Author Topic: EOS 0.52 Alpha SSL Management.  (Read 9613 times)


inetbiz

  • eCommerce Strategy Consultant
  • Administrator
  • Full Member
Re: ESO 0.52 Alpha SSL Management.
« Reply #33 on: January 28, 2009, 11:56:10 AM »
Standards for profit.

The more you bark, the more it shows what I say is true. Locking threads only proves that you and David are following Sal Iozzia and CRE.

Articles & Blogs is where it is at, slick.

I did not ban you, nor did I mar your avatar as The Iozzia would do. I locked down the thread to cool you down. Resorting to name calling and misleading accusations that the cart will be heavily embedded with commercial links back to our commercial endeavors is wrong. There will be a market place ON the website that can include any host willing to submit and have customers post reviews. Other ecommerce service providers will be listed as well, but NOT within the cart code or database.

The Market Place will be an enhancement of the Manufacturer's link contribution of osCommerce with the review system. This will then in turn be fed to Google Base, Yahoo and other sites. So Supreme Hosting Center will most definitely have the opportunity to participate in the market place ON the website. So hold our feet to the fire and wait for the Market Place to go live.
« Last Edit: January 28, 2009, 11:57:51 AM by inetbiz »

David M. Graham

  • Administrator
  • Sr. Member
Re: ESO 0.52 Alpha SSL Management.
« Reply #32 on: January 28, 2009, 11:35:34 AM »
I'm unlocking this thread.

While I don't appreciate the tone the discussion has taken (it's wandered pretty far afield from management of SSL configuration by the Eos installer), we are touching on some issues of security philosophy and commercial participation in the project that need to be addressed. As well, there is the question of just what IS acceptable or desirable in terms of how we communicate to and with each other in these forums.

I've been recovering slowly from a bricking of my primary work computer - and have client work which takes priority over these forums.  But I'll post a bit more of my thoughts on these issues later.

Suffice to say for now that the original issue here is that EOS Online Merchant 0.5x ALPHA is less than graceful in its management of SSL setup. The key word in that sentence is ALPHA. I've already said we'll be revisiting this issue and making adjustments before we BETA the code. The point being that any accusations of non-performance here are as yet neither warranted nor justified.

I also clearly stated that while the implementation details remain open for discussion and suggestions are welcome, we will not generate an installation lacking SSL configuration without a positive action taken by the person performing the install.     The technical term for this is "safety lock-on" and this is a minimal acceptable standard. 

The four customers who mentioned this thread to me during the course of the last week certainly seemed to grasp this.  They had two questions for me that boiled down to: Who is this nut, and what put a bee under his bonnet.

Leaving aside the first question, the second one deserves an answer.  It appears that the current participants in the EOS project (mostly Denver, Tom and myself at present) are being accused of being running dogs of American Capitalism.  We are guilty of that, nor is it a secret.  So what?  As for whatever other agenda Michael wants to pursue - I suggest that it would be best pursued by opening a pertinent topic, or responding to the ones I'll be opening to address the underlying issues as I see them. 

I had enough of hidden agendas and time wasted on marketplace politics while working with CRE. The time for plain speaking is always now.

This thread remains open for pertinent suggestions  as to how best implement positive action lock on control of SSL configuration in the EOS installer.   

SupremeC

  • Newbie
Oh, I get it. [Re: ESO 0.52 Alpha SSL Management.]
« Reply #31 on: January 26, 2009, 01:43:20 PM »
Standards for profit.

The more you bark, the more it shows what I say is true. Locking threads only proves that you and David are following Sal Iozzia and CRE.

Articles & Blogs is where it is at, slick.
Michael Desmarais
CEO/Founder
Supreme Center Hosting

inetbiz

Re: ESO 0.52 Alpha SSL Management.
« Reply #30 on: January 25, 2009, 11:01:41 PM »
You sure do a lot of bloviating. Many far-fetched accusations. EOS will never embed commercial links, affiliate code, adsense tracking. Before you make any more propaganda out of this thread with unrelated telephone services, I'm locking the thread. You, sir, just don't get it and never will.

