ProfitBricks and Transparency

The last week has been an exciting one here at ProfitBricks, with the overwhelmingly positive response we’ve had to our 50% price drop and the deeper analysis of cloud profit margins that has followed by a wide variety of sources in the tech media.   As anticipated, our announcement brought with it an onslaught of trial accounts, with people poking around our system in different ways.

Kenn White, a security specialist from the health care industry, discovered a partly bypassed security process on our part. It was the process of how Linux-based distributions are packaged prior to their being available in a drop down list of optionally available images supplied by ProfitBricks. We have checked if this breach of process had any negative effects on the integrity of the distributions supplied by ProfitBricks. We did not find any. But we will certainly make sure that the process will be followed strictly in the future. We want to thank Kenn White for bringing this to our attention.

Room for improvement

A few other comments regarding choices we have made have come to light that we’d like to address here:

  • SSH Keys – When our graphical user interface is used, our current provisioning process for virtual machines emails the root password to the email address associated with the account creating the VM.  This root password must be changed upon its first use.  While several other cloud providers also use the “email-the-root-password” method of communicating root access, we completely agree that a private-public key pair is the better choice. This feature has been scheduled for September on our 2013 roadmap.
    Users of our API can already submit a root password when creating an instance. If this method is used the password will not be sent in an email.
  • SSH enabled by default – Currently, through both our API and our GUI interface, customers have the ability to set port level security on every virtual machine they launch.  Per default we have the SSH process running because most of our customers use SSH to connect to their server after it has started. This is a standard setting at most other providers as well.  With our snapshot feature our customers are enabled to easily configure images with different behavior.  We leave it to our customers to additionally set up the free basic firewall we offer, either through the API or our graphical user interface.
  • Token Authenticated APIs – ProfitBricks currently secures its SOAP API with HTTP Basic authentication utilizing the username/password of the account, which is not uncommon among Internet-based APIs.  For some time, we have recognized that the more secure approach using separate API tokens but lack of customer interest in this feature has thus far kept it on our secondary roadmap.  These more recent concerns have raised our awareness and we will reconsider our primary roadmap to accommodate this feature.

Curiosity + Transparency = A Better Product

Sometimes, people outside of ProfitBricks will take issue with how we’ve implemented certain features.   We don’t think the product or our customers are best served in the end by ignoring such things or being unwilling to discuss them openly.  Instead, we believe in transparency and to embrace the suggestions of our community to make our product better for everyone.

As the list of items detailed here are resolved, we’ll be posting updates on this blog.  Otherwise, we’d love to answer any questions you might have in the comments below.