Newbie guide to select hosting
A guide for small to medium-sized NGOS on choosing a hosting provider for their website
Contents
- 1 Outputs
- 2 Connection to previous RDFs
- 3 How to Choose a Responsible Hosting Provider
- 3.1 Introduction
- 3.2 Relationship with the Provider
- 3.3 What communication methods does the provider offer?
- 3.4 What payment options are accepted?
- 3.5 Is anonymous registration and payment an option?
- 3.6 What happens if you stop paying?
- 3.7 Technical Requirements
- 3.8 Does your website require special permissions?
- 3.9 Does your provider suppport SSL for your website?
- 3.10 How can you manage your services?
- 4 Security Procedures
- 5 Security Set Up
- 6 Legal matters
- 7 Summary
- 8 Audience
- 9 Next steps
- 10 Contributors
- 11 Resources (we <3 links!)
Outputs
An updated guide that walks users from A ("I need help!") to Z ("I learned a lot and solved my problem") that was tested by at least two potential users. Plus dissemination plan. Stretch goals: additional elements, e.g. boxes, illustrations, pictures or concepts for those
Connection to previous RDFs
The guide rests on a previous version created during the RDF on Hosting in Amsterdam. It has been published here: http://internetprotectionlab.net/considerations-when-picking-a-hosting-provider/
How to Choose a Responsible Hosting Provider
Introduction
When building a website, choosing a hosting provider can seem like a difficult task. What do all the technical terms mean? Do they matter? Do they matter to me and my project? This guide helps you navigate the process, including some questions to ask and topics to discuss with providers, so you can make a better, more well informed choice. Choosing a hosting provider is not about choosing the best provider, but about choosing the best provider for you.
Relationship with the Provider
The first point to consider is being clear about what you want from the provider. That will help you create a good relationship from the start. Does your provider offer the right package? The type of hosting you will need depends on how much control you want over your hosting, the number of visitors and your budget available. Usually, providers offer three different types:
Shared hosting Shared hosting means your content will be stored in a computer that hosts other websites. Your website will share the resources of the machine (such as memory, processing power and bandwidth) with others. Shared hosting is usually the cheapest and most convenient option, but it is also the one where you have the least control over the hosting computer. This can be a good thing, because you don't need to have the capacity internally to manage most of the technology. But this can be troubling if your website needs configurations not supported by a provider's set up (more on pitfalls of shared hosting in the box).
Dedicated server A dedicated server means the computer in the hosting provider is setup only for your website so you don't have to share its resources with other websites you don't control. Usually, that also means you have full control over what you can install. Note, however, that if you do not have a systems administrator to update the software regularly, you can be at great security risk very fast. Some providers offer to manage this for you - for a fee - so you can have the flexibility you need, while security risk is managed. Be sure to discuss the terms of what is covered and what is not, in case you decide to go with this option.
Virtual Private Servers (VPS) A Virtual Private Server is a mixture of shared hosting and a dedicated server. While you will be sharing the computer's resources with other accounts in the hosting provider, since it is a virtual machine, you will have full control over what you can install.
Domains Your hosting provider does not have to be the provider of your domain, but can be. If it is, ensure they offer you the right domain ending. Also, if you want to hide that you registered the domain, make sure they offer you to hide it, because otherwise it will be publicly accessible in a whois directory.
BOX NEXT TO SHARED HOSTING: How will other customers affect me? When you share a server with others, this might impact the availability of your website, because they are attacked. Ask your hosting provider how the different customers are separated from each other to ensure these situations will have limited or no impact on the availability of your website.
What communication methods does the provider offer?
Some providers only wish to be contacted via e-mail. Others will gladly talk to you on the phone as well, or via online chat. What communication methods are important to you? Here's a list of examples to consider:
- Telephone
- Skype
- Chat
- Ticket system
Is it important to you that the provider offers secure means to communicate your access credentials with you? If so, ensure that they do, before entering into a relationship with them. If that is the case, ask them if they have secure channels and make sure you are able to use them at all times.
If the provider you want to work with is geographically close to you, then visiting them is a great way to find out, if these are the people you want to trust your data with.
What payment options are accepted?
How can you pay your provider for the services you buy from them? Ensure you can pay using the means easiest for you, be it bank transfer, credit card, Paypal, Bitcoin (Bitcoin is a virtual currency and an online payment system). Many providers have limited options available, so it is worth double-checking.
Is anonymous registration and payment an option?
Perhaps the website you are hosting is so controversial you do not even want your hosting provider to know who you are. Ask them if it is possible to host the website anonymously and pay anonymously, via Bitcoin for example.