SupremeC

Re: ESO 0.52 Alpha SSL Management.
« Reply #29 on: January 25, 2009, 02:33:59 PM »
Do you have any ecommerce strategy certifications or anything in security from any certifying authority? Your examples speak loudly of your lack of understanding of best security practices in an ecommerce environment. The phone company, 411, phone books, et al are NOT taking my money. They are not storing my order history. When I buy anything from an ecommerce website, they BETTER protect my registration process. When I login to review my order history, change my billing account address, or any other sensitive data information, you better encrypt it or I walk.

You sir, are petty and behaving like a 5th grade bully because a project would not bend to misinformed views.

You don't pay for home phone or mobile phone services? Cable or satellite services? Internet service? Don't be ridiculous, you do pay for those things. In fact, if you have a home phone the phone company most likely puts out a phone book or pays a third party to do it for them. So, your information is out there whether you like it or not, slick. Those companies are in fact storing your information on computers, they are storing your order history and guess what... when you place that order for home or mobile phone service, cable or satellite service or internet service, they are not using SSL.

I don't need any certifications to know that SECURE SOCKET LAYER [SSL] protects the transmission of data between YOUR BROWSER and THE MERCHANT'S SERVER. It DOES NOT PROTECT the server from malicious attack or hacking attempts. You can look at SSL as being the cure-all to all security concerns but again, you are sadly mistaken. You might want others to believe that there are millions of little evil data transmission weevils lurking around every ecommerce website stealing your data as it passes from your browser to the server - fact is, you're wrong and the majority of the theft comes from someone compromising a server, thus stealing your data.

What about that data that is stored in your browser's cache? How safe is it when you spend your days hunting down all the porn you can handle while picking up keyloggers, trojans and other little goodies that are going to affect more harm than a website that does not use SSL to accept the same information that I can get off an envelope in your mailbox?

So, Inet, who is it that clearly does not understand? How are you, sir, going to protect your end users' data when they don't have enough understanding of the Apache server or MySQL server to protect that data while on the server? You obviously believe that SSL is protecting you from identity theft and these noobs are the kind of people you love giving your money to? You honestly feel safe giving your information on a website that has that little SSL lock while their server's back door is wide open to someone who is collecting it as soon as it has been stored? Who, sir, is misinformed? Who is blindly running off at the mouth touting SSL as the cure-all to identity theft? Your little forced standard for profit scheme has been foiled, slick. Trying to silence me by calling me a 5th grader or by attempting to diminish my knowledge or make me look as though I have no idea truly shows who you are. If I were David and Tom, I would politely ask you to take a long walk off a short pier.

So, slick, let's see your certifications so I can ask the issuer to take them back because you clearly did not earn them.

I think we have covered that the EOS project will always be free. Now, we will sell a stable release for a commercial price, free of new bugs once that free version has gone gold. There is value to stable software. The free version will always introduce new web 2.0 features and what the community, as a whole cries out for in the software, itself. Once those new features are stable and tested time after time, they are included in OUR commercial release just as any other company may take the source and do as they please.

Ah... finally, the truth emerges. Standards for profit.

So you as ONE individual requested that EOS never enforce SSL encryption in certain administrative links. Your feature request was denied. So here we sit, debating the issue and having to respond to negative attacks on your own blogs. Quite petty, in my mind. But, that is a matter of public opinion. May the consumer judge us both, fairly.

I never requested that forced SSL for profit be removed. In fact [read back through my posts] I specifically stated that you should leave it in as I can profit off the many, many users who will want it removed.

I cited much more reputable sources than your OWN opinions. Please scroll down in my previous remarks. So, we are not the only sources. As for opening up wallets, yes we sell certificates. You sell certificates, as well. That doesn't mean links to our SSL certificates will be inserted into the source code. That, Sir, would be unethical in open source. Again, you continue with your 5th grade bully tactics. One really wonders who is childish and petty, here?

What sources did you quote? The FTC's "Protecting Personal Information: A Guide for Business?" FTC does not make law and you have yet to cite the Federal statute that requires ALL online businesses that accept personal information to use SSL. Was it the PCI Standards that the payment card companies have yet to implement? You never addressed why a website that does not accept credit cards or check cards does not need to worry about SSL or PCI.

