Monday, 5 February 2018

PHP is a major programming language that powers millions of projects on the web.
It offers great coding flexibility and is compatible with various modules that can extend its capabilities significantly.
However, as mighty as PHP might be, poor coding can make your server vulnerable to security threats. To address this negative scenario, PHP extensions like Suhosin have stepped in.

Security vulnerabilities in PHP

According to a recent W3Techs survey, PHP is used by 83.1% of all server-side programming language-based websites.  Now PHP has grown to be the most preferred web programming language thanks to its short learning curve and the great deal of options for building dynamic web projects.
Just like other programming languages, however, PHP is not immune to poor coding practices and web servers can easily become vulnerable to attackers.

You may have crafted the most perfect piece of code, but if you allow non-verified code from other developers to run on your server, you will open the door to vulnerabilities.

If you are hosting third-party PHP applications with plugins, you cannot always trust the quality of the code either.

This is where the Suhosin solution kicks in.

What is Suhosin about?

Suhosin (pronounced ‘su-ho-shin’, which means ‘guardian angel’ in Korean) is an advanced protection system for PHP installations developed by the German company Sektion Eins.
It was designed to protect servers and users from all manner of flaws in PHP applications and in the PHP core itself.

Suhosin works on two levels. First, it protects the PHP core against buffer overflows and format string vulnerabilities. And second, it acts as a powerful PHP extension that tackles operability issues.
The two functions can be used separately or in combination.

Why use Suhosin?

If you are using PHP on your personal server where you run your own vulnerability-free scripts and applications, then you most probably don’t need the Suhosin extension. However, one should keep in mind that PHP is a very complex language with lots of easy-to-overlook pitfalls.

Therefore, it is always a good idea to have Suhosin running in the background as an additional safety measure.

According to its developers, the Suhosin extension will effectively protect your server against malicious attacks resulting from vulnerabilities left in your code.
Suhosin will also ensure that no one else on the web will be affected if your server falls prey to spam or DDoS attacks, for instance.

How to make use of Suhosin on our platform?

To help you maintain a secure environment for your PHP-based projects, we’ve installed the Suhosin extension on our servers.

You can enable the extension with a click from the PHP Settings (Advanced>PHP Settings) section of your Control Panel:

 PHP is used by 83.1% of all server-side programming language-based websites.

Thursday, 4 January 2018
Yesterday two critical server vulnerabilities were discovered that affect nearly every modern server and desktop computer made after 1995. These vulnerabilities known as  “Meltdown” and “Spectre” affect Thexyz and many other service providers.  Since becoming aware of these vulnerabilities, Thexyz has been working diligently to plan and implement the best resolution for our customers. Our security and development teams have been working with our vendors to deploy the required updates to mitigate vulnerabilities. 

What are these vulnerabilities?

Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to read data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of data stored in the memory of other running programs.

Some patches have already been released to mitigate the risks of these vulnerabilities.  Based on the requirements of most of these patches, it will be required to reboot customers’ servers.  We will be scheduling these reboots, and updating affected customers prior to them taking place. 

We are continuing to monitor the situation for further information and will be updating our customers as more information becomes available. Our customers’ security and environments are a top priority, and we can assure you we have the best team working feverishly to fix these vulnerabilities in the least impactful manner.

Who reported Meltdown?

Meltdown was independently discovered and reported by three teams:

Who reported Spectre?

Spectre was independently discovered and reported by two people:

The vulnerability announcement and applicable white papers are available at:
Monday, 1 January 2018

With Google tracking scripts found on three out every four websites, users are not only being tracked for what they search for, but also what actions they do while on a website. This data is stored and shared with Google partners and staff, it can also be subpoenaed by lawyers, including for civil cases like divorce. Google answered over 80,000 such data requests in the first half of 2017 alone!

More and more people are also realizing the risk of relying on one company for storing personal data. There are also security concerns and during the last few months of 2017, we helped a number of business and individuals who had lost their data which was hosted by Google. This was usually due to having their Google account hacked and once hacked they were not able to get back into their Google account, which meant they lost all their data. Years of photos, contacts, calendars and email data all gone. Some also lost thousands of dollars as a result of having their Google account hacked. 

A new year is a great time to begin a proactive approach to improve your security and take back your privacy.

Here's to a Google-free 2018!

It is possible to remove or limit your reliance on Google by changing a few habits. This will protect your data and ensure you own it, without it being shared with third parties.

Here are a few recommendations for cutting Google out of life this year....

Google Search Alternative

Google search is great, but Google is not a search company, they are an advertising company. There is also options other than Bing or Yahoo called DuckDuckGo that doesn't track you. These tracking scripts are silently loaded to your device each time you search, usually by way of a cookie. If you were to try opening a private window in your browser and do a Google search, take a look at how much faster it it.

I recently tested some Google trackers, I used an old phone to search for some hotels and clicked on Google ads. The result was the browser crashed with too many tracking scripts loading. When I tried again in a private or incognito mode window, it worked fine.

The lead me to create a start page that is free from Google trackers, analytics, ads and other scripts. The result was a search that load twice as fast as Google's: (view pingdom result)

Performance grade: 96 
Load time: 394 ms 
Requests: 12
Page size: 105.4 kB
Faster than 98 % of tested sites (view pingdom result)

Performance grade: 88
Load time: 830 ms 
Requests: 23
Page size: 1.1 MB
Faster than 92 % of tested sites 
If you still wish to use Google search you can by removing tracking scripts and using the incognito mode of your browser. Loading the Thexyz Start Page on Google will also allow you to search Google but will load the page twice as fast, free of initial trackers.

Gmail, Contacts and Calendar Alternative

Hosting your email on an independent, paid service that also includes calendar and contacts support across all device from Thexyz, will allow you to store your important email data secure and private. Your email account is a key to unlock your other online accounts, it is essential to keep your email account as secure as possible, 

YouTube Alternative

There is some great content on YouTube so it is hard to avoid using it sometime. You can  however search for and watch them on DuckDuckGo for better privacy protection via YouTube's "youtube-nocookie" domain. If you're creating and hosting video yourself, however, Vimeo is the best-known alternative which focuses on creators.

Google Drive Alternative

There are some great options for a Google Drive alternative. Last year we launched Cloud Drive for Thexyz Webmail which adds 30GB of secure cloud storage to your Webmail account. There is also ownCloud which is open source software that can be hosted anywhere and you can control your own security settings.

Google Chrome Alternative

A common point of entry for a hacked device is the use of Google Chrome. It is not because Google Chrome is insecure, it is a secure browser if properly configured. The problem is that is not usually configured to be secure and private. There are many developer apps that can obtain over bearing permissions. Both Firefox and Brave have built in tracker blockers.

Google Maps Alternative

OpenStreetMap is a good alternative for Google Maps. iOS also have a built map app that is independent from Google Maps.

Google Analytics Alternative

Piwik is Open Web Analytics are both open source web analytics software that you can use to track and analyze how people use your websites and applications.

As you can see, moving away from Google isn't difficult, you may also find you prefer the alternatives while also getting better privacy!

For more privacy advice, follow us on Twitter & get our privacy tips newsletter.

Trending Posts

Blog Archive

Subscribe by email

Enter your email address:

Subscribe to more feeds


News (73) Web Hosting (50) Email (27) security (23) webmail (18) Advertising (17) Tutorials (16) Thexyz Cloud (14) Video (5) resellers (2)