What happens if you stop paying?
Obviously you want to pay for the services you buy. But what if you might be unable to pay for a certain period, for example because you reached your credit card limit within a given month. Will the hosting provider simply delete your website and all its content after missing one payment or will they keep the website up and running for half a year? This might be particularly relevant if you are operating from an environment that is sensitive to financial sanctions or if your operations might be vulnerable to a banking blockade.
Technical Requirements
How can you upload and maintain your website? Before people can visit your website, you will need to upload it from the computer it was originally developed to the hosting provider. What methods are available to do so? There are many options, but not all options are equal. The way you connect to the webserver to upload the website files to the server matter.
The File Transfer Protocol (FTP) This is the most used method to connect to a webserver, but it does not provide security. Everything you transfer via FTP is "transparent", in the sense that anyone that might be monitoring your network (or the server's) could read and copy your passwords as well as the contents of the files while they are being transfered.
Secure channels A lot of providers offer safer options to receive your files, such as the Secure Shell (SSH) and the Secure File Transfer Protocol (sFTP). When files are uploaded via SSH or sFTP their contents are encrypted on your machine and they travel to the host provider as if they were noise, making it very difficult to anyone monitoring the network to figure out what they are about. Once they're in the server, the files are decrypted to their original form. There are many applications that will do SSH and sFTP connections automatically to your host provider, with minumum technical expertise required.
Important for you is to know that your provider offers you the protocol you and your developer need.
BOX ON PROTOCOLS: FTP: the most common protocol, but one that does not provide any security for the data you transmit. Avoid, if you can. SFTP, like FTP but with encryption of the information being transmitted. Much better, but can be slow for many files or large amounts of information. SSH: An encrypted and reliable means of transport using the command line interface(which many find difficult to use). Some developers and system administrators prefer it and often it is not available on shared hosting; so if your team needs it, ensure your provider offers it.
Does your website require special permissions?
Sometimes your website might offer features that require special permissions to function optimally. For example, if you want users to be able to upload photos, the website will need permission to write information on the webserver's disk. Not all hosting providers allow for these options or allow for these options in the same way. Checking this with your website developer and hosting providers can prevent a lot of headaches.
Does your provider suppport SSL for your website?
Your words are valuable, and so are those of your visitors. If they read your stuff, or they leave a message on your website, it is traffic between you and them. No one in between should be able to read along. With SSL, the only publicly visible information is that visitor access the main URL of your website. For example, they know you're browsing wikipedia, but not "wikipedia.org/human_rights". SSL makes sure no one "on the line" can tell what your visitors are reading or writing once inside. So, to protect your users using SSL is really important. Make sure your provider allows you to use SSL, makes the process easy or even manages it for you.
How can you manage your services?
Your website might use some additional services, such as a database (where you will record and store data for later use) and a domain name (for example: yourwebsite.com). Does the hosting provider offer easy to use services that allow you to quickly configure these options yourself, or do you need to contact them to do that for you? Please note that if you're not very technical, the latter option of them doing it for you might actually be preferable to doing it yourself!
Security Procedures
No matter what type of website you're running, security is always important. Even if it is just a single page website which displays your organisation's information, having that page altered will look bad for you. This section looks at the procedures your hosting provider should have to make sure such incidents do not happen or are resolved as soon as possible when they do. Take a moment to think about your website and what type of negative attention it might attract. Keep that in mind when looking at the following questions:
Does the provider have a security policy? Details!
A security policy is a policy that describes various security related issues, ranging from authentication of customers (how do they know it is you who is calling them?) to how to deal with hacked websites. If the hosting provider has such a policy, it is a good indication that they have given serious thought to the matter. This is important to you as a customer as it indicates they will be able to respond quickly and adequately to any security issues that might arise.
Does the provider have an abuse policy?
An abuse policy is a policy that describes various abuse related issues. Abuse is a term for unwanted behaviour, for example, what will the provider do if your website starts sending out a lot of messages that could be considered spam in the provider's own policy terms? Will they simply shut it down or will they notify you and try to help resolve the problem? How long will they take to verify that you have resolved the abuse issue before they turn your website back on?
How does the provider deal with security incidents? (merge with "details!" above?)
What if despite your best efforts, someone manages to hack your website? Or that of another customer at your hosting provider? How does the provider deal with such incidents? If the incident involves your website, will they help you resolve the issue or simply shut you down? If it was a breach somewhere else in their network that might have affected you, will they notify you of such an incident? If their customer database is hacked, will they inform you?