Come on, this little project was born out of the intention of making money. You will be advertising your SSL certs, hosting products and services - not mine. That's why this little standard you are trying to push makes what you do no less unethical than that which Sal Iozzia has done - or what David has done while one of Sal's little minions. Let's not forget, it was his [David's] idea to start selling CRE Loaded.

Hrmm, I have to BUY something from you in order to use your cart which you have no published tracker and download links. Who is herding whom to open up your wallet?

No, you don't have to buy anything. Again, I am not openly developing a cart. I am not selling a cart. I have it only because I was tired of using a cart [CRE] that was chuck-full-o-bugs. I don't advertise it other than on my website - and its mention is so small that most probably miss it. You didn't because you were looking ever so hard for something to bust my balls about. What I have said from the get go is 100% correct, if it weren't, you and David would not have stooped to making the comments that you have [about my website and/or blog], called me a 5th grader or tried to make me appear as unintelligent.

I am not the only person that feels that forcing it is wrong. In fact, I have asked several people who have hosting/design businesses - people who have hundreds of clients using CRE - and what they say is:

"hmmm, I don't think so. There are people who use PayPal, they don't need a cert; and there are check and COD orders which also don't need one."

"As far as I'm concerned (I've had this disagreement with anal programmers before), we don't need a law or to be forced to do the right thing."

I will be contacting a slew of hosting companies and others who deal with clients who use carts and will be posting their responses on an upcoming blog post.
« Last Edit: January 25, 2009, 02:37:37 PM by SupremeC »
Michael Desmarais
CEO/Founder
Supreme Center Hosting

terierni

  • Newbie
Re: ESO 0.52 Alpha SSL Management.
« Reply #28 on: January 24, 2009, 11:19:07 AM »
OK Guys, I have decided to jump into this rink and ring the bell!

I have been reading this thread since back at Christmas and each new post is getting hotter and nastier (similar to the political mudslinging); yet I do not see any positive agreement coming in the distant future. And so, I have decided to interject from a site owner's/consumer's perspective.

As far back as I can remember (likely the later 90's), to me, a website that had a valid SSL meant that I was entering a 'safe' harbour. BUT, if I clicked on a site that indicated the SSL was not current, I exited without question. So let's fast-forward to 2009 and I ask you, "With the advancements in technology coupled with the ever-increasing threats of identity-theft and exposure to hackers whose sole purpose is to wreak havoc on any PC via malicious virus/spyware/malware, etc., I feel that we cannot afford to be without more and more security."

I am not well-versed in the average cost of an annual SSL, I paid $75 for one year. This breaks down to $6.75 per month and I have absolutely NO RESERVATIONS that this is money well-spent! I also believe that ANY customer who sees that current SSL is also provided the confidence to enter without hesitation.

As another comparison (and possibly much more of a reality check), I also operate a brick-n-mortar PC service store. We are continuously bombarded with the uneducated PC owners who bring us their sick computers. In each instance, these persons think it is 'safe' to own a PC and surf the net without a current and decent Antivirus/Spyware program installed. Every day when these PCs are placed on the bench, the system is so locked up because of 600 malware/spyware and 93 trojan viruses. AND then more recently making matters far worse, there are the newest creation to the plethora of PC infiltration crap out there...a new breed of Adware. These new programs are not spyware - they are executable programs that download to your system and embed in the registry. They come attached to a site and when they open, the screen appears to be a valid anti-virus program that warns you that you have many viruses and you must click yes to remove the illness. As soon as you say, YES, the executable downloads to your system and it is almost next to impossible to remove it. Even cleaning it from the registry in many cases does not remove it because it re-generates itself.

I realize that SSL and viruses are NOT one and the same, BUT...I repeat,.......BUT... I have used this analogy to point out that each day we go forward into the future, every second forward opens a multitude of new and disastrous exposures on this infinite highway that we drive on every day.

And so, in my opinion, IF we as site owners want to sell our wares and services on this internet freeway 'as safely as possible well into the future,' then we must PLAN on every increased and ongoing protection that is available to us. IF not, we are no better off than my uneducated customers who surf without the AV/AS necessary to keep their PCs working well.

In short...WE CAN NEVER BE TOO PROTECTED!
« Last Edit: January 24, 2009, 11:21:37 AM by terierni »

inetbiz

Re: ESO 0.52 Alpha SSL Management.
« Reply #27 on: January 23, 2009, 02:48:17 PM »
Blog away...

