I stumbled on Eos Online Merchant [another osCommerce fork based off CRE Loaded] back in November when The Evil Greedy Overlord [Sal Iozzia of Chain Reaction Web] sprang the new pricing structure on the CRE community. David Graham, former employee of Chain Reaction and Dean of the osCommerce University, is part of the Eos Online Merchant collaboration led by StrikeHawk eCommerce. Knowing David, and what kind of person he is, I was optimistic that this application would end up beating CRE like a rented mule… now I am not so sure.

I downloaded and installed Eos in November. The installer, outside of a few cosmetic changes, was what I would have expected. Once I completed the installation, I loaded the backend and attempted to login… took me a couple of tries before I realized that the url was https, not http. I went right to the config file[s] and set SSL to false and tried again. Doh. These guys are forcing SSL! Could not figure out why they would consider forcing SSL so, I headed to osC U and sent David a private message:

“Hey David ~

Why is Eos forcing SSL? By default, SSL is set to true in the config files and setting it to false does no bit of good – it always wants to load the admin panel using HTTPS. I don’t know, not many people are going to go out and buy an SSL cert to test an application.”

David’s response:

“Security. Traffic on development and other frequently unsecured sites can give valuable clues to the structure of a live site. There is also the common practice of setting up a site before installing a certificate without changing all passwords at the time the site is taken live. Sucks to give your access codes away without even knowing it.

Any (ecommerce) host (or webmaster) should know how to generate a free cert usable for testing, and a test which does not include observation of correct behavior of the code and any templates applied under SSL conditions is not a valid test”

Hmmm… okay. He then went on to say:

“I think we all should be aware that PCI and other standards are going to have a heavy impact on the industry. This is one of them. While some planning needs to be done to deal with these issues yet, one thing we intend to do with EOS is to force SSL out of the box. It covers a frequently overlooked security hole to which no one should have to fall prey.“

Wait a minute… shouldn’t the SSL part of the application be my choice and responsibility? And since when is SSL the Only way to secure a website? So, I asked that and others questions in the thread “ESO 0.52 Alpha SSL Management.” Both David and inetbiz harped on credit cards. My position is not all websites accept credit cards and many that do use a third party processor such as PayPal or 2Checkout making SSL unnecessary. Both kept pointing out standards such as those of the PCI Security Standards Council, or Federal Trade Commission guidelines [suggestions], none mind you are law and again, if you do not accept credit cards on your website, then those standards or guidelines will never apply to you.

I could not figure out why they believe SSL is necessary enough to:

A.) Force it on the end user and,
B.) Treat the end user as if they are not capable of making their own decisions.

Is it that they are trying to create a new standard hoping it will catch on like bell bottoms in the 70’s?

I don’t find the need to force SSL necessary and said so in the thread:

“I still think forcing SSL is a bad idea. Again, an unsuspecting user will not be a happy camper after taking the time to download and install the application only to find out they can’t use it without an SSL cert – like I did. SSL is not necessary on many sites using an application such as EOS, CRE or osC unless you plan on accepting CC’s directly on your site. Many are using other payment gateway’s and payment processors [e.g. PayPal] which already have SSL in place.

As far as security goes, there are other ways to secure a site without the need for an SSL cert. There are not too many cases of someone hijacking usernames and passwords during transmission – there is more to it than that. If that were the case, all sites would be using SSL. Anyone with good knowledge of .htaccess, or those willing to take the time to learn, can secure their sites without the cost of a cert. One of the biggest issues is failure to use the correct permissions on configuration files and not using or improperly using .htaccess – not theft of passwords from the zeros and ones.

I think it would be better to STRESS the use of SSL on an ecommerce site – not forcing its use.”

David said:

“I think you are right, there is more to security than securing the transmission stream. However, being a little insecure is like being a little bit pregnant.”

Then he went on about credit cards again…

Fact is, nearly all the reasons they gave for forcing SSL really hold little water. Sure, SSL is a good thing and SSL certificates should be used on ALL sites that accept and process credit cards. However, by David’s and inetbizs’ standards, even the lowly hobby html site needs SSL. What really stuck out was when inetbiz said:

“We sell and so do many others a very inexpensive $14.95 RapidSSL certificate good for one year.”

That sounds way too much like a sales pitch, doesn’t it? So, Eos was created to sell products and services? That’s CRE loaded, isn’t it?

So my conclusion is that you don’t need Eos Online Merchant. I don’t think it’s worth all the hassle. There are plenty of free alternatives around that won’t force your to purchase and install other products or services in order to use it. It may be an open source application but its obvious that its a closed community and the “developers” don’t take kindly to anything that questions their ideas – have a look at the thread, specifically page 2 and decide for yourself.