We’re excited to announce that the Blesta v3 beta 1 has been released. If you didn’t receive the announcement email, you can view it online here.

If you are participating in the beta, we look forward to your feedback!

If you have a paid license and want to get started with the beta, go to https://account.blesta.com/order and enter your v2 license key. On step 2 click “Continue” not “Checkout”. Then, create a new account and follow the steps to complete checkout. Your beta license will be sent to you via email within a few minutes. Email support if you run into any trouble.

If you don’t have a paid license and want in on the beta, you can purchase Blesta v2.5 today for the promo price of $99, and then follow the directions above to request your beta key.

So far the response to the beta has been pretty huge, and we are very thankful for all of the support and words of encouragement! Together, we can make Blesta the best, most trusted billing software available!

Tags: beta | v3 | version 3

We are excited to announce that the beta for blesta version 3 is scheduled to start in less than three weeks, on Wednesday, May 15th.

The beta marks a major milestone in the development of version 3, and is the culmination of thousands of hours of planning, design, and development. The beta will be available to everyone with a paid license in good standing. We will be posting something here, and sending out an email on the 15th with more details on how to get a beta key. Sign up for our newsletter if you aren’t already.

Although the beta is about to start, we feel like this is just the beginning. There’s a lot on our roadmap, especially in terms of additional modules and gateways and we will be prioritizing continued development based on your feedback.

How about a contest?

Next Thursday I’ll be posting a video about a major new feature that is part of version 3. It’s actually one of the first features we built for version 3, and none of our competitors have it. Can you guess what it is? (No purchase necessary. Alpha developers do not qualify!)

We have a free owned license for the first person to guess correctly. Email your guess to sales. One guess per person. I’ll announce the winner (if someone guesses correctly) and what the feature is next Thursday.

Tags: beta | blesta | v3 | version 3

Financial advisory firm, Deloitte, recently published an article detailing the ever expanding need for two-factor authentication. They predict that, “a number of technology and telecommunication companies will likely implement some form of multifactor authentication with their services, software and/or devices in 2013.” I see this less as a prediction and more of an advanced report of the facts, since we had the same notion back in 2010 when we announced two-factor authentication for Blesta.

Deloitte’s predictions go even further, stating that passwords that were previously considered secure (8-characters of mixed case, numbers, letters, and symbols) are now vulnerable to hackers, primarily due to password reuse and the use of graphics cards (GPUs) to perform dictionary attacks. Personally, I’ve never found those types of passwords to be very secure. After all, we know that password security is derived from entropy (randomness) and entropy increases with length. So rather than trying to remember 8 to 10 character passwords with letters, numbers, and symbols that have no meaning, why not simply use a long natural password? Bonus points if your language of choice is not typical of the application’s audience. Extra bonus points if it’s a dead/non-existent language. Anata no o pasuwado wa nan desu ka?

Of course, what’s more secure than a secure password? How about a password that changes every time you use it? “How could I possibly keep track of that,” you might ask? That’s where two-factor authentication takes over.

Time-Based One-Time Passwords (TOTP) are generated using an algorithm that produces a pseudo-random value based on any given moment in time (remember, randomness = good). The benefit of using two-factor authentication is that you need not put all your trust into the security of your password. Random token generators (or apps for your smart phone) can produce a one-time password that’s used in combination with your standard password, and as the name suggests are used only once. That means that even an attacker that knows your password and knows the token you just used to login to your account still can’t use the information to login as you.

Tags: authentication | blesta 3 | password | security | TOTP | two-factor | v3 | version 3

Quick links are basically bookmarks. In the grand scheme of things, they may not be the most powerful of features, but don’t write them off so easily. Quick links are simple, unobtrusive, and very useful for getting back to where you need to be.

If there’s a client you frequently access, or a package, setting, or email template you aren’t quite happy with, just quick link it! Quick links appear on the dashboard and are staff member unique.. that means you are the only one that will see your quick links.

Add and remove quick links with a simple click directly from the page you’re on. Get back to where you need to be quickly and easily. Just another way you can customize your dashboard.

The video is below, as usual you can make the video full screen and be sure to turn on your sound.

Tags: bookmark | quick links | v3 | version 3

We like to do everything in house, and we work best together as a team. From idea, to design, to implementation we’re all involved to one degree or another in every part of development. Granted, we each have our strong points, but the unique ideas of every member of our team can be found in every stage of development.

I was feeling a little nostalgic and thought I’d share a bit of the evolution of the v3 design. The video below shows how the design for v3 came along, from the first hour as a static image in Photoshop to how it looks and works today.

It’s incredibly satisfying to create.. and to see something static come alive.

