One change in 0.52 Alpha has already been noticed. A PM was sent to me as follows:
Hey David ~
Why is EOS forcing SSL? By default, SSL is set to true in the config files and setting it to false does no bit of good - it always wants to load the admin panel using HTTPS. I don't know, not many people are going to go out and buy an SSL cert to test an application.
My reply (with two minor changes in parentheses) is:
Security. Traffic on development and other frequently unsecured sites can give valuable clues to the structure of a live site. There is also the common practice of setting up a site before installing a certificate without changing all passwords at the time the site is taken live. Sucks to give your access codes away without even knowing it.
Any (ecommerce) host (or webmaster) should know how to generate a free cert usable for testing, and a test which does not include observation of correct behavior of the code and any templates applied under SSL conditions is not a valid test.
I think we all should be aware that PCI and other standards are going to have a heavy impact on the industry. This is one of them. While some planning needs to be done to deal with these issues yet, one thing we intend to do with EOS is to force SSL out of the box. It covers a frequently overlooked security hole to which no one should have to fall prey. Also, it offers an opportunity to TEACH - which is one of the more overlooked methods of providing support, and one which pays great dividends in terms of mutual respect and more powerful relationships between customers and vendors.
Other topics will be posted soon as we all need to discuss these security issues and how we can best manage them together - or indeed, whether we should!
David
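The free test certificate mentioned in the reply can be a self-signed one. The following is an added example, not part of the original post or of EOS; it assumes OpenSSL 1.1.1 or later, and the host name `shop.test` and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: self-signed certificate for exercising a test site over HTTPS.
# Browsers will warn on it; it is for testing only, not for a live site.

# make_test_cert HOST OUTDIR [DAYS]
# Writes OUTDIR/HOST.key and OUTDIR/HOST.crt.
make_test_cert() {
    host="$1"; outdir="$2"; days="${3:-30}"
    mkdir -p "$outdir" || return 1
    (
        # Subshell so the restrictive umask does not leak to the caller;
        # the private key is created readable by the owner only.
        umask 077
        openssl req -x509 -newkey rsa:2048 -sha256 -nodes \
            -days "$days" \
            -subj "/CN=$host" \
            -addext "subjectAltName=DNS:$host" \
            -keyout "$outdir/$host.key" \
            -out "$outdir/$host.crt" 2>/dev/null
    ) || return 1
}

# cert_matches_key CERT KEY
# Succeeds only if the certificate's public key belongs to the private key,
# which catches a mismatched pair before the web server refuses to start.
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# cert_valid_for CERT SECONDS
# Succeeds if the certificate is still valid SECONDS from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Usage (constructed values):
#   make_test_cert shop.test ./certs 30
#   cert_matches_key ./certs/shop.test.crt ./certs/shop.test.key
#   cert_valid_for ./certs/shop.test.crt 86400
```

Keeping the lifetime short means a test certificate that leaks or is forgotten expires on its own, and the generated key should never be reused when the site goes live.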