Questions I have been meaning to ask. You have suggested that the FTC requires online businesses to protect customer data... what about:

1. The telephone companies and other companies that publish telephone books? What is the requirement that they must follow? We all have at least one phone book and have access to them in physical form as well as on the Internet.

2. Let's not forget the countless websites where you can get a name and/or address, or the 411 services that mobile phone companies provide. How is that personal information protected?

3. Are telephone book publishers required to blur personal information in the white pages or use some kind of encrypted print?

4. It can't be that online services that have access to your name, address and phone number are required to use SSL - if that's the case, they don't. How is it that users of open source eCommerce applications are required to use SSL to protect customer information but other sites are not?

Do you have any ecommerce strategy certifications or anything in security from any certifying authority? Your examples speak loudly of your lack of understanding of best security practices in an ecommerce environment. The phone company, 411, phone books, et al are NOT taking my money. They are not storing my order history. When I buy anything from an ecommerce website, they BETTER protect my registration process. When I login to review my order history, change my billing account address, or any other sensitive data information, you better encrypt it or I walk.

I was being honest and professional. Pointing out how petty you and David are merely because I won't agree with you is not unprofessional.

You sir, are petty and behaving like a 5th grade bully because a project would not bend to misinformed views.

Right. I don't promote the cart as a way of profiting from open source. I don't force anyone to use it or any other application we support.

You sure like to harp on that one line... another reason why you are petty. Not sure what it is you're trying to get across by repeating it. If you're suggesting that it means I should be supporting you, then you are sadly mistaken - a mistake that Sal made and we all know where that got him.

I think we have covered that the EOS project will always be free. Now, we will sell a stable release for a commercial price, free of new bugs once that free version has gone gold. There is value to stable software. The free version will always introduce new web 2.0 features and what the community, as a whole cries out for in the software, itself. Once those new features are stable and tested time after time, they are included in OUR commercial release just as any other company may take the source and do as they please.

No hidden banner codes, no Google Analytics tracking from CRE's own account in violation of Google's Terms of Service and sell software with many bugs. EOS will never be like Salvatore Iozzia and the CRE Gang. They have their own vision and goals.

So you as ONE individual requested that EOS never enforce SSL encryption in certain administrative links. Your feature request was denied. So here we sit, debating the issue and having to respond to negative attacks on your own blogs. Quite petty, in my mind. But, that is a matter of public opinion. May the consumer judge us both, fairly.

I don't see any masses suggesting what you and David have. Although I am still looking, you and David are the only two I have ever seen suggesting that forcing the use of SSL certificates in an open source application makes sense. It is absurd considering the fact that the code can be removed thus making the "security practice" insignificant. Maybe that is the angle here... make the end user think that Eos has their customers' security in mind so the end user opens up their wallet.

I cited much more reputable sources than your OWN opinions. Please scroll down in my previous remarks. So, we are not the only sources. As for opening up wallets, yes we sell certificates. You sell certificates, as well. That doesn't mean links to our SSL certificates will be inserted into the source code. That, Sir, would be unethical in open source. Again, you continue with your 5th grade bully tactics. One really wonders who is childish and petty, here?

Right. I don't promote the cart as a way of profiting from open source. I don't force anyone to use it or any other application we support.

Hrmm, I have to BUY something from you in order to use your cart which you have no published tracker and download links. Who is herding whom to open up your wallet?

SupremeC

Re: ESO 0.52 Alpha SSL Management.
« Reply #26 on: January 21, 2009, 01:36:30 PM »
Actually no we WILL NOT be herding the masses to purchase our SSL certificates. Every host will be offering their own services. EOS is not in the business to sell certificates, email certificates or anything of that sort.

That remains to be seen.

Calling us childish and petty is an insult. You are now back-tracking with your claim of honesty and friendliness. So you don't get your shopping cart unless you host with you? Hrmmmm "Supporting open source since 2003" I see how Supreme Hosting Center works, now.

I was being honest and professional. Pointing out how petty you and David are merely because I won't agree with you is not unprofessional.

