Hey, do you operate an app or a Web site? If so, are you one of the (large number of) operators (Instagram, for example) who serve it over “http:” instead of “https:”? Here’s some advice.

Set up a meeting with someone on the Legal side, and get them to sign off. Explain it to them like this:

We’re offering our service in what’s called “plain-text mode”, which means that someone with a WiFi sniffer, or employees of our ISP, or overseas hackers, or the NSA, or the local cops near where our servers are, or where our customers’ PCs and phones are, can read (and, since nothing is authenticated, quietly alter) what our users are sending us and what we’re sending them.

That includes our tracking and analytics data.

We could offer the service in authenticated and encrypted mode (“https:”), but that’d require a little money for a certificate and some configuration work.

I just wanted sign-off from Legal that what we’re doing is OK. OK?
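Once the configuration work is done, the two things worth checking are that the “http:” side sends visitors to an “https:” URL and that the “https:” side sets Strict-Transport-Security so browsers stop using plain text on later visits. The audit below is an added example, not code from the original post; the responses it parses are constructed inline (www.example.com is a placeholder host) and the one-year minimum for max-age is this example's own threshold.

```python
"""Audit whether a site actually moves plaintext visitors onto HTTPS.

Added example, not from the original post. It parses raw HTTP/1.1 responses
(constructed below, no network access) and reports whether the http: side
redirects to https: and whether the https: side sets a usable HSTS header.
"""
from typing import Dict, Tuple
from urllib.parse import urlparse


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP/1.1 response into (status code, lowercase header map)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {lines[0]!r}")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def hsts_max_age(value: str) -> int:
    """Return max-age from a Strict-Transport-Security value; 0 if absent or malformed."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age":
            val = val.strip().strip('"')
            return int(val) if val.isdigit() else 0
    return 0


def audit(http_raw: bytes, https_raw: bytes, min_max_age: int = 31536000) -> Dict[str, bool]:
    """Findings for one host, given its plaintext and TLS responses to GET /."""
    http_status, http_headers = parse_response(http_raw)
    https_status, https_headers = parse_response(https_raw)
    location = http_headers.get("location", "")
    hsts = https_headers.get("strict-transport-security", "")
    return {
        "http_redirects_to_https": http_status in (301, 302, 307, 308)
        and urlparse(location).scheme == "https",
        "http_serves_content_in_clear": http_status == 200,
        "hsts_present": bool(hsts),
        # One-year minimum is this example's assumption, not a standard.
        "hsts_max_age_ok": hsts_max_age(hsts) >= min_max_age,
        # Browsers ignore HSTS received over plain http: (RFC 6797 section 8.1),
        # so a header that only shows up on the plaintext side does nothing.
        "hsts_on_plaintext_only": bool(http_headers.get("strict-transport-security"))
        and not hsts,
    }


def passes(findings: Dict[str, bool]) -> bool:
    """Minimum bar: plaintext redirects to https: and https: sets a long-lived HSTS."""
    return (
        findings["http_redirects_to_https"]
        and findings["hsts_present"]
        and findings["hsts_max_age_ok"]
    )


# Constructed sample responses (not captured from any real site).
WEAK_HTTP = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    b"Set-Cookie: sessionid=abc123\r\n\r\n<html>hello</html>"
)
WEAK_HTTPS = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>hello</html>"
GOOD_HTTP = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: https://www.example.com/\r\nContent-Length: 0\r\n\r\n"
)
GOOD_HTTPS = (
    b"HTTP/1.1 200 OK\r\n"
    b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    b"Content-Type: text/html\r\n\r\n<html>hello</html>"
)

if __name__ == "__main__":
    for label, http_raw, https_raw in (
        ("weak", WEAK_HTTP, WEAK_HTTPS),
        ("good", GOOD_HTTP, GOOD_HTTPS),
    ):
        findings = audit(http_raw, https_raw)
        print(label, "PASS" if passes(findings) else "FAIL", findings)
```

To run it against a real host, capture the two responses with `curl -si http://host/` and `curl -si https://host/` and pass the bytes to `audit`. A site that serves a 200 with a Set-Cookie on the plaintext port, as in the “weak” sample, is the case the pitch to Legal describes: the session cookie goes over the wire in the clear.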



Contributions


From: Dogen (Aug 15 2014, at 12:09)

Related to your OAuth work, what are your thoughts about:

https://www.lightbluetouchpaper.org/2014/08/13/pico-part-i-russian-hackers-stole-a-billion-passwords-true-or-not-with-pico-you-wouldnt-worry-about-it/

My own thought is that this looks a lot more promising than anything else I’ve seen.

Thank you. (I’m not associated with those folks, or any security/id project/company.)


August 05, 2014