What privacy policy does the provider have?
Privacy of customers and customer data is important. In some cases, it can even be vital information. Ask your provider about their privacy policy and how they deal with certain requests for information. Do they have a strong privacy policy with strict rules or will they sell your data on to anyone who is willing to pay? Will they give in to any government request or will they require legal documents that force them to do so?
How is logging being done?
All computers keep logs. Websites for example, keep logs of what computers requested what pages. These logs can be useful for analytical purposes but in the wrong hands they can also reveal exactly what people visited your website. Ask your provider if information is being logged, for what purpose and for how long. Also, who has access to the logs? Are they covered by the earlier mentioned privacy policy?
Logging can be very useful to find out what is happening with your website, especially if something went wrong. Often visualizations can help you make sense of your logs, a chart simply tells a different story than a wall of text.
However, if you are afraid that people might get in trouble if they are found in your logs, consider turning logging of completely. Make sure your provider also does not keep them in this case.
Security Set Up
What availability can the provider offer and what do you need?
In our houses, computers crash, connections can be taken down, the power might go offline. The same can happen to computers in your host provider's facilities. In some cases, it might not be such a big problem if your website doesn't function for a couple of hours a month. In other cases, it could be a disaster. Ask yourself how critical your website's availability is and inform the provider. The higher the (guaranteed) availability needs to be, the higher the costs involved.
Does the provider make backups?
A backup is the lifeline of your website, because it will enable you to get it back up quickly, in case of machine failure, data loss or a cyberattack. Do you have the capacity to make regular back ups? If not, you should ensure your provider does that for you. Ask them if they create backups, how often they create them and for how long they keep them. If your site doesn't change that much, a weekly backup that is kept for a month might be fine. If it changes daily, you will want at least daily backups.
How robust is the provider's infrastructure?
Not every opinion is popular with everyone. Hosting websites that advocate certain rights or causes might come under attack from parties who oppose those rights. Often this comes in the form of a so-called Distributed Denial of Service attack, or DDoS. In these types of attacks, your website will be flooded with so many bogus requests it will crumble under the load. Ask your provider if they have systems in place to mitigate these types of attacks and if they can give examples of how they have dealt with them in the past. How do they support you in dealing with the attack - or do they simply take you offline in order for their other customers not being affected? Alternatively, you need to ensure that they support you using a service like Deflect (deflect.ca), which is free for civil society and independent media, or Cloudflare.
Is there an intrusion detection system?
An intrusion detection system is the online version of a home alarm system. It monitors the network at the provider and detects suspicious activity and attacks. If you're hosting a website that you fear might be under threat, this can be very helpful both for preventing known attacks and or analyzing what happened after a sophisticated attack occured.
Has someone with good intentions hacked their system?
If security is important to you, you want to be sure that what a provider is saying about their systems has been verified by an external, independent party. Ask your provider, if they have been audited or gone through a penetration test. This is basically a process through which someone tries to hack the provider with the aim to get into the system or interrupt it, with the goal of discovering wholes. As a follow up to this, the provider will improve their set up, to prevent similar attacks in the future. A provider who has gone through this process is usual very serious about security. Ask for their report. Even if you do not understand it (fully), the fact they are sharing it with you is a sign that they haven taken measures and are transparent about what is important to you: security.
Legal matters
Keeping in mind certain legal issues that could arise is important when choosing a hosting provider. Here are some examples:
What laws in your country might affect your website and its hosting?
The legal frameworks regulating the Internet and content of websites vary widely around the world. When looking for a hosting provider, you should look into what laws regulate your hosting provider, what kind of information they might be required to share with the government, and under what circumstances the authorities can approach a hosting provider with a request or order to share information. You should also ask a potential hosting provider what their policies are when approached by government authorities with request or orders for information. Will they give up information about you, your organisation, or visitors to your website to avoid potential trouble, or will they use legal means to refuse or delay giving up this information?
There are some other matters to consider as well. Your hosting provider might seem a company in your country, but it might actually be a legal entity in another. Similarly, although the hosting provider might seem to be operating in your country, their actual servers might be located somewhere else. This is important to keep in mind, your website might not be in violation of local laws but might violate others. Similarly, if your website is in violation of local laws, hosting it in another country might save you a lot of trouble. When should you consider hosting your website outside of your country?
If one or more of the following conditions apply, you should look into working with a hosting provider that is outside of your country and has infrastructure that is not within your country:
- the legal environment in your country regulating the internet enables the government to easily compel hosting providers to share information about your website, or else laws protecting information are believed to be widely ignored by security services;
- your website contains sensitive information or discusses a socially or politically sensitive issue which might attract negative attention from the government, or;
- you have serious concerns about the ability of a hosting provider in your country (or if the website will be hosted on a server in your country) to keep your website secure.