The video is below, as usual you can make the video full screen. (No sound this time)

Tags: blesta v3 | design | photoshop | v3 | version 3

It’s incredible how quickly this year has gone by. It’s been productive, but I’m looking forward to what 2013 has in store. I think it’s going to be an amazing year for Blesta!

The v3 alpha is in its third release and is going great, the feedback we’re getting from developers is incredibly valuable and reassuring. We’re working towards the beta release now, resolving issues, and finishing up some critical features while pushing out regular alpha updates.

This week I wanted to show you custom client fields. Not an incredibly exciting feature, but it’s a really useful one.

1. Custom Client Fields are Client Group specific, create different fields for different groups.
2. Field labels can be language defines, so that they are available in many languages.
3. Text box, check box, drop down, and text area fields are supported.
4. Fields can be hidden from clients, or displayed as read-only to clients.
5. Fields can be required, and custom regular expressions can be used for validation.
6. Fields can optionally be encrypted in the database with 256-bit AES cipher.
7. And of course, custom client fields can be created and fetched through the API.

The video is below, as usual you can make the video full screen, and be sure to turn on your sound!

Tags: blesta v3 | clients | custom | custom client fields | fields | v3 | version 3

Whoa, it has been a busy week! If you didn’t hear, we released v3 alpha on Wednesday, which is a huge milestone. We’re excited and gearing up for the next phase, which I think will be a lot of fun.

Part of prepping for the alpha was building an installer and handling licensing. We opted to do a CLI installer for now, but you’ll have the option of installing via CLI or your browser at release. Once installed, the rest is handled in the browser — entering your license key and creating your first staff member.

The video is below, as usual you can make the video full screen, and be sure to turn on your sound!

Tags: alpha | cli | installer | license | licensing | v3 | version 3

Packages in v3 are very similar to packages in previous versions, with a lot of additional functionality. The goal in redesigning packages for v3 was to facilitate addons, allow for quantities, provide for better organization of packages, and support specific pricing in multiple currencies (Rather than relying on currency conversion, which Blesta can do too).

A few notable items..

1. Limited quantities supported! If you only have 100 of them, when they are sold they’re gone.. no more orders can be placed.
2. Package Groups are new, Standard and Addon. Addon groups can be assigned to Standard groups, making their packages available as addons to the packages within them.
3. Addon packages are just like normal packages and can be provisioning. An addon for an “extra 10GB disk”, could make an API call to add the disk space, without any staff involvement, assuming the module supports it, of course.
4. Prices can be specified in multiple currencies. Set a 1 month term to 10 USD, and a 1 month term to 8 EUR and the client will be invoiced the price in their preferred currency, whatever that is.
5. Package emails are no longer combined with the welcome email template that contains account registration details. A package welcome email is sent out separately when the service is created, allowing for more flexibility and control over service creation emails.
6. Cancellation fees have been added, which are assessed if a service is canceled early.

The video is below, as usual you can make the video full screen, and be sure to turn on your sound!

Tags: cpanel | module | packages | v3 | version 3

Blesta v3 was designed with a major emphasis on developers. We know that when others can easily write their own extensions on our platform and make powerful new features available to the market, it makes our product that much better.

We expect a lot of these 3rd party extensions will serve niche markets, and others will compete directly with or extend functionality we’ve built.

With all we’ve done to support developers, the issue becomes about getting their hard work in front of Blesta users. By no means have we created a closed system that forces a particular distribution channel. Our focus is the user experience, and what we’ve built is right up that alley. It’s much easier when users can find extensions quickly and easily, see ratings and feedback from others, and install with a click of the mouse.. all within the application.

So, we built The Marketplace.

The Marketplace is built right into Blesta and should be available at launch. Developers can list their extensions on The Marketplace if they like. It’s not a requirement and extensions can be installed manually but we think the exposure and ease of installation makes it the right place to be.

We’ll have a lot more on The Marketplace in the future, so stay tuned.

If all goes according to plan this next week, I may have another video for you on the client area!

Tags: marketplace | v3 | version 3

Back in May our largest competitor WHMCS was compromised, and I wrote a blog post titled “Thoughts on Security“. After my post, the hackers released a data dump and the personal information of their customers became public. Names, email addresses, credit card numbers and more. A nightmare scenario for any company, and worse for their customers.

I got a lot of email, and a few phone calls after that post. People are now, more than ever, concerned about security and they should be. It’s something that cannot be taken for granted, and can no longer be ignored. It requires diligence. There is no such thing as security through obscurity.

Most recently LinkedIn, Dropbox, and Blizzard were all compromised. These are big companies with big budgets and they are big targets, but it highlights the fact that nobody is immune.

Today’s post is sort of a follow up on that last post. I wanted to be more specific in terms of security measures we’ve taken within our software — specifically our next major release, version 3. It’s because we believe security doesn’t come from obscurity that we are so open about the steps we take to protect not just our customer data, but in as far as possible, our customers’ customers.

