Content should be served over HTTPS
Content should be served over HTTPS, especially since the website is at an HTTPS URL, convincing users that all their communication is encrypted.
In another discussion (http://support.droplr.com/discussions/suggestions/153-https), you say, "We take our user's privacy very seriously and do whatever we can to keep their data safe from prying eyes."
Serving the user's data over HTTP leaves the user's data completely open to prying eyes.
Comments are currently closed for this discussion. You can start a new one.
2 Posted by Josh Bryant on 10 Jul, 2012 11:29 PM
Hi David,
Thanks for raising this issue with us.
Can you please point to a Drop Link that's served over HTTPS, "convincing users that all their communication is encrypted?
Our marketing pages are the only pages we serve over HTTPS. We have never served public shared drops over HTTPS.
Whenever you share a link, we serve a notification including the link, e.g., "http://d.pr/1234 has been copied" making it pretty clear it's not an HTTPS link.
I don't see any downside to serving content over HTTPS, so we'll do it where we can.
It is however a but disingenuous to claim we're trying to convince users their "publicly shared links" are sent over HTTPS when we've never done anything of the sort.
We make it very clear in our knowledge base that even with Droplr's more privately obscured links, the content itself is still very public and we don't advocate people sharing sensitive information with Droplr.
3 Posted by davidomundo on 11 Jul, 2012 01:05 AM
Hi Josh,
Thanks for the response.
First of all, I never meant to say that you purposely try to convince users that their shared links are over HTTPS. I meant to say that having your site hosted on HTTPS happens to make users think your service does everything over HTTPS, even if the resulting shared link is not.
The more egregious offense is the upload, since the upload happens entirely on an HTTPS front-end. However, while the UI is all on HTTPS, the upload itself is not. If you upload a file from the HTTPS homepage (https://droplr.com/hello), the file is transferred to a non-HTTPS endpoint (http://api.droplr.com:8080/files.json). The same is true when you upload from the HTTPS web app. This would convince even technical savvy users that the upload is happening over HTTPS, and only with browser/traffic inspection can you tell that the upload is not encrypted.
You claim that "marketing pages are the only pages we serve over HTTPS". This is not true. Your landing page and your entire web app is served over HTTPS. This is a good thing, and I'm not sure why you're claiming otherwise.
Again, I'm not accusing you of intentionally tricking your users. I'm just saying the user experience conveys a sense of security that is not completely there.
URL obscurity is not enough to claim that you "do whatever we can to keep their data safe from prying eyes," especially when you acknowledge that you don't see "any downside to serving content over HTTPS."
Finally, I would like to highlight that I'm a fellow developer that wants to see good and secure web services. You provide a valuable tool, and I just wanted to help you and your users by highlighting some things that can be improved.
With Respect,
David
4 Posted by Josh Bryant on 11 Jul, 2012 01:21 AM
David, thanks for taking the time to reply.
When I said "marketing pages", I meant to refer to our "marketing and web app stack" which is a different stack than our public drop pages (on http://d.pr).
As for the upload, WOW, thanks for the heads up. We updated our whole stack to HTTPS quite awhile ago and somehow the web uploader slipped through. We sincerely appreciate you calling this out. We'll get this patched immediately.
And then we'll figure out how to fire our QA person (me) haha.
Thanks again, Josh
5 Posted by Josh Bryant on 11 Jul, 2012 02:30 AM
David, this should be all patched up and uploads should be happening over HTTPS.
Also, don't know if you saw in the other thread, but we've made sure that all content is serving over HTTPS now.
We'll work on getting the d.pr pages on HTTPS next.
Thanks again for your help and giving us the heads up.
Josh Bryant closed this discussion on 11 Jul, 2012 02:30 AM.
davidomundo re-opened this discussion on 11 Jul, 2012 09:07 PM
6 Posted by davidomundo on 11 Jul, 2012 09:07 PM
That's great to hear! I'm glad I could be of help.
Free life-time pro membership?? :)
7 Posted by Josh Bryant on 12 Jul, 2012 05:30 PM
Haha. How about for one year? I've gone ahead and applied it, let me know if that's sufficient.
But really, thank you again for the help, and feel free to reach out to us any time if you notice something that doesn't seem right!
Bruno de Carvalho closed this discussion on 26 Nov, 2012 08:21 AM.