I came across an interesting-looking website called PHPAnywhere. The idea is that it is an online PHP editor where you can access your source code from any web browser. You supply the FTP details of your web server and it provides a web layer over the top to abstract away the FTP details. This sounds like a great idea, but I am surprised that anyone would use this site.
Up until a month ago they were not even using SSL. Now they are, and they tout that as a great security feature. I wonder, though, how many developers' clients would be happy knowing they have provided the full details of their FTP accounts to a third-party website. Could this be viewed as professional negligence? I hope that PHPAnywhere are legitimate, but when it comes to security, this is just not enough. Perhaps if this site had already established trust with other applications then it might be worth considering.
It does bring up the point, though, that this is a great idea which needs to be implemented differently. If the code was available for purchase then it could be installed on your own server. Security would then be back where it should be, under the developer's control. The same system would apply: PHP (or any other language) code could be accessed from any computer, but no third party would have access to the FTP accounts.
With security it is better to be paranoid than trusting. I really am quite worried at the thought of how many servers can be owned if someone manages to hack into PHPAnywhere's server.
But most worrying is how many blog entries out there are raving about this new service without even paying lip service to the incredible security risks it presents.