How secure is the internal network?


#1

How secure is DreamHost’s internal network? E.g., if my CGI program makes an unencrypted connection to my MySQL server and logs in with a password, how confident can I be that another customer will not sniff my password? Are measures in place to prevent customer-controlled VPSs from performing ARP poisoning and the like?


#2

We send a small army to the major security conventions/events like Black Hat, Defcon, BSides, etc. So I think we do a decent job at security.


#3

Additionally, customer VPSes don’t have full network access — they can do most normal things, but don’t have the ability to (for instance) add IP addresses or sniff the network. We can’t guarantee unconditional security under all circumstances, as that’s simply impossible, but we can at least guarantee that, under normal circumstances, there’s no way for other customers to sniff the internal network.