Security is a constantly evolving field in computing. Following Moore’s law, computational power essentially doubles every 18 months. Even brute forcing strong encryption algorithms can become, at least theoretically, feasible over the span of a decade.

With Blesta 3.0, we’re looking into the future. — way into the future. We’re designing security measures today that will easily keep data secure beyond 2030. Why? Because even if you never update your software, your data should continue to be secure long into the future.

So how do we do it? By using trusted, non-proprietary ciphers such as AES and RSA, with large keys, we’re able to protect data from brute force attacks. To encryption algorithms, the larger the key the more secure the encrypted data.

Why would you need to encrypt a credit card in such a way that it’s safe from attacks for 20+ years? The answer: You wouldn’t. Credit cards generally expire less than 10 years after issuance. But nevertheless, why take the chance?

Here’s how it works in Blesta 3.0:

Credit cards are encrypted using RSA, a public key cipher. This allows cards to be encrypted using one key (the public key), and only decrypted using a separate private key. This facilitates adding card numbers to the database without requiring admin approval or storing a private key on the system. Depending on your specific security requirements, you can choose to store the private key on your system (encrypted of course), to allow automatic payment processing, or you can choose to set a passphrase that must be entered whenever you wish a card to be decrypted.

Setting a passphrase for your private key is optional, but adds an additional layer of security. A passphrase can be added or removed at any time, without having to decrypt and re-encrypt credit cards. So your passphrase can be changed on a regular basis, which is always a good idea — especially for larger organizations.

Some merchant gateways are now allowing credit card numbers to be stored within their own secure systems. Invoking a charge is as simple as passing in a unique identifier, and the amount to be charged. We’re building support for this into version 3.0 as well..

In addition to credit cards, module data can also be encrypted

Blesta handles security in other areas well too, including XSS (Cross Site Scripting) and SQL Injection attacks and we’ll touch on these in a future article.

Blesta 3.0 is currently in active development.

Tags: AES | blesta 3.0 | encryption | RSA | security

Last week I discussed the new API design in Blesta 3.0.  This week I wanted to touch on the topic of two-factor authentication.

Two-factor authentication requires that a user wishing to sign into an account enter both something they know (a username and password) and something they have (a physical token).  There are many different methods of proving a user is who they say they are, but one of the best and easiest to use is one-time passwords.

Since most users reuse and tend to never update their passwords, if one system is compromised an attacker may have access to all systems the user has access to.  To solve this issue, OATH published the HMAC One-Time Password Algorithm (RFC 4226), and the TOTP addendum (a time based OTP algorithm).

TOTP requires that a user enter a 6 or 8 digit code that changes every 30 seconds, and once a code is used it can’t be used again.  All a user needs to do is share the secret key on their TOTP device with the server they want to authenticate with and they’re ready to go.

We were so excited to include TOTP, as well as Mobile-OTP, with Blesta 3.0, we had to port it over to 2.5.  And here at the office, we can’t imagine how we ever lived without it.

For the iPhone we recommend the following apps:

OATH Token – TOTP token
iOTP – Mobile OTP token

Tags: blesta 2.5 | blesta 3.0 | Mobile OTP | OTP | TOTP

This is the first article, in what will be a series for Blesta 3.0, our next major release.

When we sat down to discuss the primary goals of Blesta 3.0, one of the first topics to come up was API design.  The two major issues we discovered with the original API design (of 1.0) were that:

1. It was limited in its capabilities
2. It was difficult and cumbersome to update

By implementing Blesta on top of an MVC framework (minPHP) we were able to create an automatic API, which eliminated both of these issues entirely.  Within an MVC application the model contains all of the business logic, so the only thing required to complete the API is a controller to handle access to the various models.  Since models are objects, the API controller can instantiate and access all of the public methods within a requested model.  This facilitates requests on logical objects that may perform specific actions.

In addition, the API controller could now fulfill requests in any number of various formats (e.g. json, xml, etc.).  The syntax was simple: /api/model/method.format.

The only thing necessary to complete the RESTful design were HTTP status codes, and the API controller easily handled those.  The result is an automatic RESTful API system, that not only grants access to the Blesta core, but to the back end of any plugins installed within that copy of Blesta as well.

