interfasys

Everything posted by interfasys

  1. Hmmm.... https://github.com/toin0u/DigitalOceanV2
  2. Hehe, well unfortunately, I've never found anything as flexible and reliable as Directadmin, but I don't know if the market is large enough to justify developing a module for it. There are several other modules which are higher on the list in the feature request threads.
  3. https://www.modulesbakery.com/docs/ is 404 btw.
  4. Although we're not using CPanel, this is really great to avoid customers having to remember where to do what.
  5. As I mentioned earlier, it's not just one component and it's not just about software, but having minimal requirements helps. There's a reason a BlackBerry is the best option for regulated industries. You can't just patch Android and expect it to safeguard your data. Security doesn't work that way. And when you have breaches, you patch them, like everybody else. I'd rather do it twice a year than 12 times a year.
  6. For the same reasons there are rules like PCI-DSS, FIPS and many more for some regulated industries, but we haven't reached the point where collecting customer data is deemed a major responsibility. In the UK though, you get fined if you leak data, so better be safe than sorry. I've seen so many companies leak personal information, simply because they think the script they've found on an abandoned forum used on that cheap host is good enough to run their business. As always with security though, you have to look at the big picture, and the environment is one of the components.
  7. Yeah, but as we know, hosts don't care, some still run Blesta on PHP 5.2, so it's best to be proactive with these things and help them protect their customers' data. It could be made optional from the settings tab. There could be a new security section where you can enable all these things. Never do it via .htaccess in 2014! ini_set is the way to go.
  8. Ah.

    session.cookie_httponly = On
    session.hash_function = "sha256"
    session.cookie_secure=On

    The last one only when SSL is enabled, just like you might want to send HSTS headers if you don't already.
  9. That's exactly PHP's problem (and Microsoft's too)
  10. I've just looked at a few settings from that page and although hosts can implement most of them on their own, Blesta could tighten the security of their session management using some of the tips found on that page unless you're not using PHP sessions.
  11. Completely agree, that was my point earlier, but I understand Blesta wanting to reach a maximum number of potential customers and at the end of the day, it's more about secure coding practices. It's all about reducing your attack surface and indeed, upgrading to PHP 5.6 days after its release is nonsense. It requires more testing, debugging, etc. Imagine that you have to write twice as much code or rely on twice the libraries because older versions have problems. It's a lot more code to audit.
  12. I have to wait for you to publish it officially on the Apple appstore, as we don't allow garbage apps (iTunes) on our desktop
  13. interfasys

    Release 3.3.0-B2

    Unfortunately, no. There are a few feature requests, but we're mostly left in the dark.
  14. The Hotfix is for PHP 5.5+ afaik, no?
  15. There are two problems with this approach:

    • The customer can't define his own tech contact at registration time (but it would work for the admin contact)
    • This has to be done for every registrar and that's the reason I'm asking for this to be integrated in Blesta itself

    And yes, we wouldn't disable it in the WHOIS tab. The idea is to get customers to fill everything correctly at registration time since most are not experts. If they want to change everything afterwards, so be it. I think it's actually useful to be able to change the admin contact if they want to transfer elsewhere, for example. I appreciate the feedback/tips btw
  16. I've noticed that Blesta does not follow PHP's recommended security practices when it comes to sessions. Maybe it should?
  17. Yep, it's because Trello uses the Kanban system.
  18. Using a Kanban board is one of the easiest ways to manage issues. It gives you a clear overview of what's going on. Try this demo to see it in action http://demo.kanboard.net/?controller=user&action=login demo / demo123 It wouldn't need to be as complex in Blesta, here is a very basic WP component http://wedevs.com/plugin/wp-project-manager/kanban-board/
  19. Here is a good ready-made component which could be included fairly easily into Blesta. They operate in a dual-license mode, so you'll need the Pro version for things like Critical Path. http://dhtmlx.com/docs/products/dhtmlxGantt/
  20. interfasys

    Release 3.3.0-B2

    Domain importer, you know, you just ask every installed plugin to return a list of domains, linked registrant, price paid (if available) and you try to match the name with what's in Blesta, before offering a full list of domains, matched with customers, ready to be validated or modified.
  21. I've been re-thinking this and only Registrant and tech contact should be offered at registration time. Admin and billing should always be us for as long as they're registered on our system. Also, the tech contact should only be offered if the customer is using external nameservers. It's different than offering an interface as a registrar. Customers are using our billing platform and our technical infrastructure and the contacts should reflect this. As admin contacts, we're responsible for sending the WHOIS and renewal emails. As tech contacts, we should be the ones being contacted regarding the hosting of that domain.
  22. interfasys

    Release 3.3.0-B2

    Hmmm... No Hostbill or domain importer either
  23. The money is in the support subscription. You sometimes set an upfront cost so that your product doesn't look cheap. Let's say someone finally releases a registrar module which supports ccTLDs (for Netim, for example), I wouldn't have a problem paying for a yearly subscription, knowing that all changes made in the API would be reflected in the module. Of course, I would prefer it if it was included in Blesta itself, but they can't support all modules. The other option is getting the extension to get written by the registrar itself, but they're just not interested in new platforms.