SimChris Posted June 7, 2013 Share Posted June 7, 2013 Hello all... I wanted to make a comment to all the CC developers (not Devellion), specifically those making add-ons, modules, plug-ins, themes/skins, etc. to "extend" the capabilities of CubeCart. First, as somebody who has been doing ecommerce since 1996 (!), including projects for Oprah Winfrey, large camera stores, No Fear clothing, etc. -- I've got a good background on how stores should and should not work. I've managed my own web server(s) since 1996, and ran a hosting company from 1996/7 to 2005. I've been using CC since 2010 and have been very happy. We worked with some great folks on plugins/extensions for CC4, and rarely had any problems. However, with CC5 I'm seeing a somewhat disturbing trend, and would like to comment publicly about it here. 1) I've noticed a number of plugin folks making elements which 'phone home' to verify a license 2) I've noticed folks putting in advertising links in their plugin (like the late captcha plugin) 3) I've noticed some themes/skins and whatnot making outbound calls to CDNs for .js files and such First, while it should be obvious that secure ecommerce systems should NEVER make outbound links to other sites for security purposes, it's also true many CC third party developers don't actually run any kind of ecommerce business themselves (one of my faves is always the CC plugin sellers who can't make their items downloadable when that's a built in function of CC!) and hence don't have to deal with the actual business of working with a wide range of clients - ever notice CC plugin/addon sellers whose store isn't even secure? Um... duh. No skin or plugin should contact an outside CDN or website, or the developer's own site, to download anything, check in or anything like that. This is a massive security threat and CDNs, developer sites, come and go like the wind. Your little .js you include as a connection in your HEAD might load malware when you decide to pack it up and get a real job, leaving us with an injection of malware and you could care less. I would like to make this issue more public as it's been creeping into a number of things lately. I just removed on from a popular commercial skin (hint mentioned in my footer), removed a captcha with links to an SEO service in the actual plugin, and refused to buy another add-on as it phoned home every time to verify it was "licensed." Really? So.... please be aware I will start "calling out" those folks who do this kind of "bad behavior" as it's NOT secure, not wanted, and bad practice. Feel free to join the conversation on this one, folks. Chris Link to comment Share on other sites More sharing options...
Dirty Butter Posted June 7, 2013 Share Posted June 7, 2013 I've been puzzled by developers who email their mods rather than allowing download from their site. I'd like to add my gripe about mods that are encrypted, so there's no way to tweak or chance to fix an issue without dealing with slow CS. And, MY first computer was a 25K Timex Sinclair!! (yes, feeling old) Link to comment Share on other sites More sharing options...
bsmither Posted June 7, 2013 Share Posted June 7, 2013 "making outbound calls to CDNs for .js files and such" And such... Google Analytics (although it's one way, I think, but who can really know???) Facebook Like This, AddThis, Pinterest, Google +1, Twitter, ad nauseum SSL Security Emblems (that now mostly ineffective) Google ReCaptcha Almost every included plugin that fetches shipping cost quotes (requested server-side). Almost every included plugin that sends your credit card number off for transacting (again, server-side). (And when matter replicators are invented (3D-Printers, eh?), then listen to the hue, cry, and gnashing of teeth over copyright infringement of their design - intellectual property.) Discussions, conversations, arguments, debates, editorials, and knee-jerk replies on this topic have been uttered many, many times, many, many places about many, many specific topics collectively gathered under intellectual property. I think nothing will change with regard to the state of IT management from any conversation in these CubeCart forums. I, for one, am all about giving away my opinion and knowledge at no cost -- but that's just me. I have other resources to buy my beer and pretzels. Link to comment Share on other sites More sharing options...
Robsta Posted June 8, 2013 Share Posted June 8, 2013 Please note. This is NOT the third-party forum, therefore this topic has no place here. SimChris, if you wish to address a letter to the third-party developers, I would at least publish it in the correct forum. You are welcome to post it over at cubecartforums.org, the home of third-party resources. Closing topic. Link to comment Share on other sites More sharing options...
Recommended Posts