No security awareness on HostPapa

I recently moved and consolidated the web presence (photos, blog, etc), see this blog entry, to Up till a few days ago they provided sftp, that is secure ftp upload options. This has been cancelled now, and that means at the current moment there is no way to upload stuff to their servers without using a browser. All that is provided is plain, unencrypted, ftp.

This is technology and security attitude from the last century. I fully doubt that the whole company has any security awareness or concern at all. Thus, here is a big WARNING: Do not use HostPapa if you want even a basic level of security.

As a consequence, although it will hurt and take time, I will have to move again. I am currently considering, as it also provides compensation for energy usage. The negative point is that they are situated in the US.

A short comparison (should have done that earlier, I know):

HostPapa GreenGeeks
IMAPS/POPS Yes with private IP Yes (private IP needed?)
ssh access No Yes


Well, I will keep you posted on how it goes.

10 Responses

  1. foolonthehill says:

    Finally, someone else who seems to have been caught unawares by this!

    I have been in a long (30+ messages) discussion with HostPapa support about (S)FTP(S) over the past couple of weeks. Like you, I suddently noticed my SFTP sync was failing, so contacted support.

    Eventually, I discovered that they have blocked port 22 because of the SSHD Rootkit that has been discovered on some cPanel servers. This was *after* cPanel announced that the attack source was one of their compromised support machines (though, to be fair, blocking 22 is still relevant for machines already infected). They have given no timescale for re-enabling SFTP.

    However, they also support, and recommend, FTPES (ie FTP with Explicit SSL), which they assure me is working, despite the fact that the 4 unfirewalled clients I used (on different networks) have never successfully connected! They insist it is a problem with my client – if you have better success, I’d be delighted to hear.

    • Thanks for the helpful comment, I’ll try out ftpes. Though, I’ll probably move to a provider with ssh (and thus in most cases rsync) support.

      • foolonthehill says:

        Agreed – SFTP is considerably easier to deal with (ports/SSL certificates/etc), particularly with syncing to a local folder. Though if I _can_ get FTPS working, then lftp provides a ‘mirror’ command which has similar functionality to rsync (as I understand it).

        In fact, did you manage to use rsync previously? I thought rsync required an SSH shell, ie “FTP over SSH”, rather than “SSH FTP”. As HostPapa have never provided shell access to their servers, I assumed that rsync would have been any use?

        • I have now tried to get ftp(e)s working, the status is a pain:

          • lftp breaks at gnu-tls handshake (I hate gnu-tls, it is so broken compared to openssl)
          • ftp(-ssl):
            • ftp without ssl works both in active and passive mode, no problem
            • ftp with ssl connects properly, but:
              • with active mode tells me: I won’t open a connection to (only to NN.NN.NN.NN)
                (where NN.NN.NN.NN is my external ip)
              • with passive mode it times out

          Bottom line:

          • normal ftp works
          • secure ftp does not work, probably due to some port blocking at the hostpapa side

          Concerning rsync: no, that doesn’t work, of course. I used sitecopy to send my stuff up and keep in sync, but it requires me *not* to make any changes manually on the server, otherwise it looses the sync.

  2. foolonthehill says:

    After two weeks of “support” messages, HostPapa have now changed their mind. I got this message last night (despite them recommending the use FTPS in their Knowledgebase):

    “FTP over SSL/TLS wont be supported on our servers.”

    Previously, I was told:
    “We do not provide with SFTP at HostPapa anymore.”

    So I think leaving (and encouraging others to do so) is the best option at this stage. I simply do not understand how a webhost can not offer a secure form of upload.

    Good luck with

  3. gluepack says:

    I moved to them in September after a problem with support staff at Bravenet (at least the hosting was ok). I have had no (well, minimal) problems since but I have a weather station and feed data to my site every minute. Suddenly their FTP server stopped enabling access to my directory at between 02:00 and 03:00 UTC on 6th December. They have done nothing since to resolve the problem, despite an exchange of emails. I’m now at 60 hours lost data and the last communication from them was 6 hrs ago when they asked for permission to reset the CPanel password so they could check it. Now I know how to switch hosts, the next time should be easier, hopefully.

    • Hi gluepack,
      Since I have moved to greengeeks I have nothing to complain about. The only thing that I am missing is the chance to run a git server there …

  4. Doug says:

    HostPapa are now supporting SFTP. I am using it as we speak. I checked before I recently moved from GoDaddy.

    • Hi Doug,
      that is good to hear in the light of NSA etc, but as I said, it was working before, too, until from one second to the other it was turned off, without notification.

      That is, as long as they do no advertise and guarantee sftp access, the are out of discussion for me.

      Furthermore, now with greengeeks where I am at the moment, I have full ssh access, which means I can run rsync or unison, something that is soooo much more easy to handle then sftp.

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>