[caconym_]

I am not a security expert, but as I understand it, passwords sent in the clear are vulnerable to being intercepted. Even if users of your site don't have much to worry about from those accounts being compromised (this may or may not be true), lots of people use the same password for more than one login, so their accounts on other sites could be compromised too.

That's definitely a significant security risk, even if it wasn't being explicitly labeled before now. It sucks for independent website operators like you, but I'd probably blame your hosting for making it difficult to secure your site rather than browser vendors for protecting their users.

[johndoe4589]

I know I guess I just have to vent some frustration.

Time to move on I guess.

Does anyone have good hosting suggestions for a web app that has a 1GB database and a few thousand active users?

I can only afford ~10-20 EUR a month on shared hosting atm.

[vamur]

Try OVH. $3.5/mo for a 2GB RAM VPS https://www.ovh.com/us/vps/

[lucideer]

I'm currently on OVH. If you've a tight budget, I'd highly recommend. They're a LetsEncrypt sponsor so they offer free SSL out of the box https://www.ovh.ie/news/articles/a2224.ovh-your-free-ssl-cer...

[techwizrd]

Have you tried Amazon Lightsail or Digital Ocean? Both of them give you more than a paltry 1 GB for their $5/mo plans.

[fastball]

Seconding DigitalOcean. You can get a 20GB SSD + 1000GB xfer for $5 a month.

[kuschku]

Recommending against DigitalOcean: https://gist.github.com/justjanne/205cc548148829078d4bf2fd39...

TL;DR: Too expensive.

(And, additionally, they tend to fuck over customers who paid for their money. "100$ free credit!". "You only need to pay 5$ to activate your free credit!". "Sorry, but because you didn’t use it, we removed your free credit!")

[joshstrange]

Dreamhost is in that price range and has LetsEncrypt built in (it's just a checkbox when configuring the domain). I don't use them for my real projects but it's great for blogs and low traffic sites (a couple thousand users should fair fine I'd think).

[imron]

> I can only afford ~10-20 EUR a month on shared hosting atm.

Sounds to me like you can move to a better host that does provide LetsEncrypt and save money on your hosting costs to boot!

[johndoe4589]

Thanks so much for all the suggestions!

[icebraining]

LDHosting's shared hosting costs me 35€/year, gives 5GB of disk space and lets me upload my own cert for free. I've been with them for a few years and the uptime has been excellent.

[ldev]

https://www.netcup.eu/bestellen/produkt.php?produkt=1587

9 EUR, 2 cores + 6 GB RAM, 40 GB SSD.

It still baffles me that someone is using shared hosting services and upload their php files via ftp...

[michalskop]

Scaleway has 50G disc and 2G memory for 3€(+VAT)/month

[andybak]

Webfaction still rock

[robbiewxyz]

I think you could probably just point your DNS at Cloudflare to proxy your site through them; their service includes SSL plus some extras like caching and such for free. I've used them for a handful of projects and it's worked great.

[simcop2387]

That said it will still be insecure because of the unencrypted path from cloudflare to you server but it will hire the error

[Latty]

Cloudflare will provide you with certificates they generate, that they verify but won't be accepted by anyone else. (No cost because of that) - this keeps the data secure between you are them. Obviously, you are still trusitng cloudflare in the middle, but still less trust required.

[icebraining]

If you can install a certificate, you can already get a real one from Lets Encrypt (you don't actually need to run their client on the server). The problem is that many shared hosting services are still stuck in the past, and don't let you use SSL/TLS at all.

[Latty]

Without running the client, that means manually changing the cert for expiry, which is very short on LetsEncrypt certs. That introudces the possibility of forgetting or messing it up.

I agree that the best option is for shared hosts just to build in support for LetsEncrypt.

[Vinnl]

Hmm, so let's say I'm hosting my static files on S3. I've currently got CloudFlare setup in front of it but that apparently doesn't help.

Anything I can do other than not using S3?

[axman6]

Use CloudFront? Took me about an hour to set up for my S3 based blog, free TLS, http/2 and IPv6 without any setup apart from a checkbox.

[Vinnl]

Right, so I've currently got CloudFront in front of it, but doesn't that move the problem? Now the connection between CloudFront and S3 is unencrypted.

(I'm probably understanding this wrong, but I'd like to understand why.)

[andybak]

For some definitions of "insecure".

[andybak]

Hmmmm. -4. I fleshed out my thoughts in slightly more detail in another comment: https://news.ycombinator.com/item?id=13458224

[ycitm]

If you have control of your nameservers you can use cloudflare's free TLS offering and keep your current webhost.

[slrz]

What about actually solving the problem instead of tricking the user into believing their data is encrypted while being transferred to you?

[andybak]

I'm personally in favour of Cloudflare as the simplest solution - even simpler than letsencrypt. However - there are a few caveats. They tend to hit some countries with a Captcha unless you disable it. Might not be an issue. Their "Flexible SSL is controversial as it only encrypts from client to them - not from them to the server. Personally I think this covers the most obvious threat models and is probably "good enough" for the a lot of use cases.

[fastball]

You have a few thousand active monthly users (since it's a web app that requires an account, I'm assuming that corresponds to 50-100k page views per month) and you can't recoup 10-20 EUR a month to cover server costs?

I think it's time for a bit of light monetization.

[eru]

Perhaps johndoe4589 doesn't want to monetize?

(Asking users for donations might work where advertisement perhaps doesn't.)