https://yourdomain.com is not secure



Maverick
01-17-2007, 01:00 AM
https://yourdomain.com is not secure.

If you have a domain hosted at HostMonster, try to use https://yourdomain.com.

You will find out it will redirect to https://yourdomain.com/~username and show all folders. Anybody can see your structure and get your username in HostMonster.

Even if you put the .htaccess or index.* under /public_html, the SSL connection will not take the index.* as the default page. So the web server shows all the files under /public_html.

HostMonster should fix this problem. Just edit the httpd.conf of the SSL Apache.

:eek: :confused: :p

seanwu
01-17-2007, 04:52 AM
My https://yourdomain.com is redirected to http://www.yourdomain.com.

It is OK.

tsnyder91
01-17-2007, 06:28 AM
Mine redirects to mydomain/~username as well; however, I do not have mine configured to show directory structure.

nerdykit
01-17-2007, 11:33 AM
I agree that there is a modest level of insecurity there as my basic HM username is revealed. Anyone could figure this out though from taking the first 8 characters of my registered domain. All the more important to have a good, secure password. I'm off to change mine!

No directory structure is revealed in my case, it just goes to the website in a sort of 'broken' mode (a page counter doesn't work).

colorblindjimbo
01-17-2007, 04:25 PM
Wow, that sort of is crap. ~username... anyone with a decent brute forcer/proxies could hack into our accounts.

McCoy
01-17-2007, 04:51 PM
If your password is secure enough there's no bruteforce which can beat it in a reasonable time (less than a month, for example). By secure enough I mean using capital and normal letters, numbers, and symbols in a random way, and at least 8 characters long. Otherwise you're maybe vulnerable, although I suppose that HostMonster has a maximum number of login tries per second which can slow any bruteforce attempt a great deal.

shadmego
01-17-2007, 07:23 PM
...

Anybody can see your structure and get your username in HostMonster.

...

:eek: :confused: :p

Just to clarify, your username is pretty much available to anyone with a decent brain. Most hosting companies use the first 8 characters of your domain name as your main account's username. That means if I visit your site, say, www.verycooldomain.com, and I wanted to try to get into your account, I would attempt to see if you had CPanel first and then take the first 8 characters of the domain, verycool, and then try to hack your password.

Very few hosts I know let you change your main account login information.

To be fair, having a listing of your entire directory is not a very good thing as far as security is concerned and that issue should be addressed, but if you are using a bunch of php scripts, or scripts that don't include an index.html file, then simply create a blank index.html file, so when someone attempts to get a listing of your directory by doing what you mentioned, then they get a blank page.

~regards,
Shadmego

Maverick
01-18-2007, 12:10 AM
:confused: host45 has this problem. :eek:

colorblindjimbo
01-26-2007, 11:31 AM
Just to clarify, your username is pretty much available to anyone with a decent brain. Most hosting companies use the first 8 characters of your domain name as your main account's username. That means if I visit your site, say, www.verycooldomain.com, and I wanted to try to get into your account, I would attempt to see if you had CPanel first and then take the first 8 characters of the domain, verycool, and then try to hack your password.

Very few hosts I know let you change your main account login information.

To be fair, having a listing of your entire directory is not a very good thing as far as security is concerned and that issue should be addressed, but if you are using a bunch of php scripts, or scripts that don't include an index.html file, then simply create a blank index.html file, so when someone attempts to get a listing of your directory by doing what you mentioned, then they get a blank page.

~regards,
Shadmego

or you can set up your .htaccess to not allow indexing.
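
The two mitigations discussed above (a blank index file, or turning off indexing in .htaccess) can be audited across a whole docroot. The following is an added example, not code from any poster in this thread: it walks a directory tree and reports every directory that has neither an index file nor an inherited `Options -Indexes`. Assumptions: the index file names listed in `INDEX_NAMES`, a server default of Indexes on, .htaccess overrides of `Options` being allowed by the host, and the virtual host actually honouring the index file; the sample tree is constructed.

```python
import os
import re
import tempfile

INDEX_NAMES = {"index.html", "index.htm", "index.php"}  # assumed DirectoryIndex list
OPTIONS_RE = re.compile(r"^\s*Options\s+(.*)$", re.IGNORECASE)

def indexes_setting(htaccess_path):
    """True/False if this .htaccess switches Indexes on/off, None if it is silent."""
    setting = None
    if not os.path.isfile(htaccess_path):
        return setting
    with open(htaccess_path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            m = OPTIONS_RE.match(line)
            if not m:
                continue
            tokens = [t.lower() for t in m.group(1).split()]
            if any(t[0] not in "+-" for t in tokens):  # bare list replaces inherited options
                setting = "indexes" in tokens or "all" in tokens
            elif "-indexes" in tokens:
                setting = False
            elif "+indexes" in tokens:
                setting = True
    return setting

def listable_dirs(docroot, server_default=True):
    """Directories (relative to docroot) where the server would generate a file listing."""
    docroot = os.path.abspath(docroot)
    state, exposed = {}, []
    for dirpath, _dirs, filenames in os.walk(docroot):  # top-down: parents come first
        inherited = state.get(os.path.dirname(dirpath), server_default)
        own = indexes_setting(os.path.join(dirpath, ".htaccess"))
        state[dirpath] = inherited if own is None else own
        if state[dirpath] and not INDEX_NAMES.intersection(filenames):
            exposed.append(os.path.relpath(dirpath, docroot))
    return sorted(exposed)

def build_sample_tree():
    """Constructed sample docroot: scripts/ is unprotected, everything else is covered."""
    root = tempfile.mkdtemp()
    files = {"index.html": "<h1>home</h1>", "scripts/tool.php": "<?php ?>", "images/index.html": "",
             "private/.htaccess": "Options -Indexes\n", "private/data/a.txt": "x"}
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root
```

Calling `listable_dirs(build_sample_tree())` reports only `scripts`; pointing `listable_dirs` at a local copy of public_html gives the same report for a real site.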

shadmego
01-26-2007, 12:41 PM
or you can set up your .htaccess to not allow indexing.

I'm not very good with page rankings, but would this not cause problems with search engines crawling your site?