Security and Encryption

We take security seriously and if you have used other web-hosting services you may be slightly surprised at some of the lengths that we go to in order to maintain security. This page explains what steps we take, and why we bother.

Network Security

You may not be aware of just how easy it is to intercept and read information that you send over the internet. By default there is no encryption whatsoever of data on the internet. Anyone who has access to the computers between you and the server that you are connecting to can read everything that you send and everything that you receive. If you are simply browsing the web, and you aren't concerned about privacy, this is not a problem. If you are sending or receiving sensitive data such as credit card details or passwords for your accounts then this is definitely a problem. The solution here is to encrypt sensitive data before it is sent over the internet.

"But I don't have anything of value in my account!"

A common reason why people don't worry about the security of their account is because they believe that there is nothing of value in their account, therefore nobody would want to break in to it. Unfortunately there is something of value - the account itself. We offer shell accounts to our customers because of the power and flexibility they provide. It is this power that make shell accounts valuable to people wanting to cause trouble on the internet.

Our Policy

Our policy is to disallow access to any service that requires a shell account username and password to be sent unencrypted. This means that shell account users cannot use telnet, non-anonymous FTP, or unencrypted POP3 or IMAP. We provide alternatives to all of these protcols, secured using several different techniques:

Secure Sockets Layer (SSL)

As its name suggests, Secure Sockets Layer (SSL) adds a secure layer to existing internet protocols such as HTTP (the protocol used to browse the web), and IMAP/POP3 (mailbox protocols). Most web browsers, including Internet Explorer and Netscape support secure HTTP servers. You can spot secure servers by their URL, which will start with https:// rather than http://. Many mail clients support the secure version of the mail protocols, IMAP and POP3. Unfortunately, very few programs support the secure version of the File Transfer Protocol, FTP.

Secure Shell (SSH)

For various reasons, the most common method of securing the telnet protocol is to replace it with the Secure Shell (SSH) protocol, rather than using telnet and SSL. The design of SSH allows it to be used as the transport mechanism for other protocols. For example, SSH comes with a file transfer program, Secure Copy (SCP). It can also be used as the transport as rsync, a program used to syncronise files in two different locations. This is an ideal way to update your website.

Pretty Good Privacy (PGP) and GNU Privacy Guard (GPG)

Pretty Good Privacy is a system that can be used by individuals to encrypt data so that only its intended recipient can read it. It can also be used to digitally sign data so that the recipient can verify that it has come from the person it claims to be from. GNU Privacy Guard (GPG) is a free replacement for PGP, and is available from our shell accounts.

PGP is most commonly used to encrypt email. In its lifetime, an email may be passed via any number of intermediate mail servers, and be held in temporary files on these servers. The only way to ensure that it cannot be snooped by an intermediate third party is to encrypt it yourself before sending it.

PGP works using public key / private key pairs. This is a complicated cryptographic setup, but the clever trick is that something encrypted using a public key can only be decrypted using the corresponding private key. As the names suggest, the private key is a key that you keep secret whereas the public key is a key that you distributed so that people can send you encrypted messages. It is actually good to distribute your public key widely as this allows people to cross check your key from several different sources - the weakness in PGP is in ensuring that the public key belongs to who you think it does.

We are more than happy to send and recieve PGP encrypted and/or signed message. Indeed, when you sign up for your account you may request that we do not carry out any instructions on your account unless they have been signed by you. Here is the Mythic Beasts GPG public key