Open Source

eCommerce Hosting Manager Denver Prophit Shares Inaccurate Information

February 9, 2010 in SSL Certificates by SupremeCenterHosting  |  No Comments

In a recent post on his blog, Denver Prophit made some insinuations that I felt needed addressed. As many of those who are, or have been associated with CRE Loaded, Denver feels the lack of truth is the best way to profit off those who are Internet Illiterate.

Denver Prophit said; “If you request identity information such as billing address, name and telephone number, you need a secure encrypted channel to send it. You also need good P3P in place.

Fact is, CRE Loaded, osCommerce and 99% of all open source eCommerce applications never considered SSL important, that is until a couple years ago. Furthermore, an article on the InformationWeek website, ["Black Hat: Security Pro Shows How To Bypass SSL,"] suggests that MITM attacks are not impossible:

…Marlinspike explained that he obtained such data by placing proxy software he’d written, called ‘sslstrip,’ on a node of a Tor network, to conduct what’s known as a man-in-the-middle attack. The proxy software intercepts HTTPS traffic, generates and signs security certificates, and mediates data passing between the client and server, capturing everything in the process.

Martinspike captured 16 credit card numbers, seven PayPal logins, and 300 other miscellaneous secure login sessions in only 24 hours.

Marlinspike went on to say that:

Lots of times the security of HTTPS comes down to the security of HTTP, and HTTP is not secure…

Denver Prophit said; “The PCI standard requires Internet retailers to complete a 12-step security audit that must be certified annually and checked every three months.

That may be true IF you accept credit cards on your website. However, if you use a payment processor, such as Authorize.net, Google Checkout or PayPal for example, PCI compliance is not your responsibility.

I emailed PCI Security Standards and received this reply:

As described in PCI Data Security Standard Requirements and Security Assessment Procedures (available at https://www.pcisecuritystandards.org) the PCI Data Security Standard is intended to protect cardholder data and sensitive authentication data. As described on page 4 of that document cardholder data includes the primary account number, cardholder name, service code and expiration date, while sensitive authentication data includes full magnetic stripe data, CAV2/CVC2/CVV2/CID, and the PIN/PIN Block.”

You’ll notice that although cardholder name is mentioned, billing address and telephone number are not mentioned. Why? That is Not the information they [the card issuer] wants to protect. So, why would a small business owner need a “secure encrypted channel” if they are not accepting credit cards on their website?

Denver Prophit mentioned RSA in his post; “The point I stress, here, is * Encrypting transmission of cardholder data and sensitive information across public networks. your admin pages HAVE to be encrypted because it stores sensitive information and is required by federal law. See RSA.com 2005 A Corporate Minefield: FTC Demands “Reasonable & Appropriate” Measures to Protect Digital Assets (August 04) http://www.rsa.com/press_release.aspx?id=5991 (accessed January 14, 2009)

I am glad you mentioned RSA. Taking the time to read that press release, one would find that Art Coviello, president and CEO at RSA Security Inc. stated; “The question that many organizations are now asking is ‘what constitutes reasonable and appropriate action?’ In an increasingly complex regulatory environment, finding a comprehensive answer to that question can be a laborious task.

Who deceides what is “reasonable & appropriate?” One definition of reasonable is “Not excessive or extreme; fair.” The legal definition of reasonable is “Suitable; just; proper; ordinary; fair; usual. The term reasonable is a generic and relative one and applies to that which is appropriate for a particular situation.” (West’s Encyclopedia of American Law, edition 2. Copyright 2008 The Gale Group, Inc. All rights reserved.)

Based on Denver’s analysis, a small business owner, which would account for 90% of EOS Online Merchant’s user base, would be unable to do business on the Internet, if all that Denver claims is absolute. And, its is not.

osDate Needs To Trim Some Fat

January 27, 2009 in Open Source, osDate by SupremeCenterHosting  |  No Comments

fatosDate, still one of the noobs to the open source scene, is a dating / matchmaking application developed and distributed by Darren Gates of Tufat.com. I happened upon it about 3-4 years ago while looking for a dating script for a client. Although it was still in its infancy it did have appeal, and at the time I thought it had potential.