Right. I don't promote the cart as a way of profiting from open source. I don't force anyone to use it or any other application we support.

You sure like to harp on that one line... another reason why you are petty. Not sure what it is you're trying to get across by repeating it. If you're suggesting that it means I should be supporting you, then you are sadly mistaken - a mistake that Sal made and we all know where that got him. Perhaps you don't get the meaning of the word support? By "Supporting open source since 2003" we mean we don't tell our customers that we don't support third party applications. Our customers can at any time ask questions regarding any of the open source apps listed on our site and we will answer them - if they need help with a file or locating a line of code, we gladly provide that help. We also provide free professional installation as well as programming services. It does not mean we are actively developing an open source application or that we will bend over to those creating and forcing standards for profit.

Again, you speak with a mouse in your pocket. You sir, do not speak for the masses and have repeatedly forced your own views to neglect best security practices in software design. But isn't it great that you can do whatever you want with open source? Anyone in the world can submit a feature request. Just because it's requested doesn't mean it will fit into the overall roadmap.

I don't see any masses suggesting what you and David have. Although I am still looking, you and David are the only two I have ever seen suggesting that forcing the use of SSL certificates in an open source application makes sense. It is absurd considering the fact that the code can be removed thus making the "security practice" insignificant. Maybe that is the angle here... make the end user think that Eos has their customers' security in mind so the end user opens up their wallet.

I haven't blogged about your post, yet. I'm milling over what to post in the security groups that I belong to online. And I'm sure best security practices will become a part of the published books we write. Thank you for your dissenting views. Others will form their own opinions.

Blog away...


Questions I have been meaning to ask. You have suggested that the FTC requires online businesses to protect customer data... what about:

1. The telephone companies and other companies that publish telephone books? What is the requirement that they must follow? We all have at least one phone book and have access to them in physical form as well as on the Internet.

2. Let's not forget the countless websites where you can get a name and/or address, or the 411 services that mobile phone companies provide. How is that personal information protected?

3. Are telephone book publishers required to blur personal information in the white pages or use some kind of encrypted print?

4. It can't be that online services that have access to your name, address and phone number are required to use SSL - if that's the case, they don't. How is it that users of open source eCommerce applications are required to use SSL to protect customer information but other sites are not?

Answer:

No requirement - No standard. It's all a matter of personal opinion. It's a gimmick to suggest that there are Federal requirements that compel the Eos dev team to insert code into their open source application forcing the use of SSL certificates or that compel the end user to purchase and use SSL certificates.
« Last Edit: January 21, 2009, 02:03:53 PM by SupremeC »
Michael Desmarais
CEO/Founder
Supreme Center Hosting

inetbiz

Re: ESO 0.52 Alpha SSL Management.
« Reply #25 on: January 18, 2009, 07:41:46 PM »
Actually no we WILL NOT be herding the masses to purchase our SSL certificates. Every host will be offering their own services. EOS is not in the business to sell certificates, email certificates or anything of that sort.

Calling us childish and petty is an insult. You are now back-tracking with your claim of honesty and friendliness. So you don't get your shopping cart unless you host with you? Hrmmmm "Supporting open source since 2003" I see how Supreme Hosting Center works, now.

Again, you speak with a mouse in your pocket. You sir, do not speak for the masses and have repeatedly forced your own views to neglect best security practices in software design. But isn't it great that you can do whatever you want with open source? Anyone in the world can submit a feature request. Just because it's requested doesn't mean it will fit into the overall roadmap.

I haven't blogged about your post, yet. I'm milling over what to post in the security groups that I belong to online. And I'm sure best security practices will become a part of the published books we write. Thank you for your dissenting views. Others will form their own opinions.

SupremeC

Re: ESO 0.52 Alpha SSL Management.
« Reply #24 on: January 18, 2009, 03:36:12 PM »
Scroll back up on that flame thread at CRE. I quoted Sal and called him out on the rug for labeling your avatar as a troll. I thought it was very wrong. And I thought it was VERY wrong for his staff's behavior. They did act like children. I referred to that forum thread and your blog to point out your behavior for calling us childish and petty as you continue to throw around insults in an immature way.

Insults, really?

