Hosting Provider Automatically Fixes Vulnerabilities In Customers' Websites
An anonymous reader writes "Dutch hosting provider Antagonist announced their in-house developed technology that automatically detects and fixes vulnerabilities in their customers' websites. The service is aimed at popular software such as WordPress, Drupal and Joomla. 'As soon as a vulnerability is detected, we inform the customer. We also explain how the customer can resolve the issue. In case the customer does not respond to our first notice within the next two weeks, we automatically patch the vulnerability.' Antagonist plans to license the technology to other hosting providers as well."
Why not fix it immediately? (Score:4, Insightful)
In two weeks it might be too late.
Re:Liability (Score:5, Insightful)
They probably claim no such thing as having patched all WP vulnerabilities. Also, keep in mind that culture in the Netherlands is really not to sue people for any minor thing (and if there was a lawsuit, damages awarded would be quite proportional, and costs are lower than in some other countries).
Re:Thanks for your help (Score:5, Insightful)
At this point, if you want control over your site you can easily run some kind of VPS. If you use shared hosting, do you really want to share your server with a bunch of vastly outdated Joomla and WordPress sites? This constitutes the majority of sites on your average shared hosting provider... leading to potential escalations to other sites (not always true, but it's possible), being used to host or send spam, leading to blacklisting of the server on spam lists etc.
Re:Why not fix it immediately? (Score:4, Insightful)
So, if you're running WordPress or a popular message board (e.g. phpBB, vBulletin, whatever, take your pick) and the developer releases a general security update that applies to everyone, you'd be fine with your host disabling essentially your entire site until you fixed it? And if you're on vacation for a week or two when it happens? What then? I rather like the fact that the stuff I run can essentially sustain itself in my absence.
I might be okay with it if it was in the terms of service and the customer had been given fair warning that their site would be disabled if they didn't take action (though I'd never host with them). I may also be okay with it in cases where a vulnerability is actively being exploited and it's causing some form of harm to the host. But to pro-actively disable "vulnerable files" which may be necessary to the functioning of a site without first providing notice is not something that I could condone. I'm still undecided on even having them apply their own fixes, to be honest.