SSL Certificates

eCommerce Hosting Manager Denver Prophit Shares Inaccurate Information

February 9, 2010 in SSL Certificates by SupremeCenterHosting  |  No Comments

In a recent post on his blog, Denver Prophit made some insinuations that I felt needed addressed. As many of those who are, or have been associated with CRE Loaded, Denver feels the lack of truth is the best way to profit off those who are Internet Illiterate.

Denver Prophit said; “If you request identity information such as billing address, name and telephone number, you need a secure encrypted channel to send it. You also need good P3P in place.

Fact is, CRE Loaded, osCommerce and 99% of all open source eCommerce applications never considered SSL important, that is until a couple years ago. Furthermore, an article on the InformationWeek website, [“Black Hat: Security Pro Shows How To Bypass SSL,”] suggests that MITM attacks are not impossible:

…Marlinspike explained that he obtained such data by placing proxy software he’d written, called ‘sslstrip,’ on a node of a Tor network, to conduct what’s known as a man-in-the-middle attack. The proxy software intercepts HTTPS traffic, generates and signs security certificates, and mediates data passing between the client and server, capturing everything in the process.

Martinspike captured 16 credit card numbers, seven PayPal logins, and 300 other miscellaneous secure login sessions in only 24 hours.

Marlinspike went on to say that:

Lots of times the security of HTTPS comes down to the security of HTTP, and HTTP is not secure…

Denver Prophit said; “The PCI standard requires Internet retailers to complete a 12-step security audit that must be certified annually and checked every three months.

That may be true IF you accept credit cards on your website. However, if you use a payment processor, such as Authorize.net, Google Checkout or PayPal for example, PCI compliance is not your responsibility.

I emailed PCI Security Standards and received this reply:

As described in PCI Data Security Standard Requirements and Security Assessment Procedures (available at https://www.pcisecuritystandards.org) the PCI Data Security Standard is intended to protect cardholder data and sensitive authentication data. As described on page 4 of that document cardholder data includes the primary account number, cardholder name, service code and expiration date, while sensitive authentication data includes full magnetic stripe data, CAV2/CVC2/CVV2/CID, and the PIN/PIN Block.”

You’ll notice that although cardholder name is mentioned, billing address and telephone number are not mentioned. Why? That is Not the information they [the card issuer] wants to protect. So, why would a small business owner need a “secure encrypted channel” if they are not accepting credit cards on their website?

Denver Prophit mentioned RSA in his post; “The point I stress, here, is * Encrypting transmission of cardholder data and sensitive information across public networks. your admin pages HAVE to be encrypted because it stores sensitive information and is required by federal law. See RSA.com 2005 A Corporate Minefield: FTC Demands “Reasonable & Appropriate” Measures to Protect Digital Assets (August 04) http://www.rsa.com/press_release.aspx?id=5991 (accessed January 14, 2009)

I am glad you mentioned RSA. Taking the time to read that press release, one would find that Art Coviello, president and CEO at RSA Security Inc. stated; “The question that many organizations are now asking is ‘what constitutes reasonable and appropriate action?’ In an increasingly complex regulatory environment, finding a comprehensive answer to that question can be a laborious task.

Who deceides what is “reasonable & appropriate?” One definition of reasonable is “Not excessive or extreme; fair.” The legal definition of reasonable is “Suitable; just; proper; ordinary; fair; usual. The term reasonable is a generic and relative one and applies to that which is appropriate for a particular situation.” (West’s Encyclopedia of American Law, edition 2. Copyright 2008 The Gale Group, Inc. All rights reserved.)

Based on Denver’s analysis, a small business owner, which would account for 90% of EOS Online Merchant’s user base, would be unable to do business on the Internet, if all that Denver claims is absolute. And, its is not.

SSL Is Not The Security Cure All

January 27, 2009 in SSL Certificates by SupremeCenterHosting  |  1 Comments

safeSSL, or Secure Socket Layer, is not the answer to website security. SSL does provide an encrypted layer for Internet communications, however it is not the solution to all security concerns.