Yes please do blog about blatant disregard for customer security and your rantings that software should never be written using best security practices. We'll be sure to review your shopping cart. As I'm sure you are only here to make yourself look better.

Nothing but truth in my blog posts... hence why I linked to this thread to show that I have nothing to hide. As far as my cart... how would you review what you don't have? I don't promote it other than on my website. I don't develop it as osCommerce continues to be and only those that purchase hosting from my company can have it installed. Fact still remains, I would never force anyone to use it or force them to purchase an SSL certificate.

You keep thinking that we are building in standards to profit from it. Have you yet to see any EOS commercialization of merchant accounts and SSL certificates?

Eos is still in the Alpha stage... it will happen. I am sure you and David are not going to refer end users to other hosting companies or SSL cert merchants.

Sure, a shopping cart could be used in a variety of methods. But, if you are going to take my information on a sign up, you better be darned sure to give me an encrypted channel to do so!

Sure, you have never given out your name and/or address on a site that does not use SSL. Not sure why I find that hard to believe.

It could be said the same of how you treat open source communities with your hostile intent and one sided opinions. That is a two way street. I have yet to call you a name or insult you. I have, however, turned the shoe around every time you insult me and compare your insult.

The posts here speak for themselves. It would be obvious to anyone that I have been nothing but open, honest, friendly and professional. If you and David are taking what is my opinion personally, there is not much I can do about that.

I'm just curious if you hold any CompTia Network Security certifications or are a member of any security group? You speak with such authority and always have a mouse in your pocket when you speak for the masses when I have yet to hear from anyone else but you about YOUR opinions of SSL as a tool to protect a customer against IDENTITY THEFT

I suppose you're going to say you do hold certifications?

Again, Eos is in the Alpha stage and few people know anything about it. Look around the forum here... does not seem as though people are coming in droves. It's not as though Eos is as popular as osCommerce and I am here discussing SSL with a slew of people.

I would compare this to a host who chose to start forcing their customers to use SSL certificates regardless of what type of site they have and then, not offer free SSL certs. Shared SSL, IMHO, may be just as good but they are useless as Shared SSL lacks the insurance, which could be as much as $150K, that companies like Verisign, GeoTrust, etc. offer with their paid certs.

Forcing SSL will not propel Eos into the limelight. In fact, I predict that more people will want to know how to remove the code forcing SSL from the cart than there will be people thinking you're doing wonderful things on their behalf. This is where people like me will benefit from your mistakes. So, force SSL... please.
« Last Edit: January 18, 2009, 03:38:06 PM by SupremeC »
Michael Desmarais
CEO/Founder
Supreme Center Hosting

inetbiz

Re: ESO 0.52 Alpha SSL Management.
« Reply #23 on: January 17, 2009, 08:28:07 AM »
Scroll back up on that flame thread at CRE. I quoted Sal and called him out on the rug for labeling your avatar as a troll. I thought it was very wrong. And I thought it was VERY wrong for his staff's behavior. They did act like children. I referred to that forum thread and your blog to point out your behavior for calling us childish and petty as you continue to throw around insults in an immature way.

Everyone else is you. You seem to think you are right. I doubt you read the citation about the FTC. The referral was about a company they fined, heavily for not following due diligence after they were hacked. SSL is not a requirement it is a TOOL. Do I advocate the use of SSL? Yes I do. Have I ever posted links to sell SSL? No I did not and nor will the code base slip in any such gimmick as CRE likes to do.

Yes please do blog about blatant disregard for customer security and your rantings that software should never be written using best security practices. We'll be sure to review your shopping cart. As I'm sure you are only here to make yourself look better.

You keep thinking that we are building in standards to profit from it. Have you yet to see any EOS commercialization of merchant accounts and SSL certificates?

Sure, a shopping cart could be used in a variety of methods. But, if you are going to take my information on a sign up, you better be darned sure to give me an encrypted channel to do so!

It could be said the same of how you treat open source communities with your hostile intent and one sided opinions. That is a two way street. I have yet to call you a name or insult you. I have, however, turned the shoe around every time you insult me and compare your insult.

I'm just curious if you hold any CompTIA Network Security certifications or are a member of any security group? You speak with such authority and always have a mouse in your pocket when you speak for the masses when I have yet to hear from anyone else but you about YOUR opinions of SSL as a tool to protect a customer against IDENTITY THEFT.