How does your provider respond to seize and desist requests?
Law enforcement institutions can request information on your hosting provider or about the people visiting your website. The processes for this vary across countries, but ensure that your provider is based in a location where they have to follow a due process, involving judiciary approval, where providers are allowed to inform you of such requests.
Ask your provider about how they have dealt with such requests in the past. Have they tried to challenge them? Have they informed users? Have they verified that the process that is spelled out in the law has been followed by the requesting authority? It is particularly important to look out for this when you want to ensure that data about who is visiting your site accidentally gets into the wrong hands, with potential repercussions for your visitors.
What is the notice and take down policy?
"Notice and take down" is a term used for when your hosting provider is notified that your website is in violation of the law and requested to take it down. This mainly happens in case of copyright infringements but has been known to happen on based on other matters. Some providers will comply with any notice and take down letter they receive; other providers might simply ignore them. How your hosting provider deals with these notifications can have important consequences for your website. You don't want your website taken down because a user uploaded a copyrighted movie, song or picture to it, so ask your provider how they deal with these situations.
Is your provider technically a provider?
Does your hosting provider own and operate their own infrastructure or are they a reseller? Your hosting provider might not actually be much of a hosting provider. It could be nothing more than an office that is reselling the services of another hosting provider. This severely impacts how they will be able to assist you and how much freedom they have in addressing issues ranging from your website being down to how they respond to a take down notice or legal challenge. Knowing if your hosting provider operates their own infrastructure or is a reseller is very important.
BOX ON Legal/policies:
- What laws in your country might have an effect on your website and a provider hosting it?
- Have you thought about hosting your website with a provider outside of your country?
- What are the positives and negatives associated with hosting your website on a provider in another country?
- What is your provider's notice and take down policy?
- Does your provider own and manage it's own infrastructure?
Summary
Choosing the right hosting provider is important, because when an incident happens it is often too late or too complicated to reverse earlier decisions. At the same time, it is not hard, all you need to is discover, if their offer matches what you are looking for in terms of:
- Relationship: means of contact, payment, languages spoken, hours when they are reachable and time a response usually takes.
- Technical Requirements: their package gives you the right permissions and software that you need to run your site.
- Security Procedures: a set of policies on how to prevent incidents and deal with them, how to respond to abuse and requests for takedown and data access.
- Security Set-Up: server infrastructure that is as reliable and resiliant as you need it.
- Legal Regime: The laws of the country or countries where the provider and servers are based in should give you the level of protection that you need, in particular with regard to privacy and freedom of expression.
- Budget: You need to be able to afford your hosting package in the long run and unfortunately this means you might to make trade-offs for other requirements. We hope this guide helps you to make an informed choice about this.
Audience
The guide is directed towards non-technical staff in small to medium-sized organisations that need to make decisions on hosting. They often are faced with this problem for the first time and are overwhelmed by the number of hosting solutions that exist.
The organisations that it is aimed at are often NGOs that publish or receive sensitive or controversial information through their websites. Their websites are often at a higher risk than usual.
The guide should also be useful for intermediaries advising organisations, and funders who care about responsible data use of their grantees.
Next steps
Contributors
- the original guide was created at the RDF on hosting in Amsterdam, where Menso Heus was lead author
- at RDF Budapest Adrian Sawczyn, Marco Túlio Pires and Friedhelm Weinberg
Resources (we <3 links!)
pad for editing: https://pad.riseup.net/p/rdf-hosting
Reset the Net - a campaign to plug security holes on the internet: https://www.resetthenet.org/
Open Net Initiative - classifies censorship or filtering occurring in a countries around the world: https://opennet.net/
Should my website have SSL? - shouldmywebsitehavessl.com/
The International Comparative Legal Guide to Telecoms, Media & Internet Laws & Regulations 2015 - http://www.olswang.com/articles/2014/09/an-overview-of-the-eu-regulatory-framework/
Secure Hosting Guide by equalit.ie and HURIDOCS - https://learn.equalit.ie/wiki/Secure_hosting_guide
Provider review by equalit.ie (focussed more on the tech, as machines were configured by experienced systems administrators): https://wiki.deflect.ca/wiki/ISP_reviews
RDF outputs from hosting event on GitHub https://github.com/the-engine-room/responsible-data/tree/master/RDF-Amsterdam-Hosting
