
Shells Virtual Desktop

Categories

In this Discussion

Home General
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

Provider can see what customers is doing on vps?

13»

Comments

  • bsdguybsdguy Member

    @deadbeef said:

    @bsdguy said:
    ...

    You're saying that hosting providers have 0-day access to crypto exploits? :D Unless we're in the "they can do anything" zone, which is a conclusion and not an argument, SSL does what it should.

    No, I am saying that there have been MITM attacks with ssl and that there is plenty evidence, in part even of the perpetrators themselves.

    And I'm saying that one doesn't need 0-days to do that. openssl and even the protocol itself is a rich source of attack vectors. One example is the '\0' bug that allowed fake certs for arbitrary entities (boiling down to CA's verifying in domain order (reverse) but clients (using openssl et al) check in 0..n order (forward) till '\0' which led to e.g. 'google.com\0blabla.it' being considered OK by the CA (as blabla.it was indeed owned by requester) but OK for google.com by client (who only saw 'google.com\0'))

    And I'm saying that there are many other problem with CAs - for which we have evidence.

  • corbpiecorbpie Member

    I can see what im doing on my vps

  • sinsin Member

    @m3gf said:

    @stefeman said:
    What are the justification moments when the host can/should/must check client's VPS? Will any LET host spy on my porn collection?

    They will definitely spy on you porn collection, they will even give you a free recurring promo to let you keep doing this.

    I wish, then all my hosting would be free.

  • raindog308raindog308 Administrator, Veteran

    bsdguy said: openssl

    "You know, HeartBleed can't even be considered the worst OpenSSL bug..."

  • rincewindrincewind Member

    deadbeef said: You're saying that hosting providers have 0-day access to crypto exploits? :D Unless we're in the "they can do anything" zone, which is a conclusion and not an argument, SSL does what it should.

    No need for 0-days. BlueCoat is a commercially-available DPI proxy that intercepts HTTPS and is used by ISPs, schools, and some governments to monitor their network. It captures certificate requests and MITM's itself in between.

    Sources:
    http://surveillance.rsf.org/en/blue-coat-2/

    http://bluecoat.force.com/knowledgebase/articles/Solution/Intercepting-SSL-traffic-based-on-authentication-credentials

    They had a recent issue with TLS 1.3 changes in the Chromium browser: https://bugs.chromium.org/p/chromium/issues/detail?id=694593

    Thanked by 1Yura
  • rm_rm_ IPv6 Advocate, Veteran

    rincewind said: It captures certificate requests and MITM's itself in between.

    You still need to have the BlueCoat certificate installed as trusted on all clients (schools and governments can and do ensure this via group policies in Windows), else this will show a broken cert error instead of the website. Nope, no magic miracle MITM devices for SSL.

    Thanked by 2raindog308 vimalware
  • bitswitchbitswitch Member

    @rm_ said:
    You still need to have the BlueCoat certificate installed as trusted on all clients (schools and governments can and do ensure this via group policies in Windows), else this will show a broken cert error instead of the website. Nope, no magic miracle MITM devices for SSL.

    Excellent point. I am not sure why @rincewind did not state this in his comment as that is quite a crucial fact and if left out, the claim is misleading.

  • WebProjectWebProject Veteran, 🚩 Host Rep Tag Suspended

    For any decent provider I can see no reason to access customer data on VPS, different matter if police has a court order and required data for investigation purpose

Sign In or Register to comment.