The advantage of SSL is its compatibility with most browsers, where it invisibly encrypts Internet communications and thwarts an attacker from catching sight of the data sent from your browser to a websites server. A hacker can see that you are making a connection to the server but not what is being transmitted. SSL also authenticates the server, so you know that you are conversing with the server, not a hacker situated between you and the server.

Regrettably many people, including the guys developing Eos Online Merchant, look at SSL as the perfect answer to website defense. They are currently attempting to create new open source standards, which force the use of SSL when using their ecommerce cart. Granted, SSL should be used on every website that accepts credit cards, as protecting customer financial data is a no-brainer. Believing that SSL is the answer is being naive.

Why is relying on SSL a mistake, David and Inetbiz? Because SSL does not protect you from the following:

1. Vulnerable Hosts – The idea that having an SSL certificate installed on your server secures the server itself is an enormous delusion. Protecting the transmission of data between a browser and a server is only half the battle. You need to keep patches for the operating system [e.g. Linux], server software [e.g. Apache] and scripting tools [e.g. PHP & MySQL] up to date. Turning off unneeded services and checking your server logs on a regular basis is also important.

2. Poor Programming – The communication between a browser and server may be encrypted but a hacker can still try to break in via poorly coded website applications, and because you installed an SSL certificate, your Intrusion detection system may not alert you about it. Keep your website applications [e.g. shopping carts, blog or forums] updated as often as possible.

3. Phishing & Spoofs – When you purchase an SSL certificate you are required to include your host name. Anyone who owns a domain name can get an SSL cert for that domain. There are people who create website that mirror the look and feel of other websites right down to an SSL Certificate. These “spoofs“ can look like your bank website or a popular ecommerce site and are created to obtain account numbers, passwords or credit card numbers. They can relay info so that it shows as it would if you were on the legitimate site, but save a decrypted copy of everything you entered into a form thus stealing your financial information.

Unfortunately, an SSL certificate can not protect you from phising and spoof sites either because a hacker can easily register a similar name to your bank domain. For example, your bank domain name might be “my_financial_institution.com” and a hacker could register “my_financial_institutions.com”, which is an error that you might never notice.

Many of the things listed above might seem obvious. I know a couple of people who are forcing SSL as a new open source standard who are most likely had no idea. People are frequently bemused and can’t comprehend SSL security begins and ends. An argument that turns into endless backbiting about security before one realizes precisely where the assumptions came from. I have been there… several days of posting in the osCommerce University forums about when SSL is needed, when it is not and who should be the one to decide when to use it. They [the Eos Online Merchant development team] didn’t get it, hopefully you do.

Commercial vs. Open Source Software – Creating Standards For Profit

January 26, 2009 in CRE Loaded, Open Source, osCommerce, SSL Certificates by SupremeCenterHosting  |  1 Comments

opensourceinitiativeThe days of Open Source seem to be fading away. Now a day, open source is not much different than commercial software. There are a number of individuals and companies that take advantage of freely available applications as a means to profit. Gone it seems are the days of the Open Source Initiative and Linus Torvalds’ vision that “open source is the only right way to do software.”

What is Open Source?

Open source began as, and in part still is, software created by a community of people who are dedicated to working together in a mutual way.

Open source normally circumscribes software that is distributed under a license that guarantees that derivative works, or forks, will also be available as source code, protects the rights of the original creator, and prohibits limitations on how the software can be used or who can use it.

Commercial vs. Open Source Software

In many cases, the difference between software created by open source communities and commercial software is the license.

For example, osCommerce is an open source application freely developed and distributed by the osCommerce community. The community also freely develops and freely distributes contributions for use with osCommerce. CRE Loaded, a fork now developed by Sal Iozzia and Chain Reaction Web, has latched onto osCommerce and the community contributions like a leach, sucking all the communities hard work and sweat into his pocket. CRE Loaded once was a free open source application, that was until David Graham, a former CRE employee and now dean of the osCommerce University, suggested that it be sold. With CRE Loaded v6.2 came the dawn of a new era. CRE was released in three flavors, a free standard version, a $150 or so Pro version and a B2B version snatching $300 out of your palm. All three versions came with the same bugs that v6.15 did with the B2B and Pro versions promising support. Based on the CRE user forums and emails I received from end users, support for the application was poor or non-existent leaving many users wanting their money back. None of this sounds like what Linus Torvalds envisioned.

