eCommerce Hosting Manager Denver Prophit Shares Inaccurate Information

February 9, 2010 in SSL Certificates by SupremeCenterHosting  |  2 Comments

In a recent post on his blog, Denver Prophit made some insinuations that I felt needed addressed. As many of those who are, or have been associated with CRE Loaded, Denver feels the lack of truth is the best way to profit off those who are Internet Illiterate.

Denver Prophit said; “If you request identity information such as billing address, name and telephone number, you need a secure encrypted channel to send it. You also need good P3P in place.

Fact is, CRE Loaded, osCommerce and 99% of all open source eCommerce applications never considered SSL important, that is until a couple years ago. Furthermore, an article on the InformationWeek website, [“Black Hat: Security Pro Shows How To Bypass SSL,”] suggests that MITM attacks are not impossible:

…Marlinspike explained that he obtained such data by placing proxy software he’d written, called ‘sslstrip,’ on a node of a Tor network, to conduct what’s known as a man-in-the-middle attack. The proxy software intercepts HTTPS traffic, generates and signs security certificates, and mediates data passing between the client and server, capturing everything in the process.

Martinspike captured 16 credit card numbers, seven PayPal logins, and 300 other miscellaneous secure login sessions in only 24 hours.

Marlinspike went on to say that:

Lots of times the security of HTTPS comes down to the security of HTTP, and HTTP is not secure…

Denver Prophit said; “The PCI standard requires Internet retailers to complete a 12-step security audit that must be certified annually and checked every three months.

That may be true IF you accept credit cards on your website. However, if you use a payment processor, such as Authorize.net, Google Checkout or PayPal for example, PCI compliance is not your responsibility.

I emailed PCI Security Standards and received this reply:

As described in PCI Data Security Standard Requirements and Security Assessment Procedures (available at https://www.pcisecuritystandards.org) the PCI Data Security Standard is intended to protect cardholder data and sensitive authentication data. As described on page 4 of that document cardholder data includes the primary account number, cardholder name, service code and expiration date, while sensitive authentication data includes full magnetic stripe data, CAV2/CVC2/CVV2/CID, and the PIN/PIN Block.”

You’ll notice that although cardholder name is mentioned, billing address and telephone number are not mentioned. Why? That is Not the information they [the card issuer] wants to protect. So, why would a small business owner need a “secure encrypted channel” if they are not accepting credit cards on their website?

Denver Prophit mentioned RSA in his post; “The point I stress, here, is * Encrypting transmission of cardholder data and sensitive information across public networks. your admin pages HAVE to be encrypted because it stores sensitive information and is required by federal law. See RSA.com 2005 A Corporate Minefield: FTC Demands “Reasonable & Appropriate” Measures to Protect Digital Assets (August 04) http://www.rsa.com/press_release.aspx?id=5991 (accessed January 14, 2009)

I am glad you mentioned RSA. Taking the time to read that press release, one would find that Art Coviello, president and CEO at RSA Security Inc. stated; “The question that many organizations are now asking is ‘what constitutes reasonable and appropriate action?’ In an increasingly complex regulatory environment, finding a comprehensive answer to that question can be a laborious task.

Who deceides what is “reasonable & appropriate?” One definition of reasonable is “Not excessive or extreme; fair.” The legal definition of reasonable is “Suitable; just; proper; ordinary; fair; usual. The term reasonable is a generic and relative one and applies to that which is appropriate for a particular situation.” (West’s Encyclopedia of American Law, edition 2. Copyright 2008 The Gale Group, Inc. All rights reserved.)

Based on Denver’s analysis, a small business owner, which would account for 90% of EOS Online Merchant’s user base, would be unable to do business on the Internet, if all that Denver claims is absolute. And, its is not.

What to look for in a hosting company

October 26, 2008 in Hosting by SupremeCenterHosting  |  No Comments

Type “hosting” at Google and you will find that there are currently 439,000,000 results for the search term … you should not have any trouble finding the perfect host for you and your website. However, its always best to start by asking friends or family who may already have a website who they recommend. A good review from someone you trust is far more valuable than reviews from people you don’t know. Visiting the countless hosting review sites can be a little daunting and the fact is, you will find that many of them “recommend” the same 5-10 hosting companies. The reason being is hosting companies pay for the reviews or for featured listings.

Before you decide on a host make sure that the host trustworthy and reliable, it is always worthwhile noting how long the company has been in business. Unfortunately anyone can set up a web hosting company, unless you ask the right questions you will not be able to judge the competence of any hosting company.

If you are new to websites and web hosting in general, it would be wise to host your sites with am established web hosting company. They are capable of dealing with less technically adept customers and are willing to go the extra mile. Due to their size, an established host is normally more flexible when it comes to upgrading your hosting plan, providing a payment plan of your choice and they have more servers available than the smaller hosting companies. It may also be wise to pick a host that may offer some support for the application that you may plan on using. Most hosts will not provide support for third party applications such as WordPress, Joomla or osCommerce, so you may not have them to rely on should something go wrong – Supreme Center Hosting is one of few hosting companies that provides limited support for many open source applications. Some hosts will even provide free professional installations of popular applications. Another suggestion would be to choose a host that may offer additional products and services such as SSL certificates, website programming or even managed services – you never know when you might need additional services and your host will normally give discounts to their customers for additional products or services they might need.

When looking for a host, first decide how much disk space and bandwidth you might need. Although this is not normally a deal breaker as you can always upgrade your plan should the need for more space or transfer arise. However, you do want to make sure that the host you plan to use and the plan you choose has the correct specs for the application you plan to use – you don’t want to choose a unix host when you plan on using an application that is coded in ASP.

If you are currently hosting a website and are planning on moving to a new hosting provider, it might be wise to look for a host that can help you with the transition. Many hosting companies, such as Supreme Center Hosting, provide free transfer services for customers who are using cPanel. This makes the transition that much easier and you will have less to do in order to get your site up and going with your new host.