Yet Another Reason Not to Use GoDaddy
Update: It seems GoDaddy fixed this issue. Glad they fixed it, though I still can’t say I recommend them. Thanks Sean for pointing that out to me.
I recently gave a talk on WordPress plugins at the Boston WordPress Meetup (slides are online on their meetup.com page). During this talk the question came up of which webhost to use. Everyone has their own recommendation of webhost, but the one host that was universally panned is GoDaddy.
I’ve long since moved on from shared webhosts on to VPSes (I’ve been using VPSLink since they started. Use this link to get 10% off for life and snag me a nice referral bonus 
), but GoDaddy was my first web host, and since then I have heard nothing but terrible things about their marketing practices, upsells, and other sketchiness. But they will show you videos of women taking their clothes off on their website, which is great if you’re into that sort of stuff, but not what I need from a webhost.
But until recently I never discovered anything actually wrong with their hosting service…it worked, and while it was cheap, they at least delivered what you paid for (though granted, you’re not paying or getting a lot). Yesterday, while looking through some code for a GoDaddy site, I discovered something painfully bad with their service that makes them a terrible idea for any ecommerce site.
It seems GoDaddy doesn’t allow outgoing connections from their shared hosting packages. So, for example, you can’t connect to authorize.net or paypal.com from your server. How do they recommend you accept payments? Send it through some unsecured proxy they have.
That’s right, GoDaddy is actually telling people to send credit card information to another server in unsecured plaintext. They then forward it along and send you the response. There are 2 things wrong with this.
- Man in the middle attacks up the wazoo. Not only can someone possible get in between the proxy and your server, but who knows whether or not the proxy requires valid certificates. If not then the entire workflow is vulnerable.
- There’s a now a single point of failure for all of that hosting. If that server is compromised, all those sites get compromised too. This is a huge risk.
If I were issuing merchant accounts and knew about this, I wouldn’t accept accounts from anyone hosted with GoDaddy. There are very few reasons for GoDaddy to be doing this. The only one I can think of is preventing the spread of website worms that use holes in website scripts. This is a pretty lame reason to lock websites into their own box, and there are much better ways to stop this.
View Brian Krausz's profile
I actually just finished work on an Authorize.net integrated site that’s (not my decision) hosted by GoDaddy. I didn’t have to do any crazy stuff to make it work, either — it Just Worked with the URL Authorize.net gave me.
Mind you, I’m on one of their Windows hosting packages. Perhaps they only restrict their Linux packages; I dunno.
@Cap’n Refsmmat: Do you have a standard hosting account, or some kind of special add-on. I find this unacceptable for any level of hosting, since it encourages an insecure practice.
I’ve never liked GoDaddy (website feels horribly cluttered) but I too find it unacceptable for them to encourage such insecure practices. I’m going to tweet about this both my twitter accounts and hope I reach at least a few people.
Thanks for bringing this up.
You can connect to outside servers with their shared hosting. You just have to use their proxy server to do it: http://proxy.shr.secureserver.net:3128
If you’re using cURL with PHP this code should do it:
curl_setopt($ch, CURLOPT_HTTPPROXYTUNNEL, 1);
curl_setopt($ch, CURLOPT_PROXYTYPE, CURLPROXY_HTTP);
curl_setopt($ch, CURLOPT_PROXY, ‘http://proxy.shr.secureserver.net:3128′);
@John Conde: That’s what I said, they provide a proxy to use, but it’s not HTTPS between you and them, we know nothing about their proxy implementation, and it’s a single point of security failure.
I’m not sure what the problem you had was, but this is from their help center.
http://help.godaddy.com/article/4764
Proxy servers are not required for outbound shared hosting connections as of September 10, 2008. Although it will continue to function after this date, we recommend code utilizing proxy servers be updated to reflect this change.
The other problem is that to my knowledge godaddy doesnt have cPanel access or SSH root access? Or am I expecting too much with a shared hosting package and these are available only on dedicated hosting? But I remember seeing something like a cPanel when using hostgator.
Thanks Brian! I have recently been looking into starting a clickbank, adsense, etc. account. I have bought domains from GoDaddy in the past but never hosted with them. You just saved me from trying their hosting services. Thank You!
Thanks for the update. I’ll check out your link for hosting services http://vpslink.com/?ref=D2NF81