In case you missed it, this means that ALL public model methods will be accessible through the API. We’re really excited about the new API and how much support it lends to developers.

Blesta 3.0 is currently in active development. A release date has not yet been determined.

Tags: api | blesta 3.0 | minphp | MVC | REST

           _       _____  _    _ _____
          (_)     |  __ \| |  | |  __ \
 _ __ ___  _ _ __ | |__) | |__| | |__) |
| '_ ` _ \| | '_ \|  ___/|  __  |  ___/
| | | | | | | | | | |    | |  | | |
|_| |_| |_|_|_| |_|_|    |_|  |_|_|
framework

minPHP is an extremely lightweight, object oriented MVC PHP framework brought to you by the same people who developed Blesta. minPHP is free, open source software released under the MIT license.

Download it at minphp.org.

One of the most awesome things about minPHP, aside from the fact that it’s awesome in itself, is that it’s being used as the framework for Blesta 3.0. Blesta 3.0 is in active development, with a release expected in the early part of next year.

We’re excited to be able to offer something to the open source community, and if you’re a developer we hope you give minPHP a try. As an added benefit, if you’re familiar with minPHP you’ll be a Blesta 3.0 development rockstar right out of the box.

Ooh, my spider-sense is tingling.

Tags: blesta 3.0 | minphp | php framework

Suhosin is a (somewhat) commonly installed PHP module used by shared hosting providers to prevent (to some degree) malicious PHP code from compromising a shared environment.  Sounds great, but the problem is it spreads its tentacles into areas where, if unaware of its presence, can cause some very unexpected results.

This was the case in Blesta, until recently.

The issue experienced in Blesta was related to session handling.  Blesta uses a database to maintain session information, for added security and to permit load balancing.  Normally, a session ends when the user closes their browser, however it can be revive if a cookie is stored on the user’s machine and is then read when they revist the site.  But because Suhosin encrypts session data by default, our revival code had access to only encrypted data.  Essentially, the session couldn’t be revived.  The only way to decrypt the data is to have Suhosin do it.  So what we did was rename the session prior to starting it, which tricks PHP into thinking the session never ended, and so Suhosin takes over and decrypts the Session just in time.

The psuedo code looks something like this:

$session_id = $_COOKIE['session_id'];

session_name($session_id);

session_start();

For those familiar with C, PHP seems strikingly similar. From the syntax to the function calls. It’s almost as if you could replace a couple asterisks (*) with dollar signs ($) and add a PHP-tag or two, and you could run your C source raw. Continue »

Encoding and encryption are both routines performed on data, however the end results are quite different. In the case of encryption the purpose is to disguise the data such that it can’t be read, except by the intended recipient. On the other hand, encoding is used merely to work the data into a more suitable format. Continue »

As Paul recently announced on our forums, multi-currency support is coming in version 2.2. This is a major change and affects just about every aspect of Blesta. For this reason a few minor changes have been made to the way gateways are written to accommodate multi-currency support. Continue »

We’ve been hard at work on the next installment of Blesta (version 2.1) lately, which is looking to be our most feature rich update to date. One thing we’ve worked hard on is adding support for Windows machines. Continue »

Tags: Blesta 2.1 | Windows

In an effort to increase future compatability with both browsers and PHP environments we’ve introduced two new standards in the Blesta 2.0 release. Continue »

Tags: short tags | standards | xhtml

I recently received an email from GoDaddy.com that I thought was hilarious. Apparently users with mobile devices can only visit .mobi domain names? Continue »

While we crank away on version 1.4 (scheduled for release next month), I wanted to give a quick update on a couple of the big features we’ve gotten excited about. Continue »

Last week I introduced the Blesta import library, discussed why this is an important feature of Blesta and touched a little bit on how to work with the library. This week we get a little more technical and dive a bit deeper into the import library, but first a little history on the topic. Continue »

Tags: documentation | import documentation | importing

Switching from one application to another can be a painful experience, so we’ve attempted to make it as simple as possible. What we’ve done is develop a custom import library specifically for Blesta, to make writing import scripts fast and easy. Continue »

Tags: import | importing

Wouldn’t it be great to create portable graphic files on the fly, without the need for library extensions or any necessary computation on the part of the server machine? If you think so, I’ve got news for you: you already can. Continue »

Tags: CAPTCHA | SVG | XML