Monthly Archives: January 2009

SSL Is Not The Security Cure All

January 27, 2009 in SSL Certificates by CEO/Founder, Supreme Center Hosting

SSL, or Secure Sockets Layer, is not the answer to website security. SSL does provide an encrypted layer for Internet communications; however, it is not the solution to all security concerns.

The advantage of SSL is its compatibility with most browsers, where it invisibly encrypts Internet communications and prevents an attacker from seeing the data sent from your browser to a website’s server. A hacker can see that you are making a connection to the server but not what is being transmitted. SSL also authenticates the server, so you know that you are conversing with the server, not a hacker situated between you and the server.

Regrettably, many people, including the guys developing Eos Online Merchant, look at SSL as the perfect answer to website defense. They are currently attempting to create new open source standards which force the use of SSL when using their ecommerce cart. Granted, SSL should be used on every website that accepts credit cards, as protecting customer financial data is a no-brainer. Believing that SSL is the answer is naive.

Why is relying on SSL a mistake, David and Inetbiz? Because SSL does not protect you from the following:

1. Vulnerable Hosts – The idea that having an SSL certificate installed on your server secures the server itself is an enormous delusion. Protecting the transmission of data between a browser and a server is only half the battle. You need to keep patches for the operating system [e.g. Linux], server software [e.g. Apache] and scripting tools [e.g. PHP & MySQL] up to date. Turning off unneeded services and checking your server logs on a regular basis is also important.

2. Poor Programming – The communication between a browser and server may be encrypted, but a hacker can still try to break in via poorly coded website applications, and because that traffic is encrypted under your SSL certificate, a network intrusion detection system may not be able to see the attack and alert you about it. Keep your website applications [e.g. shopping carts, blogs or forums] updated as often as possible.

3. Phishing & Spoofs – When you purchase an SSL certificate you are required to include your host name. Anyone who owns a domain name can get an SSL cert for that domain. There are people who create websites that mirror the look and feel of other websites, right down to an SSL certificate. These “spoofs” can look like your bank website or a popular ecommerce site and are created to obtain account numbers, passwords or credit card numbers. They can relay info so that it shows as it would if you were on the legitimate site, but save a decrypted copy of everything you entered into a form, thus stealing your financial information.

Unfortunately, an SSL certificate cannot protect you from phishing and spoof sites either, because a hacker can easily register a name similar to your bank’s domain. For example, your bank domain name might be “my_financial_institution.com” and a hacker could register “my_financial_institutions.com”, a difference that you might never notice.
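As an added example (not code from the original post), the following Python shows why a valid certificate alone does not settle whether a site is the one you meant to reach: it classifies a hostname against a list of trusted domains and flags lookalikes, using the post’s own bank-domain illustration. The trusted list, the edit-distance threshold and the underscore-containing sample names are assumptions taken from the post’s example, not from any real bank.

```python
"""Lookalike-hostname check for the phishing and spoof point above.

Added example, not code from the original post. A valid SSL certificate only
proves that whoever presents it controls the name on the certificate; it says
nothing about whether that name is the one the user meant to visit. The bank
names below come from the post's own illustration and are kept exactly as the
author wrote them, underscores included (real hostnames cannot contain
underscores, so treat them as placeholders).
"""
from __future__ import annotations

# Assumed trusted list: the post's example bank domain.
TRUSTED_DOMAINS = ["my_financial_institution.com"]


def registrable_name(host: str) -> str:
    """Return the label directly below the top-level label, e.g. 'example' for
    'www.example.com'. Assumes single-label suffixes ('.com', '.net');
    multi-label suffixes such as '.co.uk' are out of scope for this example."""
    labels = host.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the minimum number of single-character inserts,
    deletes or substitutions needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca -> cb
        prev = cur
    return prev[-1]


def classify_host(host: str, trusted: list[str] = TRUSTED_DOMAINS,
                  max_edits: int = 2) -> str:
    """Classify a hostname the browser is about to talk to.

    'trusted'   : exactly a trusted domain or a subdomain of one.
    'lookalike' : not trusted, but the host embeds a trusted domain
                  (my_financial_institution.com.evil.example), reuses its
                  registrable name under another suffix, or is within
                  max_edits edits of it (my_financial_institutions.com).
    'unrelated' : none of the above.
    The max_edits threshold is an assumption; very short names need a lower
    one to avoid false positives.
    """
    host = host.lower().rstrip(".")
    for t in (d.lower() for d in trusted):
        if host == t or host.endswith("." + t):
            return "trusted"
    name = registrable_name(host)
    for t in (d.lower() for d in trusted):
        tname = registrable_name(t)
        if t in host or name == tname or edit_distance(name, tname) <= max_edits:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample of hostnames as they might appear in a proxy log.
    for h in ["online.my_financial_institution.com",
              "my_financial_institutions.com",
              "my_financial_institution.net",
              "my_financial_institution.com.evil.example",
              "example.org"]:
        print(f"{h:45} {classify_host(h)}")
```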

Many of the things listed above might seem obvious. I know a couple of people who are pushing forced SSL as a new open source standard who most likely had no idea. People are frequently bemused and can’t comprehend where SSL security begins and ends. The argument turns into endless backbiting about security before anyone realizes precisely where the assumptions came from. I have been there… several days of posting in the osCommerce University forums about when SSL is needed, when it is not and who should be the one to decide when to use it. They [the Eos Online Merchant development team] didn’t get it; hopefully you do.

osDate Needs To Trim Some Fat

January 27, 2009 in Open Source, osDate by CEO/Founder, Supreme Center Hosting

osDate, still one of the noobs on the open source scene, is a dating / matchmaking application developed and distributed by Darren Gates of Tufat.com. I happened upon it about 3-4 years ago while looking for a dating script for a client. Although it was still in its infancy it did have appeal, and at the time I thought it had potential.

The main programmer, Vijaynair, made his start in MySQL and apparently never had any formal training in PHP. IMHO, it shows, as many parts of osDate have always lacked any real forethought. This may not be entirely down to Vijay’s naïveté; more likely it is the shortcomings of its creator, Darren Gates. I always likened some features to “doors to nowhere” simply because many features did not seem to work in the way you thought they should.

When osDate v2 was released, a plug-in system was added so that new features created by Tufat or osDate community members could be easily plugged into an installation of osDate. Evidently the plug-in system hit a brick wall. I say this because v2 was about 30MB unpacked and has since swelled to 80MB! That is more than twice the size of an initial v2 installation, and from what I can tell, there is not much more to the application to substantiate the girth.

There might be a few things I have not noticed, but regardless of what is in it, I thought the intention of the plug-in system was for plugging in new features. It looks as if osDate could go on a diet and the extra fat could be sucked out and discharged into the plug-in system. I would think that the end user should be able to download and install just the plug-ins they want. This could significantly trim down the size of the application by 20-30MB.

osDate is starting to look like an overfed Microsoft application. Perhaps it is time that someone came up with a diet pill for overweight open source applications [or bloat-ware, as I like to call it]… osDate could surely use one… it’s too fat.

Commercial vs. Open Source Software – Creating Standards For Profit

January 26, 2009 in CRE Loaded, Open Source, osCommerce, SSL Certificates by CEO/Founder, Supreme Center Hosting

The days of Open Source seem to be fading away. Nowadays, open source is not much different from commercial software. There are a number of individuals and companies that take advantage of freely available applications as a means to profit. Gone, it seems, are the days of the Open Source Initiative and Linus Torvalds’ vision that “open source is the only right way to do software.”

What is Open Source?

Open source began as, and in part still is, software created by a community of people who are dedicated to working together in a mutual way.

Open source normally denotes software that is distributed under a license that guarantees that derivative works, or forks, will also be available as source code, protects the rights of the original creator, and prohibits limitations on how the software can be used or who can use it.

Commercial vs. Open Source Software

In many cases, the difference between software created by open source communities and commercial software is the license.

For example, osCommerce is an open source application freely developed and distributed by the osCommerce community. The community also freely develops and freely distributes contributions for use with osCommerce. CRE Loaded, a fork now developed by Sal Iozzia and Chain Reaction Web, has latched onto osCommerce and the community contributions like a leech, sucking all the community’s hard work and sweat into his pocket. CRE Loaded was once a free open source application; that was until David Graham, a former CRE employee and now dean of the osCommerce University, suggested that it be sold. With CRE Loaded v6.2 came the dawn of a new era. CRE was released in three flavors: a free standard version, a $150 or so Pro version and a B2B version snatching $300 out of your palm. All three versions came with the same bugs that v6.15 did, with the B2B and Pro versions promising support. Based on the CRE user forums and emails I received from end users, support for the application was poor or non-existent, leaving many users wanting their money back. None of this sounds like what Linus Torvalds envisioned.

Creating Profit For Standards

For testing purposes, I recently installed Eos Online Merchant and found that the Eos “development” team had added code that overrides the original osCommerce and CRE Loaded code that allowed the end user to choose between using and not using SSL [Secure Sockets Layer]. By default, CRE Loaded and osCommerce do not require the use of SSL. Eos does, and when I asked David Graham why Eos would force the use of SSL, the short answer was that Eos is creating standards. They cite FTC laws that don’t exist and payment card standards [the PCI movement] that have yet to be implemented. Suggesting that there are laws or security reasons for forcing the use of SSL is wrong. Telling an end user that name, address and phone numbers should be encrypted when transmitted is just plain dim-witted. How many of us have a mail box? How many of us have our name, address and phone number printed in a phone book? Has anyone ever used the Internet to find the name and address of a person using reverse lookup directories… and found that info on a reputable website that is not using SSL?

One of the Eos dev team members, Inetbiz, insisted that name, address and phone numbers that are collected by a website are required to be encrypted by SSL – although both he and David Graham have used CRE Loaded for years and I have never noticed any complaints from either about SSL in the CRE Loaded forums. That might be because they had no control over CRE, and considering Inetbiz provides hosting services including the sale of SSL certificates, I am not surprised by the sudden move to forcing SSL in Eos Online Merchant. Create a new standard, force the purchase of SSL certificates and maybe it will catch on and no one will complain? Well, I did and they did not like it. I don’t feel bad about it though. Much like CRE Loaded, Eos Online Merchant has positioned itself to fall flat on its commercial face. I think that is what happens when you take an open source application, add greed and indifference, and expect the world to follow you like the pied piper.

Just because you make it does not mean they will come

I am 100% for the development and distribution of open source applications. The likes of Joomla, WordPress and osCommerce are a few examples of what I believe open source should mean. Sure, there are people that create paid templates, add-ons, plug-ins and contributions for these applications – not unethical. There are just as many that do the same for free. What I find unethical is the type of thing that some forks of these applications are doing. I find it unacceptable that a fork would create standards and suggest that there are laws or security reasons for forcing something onto an end user merely for profit – the end user should be in the position of making their own decisions, not the developer. I find it disconcerting that groups of people feel comfortable taking an application, changing little of it, only to turn around and profit from it. I myself have a version of CRE Loaded that I use on my hosting website. I do not openly develop or distribute the application – I have no time to support it. I modified the application to suit my needs. I removed the bugs for the features I did use. I do offer it to my hosting customers and will support its use by my hosting customers, but I don’t expect them to pay me for its use.

Open source has always been free. Free to modify, free to distribute. Adding greed into the mix does little for the open source community. Supporting the open source community does not mean that you should bend over for the developers. There are a slew of ways that one can support the open source community without having to know how to code. Participating in community forums is just as important as being one of those behind the scenes writing the code. Helping to keep open source free is the goal…

EnterUrl – Blast or Bull

January 21, 2009 in Web Site Marketing by CEO/Founder, Supreme Center Hosting

We had several customers ask us if EnterUrl.com was a legitimate service. If you are not familiar with EnterUrl, they claim to provide “Blast submission of your Web site to more than 300,000 search engines, directories and specialty sites globally.” With so many popular websites and services like InternetSeer or Web Pro News promoting EnterUrl, I guess we just assumed that the service they were providing was as advertised. In late December, one of our biggest hosting clients asked us about EnterUrl and we thought it was about time to find out if they were blowing smoke up everyone’s a**.

On 12/26/2008 we placed an order for one monthly submission [$19.95]. That submission claims:

“One-time Blast submission of your Web site to more than 300,000 search engines, directories and specialty sites globally. Service includes a submission email report from our search engine experts with valuable services and information to get you better rankings. Use the information to get you a better ranking on search engines.”

After clicking on the Sign up now button, we were taken to a page where we could enter our website, account and billing info. At the top of that page, it states:

“Blast your site across the web!

* Submit your website to over 300,000 search engines, specialty sites and directories
* 3 easy steps
* Purchase a 12-month submission and save $110!”

Note that EnterUrl claims that they will “submit your website to over 300,000 search engines, specialty sites and directories.”

We filled out the form, clicked “Activate Account” and found the confirmation page to be quite surprising… it no longer mentioned “over 300,000 search engines, specialty sites and directories” but instead stated some 65,000+. Already, it was clear that what EnterUrl was advertising was false. I sent them an email regarding the difference and received no response.

Although the order stated the submission would be done on 12/26, it was not until 12/29 that we received the submission confirmation email. The total number of search engines, specialty sites and directories is advertised to be 300,000, and somehow EnterUrl managed to surpass that amount by 325,091 search engines, specialty sites and directories, but only listed 93 in the submission results – 60 of which were successful while 33 failed… what happened to the 624,998 search engines, specialty sites and directories EnterUrl claimed to have submitted to in the submission report? What were the 624,998 sites? We asked that question as well and did not receive a response.

You could say that 625,058 successful submissions merit the $19.95 that we paid. However, we find it perplexing that EnterUrl did not list the sites it claimed to have submitted to. Today I went through the list of 60 that were successful and could not find our site listed. I can’t help but be a doubting Thomas in this case. So in closing… buyer beware.

Eos Online Merchant – First Look, Maybe The Last

January 16, 2009 in Open Source, SSL Certificates by CEO/Founder, Supreme Center Hosting

I stumbled on Eos Online Merchant [another osCommerce fork based off CRE Loaded] back in November when The Evil Greedy Overlord [Sal Iozzia of Chain Reaction Web] sprang the new pricing structure on the CRE community. David Graham, former employee of Chain Reaction and Dean of the osCommerce University, is part of the Eos Online Merchant collaboration led by StrikeHawk eCommerce. Knowing David, and what kind of person he is, I was optimistic that this application would end up beating CRE like a rented mule… now I am not so sure.

I downloaded and installed Eos in November. The installer, outside of a few cosmetic changes, was what I would have expected. Once I completed the installation, I loaded the backend and attempted to login… it took me a couple of tries before I realized that the URL was https, not http. I went right to the config file[s] and set SSL to false and tried again. Doh. These guys are forcing SSL! I could not figure out why they would consider forcing SSL, so I headed to osC U and sent David a private message:

“Hey David ~

Why is Eos forcing SSL? By default, SSL is set to true in the config files and setting it to false does no bit of good – it always wants to load the admin panel using HTTPS. I don’t know, not many people are going to go out and buy an SSL cert to test an application.”

David’s response:

“Security. Traffic on development and other frequently unsecured sites can give valuable clues to the structure of a live site. There is also the common practice of setting up a site before installing a certificate without changing all passwords at the time the site is taken live. Sucks to give your access codes away without even knowing it.

Any (ecommerce) host (or webmaster) should know how to generate a free cert usable for testing, and a test which does not include observation of correct behavior of the code and any templates applied under SSL conditions is not a valid test.”

Hmmm… okay. He then went on to say:

“I think we all should be aware that PCI and other standards are going to have a heavy impact on the industry. This is one of them. While some planning needs to be done to deal with these issues yet, one thing we intend to do with EOS is to force SSL out of the box. It covers a frequently overlooked security hole to which no one should have to fall prey.”

Wait a minute… shouldn’t the SSL part of the application be my choice and responsibility? And since when is SSL the only way to secure a website? So, I asked that and other questions in the thread “ESO 0.52 Alpha SSL Management.” Both David and inetbiz harped on credit cards. My position is that not all websites accept credit cards, and many that do use a third party processor such as PayPal or 2Checkout, making SSL unnecessary. Both kept pointing out standards such as those of the PCI Security Standards Council, or Federal Trade Commission guidelines [suggestions], none of which, mind you, are law, and again, if you do not accept credit cards on your website, then those standards or guidelines will never apply to you.

I could not figure out why they believe SSL is necessary enough to:

A.) Force it on the end user and,
B.) Treat the end user as if they are not capable of making their own decisions.

Is it that they are trying to create a new standard hoping it will catch on like bell bottoms in the 70’s?

I don’t find forcing SSL necessary and said so in the thread:

“I still think forcing SSL is a bad idea. Again, an unsuspecting user will not be a happy camper after taking the time to download and install the application only to find out they can’t use it without an SSL cert – like I did. SSL is not necessary on many sites using an application such as EOS, CRE or osC unless you plan on accepting CC’s directly on your site. Many are using other payment gateways and payment processors [e.g. PayPal] which already have SSL in place.

As far as security goes, there are other ways to secure a site without the need for an SSL cert. There are not too many cases of someone hijacking usernames and passwords during transmission – there is more to it than that. If that were the case, all sites would be using SSL. Anyone with good knowledge of .htaccess, or those willing to take the time to learn, can secure their sites without the cost of a cert. One of the biggest issues is failure to use the correct permissions on configuration files and not using or improperly using .htaccess – not theft of passwords from the zeros and ones.

I think it would be better to STRESS the use of SSL on an ecommerce site – not forcing its use.”

David said:

“I think you are right, there is more to security than securing the transmission stream. However, being a little insecure is like being a little bit pregnant.”

Then he went on about credit cards again…

Fact is, nearly all the reasons they gave for forcing SSL really hold little water. Sure, SSL is a good thing and SSL certificates should be used on ALL sites that accept and process credit cards. However, by David’s and inetbiz’s standards, even the lowly hobby HTML site needs SSL. What really stuck out was when inetbiz said:

“We sell and so do many others a very inexpensive $14.95 RapidSSL certificate good for one year.”

That sounds way too much like a sales pitch, doesn’t it? So, Eos was created to sell products and services? That’s CRE Loaded, isn’t it?

So my conclusion is that you don’t need Eos Online Merchant. I don’t think it’s worth all the hassle. There are plenty of free alternatives around that won’t force you to purchase and install other products or services in order to use them. It may be an open source application, but it’s obvious that it’s a closed community and the “developers” don’t take kindly to anything that questions their ideas – have a look at the thread, specifically page 2, and decide for yourself.

Paid Scripts – Forced Advertising

January 6, 2009 in Web Site Marketing by CEO/Founder, Supreme Center Hosting

I am going to get right down to it… a script or template developer who compels customers [who pay license fees for the script or template] to advertise the developer’s website for free is disreputable. There are a slew of website application developers and website designers who, I might add, are charging a hefty sum for their work while expecting you to freely advertise their websites, products and/or services. Some developers, such as the slimy Evil Greedy Overlord of CRE Loaded, code advertisements right into the application. So in the end, not only are you paying for the script and/or template, you are also paying the developer to advertise for them… for free! Sounds a bit ass backwards… doesn’t it?

If you look at some of the more popular and expensive scripts, you can pay upwards of $600 or more for the exclusive right to advertise for the developer. They have you by the short and curlies for the mere reason that the developer coded the script you purchased and he owns that code… not you. There is no legal standard as far as licensing goes, so the copyright holder can hold you over the coals and there is little you can do about it, other than to not purchase the wares peddled by these unprofessional, money hungry burglars. I say that is a good first step.

When we custom code a website for a client, there are no strings attached. When the project is finished you don’t owe us any more than was quoted. We don’t expect a link on your site to ours. Linking should be optional and up to the domain holder. Sure, we would love a link to our site but we would never force you to link back. As a matter of fact, you would most likely find a link to your site from ours, as it is a way for us to showcase what we have done for previous customers – and we don’t expect anything for it.

Due to time constraints, I recently was about to purchase a template from Themes Arena for our blog; that was until I noticed the designer states:

“This license entitles you to use the theme on one domain / website. The copyright information in the footer must remain intact.”

I asked Jauhari from Themes Arena the following questions:

ME: “The cost for the single user license is $54.95, which entitles me to use the template on one domain. So what in reality is the license for and why the free link back to Themes Arena?”

JAUHARI: “It is because with single user license you can use only for 1 domain and you can’t be able to remove the link back. This premium themes mainly offered good administration and design customize without breaking the codes.”

What does that have to do with the price of tea in China, Jauhari? You never answered my question… why the free LINK back to Themes Arena?

ME: “If I am paying for a license, shouldn’t that also relieve me of the link back requirement?”

JAUHARI: “This is standard license in almost Premium Themes available on the net, for single license that needed to keep the copyright, excluded the developer license.”

So what you are saying is you’re GREEDY? Or, are you saying that if other website designers started jumping in front of moving cars you would also? I never questioned the copyright, just the free LINK.

ME: “Do you think it is fair to charge customers a fee for your time and effort and then force them to provide free advertisements to your site?”

JAUHARI: “If you need to remove the link you need to bought the developer license.”

Jauhari obviously translates a copyright notice or license into free advertising too. Hello? That’s not the purpose of the copyright or license. A copyright gives the author [or creator] of an original work exclusivity, usually for a limited time. It also gives the copyright holder the right to be recognized for the work, to decide who (if anyone) can perform it or modify it to other forms and to profit financially from the work.

According to the U.S. Copyright Office:

Copyright is a form of protection provided by the laws of the United States (title 17, U. S. Code) to the authors of “original works of authorship,” including literary, dramatic, musical, artistic, and certain other intellectual works. This protection is available to both published and unpublished works. Section 106 of the 1976 Copyright Act generally gives the owner of copyright the exclusive right to do and to authorize others to do the following:

* To reproduce the work in copies or phonorecords;
* To prepare derivative works based upon the work;
* To distribute copies or phonorecords of the work to the public by sale or other transfer of ownership, or by rental, lease, or lending;
* To perform the work publicly, in the case of literary, musical, dramatic, and choreographic works, pantomimes, and motion pictures and other audiovisual works;
* To display the work publicly, in the case of literary, musical, dramatic, and choreographic works, pantomimes, and pictorial, graphic, or sculptural works, including the individual images of a motion picture or other audiovisual work; and
* In the case of sound recordings, to perform the work publicly by means of a digital audio transmission.

In addition, certain authors of works of visual art have the rights of attribution and integrity as described in section 106A of the 1976 Copyright Act.

Granted, the copyright holder can ask for whatever he wants as compensation for using the copyrighted work but I don’t think it gives the copyright holder the right to take advantage of people. You can’t have your cake and eat it too, right?

What I am trying to point out is that there are a number of people [and companies] on the Internet that take advantage of consumers. Charging extreme sums for templates or scripts while expecting that the customer continue to reimburse the designer or coder with free advertising, ad infinitum, is taking it too far and as a business owner, I find that disreputable and unnecessary.
