On Mon, Oct 14, 2002 at 05:01:46PM -0700, Tom McDonald wrote:
>
> This is a program which allows you to place the "Tucows Authorized
> Reseller" logo on your site. Clicking the image (if placed on your
> site) would bring up a validation that you are indeed a valid Tucows
> reseller. You need to register each URL where you plan to place the
> image if I understand things correctly. If you have none registered
> so far you must initialize first with the option of adding more URLs
> going forward.

The Seal program is a potentially useful marketing tool for some; Tucows gets a link on the reseller's site and the reseller gets an easy method to demonstrate his affiliation with a large, established and well-known company.

But the technical stuff behind the seal still needs some work.

Some bits appear to be unfinished. The management tool has a user interface inconsistent with the rest of the OpenSRS product line. And it's not behind SSL, which wouldn't be so bad except that the link from the RWI goes to a CGI that simply redirects you to an unencrypted URL that includes a static password in the GET. So your management access to this part of your RSP profile can be compromised by anybody running a URL sniffer. There are lots of ways this problem could be avoided -- one-time-only passwords, a check back to rr-n1-tor for the existence of a session, or getting a certificate for the host "referrals.tucows.com" (Tucows DOES do certificates, right?) but it appears the development didn't get that far before the product was launched.

Other bits appear simply to be broken. The seal doesn't seem to work from within an SSL page. And if the host lookup fails (as is the case if you point to the seal from an SSL-encrypted page), the pop-up window is the wrong size, and shows up with scroll bars that could be avoided easily with just a few lines of CSS.

And I'm sure as heck not going to put up a seal like this with the existing technical errors in its output. They're calling things like "www.it.ca" a URL fer gosh sakes. Where's the service type? Where's the path? Did nobody at Tucows think it would be important to present *accurate* information when authenticating resellers? Did somebody forget what a URL is? Or if "www.it.ca" really IS the thing you're authenticating, why not just call it a hostname?

I suspect further testing would have been in order prior to launch. And perhaps better communication with the beta testers, who I'm SURE would have communicated some of this stuff pretty early on.

Not to mention that the server from which this product is being served seems to be running outdated (and possibly even vulnerable) versions of Apache and mod_php. Heck, rr-n1-tor.opensrs.net is even running old versions of Apache and OpenSSL with known buffer overflows. Let's get our house in order before we try to sell it, hmm?

Somebody needs to be taking care of this stuff BEFORE pushing the launch of new security- and trust-related products, or Tucows just looks silly.

--
Paul Chvostek <[EMAIL PROTECTED]>
Operations / Abuse / Whatever +1 416 598-0000
it.canada - hosting and development http://www.it.ca/
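
An added illustration, not part of the original message and not Tucows or OpenSRS code, of the "one-time-only passwords" option the message mentions: the redirecting CGI puts a short-lived, single-use, HMAC-signed token in the URL instead of a static password. The shared key, the 60-second lifetime, the host name seal-manager.example, the "|" token layout (reseller ids are assumed not to contain "|") and all function names are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

SHARED_KEY = b"constructed-demo-key"  # assumption: secret shared by both hosts
TOKEN_TTL = 60  # assumed lifetime of a handoff token, in seconds


def _mac(key, payload):
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def mint_token(reseller, key=SHARED_KEY, now=None):
    """Redirecting side: build a short-lived, single-use token."""
    expires = int(time.time() if now is None else now) + TOKEN_TTL
    payload = f"{reseller}|{expires}|{secrets.token_hex(16)}"
    return f"{payload}|{_mac(key, payload)}"


class HandoffVerifier:
    """Receiving side: the management tool that used to take the password."""

    def __init__(self, key=SHARED_KEY):
        self.key = key
        self.used = {}  # nonce -> expiry of tokens already redeemed

    def verify(self, token, now=None):
        now = int(time.time() if now is None else now)
        parts = token.split("|")
        if len(parts) != 4:
            return None
        reseller, expires, nonce, mac = parts
        expected = _mac(self.key, f"{reseller}|{expires}|{nonce}")
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return None  # forged or altered
        if int(expires) < now:
            return None  # expired
        # Nonces of expired tokens no longer need to be remembered.
        self.used = {n: e for n, e in self.used.items() if e >= now}
        if nonce in self.used:
            return None  # a sniffed token cannot be replayed
        self.used[nonce] = int(expires)
        return reseller


def redirect_url(token, host="seal-manager.example"):
    """Hypothetical redirect target; https so the token is not sent in clear."""
    return f"https://{host}/manage?{urlencode({'t': token})}"
```

The token still travels in a URL, so it can end up in logs and Referer headers; single use and the short lifetime are what limit the value of a captured copy.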