Creating Profit For Standards

For testing purposes, I recently installed Eos Online Merchant and found that the Eos “development” team had added code that overrides the original osCommerce and CRE Loaded code that allowed the end user to choose between using, and not using SSL [Secure Socket Layer]. By default, CRE Loaded and osCommerce does not require the use of SSL. Eos does and I asked David Graham why Eos would force the use of SSL and in short, Eos is creating standards. They cite FTC laws that don’t exist and payment card standards [The PCI movement] that have yet to be implemented. Suggesting that there are laws or security reasons for forcing the use of SSL is wrong. Telling an end user that name, address and phone numbers should be encrypted when transmitted is just plain dim-witted. How many of us have a mail box? How many of us have our name, address and phone number printed in a phone book? Has anyone ever used the Internet to find the name and address of a person using reverse lookup directories… and found that info on a reputable website that is Not using SSL?

One of the Eos dev team members, Inetbiz, insisted that name, address and phone numbers that are collected by a website are required to be encrypted by SSL – although both he and David Graham have used CRE Loaded for years and I have never noticed any complaints from either about SSL in the CRE Loaded forums. That might be that they had no control over CRE, and considering Inetbiz provides hosting services including the sale of SSL certificates, I am not surprised by the sudden move to forcing SSL in Eos Online Merchant. Create a new standard, force the purchase of SSL certificates and maybe it will catch on and no one will complain? Well I did and they did not like it. I don’t feel bad about it though. Much like CE Loaded, Eos Online Merchant is poised itself to fall flat on its commercial face. I think that is what happens when you take an open source application, add greed and indifference, and expect the world to follow you like the pied piper.

Just because you make it does not mean they will come

I am 100% for the development and distribution of open source applications. The likes of Joomla, WordPress and osCommerce are a few examples of what I believe open source should mean. Sure, there are people that create paid templates, add-ons, plug-ins and contributions for these applications – not unethical. There are just as many that do the same for free. What I find unethical is the type of thing that some forks of these applications are doing. I find it unacceptable that a fork would create standards and suggest that there are laws or security reasons for forcing something onto an end user merely for profit – the end user should be in the position of making their own decisions, not the developer. I find it disconcerting that groups of people feel comfortable taking an application, changing little of it, only to turn around and profit from it. I myself have a version of CE Loaded that I use on my hosting website. I do not openly develop or distribute the application – I have no time to support it. I modified the application to suit my needs. I removed the bugs for the features I did use. I do offer it to my hosting customers and will support its use by my hosting customers, but I don’t expect them to pay me for its use.

Open source had always been free. Free to modify, free to distribute. Adding greed into the mix does little for the open source community. Supporting the open source community does not mean that you should bend over for the developers. There are a slew of ways that one can support the open source community without having to know how to code. Participating in community forums is just as important as those behind the scenes writing the code. Helping to keep open source free is the goal…

Eos Online Merchant – First Look, Maybe The Last

January 16, 2009 in Open Source, SSL Certificates by SupremeCenterHosting  |  No Comments

sslI stumbled on Eos Online Merchant [another osCommerce fork based off CRE Loaded] back in November when The Evil Greedy Overlord [Sal Iozzia of Chain Reaction Web] sprang the new pricing structure on the CRE community. David Graham, former employee of Chain Reaction and Dean of the osCommerce University, is part of the Eos Online Merchant collaboration led by StrikeHawk eCommerce. Knowing David, and what kind of person he is, I was optimistic that this application would end up beating CRE like a rented mule… now I am not so sure.