The main programmer, Vijaynair, made his start in MySQL and apparently never had any formal training in PHP. IMHO, it shows as many parts of osDate have always lacked any real forethought. This may not completely contribute to Vijay’s naïveté, but most likely is the shortcomings of its creator, Darren Gates. I always likened some features as being “doors to nowhere” simply because many features did not seem to work in the way you thought they should.

When osDate v2 was released, a plug-in system was added so those new features created by Tufat or osDate community members could be easily plugged into an installation of osDate. Evidently the plug-in system hit a brick wall. I say this because v2 was about 30MB unpacked and has since swelled to 80MB! More than twice the size of an initial v2 installation, and from what I can tell, there is not much more to the application to substantiate the girth.

There might be a few things I have not noticed, but despite of what is in it, I thought the intention of the plug-in system was for plugging in new features. Look as if osDate could go on a diet and the extra fat could be sucked out and discharged into the plug-in system. I would think that the end user should be able to download and install just the plug-ins they want. This could significantly trim down the size of the application by 20-30MB.

osDate is starting to look like a overfed Microsoft application. Perhaps it is time that someone come up with a diet pill for overweight open source applications [or bloat-ware as I like to call it]… osDate could surely use one… its too fat.

Eos Online Merchant – First Look, Maybe The Last

January 16, 2009 in Open Source, SSL Certificates by SupremeCenterHosting  |  No Comments

sslI stumbled on Eos Online Merchant [another osCommerce fork based off CRE Loaded] back in November when The Evil Greedy Overlord [Sal Iozzia of Chain Reaction Web] sprang the new pricing structure on the CRE community. David Graham, former employee of Chain Reaction and Dean of the osCommerce University, is part of the Eos Online Merchant collaboration led by StrikeHawk eCommerce. Knowing David, and what kind of person he is, I was optimistic that this application would end up beating CRE like a rented mule… now I am not so sure.

I downloaded and installed Eos in November. The installer, outside of a few cosmetic changes, was what I would have expected. Once I completed the installation, I loaded the backend and attempted to login… took me a couple of tries before I realized that the url was https, not http. I went right to the config file[s] and set SSL to false and tried again. Doh. These guys are forcing SSL! Could not figure out why they would consider forcing SSL so, I headed to osC U and sent David a private message:

“Hey David ~

Why is Eos forcing SSL? By default, SSL is set to true in the config files and setting it to false does no bit of good – it always wants to load the admin panel using HTTPS. I don’t know, not many people are going to go out and buy an SSL cert to test an application.”

David’s response:

“Security. Traffic on development and other frequently unsecured sites can give valuable clues to the structure of a live site. There is also the common practice of setting up a site before installing a certificate without changing all passwords at the time the site is taken live. Sucks to give your access codes away without even knowing it.

Any (ecommerce) host (or webmaster) should know how to generate a free cert usable for testing, and a test which does not include observation of correct behavior of the code and any templates applied under SSL conditions is not a valid test”

Hmmm… okay. He then went on to say:

“I think we all should be aware that PCI and other standards are going to have a heavy impact on the industry. This is one of them. While some planning needs to be done to deal with these issues yet, one thing we intend to do with EOS is to force SSL out of the box. It covers a frequently overlooked security hole to which no one should have to fall prey.“

Wait a minute… shouldn’t the SSL part of the application be my choice and responsibility? And since when is SSL the Only way to secure a website? So, I asked that and others questions in the thread “ESO 0.52 Alpha SSL Management.” Both David and inetbiz harped on credit cards. My position is not all websites accept credit cards and many that do use a third party processor such as PayPal or 2Checkout making SSL unnecessary. Both kept pointing out standards such as those of the PCI Security Standards Council, or Federal Trade Commission guidelines [suggestions], none mind you are law and again, if you do not accept credit cards on your website, then those standards or guidelines will never apply to you.

I could not figure out why they believe SSL is necessary enough to:

A.) Force it on the end user and,
B.) Treat the end user as if they are not capable of making their own decisions.

Is it that they are trying to create a new standard hoping it will catch on like bell bottoms in the 70’s?

