GoDaddy injecting JavaScript into websites and how to stop it (igorkromin.net)
949 points by ikromin on Jan 13, 2019 | 302 comments

In case this turned out to be misleading, I picked a random GoDaddy-hosted low-cost site (hometailer.com) and yep, there's the code:

<script>'undefined'=== typeof _trfq || (window._trfq = []);'undefined'=== typeof _trfd && (window._trfd=[]),_trfd.push({'tccl.baseHost':'secureserver.net'}),_trfd.push({'ap':'cpbh'},{'server':'a2plvcpnl83247'}) // Monitoring performance to make your website faster. If you want to opt-out, please contact web hosting support.</script><script src='https://img1.wsimg.com/tcc/tcc_l.combined.1.0.6.min.js'></sc...

That's pretty gross.
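A quick way for a site owner to confirm whether the snippet above is present in what the host actually serves. This is an added example, not code from the thread or from igorkromin.net; it parses a constructed HTML sample and flags every script that carries the markers seen in the quoted snippet (the `_trfq`/`_trfd` globals, `tccl.baseHost`, and the `tcc_l.combined` loader on img1.wsimg.com). Feed it the raw HTML of your own page (curl output, not a browser view) to check that an opt-out really took effect.

```python
"""Detect the GoDaddy-style monitoring snippet in served HTML (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Markers copied from the snippet quoted in the thread.
INLINE_MARKERS = ("_trfq", "_trfd", "tccl.baseHost")
EXTERNAL_HOSTS = ("img1.wsimg.com",)      # host serving tcc_l.combined.*.min.js
EXTERNAL_PATH_HINTS = ("/tcc/",)          # path prefix of that loader


class ScriptCollector(HTMLParser):
    """Collects every <script> tag: its src attribute and its inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []        # list of {"src": str | None, "body": str}
        self._in_script = False
        self._buf = []
        self._src = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            self._buf = []
            self._src = dict(attrs).get("src")

    def handle_data(self, data):
        # HTMLParser delivers <script> contents as raw data, so the JS is intact.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.scripts.append({"src": self._src, "body": "".join(self._buf)})
            self._in_script = False


def find_injected_scripts(html):
    """Return a list of (kind, detail) findings: kind is 'inline' or 'external'."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for s in parser.scripts:
        if s["src"]:
            parsed = urlparse(s["src"])
            host = parsed.hostname or ""
            if host in EXTERNAL_HOSTS or any(h in parsed.path for h in EXTERNAL_PATH_HINTS):
                findings.append(("external", s["src"]))
        elif any(m in s["body"] for m in INLINE_MARKERS):
            # Report a short prefix of the inline body so the finding is recognisable.
            findings.append(("inline", s["body"].strip()[:60]))
    return findings


# Constructed sample page: the injected pair from the thread (placeholder values
# only) followed by two scripts that belong to the site owner.
SAMPLE_HTML = """<html><head>
<script>'undefined'=== typeof _trfq || (window._trfq = []);'undefined'=== typeof _trfd && (window._trfd=[]),_trfd.push({'tccl.baseHost':'secureserver.net'}) // Monitoring performance to make your website faster.</script>
<script src='https://img1.wsimg.com/tcc/tcc_l.combined.1.0.6.min.js'></script>
<script src="/static/app.js"></script>
<script>console.log('owner code');</script>
</head><body>hello</body></html>"""


if __name__ == "__main__":
    for kind, detail in find_injected_scripts(SAMPLE_HTML):
        print(kind, detail)
```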

GoDaddy is the Oracle of web hosting companies. I don’t understand their popularity, yet it seems to be going strong. Why is that? (Serious question, not rhetorical.)

Advertising. I remember seeing tons of not-quite-porn ads from them even during superbowls.

They stopped those fall 2013.

That's quite specific. Do you know what the impetus for them to stop was?

New management I think?

New CEO (Blake Irving)

He did a Reddit AMA after starting: https://www.reddit.com/r/IAmA/comments/23v7f3/hi_im_blake_ir...

I remember it being surprisingly good!

So, long after those ads had made them a household name?

I was getting YouTube video ads for them every day not long ago.

Are they profitable?

$139.8 million net income in 2017.

Cheap .net packages, shitton of advertisement, constant discounts and offers, and more importantly they own the domain market. A lot of people buy domains from them and it doesn't take long to host something on that domain, so why not stick with them. Long story short, the power of convenience.

Although I have mixed feelings, I've switched all my domains to Google... the one down side to Google's domain management is there's no way to bulk edit contact information (when you move).

It's about as simple as it gets to add services, but Google's DNS is included (as opposed to GoDaddy's, which is slower) and I don't get pressured multiple times and have to click less obvious links to not choose other services. Privacy is included at cost, for TLDs that support the option.

What happens if you are locked out of your Google account? This can happen for some silly reasons and sometimes without recourse. Will you lose your domains, effectively ruining your business?

I have to say, google domains is about the only case where I have had responsiveness from google support. And it is a concern to me... I think that if google does such a thing it would be easy enough to demonstrate real damages in a lawsuit against google.

Sure you could probably win a lawsuit. However what about the lost business you will incur until the lawsuit is done and Google decides to follow the court order?

See the part about "real damages." In such a case, you could demonstrate the impact and estimate ongoing damages as a result of Google's (in)action. Given the offset in size and likely irresponsible nature, the amount Google would have to pay would include your damages, lawyer fees as well as additional punitive damages. This is how common law is supposed to work.

NOTE: I am not a lawyer, and this is not legal advice.

I was talking to my roommate, a non-tech person, and asked her where she got her domain, out of interest. She said GoDaddy. I let her know about their shittiness, but normal non-I.T. people don't know enough to care.

It’s name recognition. Whenever I have to help a company, friend, or family that doesn’t really know “tech”, their domain is, without fail, hosted by GoDaddy.

I would guess it's their marketing that helps. They're one of the few with prime-time TV commercials.

Happy with my namecheap domain hosted in Linode: never going to touch a godaddy domain for any of my needs.

This solution is for the 1% or the 0.1%, the vast majority who choose Linode are creating vulnerable servers because they are not going to competently keep the machine up to date on security patches or configure it properly for security.

Managed hosting is a requirement for the masses, and comparing a managed hosting service with a self-service VPS is a bit disingenuous IMO. Managed may seem more pricey, but that's only unless you don't value your own time as an administrator, or if your time isn't valuable (you're not good at it lol).

For my static website I think it’s ok.

Parent comment is referring to software vulnerabilities running on the box itself, not vulnerabilities in your website. When Apache or whatever it is that you use to serve your static website comes out with a vulnerability that allows RCE as root, it becomes a problem for you, even if your website is static.

FWIW I use Namecheap / Linode myself, and will probably never go back to shared hosting. But the flip side of that coin is you do need to manage it, regardless of the website you are hosting.

> Parent comment is referring to software vulnerabilities running on the box itself, not vulnerabilities in your website. When Apache or whatever it is that you use to serve your static website comes out with a vulnerability that allows RCE as root

Or you can opt out of this mess and run a simple server. Not as root.

The update & maintenance treadmill can be slowed down to nearly a halt if you're ok using simple software that doesn't have a billion features and just as many bugs. Which, I suppose, someone running a static site would be quite willing to do.

I'm sure we all have fond memories of that time we sat our grandparents down when they wanted to make an anniversary site and explained to them how easy it was to run a simple server, after which they spun one up in a container and secured it no problem.

Little old grandma just loves ssh'ing into her pet server every day to read her system logs.

Little old grandma ain't making sites with GoDaddy either, so why do you have to come up with such an irrelevant strawman. Please.

Grandpa is exactly the target market for GoDaddy. Look who they've got advertising the company in Australia.


My grandmother's website for her small business was purchased via GoDaddy. This was before those commercials even started airing.

It's not a strawman at all. I am speaking from real experience, except for the part where my grandmother could tell you the difference between SSH and SSL.

You can configure that machine to automatically update itself, which is what I do.

And I don't think GoDaddy or other managed hosting providers are doing a better job than this.

Also FYI static websites have a much smaller surface of attack when compared to forever-vulnerable shit like WordPress.

yes, this.

Godaddy is not doing much more than auto-updating packages with security fixes. This is easily handled with most Linux VPSes (often automatically, in the case of DigitalOcean). I am pretty sure the Amazon Linux AMIs do this too on AWS EC2. And most other distros can turn this on once with one command.

I don't think GoDaddy is going much deeper than this, so security is a moot comparison between the two. In fact most sites are hacked at the application level anyway, not the system level. So the real security hole is not something on Linux, but the actual WordPress site that's installed within it. Food for thought: 83% of hacked websites in 2017 were WordPress sites. Source: https://sucuri.net/reports/2017-hacked-website-report

My website is run via containers that don't run as root...

Oh well in that case, you are 100% invulnerable to attack.

^ I know this statement appears absurd to you, so I'm wondering why you're posting as if it's true?

Yes, with read-only volumes. These are awesome for security.

They are useful for mitigating some kinds of attacks; I wouldn't go so far as to say they are a panacea for security in general.

A lot of people recommending NameCheap in this thread.. it's worth noting that they supposedly gave a warning to a guy running a forum with millions of visitors that they would suspend his account if he didn't remove two images within 24 hours (https://news.ycombinator.com/item?id=14139288), and that they're dumping customers' private info (https://news.ycombinator.com/item?id=18063667). I'm guessing there are other horror stories as well, but those two alone (which to me sound credible) were enough reason to take my business elsewhere.

This - after their support requested my password over live chat I've since moved every domain I own to Gandi upon renewal.

Hey, the same thing happened to me! They asked for my password during a livechat session, and I was like "what the hell".

Also, another time I was having problems with their stupid 2FA app (back when they ran their own app and it broke constantly), and their solution was to just disable the 2FA for my account. They said I can set it up again whenever I want to. So then I told the woman, that if someone wanted to hack into my account, they could just open a livechat and get my 2FA disabled and then log in, why should I even bother having 2FA at all if you're just going to disable it.

To be fair, they finally moved to a more traditional 2FA now, where you can use any 2FA app instead of their proprietary namecheap app. So they might not do this anymore. I think they were disabling 2FA back when they used their own app for it, because it was super buggy and people (like myself) would get locked out of our accounts for no reason other than their app was buggy.

I can recommend https://easydns.com/

Seconded. Been using this for years and it works incredibly well - perfect also as a secondary DNS.

Their UI hasn't always been the latest & greatest (but even here they came a long way in the past 2 years). Their knowledgeable (and helpful) customer support really makes up for it.

I don't know the internals of the company but would assume that the people running it are still the same team who founded it and they really know networking & DNS inside-out. Refreshing in a time where financial and marketer types have taken over a lot of the decision making in tech or where you're in a customer support loop for ages and everything is handled by a bot.

Their “no upselling” policy has taken a bit of a nose dive these days with pestering about things. In an email I have with their CS they said it’s not upselling, but offering you things other customers have found useful... Yeah right... Still, it’s not as annoying as GoDaddy’s at least was (not used them in years) but you are still trying to upsell me; just ditch your no upsell policy :-p

I still have a few domains with them but I’ve been using namesilo lately after hearing about them here and no complaints. Well, the only complaint I have of them is they don’t have the range of TLDs that namecheap does (but it’s only a handful of TLDs such as .es).

I've had nothing but great experiences with their support staff. I guess it's a your-mileage-may-vary kind of thing.

I've been using OVH for my domains. They're cheap and pretty good to be honest.

Move your domains to Cloudflare.

I did, largely because they take security seriously, but CloudFlare domains isn't a registrar: You can't set the nameservers to whatever you want. It's a CloudFlare lock-in service.

The fact that you can't change the nameservers doesn't make them not a registrar. They absolutely are a registrar. Just one that doesn't let you change the nameservers.

But you know what? I'm okay with that. I honestly can't think of a scenario where I'd want to use any other nameservers.

> I honestly can't think of a scenario where I'd want to use any other nameservers.

What about the scenario where you are thrown off of Cloudflare service? A CDN is more inclined to ban sites to limit their own risks from litigious IP owners, etc, regardless of who would win an actual court case.

Why would they continue allowing you to use the registrar but not the nameservers?

The registry probably has rules on what they can do to customers that curtail them; they are probably not bound (ha!) to anything wrt serving DNS requests.

I'm saying why would you let a CDN be your registrar in what sounds like an abnormal registrar agreement. (If they block you from the CDN, what happens then?)

> If they block you from the CDN, what happens then?

That could be an argument not to use their DNS service and their CDN service.

It shouldn't be an issue for the DNS service by itself.

I believe the path for Krebs when under DDoS was free CF cloud to Akamai to special status (from Google?). Using CF domains with or without CF's normal services turned on would have made Akamai impossible until a transfer process to a real registrar completed, leading to an extra week or so of downtime.

I was a huge fan of Namecheap, and I have like 25 clients using them.

But... I haven't been a fan of them lately.

I've got a password manager and 2FA on all my accounts, and I went to sign in. I kept getting an incorrect password response. Reset, tried again. Just kept getting the same error. Freaked me out as I couldn't sign in.

Fast forward, came to find out because I was on my company VPN they were blocking me. Rather than just show a message, "We don't accept users on a VPN..." they let me think my password was wrong and go through the panic of not being able to sign in. And, even though they thought I was some sort of spammer / hacker for using a VPN, they were more than happy to discuss my sign in details over live chat.

I sort of get "security" here, but they shouldn't be heavy handed with just saying who can and can't sign in, and if you are going to block me, tell me why -- at least send an email letting me know what's up if you don't want to display a browser message. 2FA was enabled, at that point... just leave it up to the user where they want to sign in from, don't put in secret rules around who can and can't sign in.

Anyway, I moved everyone over to Amazon Route 53 and haven't had any more issues.

Unfortunately that's what many companies do. IIRC, this includes connecting with OVH IPs to Mojang (Minecraft) login servers. It's becoming a popular practice that is not good in UX terms at all.

Sounds like a great practice. You don't let the spammer know they're found out, and if you call customer support about it they are able to tell you what's wrong after you've verified extra info. Would you rather they give hackers access to lock you out or unlimited access to keep trying?

Security by obscurity is none at all; the customer/hacker can call up and provide information/pretext no problem - plus the information is available on public sources (such as this one) on why the issue occurs - a smart enough attacker can just use other proxies until it finds one you didn't ban, whereas legit users are probably SOL.

Blocking known source of brute force attempts and attacks is not security by obscurity and it should be a mandatory practice.

Run a website of any importance and you will quickly be shocked at the amount of malicious traffic that keeps coming from Tor/DigitalOcean/VPN/openproxy and a few other sources.

Just to clarify something, I was a legitimate user with a strong password (100 character) and 2FA enabled.

And they blocked me.

They didn't tell me why, I figured it out on my own inadvertently.

I wasn't on a junky free VPN, I was on a corporate VPN service.

And I was blocked, worse I was given false information about my password being incorrect... and worse still, given that they assumed someone was trying to enter a fake password, they never emailed me to let me know -- I had to contact them.

Plenty of legit reasons for someone to use a VPN. I'm relatively certain nobody from the telco in Australia who set up the VPN had been trying to hack Namecheap, looks more just like someone found a way to classify that IP as a VPN and blocked it.

And look, to put the nail in the coffin, they were more than willing to tell me the email address to check for the reset password via live chat.

Anyway I tend to be the guy harping about security, but when they start banning VPNs just for being a VPN I don't think that's secure, I think it's obnoxious. We should encourage people to use VPNs, not make it annoying for them.

Proper procedure would be to let the bad guy try, block the IP (or better yet, browser fingerprint), let them know why they were blocked (in case they aren't a bad guy), and (if the owner didn't have 2FA) send the owner an email saying someone was trying to get access but wasn't successful.

For users with 2FA, all you'd ever really have to do is send an email to the owner, and / or access distribution list, letting them know when a certain user signed in. I wish more people offered this service, getting access notifications when any admin signed in would be key for helping me figure out what task broke something if I have to go fix it.

I have had so many problems with 2FA and Namecheap. I use 2FA on any service that will let me. Needless to say, I am very confident in using it. All my 2FA are set up in my Authy app, and I use it many times a day without issue.

But then comes namecheap. They are literally the only service on the internet where I will get locked out with 2FA. It will keep claiming it is the wrong password, when I know it's not. I don't ever have a problem with any other online service, but the 2FA on namecheap is a constant problem. I have been locked out on Namecheap for no reason now 5+ times, so I have now just turned it off.

Now that I read your comment, I wonder if I have the same problem. I am sometimes logged in via VPN and I wonder now if that is why it was rejecting me. It's frustrating because I know the password is correct and the app is set up correctly, but it will keep claiming I have the wrong password. Like I said, I now just have it turned off, because I am terrified of losing access to my domains. But I am also terrified of not having 2FA protecting my domains. So it's made me consider transferring elsewhere.

I also considered just using Amazon. Most of my domains are already using Route53 as a premium DNS instead of relying on Namecheap as a DNS anyway. So I am considering just having them be the registrar too.

I've been trying to move away from Network Solutions (now web dot com) for years and NameCheap was the closest to a halfway decent registrar I could find. That said, I don't like them or any of the other registrars. Most of the registrars have been bought up and their backend wrapped with some other company's junk UX. I also tried name dot com. They don't even have the capability to set apex DNS names as NS records. Black Knight closed my account with no reason at all. The only halfway decent registrar is Mark Monitor and they are too expensive for my hobby sites. I always move corporate DNS and Cert management to Mark Monitor, but for personal use, all the popular registrars are just garbage, in my strong jaded opinion. MM is just a reseller of certs and they don't even offer all the capabilities of the vendors they resell.

I am purposefully staying away from AWS. They are super popular right now and developer friendly, but I know how their business operates and that popularity will subside in a few years. I predict many of their users will feel betrayed at some point in the future after enough people have moved to their DNS.

If you're happy with namecheap you will be delighted with bookmyname IMHO.

This is quite ironic because I used to work in the security team at GoDaddy, writing tools to scan and clean websites infected with malicious code injected the same way. To find out that the company is using the same technique (for something less malicious?) is very surprising to me. I guess they never asked the security team for a review of this feature, otherwise I doubt they would have approved it.

Last time I got a "your site is infected with malware" alert from GoDaddy...it was for a domain parked with GoDaddy.

Is this common in web hosting? I'd be pretty livid if my web host was modifying traffic, regardless of the intent.

It's not unheard of. Some platforms offer New Relic RUM integration which breaks shit (like XML sitemaps).

I am guessing the hosting provider gets access to the information the client also gets, but that's just a guess without any evidence. It would just make sense in the absence of regulation.

This is something absolutely unthinkable in our company. However, we have heard of other providers using similar tactics in the past, so always do your research before trusting a provider with your website.

I work for a competitor and we definitely do not do this, so I don't think it's ubiquitous at any rate.

There used to be a lot of web hosting companies that offered free hosting and injected their ad frame.

It's very common with features like A/B testing, analytics, advertising and CDN.

This should be inserted by the customer instead of filtering traffic, but not necessarily. It's very user friendly to only have a button to turn something on or off.

It’s pretty surprising to me that they could ship a feature like that without an enforced review by security and probably several other teams (legal and pr come to mind immediately).

The very notion that GoDaddy could be in a position to "clean" websites of malicious code is--what's the word?--stupefying? profoundly unsettling? mystifying?

Why? For those of us who've worked in hosting, it's a routine thing that you help customers do every day.

At their scale, trying to automate it hardly seems surprising.

Could you give an example of when a customer would need that? I'm missing something.

If a customer’s website is being hosted in a shared account, the infection will quickly spread across the other websites in the same server unless the hosting provider takes the matter in their own hands. Years ago, it was common to simply suspend the infected website until the webmaster finished the cleanup by themselves. Nowadays, instead of suspending a website for a minor infection, some hosting providers simply clean the malicious code automatically, or offer a premium cleanup service if the infection is more complex.

> If a customer’s website is being hosted in a shared account, the infection will quickly spread across the other websites in the same server unless the hosting provider takes the matter in their own hands.

Not at any professional hosting service. It's not hard to secure the environment so that it'll take a classier attack than guessing somebody's WP login to get access to any other sites on the host.

The actual problem for hosting services is that compromised sites can be used to annoy visitors or other hosting services.

edit: okay, I don't care about the points, but I'm getting really curious why people disagree with this.

I agree. If it's possible for the infection to "spread across the other websites in the same server", then that implies that clients can access and modify each other's files, which is not the case with any shared hosting provider I've heard of.

What is more plausible is malicious server-side code eating up server resources, and that load impacting the websites of other customers, but that has its own solutions which are different from automated detection of malicious JavaScript code.

Most of the compromises I've dealt with over the years fall into just a handful of categories:

1. Data theft. So, ripping off a database or intercepting credentials while people log in.

2. Embed a link into page output which will try to download something from somewhere somehow. It might be phishing, or (usually) it's some kind of JS trying to infect the user with malware. Lazy attacks work by just popping up a convincing-enough warning message with a link that lets the user download the malware themselves, and it's effective enough.

3. Credit card theft. Using a third party service with iframes makes this harder, but not impossible.

4. Dropping some kind of web-based shell, like C99.

#1 doesn't get anybody to care. If that's all that ever happened, I'm pretty sure shared hosting providers would still be saying, "sucks to be you." #3 causes headaches for the site owner and makes them care, but still not the hosting provider.

#2 got the hosting providers' attention once Google launched Safe Browsing. Suddenly this put some of the responsibility for maintaining a safe network back onto the hosting providers. Their first solution was to just shut down sites discovered to have malicious code, but that really irritated the customers. So gradually hosting providers started trying to be a little more helpful.

#4 is a big headache for hosting providers, because those things don't get picked up automatically by Google, and the shells can be used to irritate other hosting providers, who will definitely start lodging complaints with whoever's upstream of the hosting provider.

Not on this list is, "try to infect other sites on the same server", because shared hosting environments have had easy access to a variety of tools for a long time now that prevents that. In a LAMP environment, that used to include SuexecUserGroup; more modern LAMP environments now use php-fpm and have PHP processes running from distinct unprivileged user accounts. There's also the usual php.ini values, like open_basedir, which limit access to the filesystem or to other PHP functions (allow_url_fopen).

I won't say it's impossible for an infected site to attack another site on the same server in a shared hosting context, but you'll need a get-out-of-jail card and those are harder to come by.

No professional shared host would allow one site to access or modify another site on the same server.

It's not normally the default, but there's a world of bad advice out there telling people to chmod everything to 777 so that their PHP CMS can upload files.

Hell, Wordpress recommends against it (and still doesn't do a great job explaining): https://codex.wordpress.org/Changing_File_Permissions#The_da... -- probably because people keep suggesting it. A search for "chmod 777" brings up plenty of examples.

Even chroot will mitigate this, but e.g. reseller types quite often don't have that level of competence.

The situation with default file permissions is already terrible enough that no host should ever have o+x on home directories. And once you remove that, it doesn't matter if everything inside is 777.
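An audit for the two mistakes discussed in this sub-thread (per-user process separation plus `open_basedir` above, and o+x on home directories / chmod 777 here). This is an added example, not code from the thread: it walks a base directory such as /home and reports customer home directories that grant search access to "other", and any world-writable file or directory inside them. The `alice`/`bob` layout is constructed in a temp directory purely for the demo.

```python
"""Audit a shared-hosting home tree for o+x homes and world-writable paths (added example)."""
import os
import stat
import tempfile


def audit_homes(base):
    """Return a list of (issue, path) tuples found under base.

    issue is 'home-o+x' for a top-level home that others can traverse, or
    'world-writable' for anything inside a home with the o+w bit set.
    """
    findings = []
    for name in sorted(os.listdir(base)):
        home = os.path.join(base, name)
        st = os.lstat(home)
        if not stat.S_ISDIR(st.st_mode):
            continue
        if st.st_mode & stat.S_IXOTH:
            findings.append(("home-o+x", home))
        for root, dirs, files in os.walk(home):
            for entry in dirs + files:
                path = os.path.join(root, entry)
                try:
                    mode = os.lstat(path).st_mode
                except OSError:
                    continue            # raced with a deletion; skip
                if stat.S_ISLNK(mode):
                    continue            # mode bits on symlinks are meaningless
                if mode & stat.S_IWOTH:
                    findings.append(("world-writable", path))
    return findings


def build_demo_tree():
    """Constructed layout: alice follows the advice above, bob took the 777 advice."""
    base = tempfile.mkdtemp(prefix="homes-")
    alice = os.path.join(base, "alice")
    bob = os.path.join(base, "bob")
    os.makedirs(os.path.join(alice, "public_html"))
    os.makedirs(os.path.join(bob, "public_html", "wp-content", "uploads"))
    with open(os.path.join(alice, "public_html", "index.php"), "w") as f:
        f.write("<?php echo 'ok'; ?>\n")
    with open(os.path.join(bob, "public_html", "wp-config.php"), "w") as f:
        f.write("<?php // placeholder config ?>\n")
    # alice: owner full, group (the web server's user would be added to it)
    # may search, others get nothing. Files keep their default 0644.
    os.chmod(alice, 0o710)
    os.chmod(os.path.join(alice, "public_html"), 0o750)
    # bob: the "chmod -R 777" state that the guides keep recommending.
    for root, dirs, files in os.walk(bob):
        os.chmod(root, 0o777)
        for fn in files:
            os.chmod(os.path.join(root, fn), 0o666)
    return base


def demo_findings():
    """Build the constructed tree and audit it; used by the stand-alone run."""
    return audit_homes(build_demo_tree())


if __name__ == "__main__":
    for issue, path in demo_findings():
        print(f"{issue:15} {path}")
```

On a real host, point `audit_homes` at the parent of the customer directories and treat every `home-o+x` hit as a neighbour who can read your directory listings and any 0644 file, which is exactly the "spread between sites" the thread is arguing about.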

This doesn't work for setups with e.g. a single apache instance running as www-data.

Add the apache user to every customer's group. It can get into the files but no other users can.

Most hosting providers don't want to host malware, as it's against their terms. Instead of banning an account, trying to identify affected customers proactively sounds reasonable. Injecting your own code in their site does not.

I can't tell if you're trying to respond to me, or just making a public service announcement.

In any case, yes, I agree.

It's honestly a smart thing for shared hosting providers to offer. Some years ago my co took over a bunch of legacy sites from another developer that were not tightly maintained Wordpress. We hosted the sites at the time at Rackspace Cloud Sites. The main reason we chose their antiquated hosting tier was that Rackspace support would handle infection cleanup when it happened.

It would take us time to assess everything and do up contracts for bring-up with these sites. Everything from old revslider and timthumb to more exotic infections. Once you got a file injection or reverse shell on a host, it would spread fast to everything on the server. The only way reliably back was catching when it came in, rolling it back to before then, and upgrading the vulnerable components.

> It's honestly a smart thing for shared hosting providers to offer

Offering it as an opt-in service, yes. Doing it to websites that have not agreed to it, no.

"If a customer’s website is being hosted in a shared account, the infection will quickly spread across the other websites" Hmm, shouldn't my hosting provider provide better isolation and separation from the bad accounts?

I honestly never knew that shared hosting was a thing that companies sold.

I was under the (false) assumption that every user’s website was in their own little VM, not they were sharing a web server.

I work in a datacenter, and can confirm this exact setup is still quite common even recently. We used to offer our own shared hosting setup. Even though we've moved away from that service model and generally only support Cloud / Dedicated hardware, several of our customers do exactly that, leasing out our hardware and acting as a reseller for shared hosting services, sometimes using Plesk or another turnkey control panel, other times using their custom in-house software.

Unfortunately, shared hosting comes with all the risks described: if just one site on the server gets infected, everything else co-hosted on the box feels the effects, especially when the infection is something resource intensive like a cryptominer, or sends out spam emails en masse and gets the physical box on a blacklist. From an infrastructure standpoint we can only do so much; keeping the OS patched and up to date helps to curb the really nasty infections, but the reseller plays whack-a-mole with their customers, detecting infections and shutting domains down as needed.

It's a bit of a mess really. At the same time though, the economies of scale really seem to favor shared hosting from a pure cost perspective, especially for very small businesses that can't otherwise afford a technical team to manage a VPS. So, I think that market is always going to be there.

> especially for very small businesses that can't otherwise afford a technical team to manage a VPS.

I’m way out of my area of expertise here. But from a management perspective, when it comes to managing a lot of VPSes for something like WordPress, is there a simple service where the underlying OS and plugins stay patched by the provider? I guess something like Elastic Beanstalk but simpler.

I guess there may be hosting providers that are that insecure, but I doubt it. There are many ways you can secure and isolate the users. SuExec, grsecurity, strict security policies, 24/7 monitoring are just some of the things a reputable hosting provider would have.

Up until as recently as maybe 6 or 7 years ago it was about the only option if you didn't want to pay for a full dedicated server.

Running a full VM, especially on the tools back then, took a ton of resources. Even server class machines only had 4 or 8GB of RAM typically.

Not to mention that in several cases, the managed service is run with Windows Server (think managed .asp hosting, or using a Windows-only middleware). So you have to tack on the extra resources for a Windows machine and the license costs.

Funny story (but not the ha-ha funny kind): such a service (hosting different customers on the same Windows machine) was still running in my previous company as of 4-5 years ago. They had long moved from physical hosts to VMs, but were stuck with the legacy CMS/control panel which was more or less unpatchable (as in, the software editor didn’t exist anymore). About once a week, one of the host VMs would be taken over by hackers using one exploit or another. In that case they would kill the VM, boot a fresh one from a clean image, and start serving the customer data again after making sure it was clean. The service was not sold anymore but they had long-running customer contracts. It wasn’t making enough money to justify rebuilding it with modern software, but it was making enough that simply killing it wasn’t an option.

I was exclusively a Windows developer for 20 years - using Windows as a development and deployment platform. The cost of Windows in terms of licensing and resource was someone else’s problem.

It wasn’t until I started architecting and developing in cloud environments that the true cost of Windows became apparent - when the cost of every project I do can more or less be directly tied to me.

I still develop on Windows but I found an appreciation for deploying to Linux.

Don’t get me wrong, I’m not new to the field and in hindsight it makes perfect sense, but back then, I worked for corporations that hosted their own servers and never needed to host a site for a personal/small company.

By the time I got to the point where I would think about doing something on my own, VPS hosting was so cheap, I wouldn’t have thought about anything besides a VPS like Linode.

None of this is true. VPSes have existed since the early 2000s and have been in common use since the mid 2000s; Linode was founded in 2003, for instance. Shared hosting was popular because it cost pennies, whereas VPSes would run you $30+/mo, which of course is more like $5+/mo now.

Just for a reference:

3GB Disk Space
38GB xfer
Linode's kind of expensive. I've been using VPSDime [1] for a few years, since they give us 6 GB of RAM for $7 a month. For smaller stuff, I've been happy with RamNode [2], which is $3.50 a month for 1 GB of RAM. And you can usually find good deals on Low End Box [3]. Of course, at those price points, everything is OpenVZ, which is kind of annoying.

[1] https://vpsdime.com/

[2] https://www.ramnode.com/vps.php

[3] https://lowendbox.com/

The prices GP cited were from 2003.

The vast majority of Wordpress deployed in the world (and there's a lot more of it in general than we tend to see in the high tech community) exists on a WHM server, which basically deploys an Apache vhost for every site.

There's a thing called CloudLinux, which is an additional licensed feature that provides resource fencing, but it's a lot less capable than advertised, IME.

Moreover, many end users rush to chmod 777 their installation because there's a lot of guides out there telling them to do so. There are also highly rated Wordpress plugins that do this silently because developers read those guides.

I haven't moved my WordPress off DreamHost because it just works :)

Also I don't have to update operating systems or do backups, etc.

Unless your website is serverless, good old shared hosting isn't bad. You have less control, but also less responsibility :)

> Years ago, it was common to simply suspend the infected website until the webmaster finished the cleanup by themselves.

Which is still how it should be done.

If someone takes control of their website and puts malicious stuff on there, GoDaddy being able to ask the customer “Hey, did you mean to do that?” and helping them roll it back is handy.

A lot of SQL injections are malicious ad scripts that will be named the same on each hack. It would be pretty easy to remove something like that as it passes back through GoDaddy's router. I would hope they notify the website owner because otherwise you wouldn't know that you have a problem.

Wordpress plugins get injected with crap all the time, same with joomla, pretty much any site running a super old php version with their CMS, etc.

> how to stop it

When faced with egregious business practices the best option is to switch company. What guarantees do we have that GoDaddy won't toggle the switch back at some point, or introduce other trackers?

There are plenty of website hosting solutions out there. While at it, switch your domain registrar to a reputable one like https://www.gandi.net/

Yep, and tons of others. And, it seems, they all require the feature to transfer providers. Consumers have the upper hand and should take advantage of it. I guess it requires awareness, though.

Gandi might be great for common domain suffixes, but their support for country-specific domains is poor, they just don't offer that many. If you're not in the U.S. it can be frustrating.

Name.com is good in that case.

This specific instance says a lot about how GoDaddy conducts their business. Enough to keep me away.

I think it's pretty unfortunate that even now, CSPs are getting so little love in the comments of a post where they would have easily prevented this script from being loaded at all, and could have helped the author discover the script the second it was added.

For the uninitiated, Content Security Policies (CSP) allow you to, among other things, define a whitelist of origins for things like scripts, CSS etc. and also notify you of violations. There is little excuse not to set a strong CSP on your sites if you can, and you'll be glad you have it once something does happen.

Then again, Vodafone Portugal was caught rewriting CSPs of all your visited pages to whitelist their own domain last year [0].

[0]: https://twitter.com/JackyHallyday/status/968263408003973121

Nothing can save you if you don't trust your hosting provider, or don't use HTTPS.

However, "was caught" is important :) The more noise they make the more likely they are to get caught.

> There is little excuse to not set a strong CSP on your sites

true, but

> if you can

IIRC that excludes every website with Google AdSense, and even just using a manual ad network always involves fiddling with your CSP.

> There is little excuse to not set a strong CSP on your sites

Can't use CSP if you want any ads on your page usually. If anyone here knows an ad provider that plays nice with CSP and pays okay then please do let me know, I'd love to securely monetize a few webapps of mine.

Anyone using either of those doesn't care about user security and privacy anyway.

How would a CSP have helped here? GoDaddy injects that additional script tag right into the HTML file it serves. No policy will help if the web server does not serve what you uploaded.

The browser wouldn't have loaded the linked JS file. This is exactly the attack that CSP is designed to thwart.

Then again, GoDaddy could just rewrite your headers.

That's not true. CSP can have a specific host/path for scripts and won't even run JS in the page without explicitly opting in to 'unsafe-inline'. It's an important prevention technique against XSS for pages showing user generated content.

My point is that if GoDaddy modifies the HTTP body, they could as well modify the CSP you send in the HTTP header. It is yet another stop-gap, but the real solution is to get a hoster you can trust.

You can also make this assignment throw:

    window.tcg = ...
And the script will do nothing.

Isn't the script injected inline in the HTML here? I have only a little experience with CSP, but wouldn't it only prevent loading external scripts?

CSP affects inline scripts as well. They are actually disallowed by default and must be explicitly whitelisted.
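An added example, not from any commenter in this thread, to make the CSP discussion above concrete: a small Node/JavaScript evaluator for the script-src directive that decides whether a given script element would run under a policy. The page URL, the policy string, and the hosts static.example.com and tracker.example.net are made-up placeholders. It models 'self', scheme sources, host sources with a leading wildcard, 'unsafe-inline' and the default-src fallback; nonces, hashes, ports and path matching are left out, so treat it as an illustration of the matching rules rather than a conformant implementation.

```javascript
'use strict';

// Parse a Content-Security-Policy header into { directiveName: [sourceExpressions] }.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Simplified check of one source expression against an absolute script URL.
// Models 'self', scheme sources (https:) and host sources with an optional
// scheme and leading wildcard (https://*.example.com). Ports and path parts
// of a host source are ignored to keep this short.
function sourceAllowsUrl(expr, scriptUrl, pageOrigin) {
  if (expr === "'self'") return scriptUrl.origin === pageOrigin;
  if (expr.startsWith("'")) return false;       // 'none', 'unsafe-inline', nonces, hashes never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return scriptUrl.protocol === expr.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(expr);
  if (!m) return false;
  const scheme = m[1];
  const host = m[2].toLowerCase();
  if (scheme && scriptUrl.protocol !== scheme.toLowerCase() + ':') return false;
  if (host.startsWith('*.')) {
    const suffix = host.slice(1);                 // "*.example.com" -> ".example.com"
    return scriptUrl.hostname.endsWith(suffix);
  }
  return scriptUrl.hostname === host;
}

// Would the browser execute this script element under the given policy?
// `script` is { inline: true } or { src: '...' }; a relative src is resolved
// against the page URL, exactly as the browser does before matching.
function scriptAllowed(cspHeader, pageUrl, script) {
  const csp = parseCsp(cspHeader);
  const sources = csp['script-src'] || csp['default-src'];
  if (!sources) return true;                    // no applicable directive: everything runs
  if (script.inline) return sources.includes("'unsafe-inline'"); // nonce/hash sources not modelled
  const pageOrigin = new URL(pageUrl).origin;
  const target = new URL(script.src, pageUrl);
  return sources.some((expr) => sourceAllowsUrl(expr, target, pageOrigin));
}

// Constructed scenario (placeholders, not from the thread): a site that serves
// only its own scripts, and the kinds of <script> an injector might add.
const PAGE_URL = 'https://www.example.com/index.html';
const STRICT_CSP =
  "default-src 'none'; script-src 'self' https://static.example.com; report-uri /csp-report";

function demo() {
  return {
    injectedInlineBlocked: !scriptAllowed(STRICT_CSP, PAGE_URL, { inline: true }),
    injectedExternalBlocked:
      !scriptAllowed(STRICT_CSP, PAGE_URL, { src: 'https://tracker.example.net/t.js' }),
    ownCdnAllowed: scriptAllowed(STRICT_CSP, PAGE_URL, { src: 'https://static.example.com/app.js' }),
    // 'self' matches anything from your own origin, so an injected script with a
    // relative src that the same host also serves would still run.
    relativeInjectedAllowed: scriptAllowed(STRICT_CSP, PAGE_URL, { src: '/tcc.js' }),
    // If the host rewrites the header as well as the body, the policy is no defence.
    rewrittenHeaderAllows: scriptAllowed(
      STRICT_CSP.replace("'self'", "'self' https://tracker.example.net"),
      PAGE_URL,
      { src: 'https://tracker.example.net/t.js' }),
  };
}
```

The last two cases are the caveats raised in the replies: 'self' is origin-based, so a relative src served by the same host passes, and a host that can rewrite the response body can rewrite the header too. Short of that, a blocked script with report-uri set still gets you a report, which is the alarm people are asking for.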

The document ($PAGE + $NEW_JS_SCRIPT) is a new, different work. I doubt the added Javascript is a large enough change to be considered "transformative" and worthy of a separate copyright. The new work isn't a fair use of the original work, because it doesn't meet the statutory requirements[1]: 1) it isn't a protected use (education, journalism, criticism, etc.), 2) the original work is usually creative and (patently) published, and 3) the entire original work was included. Since the Javascript was added without consent (or even any notification), we can assume GoDaddy hasn't negotiated with the original authors for a license to make derivative works.

Therefore this is probably a violation of copyright. Does anybody using GoDaddy for hosting want to sue GoDaddy? Statutory damages up[2] to $150,000 per work adds up fast.

[1] https://www.law.cornell.edu/uscode/text/17/107

[2] actual damage amount in copyright cases varies a lot - this is simply an upper limit

Sadly, I think they have their ass covered in their TOS, under "User Content Other Than User Submissions": "You hereby grant GoDaddy a worldwide, non-exclusive, royalty-free, sublicensable (through multiple tiers), and transferable license to use, reproduce, distribute, prepare derivative works of, combine with other works, display, and perform your User Content in connection with this Site, the Services and GoDaddy’s (and GoDaddy’s affiliates’) business(es), including without limitation for promoting and redistributing all or part of this Site in any media formats and through any media channels without restrictions of any kind and without payment or other consideration of any kind, or permission or notification, to you or any third party."

I'll admit I didn't look that closely though.

While you’re at it, why not sue for emotional distress? Or lost income for the time reading this instead of billing clients?

I’m all for GoDaddy being held responsible but advocating this kind of copyright abuse is as ridiculous as it is scary. Are we going to start suing CDNs for setting custom HTTP headers now?

You've presumably given GoDaddy a license to serve your content if you're hosting it on GoDaddy. It's probably all covered by some user agreement.

I think the important part is: Use a hosting provider you trust!

Why are you using godaddy in the first place? It's not like they aren't universally reviled for many good reasons. You deserve what you get for not educating yourself about what a terrible company they are and voting with your feet.

You might as well be complaining that you're surprised Larry Ellison isn't looking out for your best interests, David Miscavige tried to brainwash you, Donald Trump didn't tell you the truth, and Rick James ground his muddy cowboy boots all over your suede couch.


I don't think victims ever "deserve what they get". Yes, he's responsible for the outcome. But outfits like GoDaddy exist because they're good enough at advertising and PR to fool the novice. People can't be experts in everything.

Blame should stick to the bad actor, not the people they sucker.

> People can't be experts in everything.

But you don't have to be an expert to conduct a web search.

> Blame should stick to the bad actor, not the people they sucker.

I mostly agree with this, but I have a hard time not placing just a little blame on the people who don't engage in even the bare minimum of research.

>But you don't have to be an expert to conduct a web search.

And if you don't know how to conduct a web search, you shouldn't be building a web site.

>... placing just a little blame on the people who don't engage in even the bare minimum of research

And GoDaddy's uncritical customers tend to be the kind of people who are easily influenced instead of permanently repelled by the kind of commercials GoDaddy is infamous for running.



Habitual line-steppers, all.

> Yet all my pages were being served with the following <script> injected into them just before the closing </html> tag...

The free hosts I used many years ago would do something similar, with no way to opt out --- that is, until I figured out they were just detecting the '</html>' and inserting before it.

Combine that knowledge with the fact that the closing tag of the HTML element is optional, and you can guess what I did pretty easily. ;-)

I remember those times. They were beautiful. I could spend hours trying to search for the best free webhosting that included PHP, MySQL and phpMyAdmin, and didn't fill my website with popups or banners at the top/bottom of the webpage.

The good ol days :)

If you want valid HTML, and if they aren't parsing the DOM, then the following would likely work as well:




It’s valid to omit </html> (<html> too, for that matter).

The idea is to have the mangler see </html> and inject their garbage right above it--into a comment.

Unrelatedly, <html> is surprisingly hard to omit if you want to properly set the lang attribute.
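To show the mechanics being described, here is an added JavaScript example that is not from anyone in the thread: a naive injector that splices a payload in before the last </html>, run against three constructed pages. The payload host injector.example.net and the page contents are placeholders, and the injector itself is a guess at what such a mangler does, not anyone's real code.

```javascript
'use strict';

// A naive injector of the kind the comments describe: find the last "</html>"
// and splice the payload in right before it.
function injectBeforeHtmlClose(html, payload) {
  const idx = html.lastIndexOf('</html>');
  return idx === -1 ? html : html.slice(0, idx) + payload + html.slice(idx);
}

// A slightly smarter injector that anchors on "</body>" instead.
function injectBeforeBodyClose(html, payload) {
  const idx = html.lastIndexOf('</body>');
  return idx === -1 ? html : html.slice(0, idx) + payload + html.slice(idx);
}

// Count <script> tags a browser would actually execute: strip HTML comments
// first, since a script inside <!-- ... --> is inert.
function activeScriptCount(html) {
  const uncommented = html.replace(/<!--[\s\S]*?-->/g, '');
  return (uncommented.match(/<script\b/gi) || []).length;
}

// Constructed pages (placeholders, not from the article).
const PAYLOAD = "<script src='https://injector.example.net/t.js'></script>";
const NORMAL_PAGE = '<!doctype html><html><body><p>hi</p></body></html>';
// </html> omitted entirely: still valid HTML, and nothing for the injector to anchor on.
const NO_CLOSE_PAGE = '<!doctype html><html><body><p>hi</p></body>';
// </html> appears only inside a trailing comment: the payload lands inside the comment.
const DECOY_PAGE = '<!doctype html><html><body><p>hi</p></body><!-- </html> -->';

function demo() {
  return {
    normal: activeScriptCount(injectBeforeHtmlClose(NORMAL_PAGE, PAYLOAD)),            // 1
    omitted: activeScriptCount(injectBeforeHtmlClose(NO_CLOSE_PAGE, PAYLOAD)),         // 0
    decoy: activeScriptCount(injectBeforeHtmlClose(DECOY_PAGE, PAYLOAD)),              // 0
    decoyVsBodyAnchor: activeScriptCount(injectBeforeBodyClose(DECOY_PAGE, PAYLOAD)),  // 1
  };
}
```

The decoy only works against an injector that searches for the literal string; the body-anchored variant, or anything that parses the DOM, puts the payload into live markup. So this is a curiosity that happens to work against a particular lazy mangler, not a control.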

Any element can accept a `lang` attribute, though. You can put it on the `<body>` element, but it wouldn't be as "proper".


It's actually pretty easy to omit <body> (and <head>), so you don't gain anything from this anyway, either.

You can omit the closing tag.

Hmpf, didn't know that, thanks! Very strange, however.

Some hosts didn't even bother with this. I used a PHP host who ran another script after serving the hosted one, but if you used `die()` you could skip any other fluff they included.

Pretty much pure evil. But hey, it's GoDaddy, right?

There are at least three places where you can get injected, one is from the ISP (including phone company networks), one is from the hosting provider, and one is from add-ons in the browser.

One of the first Java applets I wrote (and you could easily do this in JS) did a hash over the document page and reported if the hash didn't match the one stored in the applet. These days you could throw up an otherwise invisible div that said "Page Tampered, please report to webmaster" (or you could even do that yourself with a lookup on your hosted side to a script that would log IP/browser etc.).

> These days you could throw up an otherwise invisible div that said "Page Tampered, please report to webmaster" (or you could even do that yourself with a lookup on your hosted side to a script that would log IP/browser etc.).

I've already encountered pages like that, they piss off everyone who uses adblocking/filtering so I would consider it an anti-user technique.

> There are at least three places where you can get injected, one is from the ISP

I'm not sure if they still do it, but Vodafone in my country (and many others) used to cache and compress photos on all websites, which often led to visible degradation in image quality. Luckily I discovered that their software respected the `Cache-Control: no-transform` header, so I include that header on all my websites now.

Vodafone did also inject custom js/html in non HTTPS pages (obviously). This was 2 years ago.

That's right. The js rewrote all image src attributes to point to the "optimised" photos they'd cached.

Are they sophisticated enough to modify CSP directives (in HTML or headers) to allow their scripts? If not that would be an easy solution.

Wouldn't it be better to just set up TLS terminated in a service you control?

Hey everyone, Krishna here, I’m on the hosting team here at GoDaddy. There are some excellent points in this thread. I wanted to give a little bit of background about GoDaddy’s use of Real User Metrics (RUM) and our plan regarding its use moving forward.

A little more than a year ago, we created a RUM javascript for our customers. The javascript is extremely lightweight and evaluates hosting performance only. We did this to create a better hosting environment for our customers. We rolled this out to a small subset of customers.

As the RUM proved very beneficial in optimizing our hosting platform for our customers, we decided to roll it out to a wider audience. That said, we clearly could have better communicated this program.

Based on all the feedback, we have decided to turn off the RUM javascript immediately and focus on designing the program so that customer participation is on an opt-in only basis. While the RUM data is beneficial in helping us improve our customers’ website performance, we regret that the implementation has upset many of our customers and we apologize for any inconvenience this has caused.

Narasimha Krishnakumar
VP of Product Management - Hosting
GoDaddy

If there is a chance this would break someone's website, why would you default this feature to being on?

Please Daddy, don't be so rough.

We are not perfect and should have thought through this more. We created the script to be as non-intrusive and lightweight as possible. The number of incidents we saw were so minimal, we kept moving. We’ve obviously learned a lot from this and it will be 100% opt-in when we reintroduce it later.

How to stop it: Use a different hosting service.

I thought that would be good enough, I went with WebFaction. But it seems they recently merged with GoDaddy, so even though I explicitly avoided them it turned out I didn't.

Who's a good alternative these days?

I'll mention FutureQuest. I've been with them for 20 years now. I'm certain they're not the cheapest, and I'm aware their website looks a decade or more out of date. But I've been extremely happy with them, they definitely wouldn't do something like GoDaddy did. They started as a small family business, and while they've grown a bit since then, many of the staff are still there. My occasional customer support emails still get answered by familiar names.

Since they're not the cheapest, I throw my experimental projects up on DreamHost, but my mission critical stuff is on FutureQuest.


I just can't take them seriously with that website.

Hover, Gandi, Namecheap, AWS, Google, Cloudflare.

There are many decent alternatives. From the above, I have used all but Google and Cloudflare. My experience has been pleasant with all that I have used.

I've been very happy with Google's registrar service... the only down side is you cannot bulk edit contacts. The couple times I've needed support they've been available within a couple minutes (once by phone, twice in browser chat). Not like any other Google support issue. Some prices are a little more than GoDaddy, others a little less, that part was pretty much a wash.

The biggest advantage of Google's registrar service is there's no upsell, at least not that I noticed. They do offer some integrated service options. The included Google DNS hosting and mail forwarding services are great imho. It could use some slight improvements in UI/UX, but still better than any other registrar I've tried by a large margin.

Mileage may vary, of course, but I really do like the service overall. I'm not affiliated with Google, don't always like everything they do, and do have some reservations about them as a company. That said, imho the best registrar option available.

Lol. Every company you listed gets blasted all the time here on HN.

I normally don't like quotes but I think the Batman one fits well here with how people perceive companies: 'You either die a hero, or you live long enough to see yourself become the villain.'

I moved to WebFaction just to get away from GoDaddy a couple of years back and recently got an email that WebFaction is merging with GoDaddy.

Time to move away from webfaction now.

Hetzner (in EU).

Note that unless you have a premium account, others will be able to create sub-domains on your domain [1].

[1] http://freedns.afraid.org/faq/#14

Yep, this is some kind of weird _feature_ in it. You can pay $5 to get "stealth" domains that others cannot register sub domains of.

It seems that from the start the point was to share novelty domains, i.e. letting other people make subdomains off your domain is the point, and the rest of it kind of grew out from there.

I've put a couple domains on there expressly for that purpose... they also support dyndns options which makes it nice for home server networks.

I do wish that Let's Encrypt would work with them to whitelist all the domains on freedns.

Ah, did not know that. Thanks.

I can highly recommend them.

Josh, the webmaster at freedns, is a really great guy, and they are very much into the golden rule philosophy. Note also that it is trivial to change subdomains, and you can make your parent domain public or private.

Their marketing is effective at convincing small business owners they're one of the best choices for hosting. That's pretty much the whole reason they're so successful.

This has convinced me to take precautions. I am adding some logic to my site that if there are more than two script tags (I only have 2) replace body content with error text and send an xhr notification back to the server so that the server will know their pages are compromised

It’s as simple as document.getElementsByTagName("script").length


Here is my tested more sane approach: https://gist.github.com/prettydiff/f9f85fffb00a903ecd3f2cfe0...

I do not have an xhr notification in place in the gist, because I have not written a service to receive it yet.

You could do this much easier and better with a Content-Security-Policy. Whitelist the things you want to allow, and set a report-uri to get notified of any CSP violations.

CSP won't help you if you authorize scripts with a source of 'self' or if the malicious script contains a relative "src" attribute.

This approach has the added benefit of letting you know that malicious things are happening.

CSP has report options.

What about those plugins that the user chose and add a script tag? While they should be becoming less common (since I read it's a bad practice), they are still out there.

Did you consider a "silent alarm", that only phones home without displaying an error?

No. Perhaps the most important part of this is keeping the user informed.

What do you think most users would (and should) do if they were told your hosting provider was injecting scripts into the page? Stop using your site?

Hopefully. The alternative (silently alert and hope I pick up the phone) might not be so bad for users if a hosting provider is running analytics or ads, but from a detect-and-alert perspective it's pretty hard to tell the difference between a scummy-hosting-provider script and a credential-scraping bonafide hack. Many people (or robots) who install the latter aren't smart enough to defeat alerting measures, so it's a big benefit if those measures warn the users directly.

Your question is the difference between marketing and craftsmanship. Are you primarily proud of your product or trying to increase your traffic?

I have created a gist with a "beautified" version of the script they inject.


I remember when I first bought a domain from them. I guess I fell for the marketing witchcraft; they advertised the domain for a lower price than what I ultimately paid. Once I heard about Namecheap I went there and never looked back. My other problem was that their domain management interface was soooo slooooow, it got to me. This was in about 2008, but I'd rather not fall for their overpriced domains.

Edit: My other pet peeve was that they supported SOPA when that whole mess was ongoing. I can't trust them at all since.

GoDaddy convert here - Google Domains has worked out fine for me for the past few years.

Second Google Domains; I use it for my website because they are cheap, no-frills, and have never tried to upsell me on anything. Sure, it's Google, so it might shut down tomorrow, but the domain registration market is large enough that I could probably just move.

You shouldn't trust Namecheap either. Just because nothing happened to your domain doesn't mean that when it does, Namecheap will help. I had numerous issues over the years, including someone being a real jerk over their chat who, just because of their rudeness and knowing my email and full name, was able to take over my account.

Namecheap is not the cheapest either (NameSilo).


We've used Namecheap for 7 years and have had no problems you mention at all and, needing tech help from them only twice, found them extremely helpful and friendly.

I've been very happy with Namecheap. I moved all my domains to them the year that GoDaddy did some bad shit (off the top of my head, they supported SOPA and the CEO Bob Parsons slaughtered an elephant in Zimbabwe for sport).

Well, Namecheap is not much better... they are a US corporation but the CEO is fine with hiring people wherever the cheapest labor is to serve American customers.

Besides, he sounds super unprofessional to me; 7 months ago he was sparring with me because he chose to be blind to who is the #2 top registrar [1]. He's supposed to know this shit as a CEO, no?

Here is another nightmarish story: https://news.ycombinator.com/item?id=18206464

At some point they deleted someone's 75 domains without any warning or support to resolve the issue.

[1] https://news.ycombinator.com/threads?id=NamecheapCEO

A happy NameSilo user and a former NameCheap user here. NameSilo is awesome!

Their UI will remind you of 2012 but it's functional and has all features you'd expect to be there.

A website that hasn't been gratuitously redesigned since 2010 is almost a positive sign for a registrar, especially if you only want them to shuffle around paperwork and not manage day-to-day technical aspects of the domain.

Wow, 2012? More like mid-2000's websites, I kind of like how nostalgic it looks.

Since people are recommending alternatives, take a look at Netlify. It's my new favorite thing.

For me GoDaddy is like a client test. If they are using something else for hosting, plus one point to them. If they use GoDaddy for hosting, minus ten points. If you can't convince them to move away from GoDaddy, you probably want to replace that client if possible with a more reasonable or less cheapskate one.

Also I believe that https would prevent injections.

Netlify is a static site host; it's more like GitHub Pages than GoDaddy hosting.

> Also I believe that https would prevent injections.

Depends where it happens. On shared web hosting, they control SSL termination and everything behind it.

Nobody should ever use godaddy for a domain registrar or hosting services. Ever inherited a domain that was with them, and had to renew it? The sheer amount of unsolicited add-on offers you have to reject before successfully completing a payment for domain renewal is ridiculous.

There's a reason why companies like namecheap which market themselves on "no bullshit" registrar services are popular these days.

Namecheap has been great, I've also had good luck with Gandi.

I've been buying exclusively from Domai.nr for the last five years now, and I only ever login to buy a new one, or change payment details--which ends up with me rarely having to login. Years ago when I was with GoDaddy and starting my time on the web, it was daily, I knew some of their support people by voice.

As far as "no bullshit" registrars, Domai.nr has been short of incredible.

Thought I'd share the option if anyone is looking to migrate and at least wants options on the table to think about, along with namecheap.

Sigh. It’s crap like this that will eventually force me to leave WebFaction (that GoDaddy acquired), after a decade of excellent service. I never touched GoDaddy, but it looks like the plague comes to you these days.

This. WebFaction, in my eyes, is as good as shared hosting can get. Built an entire company on top of its robustness & trustworthiness. I was beyond dismayed when I heard the news of the acquisition (sorry, "partnership") and every time the GoDaddy integration is mentioned I go surveying the alternatives.

I'm in the same boat. Have you found any decent replacement for WebFaction?

Not really - the market has moved on to PaaS, a reliable shared-hosting-cum-shell with a Python slant is not easy to come by.

I’ll probably go with an OpenBSD vps somewhere, praying not to get hacked, plus Heroku for when I really can’t be arsed to look after a service. Quite a pain in the ass, though. At least my domains are already on Gandi...

Gandi is my go to alternative.


Mine as well. Only major registrar with U2F. They seem to take security very seriously.

>Only major registrar with U2F

I recently went looking for a registrar and one of the must-haves was U2F. Only Amazon and Google had it. Didn't know that Gandi has it as well. Good to know!

PS: I was disappointed that Cloudflare still doesn't have U2F support, yet they are a part of critical infrastructure for much of the web. We ended up not using them because of that.

I've had good luck with Gandi in the past for SSL certificates, and their U2F support makes me inclined to choose them as my new registrar.

On the other hand, I've heard less than great things about Gandi's reliability and support lately. If you've had to contact their support team, what's your experience been like?

I've never had to contact support, which might be a good thing. Although I did leave them for a while and am in the process of moving my domains to them.

Namecheap is supposed to be getting it soon: https://www.namecheap.com/blog/true-totp-2fa-and-u2f-are-com...

Hover has U2F.

Also Google Domains https://domains.google and soon Cloudflare Registrar: https://www.cloudflare.com/products/registrar/

Seconding Gandi. Their (old?) slogan, though surprisingly sweary, is accurate.

Still seems to be the case:


The JS file creates cookies, which would break GDPR I am guessing.

The GDPR lets you set as many cookies as you want. They are mostly an irrelevant implementation detail.

The GDPR will however care that your traffic passes through GoDaddy, no matter if they set cookies or not. To be more precise, the GDPR will consider GoDaddy a processor of your data and you as a controller will need a proof from all your processors that they process data in a GDPR compliant way.

In practice, most European web hosting companies set up a web page somewhere that gives you this proof, and will, for a small payment, give you a signed, printed copy of this page. For most small to medium sites, either option will do.

While this seems pretty terrible in general, the GDPR is generally irrelevant. A large number of websites will never need to even think about GDPR. If anything there is an overreaction in complying with a law that will never be applicable.

GDPR matters to the EU. It doesn't apply elsewhere.

It matters to EU citizens. We are everywhere.

I'm sure it matters to you, but as a rule it doesn't apply to you if you reside outside the EEA.

It applies to "an enterprise established in the EEA or—regardless of its location and the data subjects' citizenship—that is processing the personal information of data subjects inside the EEA" (emphasis mine, text from Wikipedia)

This is the actual text of Article 3 of the Directive. Check point 2. It applies to (for example) an e-commerce in the USA if selling to somebody in the EU or to a USA company doing behavioral tracking if tracking somebody in the EU. In both cases, even if they are not EU citizens. Only the location matters.

Territorial scope

1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

Sure, they're trying to broaden the scope as far as they can. But is it enforceable outside the EEA? I'd love to see a U.S. court do anything but throw out a GDPR case or a European court's ruling based on the GDPR.

Why do you think the EU would use US courts to enforce EU law?

The EU would use EU courts to enforce EU law. This might mean that non-compliant websites are blocked, via court orders to ISPs, in the EU.

This already happens with some piracy sites. The blocking is inconsistent and easily circumvented.

US citizens fall under US tax law no matter where they are on this planet. Also, thanks to France, the sun never sets in the EU.

GDPR applies to any company with a significant presence in the EU. I think it's hard to believe GoDaddy doesn't. They sell a large number of domains with EU-based TLDs. They've even bought EU-based hosting companies.

GDPR doesn't apply to companies that only have a tiny portion of EU customers. Good examples would be: small local news, US only shops. (K-Mart, gun shops, etc)

GDPR being an EU law doesn't matter so much when there are so many treaties allowing fines to be forced. This means not being in the EU just makes it more expensive to deal with.

All interactions I’ve had with godaddy have been terrible.

> …and how to stop it

by not using GoDaddy.

I mean sure, it’s fixable, but this shouldn’t be a norm (for a paid service)!

I'm guessing this is some shared hosting solution where you don't have a lot of control or ability to add things like LetsEncrypt (but I'm sure GoDaddy will sell you their SSL offerings).

I noticed some of my sites getting Vodaphone banners when using Ireland/UK sim cards and realize they were injecting crap into my site. That really helped me make the push to use LetsEncrypt on everything.

I realize that 3rd party Wi-Fi/ISPs injecting code is a slightly different issue that the one in the article, but the solution is running SSL everywhere. If you need to login to a captive portal that redirects, there's always neverssl.com

> If you need to login to a captive portal that redirects, there's always neverssl.com

There's also:


(which is easier at least for me to remember for some reason)

example.com responds on http, and since it's reserved by IANA I more or less trust it to not serve malware, so I always just use that.

I’ve followed HN for around 10 years now but even basic stuff like this can come across as jazz to me. Funny thing is I understand jazz at a professional level. I feel foolish because I use godaddy, because they have good customer service and their interface is easy to understand but as a HN lurker I want to have good web etiquette. I’m going to see about turning this feature off in the way the author describes but what can I do to stay clear of the Kenny Gs of tech? Full disclaimer I have nothing against Kenny G, and even respect him, just one of those jazz expressions...

Companies that do this kind of garbage don't deserve your dollars. It's not enough to apologise after the fact, or offer opt-out, or any other half measures. I'm moving my domains over to someone else this week because of this.

You shouldn't use godaddy unless you support exterminating elephants.


Not surprising given GoDaddy's long history of malpractice and terrible behavior.

"Oh, but we've changed" they said... Glad I ran away from anything they touched since they acquired Media Temple.

GoDaddy: the SourceForge of web hosting.

^^^ This is a very appropriate analogy.

Who ever thought a registrar would be more awful than circa-1999 NetSol?

Apparently my ISP (Cox) injects stuff as well? I've never seen this message before, but just now stumbled on it for the first time -- have been with them for 5+ years now, first time I've seen this message though.


Aside from the cap topic, it's outrageous to me that they find it OK to alter/inject into HTTP responses like this. Send me an email, sure -- but to alter responses?!

This is an issue with many, especially mobile, carriers... the key is to use HTTPS everywhere, and send issues/requests to sites not HTTPS to switch. Let's Encrypt removes the last reason why a site shouldn't be all HTTPS.

Note: fixing redirect rules for logins on some sites is a significant PITA, but should be adjusted accordingly by now anyway.

Just to be clear, this is a different kind of injection. Yours is at the visitor end (the ISP modifies the page while delivering it) while the original is at the server end (GoDaddy modifies the page while serving it).

Enabling HTTPS only should stop this right?

Or are they able to inject it even then since they are the hosting provider?

No and yes.

Are you sure they have full access to your TLS certificates? Or can't you bring your own in this case?

They host the website thus they can inject anything anywhere in the body before https kicks in.

It depends how the code is being injected. If they’re using an output filter on the web server, they could do it before the encryption stage.

See http://nginx.org/en/docs/http/ngx_http_sub_module.html & https://httpd.apache.org/docs/2.4/filter.html
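As an added illustration (not code from this thread, from GoDaddy, or from nginx/Apache), here is a small Python check a site owner can run to see whether a host is rewriting pages before they reach TLS: compare the HTML you uploaded with the HTML the server actually returns and flag every script element you did not author. The sample pages and the hostnames cdn.example.com and injected.example.net are constructed for the example.

```python
"""Flag <script> elements a host serves that the site owner never wrote.

Added example for this discussion; the sample HTML and hostnames below are
constructed, not taken from any real hosting provider's output.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collect every <script> element as a (src, inline_body) pair."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._src = None   # src attribute of the script currently open
        self._buf = None   # inline body of the script currently open

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        # HTMLParser treats script content as CDATA, so the body arrives here.
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append((self._src, "".join(self._buf).strip()))
            self._src = None
            self._buf = None


def collect_scripts(html):
    """Return [(src, inline_body), ...] for every script element in html."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def find_injected_scripts(authored_html, served_html, allowed_hosts):
    """Return scripts present in served_html but absent from authored_html.

    A script is reported when the owner did not write it and it is either an
    inline block or loaded from a host outside allowed_hosts.  Scripts that
    match the authored page exactly are never reported.
    """
    authored = set(collect_scripts(authored_html))
    injected = []
    for src, body in collect_scripts(served_html):
        if (src, body) in authored:
            continue
        host = urlparse(src).hostname if src else None
        if host is None or host not in allowed_hosts:
            injected.append({"src": src, "host": host, "inline": body[:60]})
    return injected


# Constructed sample: the page as the owner uploaded it.
AUTHORED = """<html><head>
<script src="https://cdn.example.com/app.js"></script>
<script>console.log("hello")</script>
</head><body><p>Site</p></body></html>"""

# Constructed sample: the same page with a provider-style inline tracker and
# an external loader prepended by an output filter (hostname is made up).
SERVED = """<html><head>
<script>'undefined'=== typeof _trk || (window._trk = []); // Monitoring performance</script><script src='https://injected.example.net/tcc/tcc_l.combined.1.0.6.min.js'></script>
<script src="https://cdn.example.com/app.js"></script>
<script>console.log("hello")</script>
</head><body><p>Site</p></body></html>"""

# Hosts the owner deliberately loads scripts from.
ALLOWED = {"cdn.example.com"}

if __name__ == "__main__":
    for hit in find_injected_scripts(AUTHORED, SERVED, ALLOWED):
        print("injected:", hit)
```

Run it against the HTML fetched over HTTPS from the live site (for example with `curl -s https://your-site/`) rather than over plain HTTP, so that any on-path ISP rewriting is excluded and whatever remains can only have been added on the server side.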

I see a lot of mentions of Namecheap in these comments, but I recently discovered another option on tld-list[1]: Porkbun[2]. I don't need much out of a registrar, so price is the main consideration, and Porkbun's renewal prices are significantly cheaper ($8.70 for a .com, versus $13.16 on Namecheap).

I would consider using Cloudflare's new at-cost registrar service[3] for everything, but they don't allow you to use non-Cloudflare nameservers.

I've also experienced strange issues with logging in to Namecheap. From what I remember, I kept getting a server error message. Sometimes it happened after submitting my password, and sometimes it happened after submitting my 2FA code. Customer support couldn't help, and the issue went away the next day.

[1]: https://tld-list.com

[2]: https://porkbun.com

[3]: https://www.cloudflare.com/products/registrar/

It is kind of sad how every single web-based technology is turned against us. I shudder to think what they will be able to do with Web Assembly.

The best way to stop it is to stop using GoDaddy. About 10 years ago.

How this company is still in business is beyond me. Maybe their clients are less savvy (non-HN-frequenting) site owners.

I think that's exactly their target market.

I originally built a service to detect exactly this kind of large-scale injection of content and similar occurrences (e.g. library prevalence etc). This is a perfect example of how to find the GoDaddy injected content: https://urlscan.io/search/#%22tcc_l.combined.1.0.6.min.js%22

Another provider I found doing something similar is 000WebHost: https://urlscan.io/search/#filename%3A000webhost They "just" inject a footer with an image and a link to their service though. Not sure how common this is in the low-cost hosting space.

000webhost also had their database leaked with plain text passwords.

GoDaddy has always been horrible.