We don’t claim to know everything there is to know about security, but it’s an area we spend a considerable amount of time in discussion, research, and development. It takes priority over new features in our development cycle.

Passwords

Passwords in v3 are stored using bcrypt, computed from an HMAC-SHA-256 hash of the user password, if supported by the server. The advantage to using bcrypt is that it slows down the time it takes to compute the value. How could slowing it down possibly be good you might ask? Because, if an attacker happens to acquire your users’ hashed passwords, and also the key used to generate the HMAC-SHA-256 hashes, it would be impractical and time consuming to brute force them from a list of common passwords (known as a dictionary attack). Without the HMAC key, it becomes computationally infeasible to brute force (with 2^256 possible combinations of hashed passwords, and a 1/4 second to compute 1 bcrypt password, you would only be able to attempt 126,144,000 bcrypt passwords per year. So, statistically, it would take 4.5897 x10^68 years to crack a single user’s password).

Now, assuming the HMAC key is known, a 60,000 password dictionary file would take statistically 2.083 hours to crack 1 users password assuming the password is in the dictionary to begin with. This is fantastic because it gives you much needed time to reset every users password and notify them, making the leaked hashes virtually useless.

Additionally, a bcrypt password is never the same. If user A and user B both have a password of “hunter2″, the stored values will not be identical.

Two-Factor Authentication

Blesta supports two-factor authentication (in v2.5 and v3) for both TOTP (Time based One Time Password) and MOTP (Mobile One Time Password) for staff users. Both methods use a token, like OATH Token for the iPhone. Staff members log-in by entering their username and password, and are then prompted for their one time password. Once this token is entered, it can never be used again, so a man in the middle attack is not feasible.

I did a video on Staff Login a while back that shows two-factor authentication in action, if you haven’t seen it.

PHPIDS Plugin

Shipping with v3 is a plugin called PHPIDS, which is an intrusion detection system. The plugin is excellent at detecting, logging, and blocking various attacks and uses the PHPIDS library.

From the PHPIDS website:

Currently the PHPIDS detects all sorts of XSS, SQL Injection, header injection, directory traversal, RFE/LFI, DoS and LDAP attacks. Through special conversion algorithms the PHPIDS is even able to detect heavily obfuscated attacks – this covers several charsets like UTF-7, entities of all forms – such as JavaScript Unicode, decimal- and hex-entities as well as comment obfuscation, obfuscation through concatenation, shell code and many other variants.

Furthermore the PHPIDS is able to detect yet unknown attack patterns with the PHPIDS Centrifuge component. This component does in depth string analysis and measurement and detects about 85% to 90% of all tested vectors given a minimum length of 25 characters.

The video is below, as usual you can make the video full screen, and be sure to turn on your sound.

ACL (Access Control List)

v3 introduces a fully featured ACL. Access to different areas and tasks is limited to the group a staff member is part of. For example, a support staff member may only need to have access to support features, and be kept far away from private customer details. You have fine-grained control over what they can and can’t access.

I did a video on this one too, appropriately named Full Featured ACL. It’s worth a watch, if you haven’t seen it.

Extensive Logging

v3 logs a lot of things, including credit card accesses. Anytime a staff member views a credit card number it’s logged. If card numbers are siphoned off, you’ll be able to tell exactly who took them.

Offsite Gateways and Batch Processing

In v3 we are introducing offsite storage of card details for gateways that support it, like Authorize.net’s CIM method. For those using local storage of card numbers they are still encrypted. Now with up to 3072-bit RSA cipher (depending on your system), and you can optionally set a passphrase on them. A passphrase is similar to a password, and is not stored on the server anywhere. Credit card numbers can be encrypted without the passphrase, but the passphrase would be required to decrypt them. When enabled, all payments made from stored card numbers must be batched manually with the passphrase. It’s an added layer of security that can be enabled or disabled anytime. (Just don’t forget the passphrase if you set one!)

minPHP and PDO

The open source PHP framework we wrote, minPHP, provides foundation level security for Blesta v3. minPHP supports, and v3 uses PDO which helps make queries safe and secure through parameter binding. Cody wrote more on this in his article title Eliminating SQL Injection.

Smarty’s not that Smart

Blesta has never used the Smarty template system, and v3 is no different. We rarely trust 3rd party libraries, especially bloated ones with very little benefit. The template system in minPHP is light weight and secure and it has many similarities to the template system we used in previous versions. We feel justified in our approach to keeping things simple and light weight, especially in light of recent security exploits with Smarty that affected at least two of our competitors.

Our strict requirements in terms of integration of 3rd party libraries, and our aversion to bloated code put Blesta on a higher playing field.

