Everyone's tried it. It's something that everyone who fancies themselves a computer genius tries when they're a kid--turning that knowledge into a quick buck as a web designer. Most of them either warez a program, or are happy they learned to string two tags together in HTML; almost all of them wouldn't think about testing on an alternate browser. At one point, these kids actually had a market, and even now, many "professional" sites don't seem to be tested on multiple browsers.
It seems as if several of these juvenile web designers have tried to expand in a shrinking vertical market by offering web hosting capabilities. The results are even more disheartening than being unable to access some mess of unreadable non-standard markup on some nobody company. Within the past couple weeks, I've noticed two domains with sites marketing "premium" web hosting (and also design in one case), yet these "premium" hosting sites [which don't even know how to set up a default domain, it seems, judging by a default site at one such "premium" web hosting company when going directly to their IP address] seem all too often to leave your site open to anyone with a little time and knowledge.
Granted, recent events this past summer (2002) have been hell on system admins--and I like to take every moment I can to voice my dislike of Theo who is to blame for most of it--but these security problems so widely announced have been fixed for several months now! These are security bugs on par with those exploited by Code Red, and like Code Red, a worm has already been created to take advantage of the OpenSSL issue.
Whereas a poorly designed site may reflect poorly on a company and possibly alienate users who cannot access it with their browser, an insecure site leaves the content of the site open to malicious users to change at will. This will result in damage magnitudes greater, especially if the site designer decides to not have an off-site backup of the web site hosted on a compromised box. While this would be a precaution no true professional would neglect, it may be very likely for the "professionals" who saw something they thought they could do to make a quick buck.
I have sent an email to a friend who hosts on one of these sites, warning him of the problems in the site's setup. As of October 22, 2002, this site was still running a vulnerable version of OpenSSL, although it had upgraded PHP, and I could not connect to verify what version of OpenSSH it was running, as it appeared to be either no longer running or filtered.
One of the more interesting sites actually upgraded from OpenSSL/0.9.6b to 0.9.6g by September 21st, and within a fortnight of that date switched back. Even stranger, the site was running PHP/4.1.2 during the month of March but downgraded to version 4.0.6 by July 28th. Prior to 4.1.2 the site had been using 4.0.3pl1 for as long as Netcraft has the site in its database.
Of the "10 Best Web Site and Domain Hosting Services" on an arbitrary Google ad I followed, 4 weren't listed on the page, one was using OpenSSL0.9.6, one OpenSSL0.9.6e which fixed 12 of the earlier problems, one was using a version other than OpenSSL, and two of the others appear to just be the same site as the one running OpenSSL0.9.6e.
In general, it seems that most people are having problems keeping OpenSSL up to date--although 0.9.6e fixed the bugs which a worm had been exploiting, and earlier versions may have been patched so that they too might not be vulnerable (I am told Debian's 0.9.6c .deb release is clean). You can blame Theo if it makes you feel better, but everything has its share of bugs--like PHP. Most people seem to have an up to date version of PHP--excepting the aforementioned, confused, site. For people who make it their business to keep people's data "highly available", they should also strive to keep it "highly secure".
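For anyone auditing the banners of hosts they are responsible for, here is an added example (not part of the original article) that pulls the OpenSSL token out of a `Server` header and compares it with the 0.9.6e release named above. The sample banners are constructed, the status labels are this example's own, and a version below the threshold only means "check the package", since distributions may backport fixes as noted for Debian's 0.9.6c.

```python
import re

# Threshold from the article: 0.9.6e fixed the bugs the worm exploited.
FIXED_IN = "0.9.6e"
# Matches both "OpenSSL/0.9.6b" (banner form) and "OpenSSL0.9.6e" (as written above).
TOKEN = re.compile(r"OpenSSL/?(\d+\.\d+\.\d+[a-z]?)", re.IGNORECASE)

def parse_version(text):
    """Turn '0.9.6e' into a sortable tuple; a bare '0.9.6' sorts before '0.9.6a'."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", text.strip().lower())
    if not m:
        raise ValueError("not an old-style OpenSSL version: %r" % text)
    major, minor, fix, letter = m.groups()
    rank = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(fix), rank)

def classify(banner):
    """Return (version_or_None, status) for one Server banner."""
    m = TOKEN.search(banner)
    if m is None:
        # No token proves nothing: the banner may be trimmed or another TLS library used.
        return (None, "no-openssl-token")
    version = m.group(1).lower()
    if parse_version(version) < parse_version(FIXED_IN):
        # Distributions backport fixes without bumping the version string,
        # so this means "check the package patch level", not "confirmed vulnerable".
        return (version, "below-fix-verify-backports")
    return (version, "at-or-above-fix")

# Constructed sample banners, not taken from any real host.
SAMPLE_BANNERS = [
    "Apache/1.3.20 (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6b PHP/4.0.6",
    "Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6g PHP/4.1.2",
    "Apache/1.3.26 (Unix) Debian GNU/Linux mod_ssl/2.8.9 OpenSSL/0.9.6c",
    "Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6",
    "Apache/1.3.26 (Unix) PHP/4.2.3",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        version, status = classify(banner)
        print("%-28s %-10s %s" % (status, version or "-", banner))
```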