I downloaded and installed Eos in November. The installer, outside of a few cosmetic changes, was what I would have expected. Once I completed the installation, I loaded the backend and attempted to login… took me a couple of tries before I realized that the url was https, not http. I went right to the config file[s] and set SSL to false and tried again. Doh. These guys are forcing SSL! Could not figure out why they would consider forcing SSL so, I headed to osC U and sent David a private message:

“Hey David ~

Why is Eos forcing SSL? By default, SSL is set to true in the config files and setting it to false does no bit of good – it always wants to load the admin panel using HTTPS. I don’t know, not many people are going to go out and buy an SSL cert to test an application.”

David’s response:

“Security. Traffic on development and other frequently unsecured sites can give valuable clues to the structure of a live site. There is also the common practice of setting up a site before installing a certificate without changing all passwords at the time the site is taken live. Sucks to give your access codes away without even knowing it.

Any (ecommerce) host (or webmaster) should know how to generate a free cert usable for testing, and a test which does not include observation of correct behavior of the code and any templates applied under SSL conditions is not a valid test”

Hmmm… okay. He then went on to say:

“I think we all should be aware that PCI and other standards are going to have a heavy impact on the industry. This is one of them. While some planning needs to be done to deal with these issues yet, one thing we intend to do with EOS is to force SSL out of the box. It covers a frequently overlooked security hole to which no one should have to fall prey.“

Wait a minute… shouldn’t the SSL part of the application be my choice and responsibility? And since when is SSL the Only way to secure a website? So, I asked that and others questions in the thread “ESO 0.52 Alpha SSL Management.” Both David and inetbiz harped on credit cards. My position is not all websites accept credit cards and many that do use a third party processor such as PayPal or 2Checkout making SSL unnecessary. Both kept pointing out standards such as those of the PCI Security Standards Council, or Federal Trade Commission guidelines [suggestions], none mind you are law and again, if you do not accept credit cards on your website, then those standards or guidelines will never apply to you.

I could not figure out why they believe SSL is necessary enough to:

A.) Force it on the end user and,
B.) Treat the end user as if they are not capable of making their own decisions.

Is it that they are trying to create a new standard hoping it will catch on like bell bottoms in the 70’s?

I don’t find the need to force SSL necessary and said so in the thread:

“I still think forcing SSL is a bad idea. Again, an unsuspecting user will not be a happy camper after taking the time to download and install the application only to find out they can’t use it without an SSL cert – like I did. SSL is not necessary on many sites using an application such as EOS, CRE or osC unless you plan on accepting CC’s directly on your site. Many are using other payment gateway’s and payment processors [e.g. PayPal] which already have SSL in place.

As far as security goes, there are other ways to secure a site without the need for an SSL cert. There are not too many cases of someone hijacking usernames and passwords during transmission – there is more to it than that. If that were the case, all sites would be using SSL. Anyone with good knowledge of .htaccess, or those willing to take the time to learn, can secure their sites without the cost of a cert. One of the biggest issues is failure to use the correct permissions on configuration files and not using or improperly using .htaccess – not theft of passwords from the zeros and ones.

I think it would be better to STRESS the use of SSL on an ecommerce site – not forcing its use.”

David said:

“I think you are right, there is more to security than securing the transmission stream. However, being a little insecure is like being a little bit pregnant.”

Then he went on about credit cards again…

Fact is, nearly all the reasons they gave for forcing SSL really hold little water. Sure, SSL is a good thing and SSL certificates should be used on ALL sites that accept and process credit cards. However, by David’s and inetbizs’ standards, even the lowly hobby html site needs SSL. What really stuck out was when inetbiz said:

“We sell and so do many others a very inexpensive $14.95 RapidSSL certificate good for one year.”

That sounds way too much like a sales pitch, doesn’t it? So, Eos was created to sell products and services? That’s CRE loaded, isn’t it?

So my conclusion is that you don’t need Eos Online Merchant. I don’t think it’s worth all the hassle. There are plenty of free alternatives around that won’t force your to purchase and install other products or services in order to use it. It may be an open source application but its obvious that its a closed community and the “developers” don’t take kindly to anything that questions their ideas – have a look at the thread, specifically page 2 and decide for yourself.