Unfortunately from time to time I have the unpleasant task of dealing with GoDaddy in one form or another, and today I noticed another failure with their services that caught me by surprise. If you knew how low my opinion of GoDaddy was to begin with, then you’d realize how bad the problem must have been in order for me to have been surprised by it.
If you go to their home page, you’ll see that they have the typical username/password form for customers to log in. The problem is that they’re allowing it to load over plain HTTP, rather than requiring HTTPS. What that means is that a hacker could perform a man-in-the-middle attack to intercept the home page and redirect the form submission to his own server. That server could then record your username and password before transparently submitting the form to GoDaddy.
The attacker would have your credentials, and you’d never know anything had happened until he used them to steal your domains, inject spam into your websites (which will drop their search engine rankings), or just delete them entirely.
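A site owner can check their own pages for this problem. The following is an added example, not code from GoDaddy or StealMyLogin.com: it parses a page's HTML and flags any form containing a password field that is delivered over plain HTTP or that posts to an HTTP URL. The function names, finding labels and `example.test` hosts are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class LoginFormAudit(HTMLParser):
    """Collect every <form> that contains a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self._action = None      # action of the form currently open, if any
        self._in_form = self._has_password = False
        self.login_actions = []  # resolved action URLs of login forms

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._in_form = True
            self._has_password = False
            # An empty or missing action submits to the page's own URL.
            self._action = urljoin(self.page_url, attrs.get("action") or "")
        elif tag == "input" and self._in_form:
            if (attrs.get("type") or "").lower() == "password":
                self._has_password = True

    def handle_endtag(self, tag):
        if tag == "form" and self._in_form:
            if self._has_password:
                self.login_actions.append(self._action)
            self._in_form = False


def audit_login_page(page_url, html):
    """Return (finding, form action URL) pairs for login forms on a page."""
    parser = LoginFormAudit(page_url)
    parser.feed(html)
    parser.close()
    findings = []
    page_insecure = urlparse(page_url).scheme != "https"
    for action in parser.login_actions:
        if page_insecure:
            # Markup can be rewritten in transit, so an https action is no protection.
            findings.append(("form-served-over-http", action))
        if urlparse(action).scheme != "https":
            findings.append(("credentials-posted-over-http", action))
    return findings

# Constructed sample: the action is HTTPS, but the page may be fetched over HTTP.
SAMPLE = '<form action="https://sso.example.test/login"><input type="password" name="pw"></form>'
```

Calling `audit_login_page("http://www.example.test/", SAMPLE)` reports the form even though its action is HTTPS, which is exactly the case described above: the page that carries the form is the part an attacker can alter.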
Apparently this has been going on for a while, since they’ve been placed on the list of offenders at StealMyLogin.com. The failure to properly secure login forms in this way has been widely denounced for at least 7 years, so it’s telling that they’re either aware of the problem and have chosen not to fix it, or are completely ignorant of it to begin with.
This is just one more reason why GoDaddy is, hands down, the worst major hosting provider on the Internet, and why I’ll never recommend them to a client.