Open letter: Dreamhost - I'm shocked by your security practices (or lack thereof)


#1

I signed up for a new account recently to stay for the long term, but I’m no longer sure about it. I’ve migrated about 20% of my other hosting accounts to Dreamhost, but I put a stop to it.

I’m very happy with the core hosting service, but I’m absolutely shocked by Dreamhost’s security practices.

Dreamhost is violating every fundamental security rule:

  1. Rule: Passwords must be known only to users themselves. Service providers never store passwords, they store salted non-reversible hashes.
    Reality at Dreamhost: my password was just sent to me in clear text upon testing “forgot password” functionality. Clear proof that Dreamhost centrally stores my password somewhere - accessible to lots of people other than myself.

  2. Rule: Passwords are never echoed back to users, even when setting new passwords.
    Reality at Dreamhost: my password was just displayed to me when I changed it. Whenever I change my password, somebody snooping over my shoulder will know it.

  3. Rule: Passwords are never sent over nonencrypted channels.
    Reality at Dreamhost: all account changes trigger an email (which is inherently not secure) with the password. If somebody snoops on Wifi traffic or if somebody will ever see my inbox or if my email provider has security troubles, then all of my websites and customers will be compromised.

  (4. Rule: Inherently nonsecure protocols that fundamentally allow compromising accounts are not supported.
    Reality at Dreamhost: FTP is not only supported, but offered as the default option for new accounts as opposed to SFTP. HTTPS with self signed certs isn’t strongly recommended for all web based control panels.)

I don’t even want to think what will happen if Dreamhost’s databases are ever compromised through internal bad intent or external malicious action. All of the passwords, data, accounts, ecommerce traffic and reputation of all customers of Dreamhost would be at risk.

Dreamhost - can we expect better security practices from you in the immediate future?


#2

As a long-time dreamhost customer, I understand your frustration. I have made similar complaints in the past. IMHO:

1: Yes, dreamhost does centrally store user credentials. This process makes it simpler to move a user from one server to another (when a user buys a VPS, or is moved to reduce load on a shared server.) But, any DH employee with root access can access your account. And, users should NEVER use one password for multiple services (whether within or outside of dreamhost) anyway. That being said, a central database does create a dangerous single point of risk, as you point out. I should mention that sadly, DH is not the only host to do this. A recent exploit at MediaTemple used a similar method:

From: http://michaeltorbert.com/blog/media-temple-hacked/

However, I don’t think shell account credentials are stored in plain text. I think MySQL credentials are stored in plain text. However by default these accounts can’t be accessed from outside the DH network and your own MySQL hostname. Can a DH employee confirm or deny this?

2: If the password is generated, they have to tell you the new password in plain text at some point. Otherwise it would not be much use to you. I agree that when you set your own password, it should not be shown. However, you really should not change your password in an insecure location regardless.

3: Yes, user and webapp setups trigger these emails. The email allows users to be notified when provisioning had been completed. I agree that the user and password credentials should never be in those emails. I always change my passwords after that point to mitigate that risk. It would be nice to have an option to have the emails PGP encrypted.

4: This is the area that I am most sympathetic with DreamHost. Remember, many potential dreamhost customers are entirely new to web hosting. Many WYSIWYG web site editors use built in FTP clients. If dreamhost did not allow FTP, or disabled it by default, they would very likely be bombarded with the same issue from angry, confused customers. It is generally expected that more security aware users like you and I will follow best practices, and will take the necessary steps to secure our own accounts. It is also my understanding that this stance is common among web hosts.

Bottom line: Yes, some of these issues are major security risks that dreamhost can and should correct. However, one should not expect one’s web host to hand hold on security practices. Web hosting companies have to walk a thin line between ease-of-use and security. Any web hosting customer should follow best security practices on their end as well.


#3

Well I just tested changing my password, and it was never echoed back to me, and the system didn’t send me an email, so that seems OK.

HOWEVER… I then tested the “forgot password” functionality… and the system immediately sent me an email containing my existing password.

This IS terrible.

And to make it EVEN MORE terrible, it never even asked me my security question! So something is definitely broken.

What ought to happen, surely, is that upon “forgot password”, the system should email me a nonce-password (a one-off generated password) which invites me to a session where I am asked my security question.

About FTP … here I think Dreamhost’s current practice is correct. It’s a choice between either having it enabled by default (and business-savvy customers have to disable it), or disabled by default (and newbie customers in internet cafes where there is no SFTP have to re-enable it). The former choice is obviously more sensible.

~Tom


#4

While I’m here I may as well comment on this too. I’ve noticed these problems before. Some of them (leaving FTP access on by default) can be rectified easily enough that I wouldn’t have even cared to complain. I am a little annoyed with the way they repeat passwords back to you. You’ve just typed the password twice, so you ought to know it. :slight_smile:

I’m also a little annoyed with the obvious policy of storing plain-text credentials. At the very least, the credentials could be stored in multiple hashes. The combination of SSHA and MD5 would probably cover every case I can think of. Even if they had to include DES for some reason, at least it’s not straight ASCII. I hope it wouldn’t complicate the administrative work too much, and if they’re worried that they won’t be able to provide the password back to the user over the phone or such things, well, that’s exactly the point. It’s a secret.

I’m not annoyed enough at either of these things to consider dumping them for a different provider, especially since they’ve done quite well in the service department for me and their feature list is formidable. I’d still be delighted to see them fixed.

Chris


#5

I have been with DH for many years now. I have NEVER had an issue with them as far as security. The only thing I would be interested in is the ability for SQLi or XSS. How vulnerable is DH to this?

Other than that, I feel it is MY responsibility to secure my own sites and my own passwords. Working in the security industry over the past several months I have learned a lot and most of it is there is no such thing as 100% secure.

Now a lot of these issues you complained about have mostly to do with DH being able to give you your password. Well if it is hashed correctly in the DB you need not worry. The proper program can extract it and send you the password in plain text, just in case you forgot it. Many places I have a password at do this.

You should be responsible for changing your password and do it on a periodic basis.

As long as my personal information is safe from hackers I am more than happy to be responsible for my account information.

Cheers


#6

The problem is that even people who follow good security guidelines are at risk.

For example, do you consider it reasonable to work on a laptop in Starbucks? I think most people would consider this quite reasonable, as long as they follow elementary precautions, like not doing anything confidential such as account maintenance, and not letting strangers peer over their shoulder while they are reading or writing email.

But consider this. Let’s assume (for definiteness) that you use gmail. When you are on your main ‘inbox’ screen, it just shows (mainly) a list of ‘subject’ fields. Nothing confidential there, and most people would think it quite reasonable to leave their laptop showing that screen while they sip their coffee.

So here’s the scenario. You are the good guy. The waiter is an opportunistic malfeasant (M).

While M is pouring your coffee, he happens to notice as one of the subject lines “Dreamhost Monthly Newsletter”. Just from that, M guesses that you are a Dreamhost customer.

Your Dreamhost account is now doomed … M will set in motion a train of events that, without any wrong behaviour on your part, will lead to penetration of your account.

M makes a mental note of your email address (which gmail shows prominently near the top right hand corner of the screen). He retires to the back office and brings up the Dreamhost login screen, enters your email address, and clicks on “please send me my password”.

He now knows that in about 10 seconds, an email will reach your inbox, and that you will naturally open it, and that it will say

[quote]Hi!

Your DreamHost password is: whatever

You can now log in at https://panel.dreamhost.com/

If you didn’t request this email, don’t fret, the security of
your account has not been compromised. Somebody else must have
requested your password. That’s exactly why we email it to you
instead of just giving it out!

Thanks!

-The Happy DreamHost Passwording Robot[/quote]

He knows that he only has to read one word out of this email, and he knows exactly where on the screen it will appear, and with a lot of white space helpfully around it! He doesn’t have to peer over your shoulder, he need merely take a fleeting glance.

So he immediately returns to the vicinity, waits until he hears the “ping” which says “new mail has arrived”, and times it so that he re-fills your cup of coffee at exactly the moment when you are opening this email.

You, of course, are blithely unaware, since as Dreamhost is at that very moment telling you, “Don’t fret, the security of your account has not been compromised”. Maybe, just to be on the safe side, you look around to check that nobody was watching your screen. There is nobody there. Well, there is that waiter who re-filled your coffee a few seconds ago, and who is now attending to the next table … but there was only a split second during which he might conceivably have glimpsed your screen, not nearly long enough for him to have taken anything in … so nothing to worry about there.

Far fetched? Yes, a little. But possible. And so easy for Dreamhost to fix the loophole, which puts responsible and security-conscious customers at risk, and which no excellent web hosting company could possibly be proud of.

~Tom


#7

Now wait a second here …

Starbucks has waiters now??


#8

Here you are mostly right. Dreamhost could make it easier than they do, though. There’s definitely room for improvement. Of course they’re never hit 100%, but they would improve greatly by not printing out your password ever except in the case of one that’s temporary and requires you to change it immediately.

Many places are wrong to do it, as you are wrong to suggest – as I assume that you are – that a password stored with two-way encryption removes your need to worry about its interception at the service end by people who work there. Now a password that’s “hashed properly,” and by this I mean, a real, one-way hash which is sufficiently unique – like SHA1 or MD5 – that requires the original password (or at least more than a sneeze) and then produces the original hash for validation against the stored hash itself and never against the plain-text password requires cost and time-prohibitive computational resources to extract your password.

Even so, this is not what you should be worried about. It’s bad, certainly, but most people who will have access to the credentials for reversing the two-way encryption in such a setup would probably be included in the set of people who could just assume your id by administrative privilege without needing to type your password. Bad, but it’s a less extreme security flaw if they encrypt it reversibly on the server than if they print it out for you. The very act of printing the password implies insecurity. Shoulder-surfing is a popular hobby among miscreants, and social-engineering is easier and less risky than getting a job at the internet service provider where your victim hosts his web site. Even shoddy enforcement of accountability is more dangerous than standing behind somebody while they’re browsing the web. No offense, but I hope that if you keep working in the security industry, you begin to adopt an attitude that actually fosters security and eventually look back upon that message as an embarrassment.

Chris


#9

and refills? since when did that happen???

on a serious note, I do agree that sending passwords in cleartext is Bad. A time-sensitive link to reset a password would be better.
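The flow this thread keeps circling back to (post #1's rule that only salted one-way hashes are stored, post #3's one-off generated secret, and the time-sensitive reset link suggested just above) as an added illustration. This is hypothetical code written for this thread, not DreamHost's own; the in-memory AccountStore, the PBKDF2 parameters and the 15-minute token lifetime are assumptions.

```python
import hashlib, os, secrets, time

PBKDF2_ROUNDS = 100_000      # work factor; tune for the server
RESET_TOKEN_TTL = 15 * 60    # reset links expire after 15 minutes (assumed)


def hash_password(password, salt=None):
    """Return (salt, digest); the password itself is never stored."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    _, candidate = hash_password(password, salt)
    return secrets.compare_digest(candidate, digest)   # constant-time compare


class AccountStore:
    """Hypothetical in-memory store standing in for the provider's database."""

    def __init__(self):
        self.users = {}          # email -> (salt, digest); no plain-text password anywhere
        self.reset_tokens = {}   # sha256(token) -> (email, expiry)

    def register(self, email, password):
        self.users[email] = hash_password(password)

    def login(self, email, password):
        return email in self.users and verify_password(password, *self.users[email])

    def request_reset(self, email, now=None):
        """Mint a single-use token to embed in the mailed link; the mail never
        carries a password. The caller shows the same 'check your mail' message
        whether or not the account exists, so this reveals nothing to a requester."""
        now = time.time() if now is None else now
        if email not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        # Only a hash of the token is kept, so a database leak does not leak live links.
        key = hashlib.sha256(token.encode()).hexdigest()
        self.reset_tokens[key] = (email, now + RESET_TOKEN_TTL)
        return token

    def complete_reset(self, token, new_password, now=None):
        now = time.time() if now is None else now
        entry = self.reset_tokens.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if entry is None or now > entry[1]:   # unknown, already used, or expired
            return False
        self.users[entry[0]] = hash_password(new_password)
        return True
```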


#10

I note, by the way, that after testing the foregoing, I dutifully changed my password.

You can well imagine my indignation when I was subsequently unable to get into the stats areas of my websites.

After trying a few things, I realized that the stats areas were still expecting the old password.

Maybe some dreamhost honcho is going to come along and say that’s the way it’s meant to work.

Maybe they’ll say that the user which accesses a stats area is a completely different thing from the identifier which accesses the main panel of an account.

And that they only happen to have the same name because, out of the kindness of its heart, dreamhost is by default providing a user for the stats area with the same name as the panel id.

Well I would be surprised if most customers find that obvious or even reasonable.


#11

That’s actually pretty much correct. We don’t create any default stats users anymore; existing stats users with the same name/password as Panel users still exist, but are no longer created for new domains. This was actually done for security reasons: sending your Panel password to the stats page would transmit that password in clear text, which definitely isn’t a great thing to be doing!

You can configure stats users at: https://panel.dreamhost.com/index.cgi?tree=status.stats.


#12

"I have been with DH for many years now. I have NEVER had an issue with them as far as security."

How long is a many years?
At the top of my CP it says “…since 2002”

You must not have been among the users that were affected by this incident, which wasn’t that long ago…

http://blog.dreamhosters.com/2007/06/06/dreamhost-ftp-accounts-hacked/

And this one that I recall vividly… Not a Security Breach so to speak but one that really annoyed me as I was billed for a LOT of money "by mistake"

I’ll say this:
I like Dreamhost, I have many reasons to stay… BUT…

I AM always annoyed at their cavalier attitude which seems to be pervasive throughout the organization…

My advice is to be careful and be on the ball with your accounts and you’ll enjoy the benefits DH offers… But there will be Sighs and Groans… As with any host.


#13

Yes, passwords should be hashed. I agree that security is more important than the convenience of a user being able to retrieve an old password. I am not some newbie technophobe, I can manage my passwords and if I forget one, I do not care if you have to reset it and send me a system generated one. I do understand why DH staff might want the ability to get passwords for people, but I don’t think it’s appropriate for a web hosting service.

However complaining that DH allows FTP (as an option, no less!) is delusional and detached from reality. Of course they allow FTP. That’s fine (and good).