In Conclusion

I’m not good at marketing, I’m really not. I tend to think of good marketers as a little dishonest and don’t always hold them in the highest esteem. Their job is to portray their product in the best possible light and at times make it seem better than the competition. I think the product should speak for itself and I am passionate about what we’re doing because I know we are building something great.

Part of what sets us apart from our competition is our desire to do things right, along with our expertise to follow through on that desire. No shortcuts. No compromise. After all, that’s what I would want in a billing system for myself, because, if the focus is right, everything else will fall into place. If not, it’s an exhausting game of cat and mouse and I have no interest in that.

Tags: ACL | bcrypt | intrusion detection | PDO | phpids | security | sql injection | two factor authentication | v3 | version 3

In the last developer commentary we took a look at creating a Merchant Gateway to process credit card payments in version 3. Today we’ll do the same for a Non-Merchant Gateway, which allows you to accept payments processed on the payment gateway processor’s own site (think PayPal).

Non-Merchant gateways are really quite basic. There are essentially two elements at play:

1. Creating an HTML form to handle the payment button (NonmerchantGateway::buildProcess() method)
2. Processing logic to handle the payment notification response from the gateway processor (NonmerchantGateway::validate() method)

The video is below, as usual you can make the video full screen, and be sure to turn on your sound.

Tags: gateways | nonmerchant | paypal | v3 | version 3

It’s been a busy week, which is pretty normal.. but extra busy because we’re a man down right now. Tyson does great work here, and the Superior Court of California thought he would do a great job as a juror too. I’m sure he will, and we hope to have him back from jury duty next week to hear all about it. (And also to get back to cranking on Blesta!)

I get a lot of email and phone calls about Blesta, and in talking with people, certain things start to stand out.. like the incredible need for a downloads section in the client area. I was happy to tell several people this week that it will be included in v3.

And then I realized that we haven’t really mentioned this before.

The download manager is a plugin, and here’s what it looks like installed in the staff interface..

Here’s the link it registers in the client interface where all the downloady-goodness appears..

Other plugins can register links here too. So there you have it! Downloads ship with v3.

Thanks for reading, I hope you have a wonderful weekend!

Tags: download manager | downloads | v3 | version 3

Cody did a developer commentary a couple weeks ago on Merchant Gateways, you might find it interesting if you’re a developer (Hey maybe even if you aren’t!).

If you’ve been following us for a while, you’ve already seen parts of the dashboard (For the 1st time in the Staff Calendar video). This time, I wanted to dig in a little deeper and show you how it works, and how flexible & customizable it really is.

If you stick with me, I have some new themes to show you toward the end too.

Some notable items..

1. The dashboard consists largely of widgets. Widgets are plugins which can be created by developers, dropped in and installed.
2. Widgets can be moved around, minimized and customized, unique to the staff account. Everything stays where you left it.
3. Since widgets are plugins, they can register and be included in the staff group ACL (Access Control List). This provides for better separation of staff roles.
4. GeoIP can be enabled in the settings, giving Blesta and all plugins access to geolocation data. The System Overview widget we’ll ship with makes use of it.
5. Drag and drop is awesome.
6. Themes are now extremely flexible, we’ve improved them more since the video we did on them. If you really want to get crazy you can (Warning, may induce vomiting).

The video is below, as usual you can make the video full screen, and be sure to turn on your sound.

Tags: dashboard | plugins | v3 | version 3 | widgets

In this developer commentary, I give a quick tutorial on creating a merchant gateway that supports credit card payments.

As you’ll see in the video, I’ve created a demo gateway to help streamline the process. This, and other payment gateway demos will be made available to developers at the launch of alpha, along with our detailed developer documentation.

We’re really excited about the payment gateway architecture, and after watching this tutorial I hope you will be too. If you’d like to learn more about why the gateway system is designed the way it is, read my post on Designing a Modular System.

Tags: behind the scenes | developer commentary | gateways | payment gateways | v3 | version 3

Last weeks post was titled Tangible Invoices. If you haven’t read it yet, you should check it out, we’re doing some exciting things.

We’ve been slammed lately, code sprinting toward alpha, but I wanted to take a break today and show you something new. So, this week a video on the client area, and some notable items.

1. All new, simple, unique, clean, and professional design built with usability in mind.
2. Staff can login as the client, and return to that client’s profile in the staff interface when done.
3. Fixed width interface, designed with customization in mind. (More on this in the future!)
4. Reminders to pay displayed prominently if any invoices are open. (You’re running a business, right? Get paid, your customer can worry about registering a new domain second. :D)
5. Helpful tooltips and notices displayed throughout.

This is a very basic overview of the core of the client area. Not shown are the ticket system, order system, or portal.. and some other things. (We’ll save those for later.)

The video is below, as usual you can make the video full screen, and be sure to turn on your sound.

Tags: client area | v3 | version 3