Last week we touched on a continued lie from the makers of the Wordfence Security plugin and mentioned the general problem of lying within the security industry. Not every lie involving the security industry involves something that is said, it can also be something not said.
As an example take what we noticed in a recent post by the web security company Sucuri promoting their partnership program for web hosts. What they neglect to mention despite being rather important, as we will get to, is that they are in fact owned by the web hosting company GoDaddy.
But before we get to that, the whole post is cringe worthy if you have followed our posts on the web security company SiteLock, whose business seems to largely built around partnerships with web hosts. Many of those web hosts are run by the majority owners of SiteLock, which might have given GoDaddy the idea to move from a partnership with SiteLock to do the same on their own.
At one of point in the Sucuri’s post they write the following:
We have found that doing active scans of your user base’s websites on a continual basis and doing outreach to help them better understand their security status is helpful in educating customers all while helping gain a better understanding of the overall health of accounts in the environment.
In the case of SiteLock, because SiteLock’s scanner isn’t very good that sort of thing has led to lots of people falsely being told that their websites have been hacked and then offered overpriced services to fix the non-issues. Sucuri’s scanner has also been bad for years, the most recent example of that we documented involved them claiming that Washington Post’s website contained malware. We noticed that while looking into a situation where someone was contacted by their web host with Sucuri’s results falsely claiming that their website hacked, much like they had falsely, but hilariously, claimed of ours not too long ago.
Elsewhere in Sucuri’s post they write:
They want a site that is fully secure and stays that way. From our experience, they don’t care about, or understand ambiguous services and up-sells. If it gets hacked, they want someone else to deal with it now, at an affordable cost. Once cleaned, they don’t want to be hacked ever again.
That isn’t what you are get with Sucuri, if one person that came to us after having Sucuri failed to take care of a credit card compromise on their website. Not only did Sucuri fail to detect an easy spot piece of malicious code, but kept telling them the website was clean despite the person telling Sucuri that credit cards were still being comprised on the website.
That ties in with something in the post:
A good website security provider also requires a customer-first approach that prioritizes time to resolution with respect to each customer’s level of technical ability. As an example, Sucuri is recommended by web professionals for our commitment to providing users with cutting-edge technology and excellent customer service.
Clearly the customer service was terrible in that situation. But the other striking element of this is that we were able to identify the issue without using any “cutting-edge technology”. Also, when it comes to security services, web professional are not necessarily who you would want a recommendation from, since they don’t necessarily have a good idea about security. Certainly any of them recommending Sucuri, based on what we have seen, would be someone that shouldn’t be providing that type of recommendation.
If what another recent example of poor security from Sucuri and GoDaddy take this recent example of Sucuri’s web application firewall (WAF) being bypassed by simply encoding a character as reported by ZDNet. That is an indication that the product is rather poor at what it is supposed to be doing, which isn’t surprising based on everything we have seen from this company (they don’t even seem to understand security basics). This also looks like another situation where they are not being honest, as the article states that:
For its part, GoDaddy said it patched the bug within a day of the security researcher’s private disclosure to the company.
But a quote from the company neglects to mention that it was fixed after they were notified of the issue
“In reviewing this situation, it appears someone was able to find a vulnerable website and manipulate their requests to temporarily bypass our WAF,” said Daniel Cid, GoDaddy’s vice-president of engineering.
“Within less than a day, our systems were able to pick up this attempt and put a stop to it,” he said.
What isn’t mentioned anywhere in the post is that SiteLock is owned by GoDaddy and therefore web host partnering are really partnering with a competitor and possible providing them with sensitive information.
That also isn’t mention on the linked to Sucuri Partner Program page.
What is mentioned there is that this is way for web hosts to make a lot of money:
As we have seen with SiteLock, that doesn’t lead to good things.
You also won’t find mention of the ownership on the about page on Sucuri’s website which states:
Sucuri, Inc. is a Delaware Corporation, with a globally-
distributed team spread over a dozen countries around
Beyond the fact that web hosts might not want to be partnering with a competitor in this way, there is the issue that GoDaddy has a bad reputation when it comes to security.
One element of that is obliquely mentioned in the Sucuri post when the write:
For example, cross-contamination over multiple shared hosting accounts used to be a major problem for large website hosting providers, but this isn’t really a huge threat today.
One such provider that happened with was GoDaddy, which had ignored attempts by people we were helping to deal those hacks, to get them to do something about it before it became a major issue. GoDaddy then made ever changing claims as to the source of, but notable didn’t blame themselves.
In more recent times there have been issues with them distributing outdated and insecure software to their customers, using outdated and insecure software on their servers, being unable to properly control FTP access to websites, not providing a basic security feature with their managed WordPress hosting, and worst of all, screwing up the security of databases that lead to website that otherwise would not have been hacked, being hacked.
It isn’t really surprising with that type of track record that they would have bought a security company that inadvertently made a good case that you should avoid them. But that all would be a good reason why other web hosts would probably want to avoid getting involved in this if they truly care about their customers and that might be why it goes unmentioned.