Dedicates IP's aren't required for SSL certs anymore unless you're concerned with old IE's in Enterprise environments. Every modern piece of browser software will send the domain with the TLS handshake. Doesn't look like these guys are targeting the entrenched enterprise, though.
Windows XP is still running on about 1 in 5 computers in the US. Internet Explorer is still the first or second-most used browser depending on whose market share methodology you prefer. SNI does not work with any version of IE on WinXP. SNI also doesn't work with Safari on XP, Android 2.x browser, BlackBerry browser, Opera Mobile, etc. No major sites use SNI and it's not because they have enterprise audiences. The compatibility isn't there yet -- if you're using SNI, you're throwing up errors on the screens of 10% or more of your visitors -- desktop, laptop, home, "enterprise", and mobile alike.
Giving error messages to people using IE on XP is probably a good thing. Web browsers need security updates, and they're about to be left out, in addition to facing rendering problems.
But even when you want to let people connect without SNI, there is no reason to skimp on security. How about sending people with bad browsers to a different port per site?
> How about sending people with bad browsers to a different port per site?
You can't do that for the very reason SNI exists. All you've got is the beginning of an SSL handshake on your single IP; you don't know what host they want yet, so you neither know what port to redirect to nor what certificate to serve.
The topic here is how the signup form is submitted. We're talking about starting with an http connection, so the server very much knows what port to redirect to.
And even if they bookmark the https, it keeps working.
And if they have something like 'https everywhere', then they're not using an obsolete version of IE.
The only failure point is if they click an https link by a third party.
The topic here is how the signup form is submitted.
Which protocol the form is submitted via is only half the security issue. The form itself needs to be served over https also to avoid a MITM attack on the destination of the form submission.
In theory if you're browsing a site over HTTP, the initial request to the form will be HTTP, and then you'll be 301'd to the secure signup form. A check could happen before the 301 is issued (instead displaying a warning message). That may not be how it is done on any given site, but my point is that it is possible to handle gracefully.
But yes, clicking an https link directly would cause issues.
It's always been there AFAIK. This is from their current policy document which you must agree to when you start applying for a free certificate:
> Class 1 certificates are limited to client and server
certificates, whereas the later is restricted in its usage for non-commercial purpose only. Subscribers MUST upgrade to Class 2 or higher level for any domain and site of commercial nature
Class 1 is "StartSSL Free", and Class 2 is "StartSSL Verified" which costs $59.90.
You can tie private information, such as your telephone number (for SMS) and various emails to your account that you can associate with alerts on various reminders you set up.
It's bad practice to not use a secure login, because anyone who is sniffing HTTP traffic can see your Uptime Robot username and password in plaintext.
This might not be that bad for this website, but keep in mind how many people use the same email/password for other services, or their email.
+1 for copperegg. Their free plan is much better than uptimerobot. My only comment is that their UI is not overly intuitive, but you don't really have to look at it after you've set it up.
Is it designed for a much larger screen than mine (1280x800 at the moment, the max on my laptop)? I have both horizontal and vertical scroll bars showing up, even when putting it to fullscreen, and some areas still overlap so I cannot see the content (that "sort monitors" section for example).
Otherwise I set up two monitors, look interesting, useful, and well done! Good job!
I really like the design and I am trying it with a couple of tests, but it seems to be reporting the opposite of reality. Shows one of my sites as down though it says Keyword Found and it shows the response time, while another one which is really down is shown as up:
Kinda-sorta-related: 10 years ago this month, I quit my job to finish my first product: a server monitoring system that I ultimately never launched. I did a little writeup of it earlier this year: http://sigma-star.com/blog/post/esonar-resurrection
So every time I see a post, ad or anything about server monitoring systems, it makes me smile. It's one of those projects that everyone has: "One of these days, I'll work on it."
The off the shelf services will only get you so far, even with keyword search. Sometimes you just have to roll your own.
With a complex ecommerce build you can run into situations where something has gone badly wrong with the pricing, e.g. everything is marked up as on sale, price £0.00. With a roll your own solution you can build an XML tree of the document, go through your HTML tags and put in some rules to make sure that all the prices are greater than zero (for instance).
As for keywords, you want something on the page in the footer, however, that can change. Eventually I ended up using the content between the <noscript> tags as that really did not change (even though they were at the top of the page).
Sending out an SMS is not hard to do, however, now that people have email on the phone it is not really that useful plus your credits can run out.
A 'roll your own' solution with advanced content checks can be used with a standard 'Uptime Robot' type of service. Clients can have the 'Uptime Robot' and manage it themselves, they will get great peace of mind. Meanwhile, the homebrew check can give a developer a heads up on things going wrong before they go wrong (as far as the client is concerned) and pick up on more subtle failings that a client really doesn't need to be told about at odd hours of the night.
Depending on your traffic levels you may also want to remember to take the IP address of your check program out of your stats.