SupremeC

Re: ESO 0.52 Alpha SSL Management.
« Reply #22 on: January 16, 2009, 10:04:00 PM »
Quote
Just as childish of you to expect a single person, such as yourself, could decide the direction of an open source project. I don't recall calling you childish or petty? Is this Supreme Hosting Center's way of saying go f#%@k yourself as CRE did to you? I'm sorry you feel that way.


That's mature... and by the way, CRE did not tell me to get F****d, that was one of the CRE boneheads, who I might add reminds me of you, telling another CRE community member to get F****d. If you took the time to actually read the blog post instead of looking for something to bust my balls about, you would have known that - but you know that because you were posting in that thread at CRE too, weren't you? Also, you might have forgot that David blogged positively about my blog post in his blog.


Quote
You most certainly can take the code and change it to suit your needs. The EOS project will have emphasis on best security practices to protect customer data and not just their credit cards. This is what the FTC alludes to using due diligence to protect customer information. It simply is NOT enough to require an administrator to login. A clear text, unencrypted http protocol channel allows ANY hacker to sniff your packets.


Did I say I had any intention of using it? It's apparent you and David feel that you're right and everyone else is wrong. Citing FTC "Guidelines" or PCI requirements does not make you an authority. Neither [the FTC Guidelines or PCI requirements] are law - you might also note that the FTC does not make law, they only enforce it. So, as I asked previously, what Federal law REQUIRES me to add an SSL cert to my site to protect customer data? Forgoing any law, it is just your opinion. We all know what is said about opinions...


Quote
So with that said, I wish you well supporting open source since 2003 without regard to any protection of customer data. I certainly wouldn't buy from ANY shopping cart requesting my name, address, telephone number, zip code, email account that does not encrypt my connection to gather this information.


You're a real piece of work. What does the statement on my website have to do with the fact that Eos is attempting to create standards for profit? I guess what you are saying is all open source apps that don't force SSL don't give a damn about their end users? Now, that's something to blog about.


Quote
Now I see you post a blog at http://www.supremecenterhosting.com/supremeblog/eos-online-merchant/ INCLUDING your own Sales gimmick for SSL certificates. Look who's blatantly making a sales pitch?


Yes. It's my HOSTING blog. I sell SSL certificates. Adding a link from my blog to a page on my main site is a horse of a different color. I am not trying to create new standards in order to profit from them - I am not FORCING anyone to read it - so it's Not a sales gimmick but good business.

Furthermore, there will be plenty more of that type of post to come, such as EnterUrls claim to submit to "over 300,000" search engines and directories when in fact it's just over 65,000.


Quote
I also read on your blog that you seem to think SSL is not necessary for the "Hobby" site. Who in the heck is going to be selling ecommerce for a hobby? Ok a hobby. Not doing it to make money, I suppose, but, only because they love running a shopping cart?


There are many uses for a shopping cart such as CRE or Eos - take the blinders off.


Quote
Maybe you are just upset because our open source project won't bend to your will. I hope the customers of your site understand you have a complete disregard of privacy and security including hypocrisy.


I could care less what you do with Eos, I never said I wanted to use it. This little exchange goes to show that Eos will be no different than osCommerce or CRE - being open source tyrants does little for the open source community.

It's funny how David can blog about how osCommerce and its developers treat community members [http://www.oscommerceuniversity.com/blog/?p=113] and then have the temerity to do the same:

Quote
I can easily sympathize with Rhea's obvious disappointment at the disdain directed towards community members who claimed to be or were described as believers. Having been among those who were disparaged by groups of "osCommerce believers" because my own beliefs differed from their own, I also understand the disparagement.


Pot calling the kettle black?

Again, do what you want but that does not mean I have to go with the flow. I think forcing SSL on end users is WRONG and I intend to keep blogging about it and posting about it anywhere I need to.
Michael Desmarais
CEO/Founder
Supreme Center Hosting

inetbiz

Re: ESO 0.52 Alpha SSL Management.
« Reply #21 on: January 16, 2009, 04:33:55 PM »
Quote
Wow... you guys are really childish and petty. Don't know you from Adam, inet, but I actually expected more from David.

