Requests | Blesta

Encoding - Encrypting Blesta For More Security

Michael Lunness shared this idea 7 years ago
Declined

Hello,

I was going to move from WHMCS to Blesta, but I just found out that the code is 99% open, an un-encoded system for a business where all the code is open to prying eyes. I would rather it was encoded so it has more security; it is very bad to know that 99% of the code is open. This could be why people use WHMCS in favor of Blesta. I am requesting if this can be done?

Regards,

Michael

Comments (20)

2

Really, I am reading this request?!!!

A lot of other software is also open source, and whether the code is open or not is not the problem for hackers, because even if the code is encoded it can be un-encoded by other software and tools.

The real problem is whether the code is "SAFE" or not, and even though WHMXX is encoded it always has an exploit. You know why?

1

It's 99.9% secure; three experts have gone over it. Why would you like to encode software which doesn't need to be encoded? The only bits that are encoded are for licensing, which already are. If you want to see how Blesta does something, you can. It helps people expand Blesta and tweak it for their needs.

2

I think you're the only one to ever ask for more encoding. Encoding only ensures that those willing to spend the time to decode it will look at the source and find vulnerabilities. It's better that Blesta is open, and if anything, we'll go 100% open before we encode more. Security through obscurity never works. https://en.wikipedia.org/wiki/Security_through_obscurity

1

You say three experts have gone over it; who are these experts? As I don't like the idea of all the code being open, I think it's a high security risk.

"I think you're the only one to ever ask for more encoding. Encoding only ensures that those willing to spend the time to decode it will look at the source and find vulnerabilities."

Why haven't you invested in this?

2

Invested in what? The open code base is intentional. I think you have a misunderstanding of what encoding is and how it relates to security.

1

You said encoding ensures that those willing to spend the time to decode it will look at the source and find vulnerabilities?

2

Encoding software ensures that only those who are willing to spend the time to decode it will look for vulnerabilities. These are the kinds of people you don't want decoding it and looking for vulnerabilities. When the code is well-written, as Blesta is, and a large community has access to the source, it makes it more likely that any vulnerabilities found will be reported to us in a responsible way. Malicious actors are going to look at the code either way; by encoding, you just ensure good actors don't look at the code.

1

In plain English, people who want to look at the source will spend time decrypting it, and if they find exploits they either report it or leak it. Blesta's code has been looked over by 3 sets of eyes and only 1 found some small XSS issues. If it wasn't open they couldn't do it, and again, why do you use WordPress, which is open-source and riddled with security issues?

1

You say 3 sets of eyes, so how come you're not proving this, as in my other replies? WordPress is not taking money and saving people's credit/bank card information and personal information. It's not riddled with security issues. 85% of the internet is powered by WordPress.

2

I would even go as far as to say that WHMCS being encoded makes it less secure. But, it lets them hide things like data collection (they collect client counts, and ?? only the black hats know, as they've undoubtedly already decoded it).

1

I'm not on about data collection; I don't have an issue with that. What I have an issue with is that all your code is open. And being open, anyone can edit that code and do whatever they want and place bad code, and then gain access to the Admin Area or even the server. That is why I request if encrypting the files can be done. There is software out there which can replace public viewing files without even knowing the password to the server or FTP.

2

The code being open does not mean anyone can edit it. If anyone has permissions to edit the files on your server, it doesn't matter if they are encoded or not. I think you're confusing server hardening/security with application security. Nobody has permissions to modify Blesta files unless you give it to them.
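Paul's reply above frames tampering as a file-permission problem rather than an encoding one, and the practical defence is to control who can write to the install and to notice when something changes. As an added example that is not Blesta's code, the script below baselines an install tree with a SHA-256 manifest taken at deploy time and later reports files that were modified, added or removed; the directory layout and file contents are constructed for the demo, and the check behaves identically on plain or ionCube-encoded PHP because it hashes bytes, not source.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (path relative to root, POSIX form) to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(root, manifest):
    """Compare the current tree with a trusted manifest.

    Returns (modified, added, missing) as sorted lists of relative paths.
    The manifest itself should live outside the web root or be signed,
    otherwise whoever can write the files can also rewrite the baseline.
    """
    current = build_manifest(root)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    added = sorted(p for p in current if p not in manifest)
    missing = sorted(p for p in manifest if p not in current)
    return modified, added, missing


def demo():
    """Constructed install tree: baseline it, change it three ways, then verify."""
    with tempfile.TemporaryDirectory() as root:
        app = Path(root) / "app"
        app.mkdir()
        (app / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (app / "config.php").write_text("<?php $debug = false; ?>\n")
        baseline = build_manifest(root)                      # taken at deploy time
        (app / "config.php").write_text("<?php $debug = true; ?>\n")  # edited in place
        (app / "extra.php").write_text("<?php /* not shipped */ ?>\n")  # new file appears
        (app / "index.php").unlink()                         # shipped file disappears
        return verify_manifest(root, baseline)


if __name__ == "__main__":
    modified, added, missing = demo()
    print("modified:", modified, "added:", added, "missing:", missing)
```

Run the manifest build from a clean deployment and the verification from cron or a deploy hook; any non-empty result is a change that was not part of a release.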

1

I am not getting confused by hardening/security. Is there a way to have the code obfuscated? Or by using ionCube or Zend Guard?

1

Yes, you can ionCube encode the files yourself if you want to do that. We aren't going to do that to the distribution though; there's no purpose, and the vast majority of people are glad that Blesta is so open.

1

I am glad, Paul, that you have the code open. Blesta is so open; I couldn't make the very nice addons and stuff I have made for Blesta if I couldn't read the code for myself to understand how to interface with the system.

1

http://www.webhostingtalk.com/showpost.php?p=8898652&postcount=14

http://www.webhostingtalk.com/showpost.php?p=8885045&postcount=183

And localhost.re, who also released public exploits for a competitor, also said it was secure, but I've lost the screenshot of the email. But if you don't trust them, don't trust open-source like WordPress, etc.

1

Michael. This is a web hosting forum talking about WHMCS vs Blesta. This is not the three experts that you claim have gone over the code?

1

Click the bloody links and read the posts, for God's sake.

1

I have, Michael. But this is a web hosting forum, so there is no proof that the code has been looked at by 3 people. A web hosting forum is not a security specialist.

1

So Vlad and Patrick are lying... what do they benefit from it? They are trusted in this community, and if it wasn't for them cPanel would be exploitable, and the software you use now (https://blog.rack911.com). I won't bother replying now; suffer if you wish, or move to a more secure system proven by two well-known, trusted security experts. And if you google localhost.re you'll see the other guy. Can't argue with someone who doesn't want to be helped.