I don’t find the need to force SSL necessary and said so in the thread:

“I still think forcing SSL is a bad idea. Again, an unsuspecting user will not be a happy camper after taking the time to download and install the application only to find out they can’t use it without an SSL cert – like I did. SSL is not necessary on many sites using an application such as EOS, CRE or osC unless you plan on accepting CC’s directly on your site. Many are using other payment gateway’s and payment processors [e.g. PayPal] which already have SSL in place.

As far as security goes, there are other ways to secure a site without the need for an SSL cert. There are not too many cases of someone hijacking usernames and passwords during transmission – there is more to it than that. If that were the case, all sites would be using SSL. Anyone with good knowledge of .htaccess, or those willing to take the time to learn, can secure their sites without the cost of a cert. One of the biggest issues is failure to use the correct permissions on configuration files and not using or improperly using .htaccess – not theft of passwords from the zeros and ones.

I think it would be better to STRESS the use of SSL on an ecommerce site – not forcing its use.”

David said:

“I think you are right, there is more to security than securing the transmission stream. However, being a little insecure is like being a little bit pregnant.”

Then he went on about credit cards again…

Fact is, nearly all the reasons they gave for forcing SSL really hold little water. Sure, SSL is a good thing and SSL certificates should be used on ALL sites that accept and process credit cards. However, by David’s and inetbizs’ standards, even the lowly hobby html site needs SSL. What really stuck out was when inetbiz said:

“We sell and so do many others a very inexpensive $14.95 RapidSSL certificate good for one year.”

That sounds way too much like a sales pitch, doesn’t it? So, Eos was created to sell products and services? That’s CRE loaded, isn’t it?

So my conclusion is that you don’t need Eos Online Merchant. I don’t think it’s worth all the hassle. There are plenty of free alternatives around that won’t force your to purchase and install other products or services in order to use it. It may be an open source application but its obvious that its a closed community and the “developers” don’t take kindly to anything that questions their ideas – have a look at the thread, specifically page 2 and decide for yourself.

What to look for in a hosting company

October 26, 2008 in Hosting by SupremeCenterHosting  |  No Comments

Type “hosting” at Google and you will find that there are currently 439,000,000 results for the search term … you should not have any trouble finding the perfect host for you and your website. However, its always best to start by asking friends or family who may already have a website who they recommend. A good review from someone you trust is far more valuable than reviews from people you don’t know. Visiting the countless hosting review sites can be a little daunting and the fact is, you will find that many of them “recommend” the same 5-10 hosting companies. The reason being is hosting companies pay for the reviews or for featured listings.

Before you decide on a host make sure that the host trustworthy and reliable, it is always worthwhile noting how long the company has been in business. Unfortunately anyone can set up a web hosting company, unless you ask the right questions you will not be able to judge the competence of any hosting company.

If you are new to websites and web hosting in general, it would be wise to host your sites with am established web hosting company. They are capable of dealing with less technically adept customers and are willing to go the extra mile. Due to their size, an established host is normally more flexible when it comes to upgrading your hosting plan, providing a payment plan of your choice and they have more servers available than the smaller hosting companies. It may also be wise to pick a host that may offer some support for the application that you may plan on using. Most hosts will not provide support for third party applications such as WordPress, Joomla or osCommerce, so you may not have them to rely on should something go wrong – Supreme Center Hosting is one of few hosting companies that provides limited support for many open source applications. Some hosts will even provide free professional installations of popular applications. Another suggestion would be to choose a host that may offer additional products and services such as SSL certificates, website programming or even managed services – you never know when you might need additional services and your host will normally give discounts to their customers for additional products or services they might need.

When looking for a host, first decide how much disk space and bandwidth you might need. Although this is not normally a deal breaker as you can always upgrade your plan should the need for more space or transfer arise. However, you do want to make sure that the host you plan to use and the plan you choose has the correct specs for the application you plan to use – you don’t want to choose a unix host when you plan on using an application that is coded in ASP.

If you are currently hosting a website and are planning on moving to a new hosting provider, it might be wise to look for a host that can help you with the transition. Many hosting companies, such as Supreme Center Hosting, provide free transfer services for customers who are using cPanel. This makes the transition that much easier and you will have less to do in order to get your site up and going with your new host.