Just as childish of you to expect a single person, such as yourself, could decide the direction of an open source project. I don't recall calling you childish or petty? Is this Supreme Hosting Center's way of saying go f#%@k yourself as CRE did to you? I'm sorry you feel that way.

You most certainly can take the code and change it to suit your needs. The EOS project will have emphasis on best security practices to protect customer data and not just their credit cards. This is what the FTC alludes to using due diligence to protect customer information. It simply is NOT enough to require an administrator to login. A clear text, unencrypted http protocol channel allows ANY hacker to sniff your packets.

So with that said, I wish you well supporting open source since 2003 without regard to any protection of customer data. I certainly wouldn't buy from ANY shopping cart requesting my name, address, telephone number, zip code, email account that does not encrypt my connection to gather this information.

Now I see you post a blog at http://www.supremecenterhosting.com/supremeblog/eos-online-merchant/ INCLUDING your own Sales gimmick for SSL certificates. Look who's blatantly making a sales pitch?

I also read on your blog that you seem to think SSL is not necessary for the "Hobby" site. Who in the heck is going to be selling ecommerce for a hobby? Ok a hobby. Not doing it to make money, I suppose, but, only because they love running a shopping cart?

Maybe you are just upset because our open source project won't bend to your will. I hope the customers of your site understand you have a complete disregard of privacy and security including hypocrisy.



SupremeC

Re: ESO 0.52 Alpha SSL Management.
« Reply #20 on: January 16, 2009, 04:01:22 PM »
Wow... you guys are really childish and petty. Don't know you from Adam, inet, but I actually expected more from David.


Again, I like debate. SupremeC, can you agree with me, that we as hosting providers and software developers should push cart owners to create self signed certificates at minimum to operate in the store admin panel and at least purchase a quick authorization certificate with no insurance in the below $20 category to start up on a shoe-string budget?

While the cart install will prompt for an SSL URL it should NOT be circumvented with http protocol. We can teach and blog quite a bit how to generate a self signed certificate in cpanel and plesk. Anyone who can fill out a form about where they live can create a self-signed certificate.

Perhaps you would assist creating a moodle course section on creating a self signed cert and using it to secure store administration with credit going back to your company as a hosting provider supporting open source since 2003?

I tried to post a positive comment at http://www.supremecenterhosting.com/supremeblog/cre-loaded-just-got-worse/#respond because I too was embarrassed and insulted while supporting you and telling Sal it was wrong to mock your avatar. I could not because the image verification was a broken image.
Michael Desmarais
CEO/Founder
Supreme Center Hosting

SupremeC

Re: ESO 0.52 Alpha SSL Management.
« Reply #19 on: January 16, 2009, 03:58:18 PM »
When it comes to securing a website, a good argument can be made for failure in due diligence whenever a simple measure like an SSL cert is not in place.

You use the term Due Diligence loosely...

Quote
Due diligence
Definition - Noun
1. such diligence as a reasonable person under the same circumstances would use; use of reasonable but not necessarily exhaustive efforts. Due diligence is used most often in connection with the performance of a professional or fiduciary duty, or with regard to proceeding with a court action. Due care is used more often in connection with general tort actions.

2a. the care that a prudent person might be expected to exercise in the examination and evaluation of risks affecting a business transaction

I suppose we could argue whether or not using SSL would be considered a necessarily exhaustive effort.

I don't know. Do you do this for your "Supreme Cart" users? If we went to your forums and asked you to remove the Admin Access with Levels, because we thought it was overkill to be able to control access to that extent in the average online shop would YOU do it on the basis of one person requesting the change?

Or are there any supreme cart forums? Google doesn't find any in the first 4 pages on a search for Supreme Cart. So, just who is more open here?

Really? I get the feeling you are taking this personally. There is no comparison to the Admin Access with levels and SSL. Furthermore, forced SSL was never part of osCommerce or CRE Loaded. And what does lack of a forum have to do with anything? Is that now the only accepted method for contacting people?

Now this really is starting to come off as an osCommerce/CRE Loaded project...
« Last Edit: January 16, 2009, 10:05:10 PM by SupremeC »
Michael Desmarais
CEO/Founder
Supreme Center Hosting