If anyone does want a very simple PHP script to iterate over a list of URL's (and their respective search strings), do the CURL thing and some DOM parsing, with SMS mailout of whatever the 50x fail is then I can find you one.
I have been using this for a while on my servers. For some months, I had Pingdom and Uptime Robot monitor the same server. According to my experience, the latter has less false positives - with Pingdom, it sometimes looked as if it was monitoring its own network congestion, and not the availability of my websites.
Uptime Robot also has an API like Pingdom, but with the added benefit you can monitor up to 50 websites for free. The API allows me to almost never log in to the control panel, as I watch the status using my custom monitoring panels.
This. False positives are terrible. We monitor google & amazon along with our services. If us, google & amazon all look down, it's a false positive. Not sure why pingdom doesn't do this for us, but whatever.
If you have something critical to monitor, my advice is to stay away from Uptime Robot. I've used them for a couple years along side my Pingdom checks. They often don't deliver notifications. My last notification is ".... resource is down. We'll notify you when it's back up." That was 10 days ago and it was down for a few minutes. I was never notified of it coming back up. This is just typical. It's also common that I never get a notification of a down resource, too.
One benefit of using this over Pingdom: they have a location in outside of the US and Europe (Singapore). If a networking issue causes your site to appear down for Japan, China or India Pingdom won't know.
Looks like the front-end still needs some polishing. A cursory glance shows a type (My Settings -> Add Alert Contact -> Mobile (SMS) "...that suppor it..." , multiple clicks on the main logo pull up multiple "Loading" messages.
Also, I find it odd that the interface is > 1280px wide(at least it is for me presently). I'm not used to a horizontal scroll on a 13" MBP.
Overall, if it turns up less false positives than Pingdom, I'll be happy.
I work for PagerDuty. What issues are you having with the Pingdom integration? I'm sure some of our other integrations may be of interest: http://www.pagerduty.com/partners/. If you have any questions or need any help feel free to contact me.
re: using the API, we'd rather it did so also, but for the longest time Pingdom only sent out e-mail and didn't have any sort of webhook. They apparently have webhook support in their new Beep Manager offering, but that's still in beta.
re: misconfiguration, which check box are you referring to? The only two there are for ack timeouts and auto resolution.
Come check us out at https://www.statuscake.com - we do have Pagerduty integration via the API (It's not full featured yet to be honest, but I'd say within the next few weeks we'll have an even better connection)
I use pingdom tools (with sms notifications), port-monitor.com, think i'll add this to them as well. Never hurts to have a few things checking sites.
One thing this is missing is being able to look for a string on a page. (either checking it is there (like "Loaded"/"Latest Posts"...something to indicate all is working fine), or checking it isn't there (like "error", "database connection error" etc)
Always good to confirm what is actually being sent to the client. Never know whats happening inbetween. Some wrong configs and it could be showing the wrong content.
Yes. But this is a testing service, so if some change has made it so in some case the correct status code isn't returned, it's nice to get a fast warning.
Interesting...I created an MVP off of a domain I bought a few years ago called http://www.uptimebot.com
It has been on the back burner for a bit now because I wasn't able to get traction/vistors onto the site...I guess maybe I should figure out what I was doing wrong.
They seem to be having some odd errors in the signup that prevent it from showing it actually processed. Did get an email asking to verify the account so it sounds like its only a client side problem... seeing an error from jquery validation.
Have been using this service since the time id had pretty bad UI, was correct each time with most updates to SMS via Twitter in India. Now, the UI is amazing, though we use it only for few seconds.
Does you provider offer an email to MMS connection? I know with my cell carrier you can email to (my phone number)@telusblah.com and it'll forward it as an MMS.
I found the same thing. This occurs on forgot password as well. I refreshed to re-signup and it said email already exists. I went to forgot password and it didn't give me any kind of success/error messaging. I opened my Chrome dev tools and could see the AJAX requests being processed but there was an empty response on forgot password. I didn't receive emails for registration or forgot password, so I'm dead in the water.
So? Do it anyway. Competition stimulates demand and the fact you've got long-lived competitors indicates there's demand already. By coincidence I was literally about to sign up for Pingdom, but I'm going to try these guys out instead. If this had been your service, you'd have just had a new customer right now.
Your success will depend on the quality and efficacy of your marketing.
So was I - about 10 years ago. Registered the domain name, started working on the code and then realized there were 100 people doing it already. I mean, seriously, the code to do this is trivial to write.
So I mothballed it for a couple months and then got an unsolicited offer from a guy in Israel to buy the domain for $1,000. Easiest $990 I ever made.
It's a fun way to learn about a good variety of things; http and other protocols, distributed architecture, how poor most sites' uptime truly is...
I built https://servercheck.in/ for that reason, and because I wanted cheap 'real' SMS notifications (from a consistent phone number) so I could set a special ringtone on my phone when one of my servers goes down.
