interfasys

Posts posted by interfasys

  1. Yep, and I have great news for you (well, maybe, if you use InterWorx): currently we are working on an InterWorx version of that module:

    https://www.modulesbakery.com/blog/?p=27

    Hehe, well unfortunately, I've never found anything as flexible and reliable as Directadmin, but I don't know if the market is large enough to justify developing a module for it. There are several other modules which are higher on the list in the feature request threads.

  2. As I mentioned earlier, it's not just one component and it's not just about software, but having minimal requirements helps. There's a reason a BlackBerry is the best option for regulated industries. You can't just patch Android and expect it to safeguard your data. Security doesn't work that way. And when you have breaches, you patch them, like everybody else. I'd rather do it twice a year than 12 times a year.

  3. Yes, they have a choice if they want to, but why should you FORCE them to do it? Why should anyone tell you that you have to do something? Why should Blesta be the law of how people want to run their own business? You have to have the latest PHP because, hey, you should be using the latest technology... How many people do you think Blesta would lose if they did that?

    For the same reasons there are rules like PCI-DSS, FIPS and many more for some regulated industries, but we haven't reached the point where collecting customer data is deemed a major responsibility. In the UK though, you get fined if you leak data, so better safe than sorry. I've seen so many companies leak personal information, simply because they think the script they've found on an abandoned forum, used on that cheap host, is good enough to run their business. As always with security though, you have to look at the big picture, and the environment is one of the components.

  4. It sounds like everything you want done is either something the host should be doing or a configuration you can make on the server.

    Yeah, but as we know, hosts don't care, some still run Blesta on PHP 5.2, so it's best to be proactive with these things and help them protect their customers' data.

     

    I don't think HSTS should be enabled by default. It's great and I use it myself but it's not something you can just disable if you don't want it.

    It could be made optional from the settings tab. There could be a new security section where you can enable all these things.

     

    If i understand the OP correctly, this could be used.

    ini_set( 'session.cookie_httponly', 1 );

    But it can be done using htaccess too

    <IfModule php5_module>

    php_value session.cookie_httponly true

    </IfModule>

    more

    http://stackoverflow.com/questions/36877/how-do-you-set-up-use-httponly-cookies-in-php

    Never do it via .htaccess in 2014! ini_set is the way to go.
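    Added example, not code from the thread: the ini_set() approach recommended above, extended to the other session-cookie flags PHP exposes, with a check of the effective values before session_start(). It assumes PHP 7.3 or later for session.cookie_samesite and a hypothetical $https detection based on $_SERVER['HTTPS'].

```php
<?php
// Added example (not from the forum thread): harden PHP session cookies
// with ini_set() before session_start(), then verify the effective values.
// Assumes PHP 7.3+ so that session.cookie_samesite is available.

function harden_session_cookies(bool $https): array
{
    // HttpOnly: the session id is not readable from JavaScript.
    ini_set('session.cookie_httponly', '1');
    // Secure: only send the cookie over TLS when the site is served over HTTPS.
    ini_set('session.cookie_secure', $https ? '1' : '0');
    // Reject session ids presented by the client that the server never issued.
    ini_set('session.use_strict_mode', '1');
    // Never accept the session id from the URL, only from the cookie.
    ini_set('session.use_only_cookies', '1');
    // SameSite (PHP 7.3+): do not attach the cookie to most cross-site requests.
    ini_set('session.cookie_samesite', 'Lax');

    // Returns lifetime, path, domain, secure, httponly and samesite as PHP will use them.
    return session_get_cookie_params();
}

function check_cookie_flags(array $params, bool $https): void
{
    if (empty($params['httponly'])) {
        throw new RuntimeException('session cookie is not HttpOnly');
    }
    if ($https && empty($params['secure'])) {
        throw new RuntimeException('session cookie is not Secure on an HTTPS site');
    }
}

// Assumption: HTTPS is detected from the web server's $_SERVER['HTTPS'] variable.
$https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

check_cookie_flags(harden_session_cookies($https), $https);

// HSTS, discussed above as something that should stay optional: only ever
// emit it over HTTPS, since browsers ignore it on plain HTTP anyway.
if ($https) {
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
}

session_start();
```

    The calls must run before any output is sent and before session_start(), otherwise the ini_set() values do not reach the Set-Cookie header.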

  5. The thing is not everyone wants to jump to the newest stuff. 5.4 yes, 5.5 no, 5.6 no. When 5.4 is getting near end of life sure, 5.5 but there's no point forcing everyone to be sheep and server stuff is not always secure. We've had HeartBleed, Bash exploits, what's next?

    That's exactly PHP's problem (and Microsoft's too :D)

  6. What exactly are you referring to?

    I've just looked at a few settings from that page and although hosts can implement most of them on their own, Blesta could tighten the security of their session management using some of the tips found on that page unless you're not using PHP sessions.

  7. Think this way:

     

    1º- Who uses a sophisticated automated billing system like Blesta?

    Re: IT Managers, Hosting Companies, DataCenters.

     

    2º- Who the hell on point 1º doesn't want to use a stable, up-to-date PHP and/or MySQL version, even if they don't use CloudLinux, Interworx or other?

    Re: No one, only non-professional businesses or kiddies that don't know how to really manage a hosting business want that.

     

    There is no reason that you can tell me to convince me to use an outdated PHP and/or MySQL version ;) We do professional business, don't you? :)

     

    Everything is insecure, I repeat, everything, even latest PHP 5.6 or MySQL latest, but if you use the 

     

    A person that buys Blesta is a person concerned with client data, so it has to use security to prevent future problems :)

     

    I'm not telling this to you to get me wrong, just to make a point :P

    Completely agree, that was my point earlier, but I understand Blesta wanting to reach a maximum number of potential customers and at the end of the day, it's more about secure coding practices.

     

    Right, and who uses CentOS, Ubuntu etc and what happens... BASH security... now were you using the latest one? I bet you were... now tell me everything is secure with the latest stuff.. not everyone wants to use the newest PHP or MySQL. Not everyone wants to jump head first in the deep end. Look at all the WHM** fans out there using insecure software, and they are all webhosts and professionals too. And even some of them don't jump head first to the newest *Secure* version.

     

    It's all about reducing your attack surface and indeed, upgrading to PHP 5.6 days after its release is nonsense. It requires more testing, debugging, etc. 

    Imagine that you have to write twice as much code or rely on twice the libraries because older versions have problems. It's a lot more code to audit. 

  8. Has anyone already tried the iOS app on iPhone or iPad? If so, how does it feel? :)

     

    Only next week will we purchase an iPhone and iPad to test/debug :)

     

    P.S - We are planning something "big", never seen in any Billing System, for Blesta owners for mobile devices (I'm also curious how the naja7host mobile app will work with the Blesta API connection) :)

    I have to wait for you to publish it officially on the Apple appstore, as we don't allow garbage apps (iTunes) on our desktop ;)

  9. There are two problems with this approach

    1. The customer can't define his own tech contact at registration time (but it would work for the admin contact)
    2. This has to be done for every registrar and that's the reason I'm asking for this to be integrated in Blesta itself

    And yes, we wouldn't disable it in the WHOIS tab. The idea is to get customers to fill in everything correctly at registration time since most are not experts. If they want to change everything afterwards, so be it. I think it's actually useful to be able to change the admin contact if they want to transfer elsewhere, for example.

     

    I appreciate the feedback/tips btw ;)

  10. Hostbill importer will take a while. Domain Importer huh? and WHM** importer update is coming out shortly.

    Domain importer, you know, you just ask every installed plugin to return a list of domains, linked registrant, price paid (if available) and you try to match the name with what's in Blesta, before offering a full list of domains, matched with customers, ready to be validated or modified.

  11. I've been re-thinking this and only Registrant and tech contact should be offered at registration time. Admin and billing should always be us for as long as they're registered on our system.

     

    Also, the tech contact should only be offered if the customer is using external nameservers.

     

    It's different from offering an interface as a registrar. Customers are using our billing platform and our technical infrastructure and the contacts should reflect this.

    As admin contacts, we're responsible for sending the WHOIS and renewal emails.

    As tech contacts, we should be the ones being contacted regarding the hosting of that domain.

  12. The money is in the support subscription. You sometimes set an upfront cost so that your product doesn't look cheap.

     

    Let's say someone finally releases a registrar module which supports ccTLDs (for Netim, for example); I wouldn't have a problem paying for a yearly subscription, knowing that all changes made in the API would be reflected in the module. Of course, I would prefer it if it was included in Blesta itself, but they can't support all modules. The other option is getting the extension written by the registrar itself, but they're just not interested in new platforms.
