The Corrupted State Of Shared Hosting

Endurance International Group (EIG) delivers hosting, backup, analytics, digital advertising, and email marketing solutions to 5.37 million subscribers globally. Like a drug dealer, the company refers to its hosting packages as "gateway products". This is not an exaggeration; it is how they are described in the company's own annual report.

EIG operates over 80 subsidiary brands, including Bluehost, Constant Contact, FastDomain, HostGator, HostMonster, iPage, MyDomain, SiteBuilder, SinglePlatform, and TypePad. Each brand has its own marketing, social media fan base, and thousands of positive reviews. Some have Terms Of Use clauses which have influenced government policy and censored content on religious grounds.

This type of media consolidation promotes consumerism while limiting discussion and innovation, yet industry-authored campaigns brazenly claim consumerism is an "expression of innovative capacity". Federal regulators appear uninterested in addressing the issue. The resulting uncontested market space has been a boon for EIG, which earned $1.1 billion in revenue and $351 million in profit during the last fiscal year.

Security Risks From 1995

How do these companies generate so much profit? By using outdated technology. Both Microsoft IIS and Apache web servers were introduced in 1995, in an era before default TLS and HTTP/2 were even considered. No matter how many updates they receive, they're built on outdated principles and architectures, their patched vulnerabilities stacked like an unstable tower of Jenga blocks. And that makes them cheap. They're cheap to install, to run, and to manage.

Even newer shared hosting platforms are (typically) configured with the most permissive security settings. This drives revenue for the hosting company in three ways. First, allowing clients to run virtually any code without restriction reduces potential calls to customer support. Second, tracking code is quietly inserted into each client site, collecting visitor information which is then sold to data mining companies. Third, relaxed security settings open doors for advertising partners to track site visitors after they leave the site.

5.37 Million Legal Timebombs

Many of the sites hosted on these platforms showcase meticulously crafted privacy policies which promise various data protections for visitors. But in truth, permissive security settings leave visitors exposed to weak authentication methods, cross-site tracking and exploits, and leaks of personally identifiable information.

This represents a massive legal risk to every organization (small businesses, universities, hospitals) using a shared hosting platform. They could be sued for failing to protect user data, and in the EU, website operators face significant fines under the General Data Protection Regulation (GDPR) when it goes into effect on May 25, 2018.

Captive Market By Any Other Name

Developing independently hosted content can be challenging for users who lack the requisite technical knowledge. Coupled with national security concerns, that leaves the majority of independent developers and consumers with limited shared hosting options.

Published October 07, 2017 by Ethan F Grant