CRE Loaded just got worse

October 20, 2008 in CRE Loaded by SupremeCenterHosting  |  No Comments

I could all out flame CRE Loaded and Salvatore Iozzia here today but what good would it do? I doubt very highly that it would make any real difference to the current CRE Loaded open source model. Fact is, I had plenty to say in the “Sal’s Message to the Community” thread at the CRE Loaded forums regarding past and current issues, and it seems Sal is oblivious to the opinion’s that were offered. He somehow managed to muster up enough backbone to to create the post, while flip flopping on the entire issue. The entire post looks like it was pulled out of a page from the past with many of the more well-known forum members taking a whack at Sal’s pride.

By know it is probably obvious that I am not new to CRE Loaded. I started using it back in 2003-2004 when it was still in [bug filled] version v6.15. I even did work for Sal [installations, contribution additions] while I was upstarting my hosting business. That was until he screwed me out of $500 for worked I performed and about the time that David Graham, of the osCommerce University, suggested that Sal start selling CRE Loaded. I remember having a chat conversation with David regarding sale of the open source application but was never aware that he suggested it [or I am getting too old to remember]. I gently poked David in the aforementioned thread by saying “If your suggesting that you persuaded Sal to sell CRE then, Shame on you! It was you sir who created the Ugly Monster!” His response clearly showed that he was as pissed as I… “Yeah, well, I never intended anyone to mislead the public about the GPL and its implications either. Which is why EOS itself is free and will remain so.” What? is it possible that Salvatore Iozzia could mislead the end user? Sure it is. I read posts by Sal, and his now world famous moderator Gerald, regarding the GPL license. It was clear to me that what they were trying to do was mislead the lesser informed end user that they really were not permitted to do anything with CRE… but pay for it.

Now this brings up a new question… what exactly was the end user paying for? That ultimately is a very good question. At this point, I have no idea. David Graham recently blogged about this in his post “CRE Launches New Open Source Model” and stated that “My original concept when proposing CRE Loaded commercialization was to charge a standard fee per copy distributed with a 30 to 90 day support window, following which support could be obtained on a contract basis.” Okay, so the end user was paying for support? Hmmm… having had conversations with owners of other companies that were using, or had clients using CRE Loaded, this was clearly not the case. Apparently, support was one thing that was missing from the $200 price tag for Pro and $300 price tag for B2B.

Okay, so what do I think about all of this? What was missing from the launch of the new model and CRE 6.2 was Value-Added Services. By definition, it would be the term for non-core services… services that add value to a standard service offering. This could be any number of things. Using CRE as an example, the value-added services could be Support, plugins, templates, etc. As an active supporter of Open Source applications since 2003, we offer web site hosting and hosting services for a variety of open source applications and provide value-added services such as free professional installation and free support for a variety of issues that a customer my experience while using the application. We also provide web site programming services for these applications at a nominal [and below industry standard] fee.

So my question is… why is it that Sal thought it a good idea to sell CRE when he could have offered additional value-added services at reasonable rates? These services could have been any or all of those mentioned above. Support/Maintenance contracts could have been offered to those who either do not have the experience necessary to modify code or just did not want to. Plugins, that could not be found for free at osCommerce.com, could have been developed in-house and sold in the CRE store. Same goes for custom templates. Any service or a combination of services could have been offered to the CRE end user, whom I might add would have been more than happy to pay for. However, the “Evil Greedy Overlord” could not help himself. He not only put unreasonable price tags on the open source application, he charged 2 arms and a leg for additional services that really should have been part of the “support” the end user was supposed to get.

So what have we learned from all this? Never, and I mean never pay for open source applications. The whole idea behind open source is that the source code should be free. This does not mean that everything should be free [contributions, support, templates, hosting, etc], but that the application itself should be free. Granted, the GPL license states that you can sell the code. That is correct, sir. Let’s use Linux as an example. Linus Torvalds wrote and released Linux as open source and it can be found everywhere for $0. Why is it that Red Hat is selling it then? Well, they are not selling the Linux source code. What they are selling is value-added services in the forum of features that can not be found in the original source, support and improved & robust versions.

Finally, we have also learned that you can’t trust anyone who calls themselves the “Evil Overlord.”

  • Authorize.Net Reseller

    Authorize.Net Logo
Stop censorship