"The whole Droplr stack runs on HTTPS" ...except content

"The whole Droplr stack runs on HTTPS" ...except content(support.droplr.com)

117 points by spwert 13 years ago | 32 comments

tnycrmb 13 years ago |

Hi, Josh Bryant, co-founder of Droplr.

First, apologies that we didn't meet your expectations in regards to security on our service. Just to be clear, any password-related data or personal information you've sent in Droplr has been over HTTPS. But, we didn't go as far as we should have. We misjudged where usage was falling on the public-private spectrum, and we're ensuring we meet privacy expectations now.

We can see that it's a priority for people, and it's a priority for us. We've already deployed the fix, so ALL drop content should now be served over HTTPS.

We'll work on getting the pages themselves on the d.pr domain served over HTTPS as well and also look into a solution or better documentation for customers using their own custom domain.

Thanks for your patience with us and I hope you can forgive us and give us another shot.

Cheers

spwert 13 years ago | |

> Just to be clear, any password-related data or personal information you've sent in Droplr has been over HTTPS.

Unless there was personal information in a file I shared using Droplr.

I'm not the person who raised this issue on your support site. I'd never even heard of Droplr until somebody shared this link with me for a laugh. While the title of my submission might not reflect it, I find the lack of comprehension and dismissive attitude of your customer service representative more off-putting than the original security flaw. He closed the ticket multiple times claiming that "the whole Droplr platform runs on HTTPS," when that clearly wasn't the case. Glyph was remarkably patient in re-opening and re-explaining the issue until the rep finally seemed to realize why he was wrong, whereupon the answer changed from "this isn't an issue, we already support the feature you're requesting" to "we're already aware of this issue but it's not a big deal," without even an acknowledgment that he'd so fundamentally misunderstood the request, let alone an apology for blowing him off repeatedly.

robertocr 13 years ago | |

Thx for the response! I've always been a droplr fan and, even thought ssl should've been there, I'm glad it's fixed and I'll happily continue to use it :)

dunstenmoss 13 years ago | |

Why didn't your support guy understand what the problem was?

ambirex 13 years ago |

It really shouldn't be a major issue to fix, I've encountered this before.

Since they are using S3 (guessing by the second to last comment - http://support.droplr.com/discussions/suggestions/153-https#...) they can use amazon's SSL url

so: http://files.droplr.com/files_production/acc_1927/xkcd?AWSAc....

would become: https://s3.amazonaws.com/files.droplr.com/files_production/a...

The only reason not to would be to hide the fact they are using S3, but the AWSAccessKeyId tips their hand anyways.

natrius 13 years ago | |

The combination of the wrongness expressed in that thread and how easy it is to fix made it excruciating to read. I'm embarrassed for them. You can't say on your homepage, "Everything you share is stored secure and safe in the cloud" then say that security isn't a high priority.

eridius 13 years ago |

Why do they keep closing the request? It's obviously a problem. The fact that they seem so willfully ignorant makes me rather nervous about relying on droplr for anything.

Edit: Looks like they're fixing the problem after all. It's unfortunate that it took a Hacker News article to bring attention to the problem, but at least they're taking the appropriate steps.

devmach 13 years ago | |

I never used droplr and now i know i will never use it. Support staff was never able to understand how SSL works or what problem is. Yet he choose simply to ignore it.

>The reason why the content itself is not served under https is precisely to avoid the SSL warning.

That annoying warning is the hearth of the secure connection. It surprises me how people choose an easy way and doesn't care about "doing things right"

dsr_ 13 years ago | |

In a customer-service system, a ticket should only be closed when the customer has acknowledged that the problem is solved or can't be solved, or it can be aged out to closed after the customer has been non-responsive for a suitable period of time. If your metrics depend on closing tickets rapidly, you are measuring the wrong thing.

I don't know that this is supposed to be a customer-service system, though.

mitjak 13 years ago | | |

Its public and customer facing so yes, it should.

zhoutong 13 years ago | |

The default button in Tender (which is the support software they are using) is "Reply and Close". It's easier to do that and I think the support guy got used to it.

therealarmen 13 years ago |

The reason why the content itself is not served under https is precisely to avoid the SSL warning. As I've said before, this particular issue is not high priority right now, which doesn't mean we're not aware or aren't going to fix it.

Something about the tone of this response irks me.

wickedchicken 13 years ago | |

> Something about the tone of this response irks me.

Reminds me of someone doing it right: http://www.chiark.greenend.org.uk/~sgtatham/putty/faq.html#f...

tnash 13 years ago |

This brings up the concept of taking the right tone with your customers. This is a perfect example of what not to do. "Don't worry, your concerns are invalid... Oh, you have a valid point? Doesn't matter, we don't care."

peapicker 13 years ago |

No content protection is a huge oversite. I hope they re-prioritize this one -- they should care that their customer's data isn't secure on public networks.

chubs 13 years ago |

In their defence:

* Who uses a free file sending service for critical docs? * The only mention of 'secure' on their homepage has (to my mind) more of an implication of "safe and secure eg your file won't be lost" rather than "secure from hackers"

I think it's forgivable, at least for the free version of the service. Maybe they should upgrade then tout the paid version as offering https as a benefit.

Kudos 13 years ago | |

I run a similar service, SSL is available to everyone right now, though it defaults to plain HTTP.

Your suggestion is actually what I have in the works, SSL by default for everything premium users touch (and the files they share).

uptown 13 years ago | | |

Not sure whether the site you run is localhostr.com (from your profile) or not, but just wanted to tell you that Malwarebytes blocked the site from loading on my PC since they consider the site a potential threat. Not sure what metric they used to determine that, but just wanted to let you know in case it's something you encounter with other users or potential users.

facorreia 13 years ago | |

They said: "The whole Droplr platform runs on HTTPS. That means when you upload a file, note or shorten a link via any of the apps (Windows, Mac or iPhone), it sends the file over HTTPS."

zwass 13 years ago | | |

Yes, they said that. And if you continued reading, you'd see that the OP knew this was not the case. Eventually, they too understood, and apparently fixed it.

shaggyfrog 13 years ago |

    Bruno de Carvalho closed this discussion
    Glyph re-opened this discussion
    Repeat

This is the current formula for customer service (delivered electronically) these days. Drives me up the flippin' wall.

CSRs: your customer's problem is not resolved when you are satisfied.

ambirex 13 years ago | |

I agree to a point, but a satisfied customer is less likely to come back to close a ticket. I prefer a system the automatically closes a ticket after a period of inactivity.

zwass 13 years ago |

Big red flag that they don't understand the distinction made by the requester over there. I'd be seriously concerned if I had sensitive data in their systems.

bobx11 13 years ago |

They:

A. don't know their systems well enough to know how to make it ssl B. don't know Glyph

WTF?

drivebyacct2 13 years ago |

What's the point of even using HTTPS if the content in question (and worth protecting) is served via HTTP. The way the support person misunderstands repeatedly and then plays it off as "That's what I meant, duh, we don't care" is pretty tacky.

"Oh, I'm sorry, I misunderstood." changes the entire tone of the post. It's not like this is even hard to fix.

timaelliott 13 years ago |

They really should have more intelligent individuals manning public-facing support channels.

paulitex 13 years ago | |

The person (Bruno) replying on behalf of Droplr is "in charge of the whole server-side circus — API server, system administration, web app backend —, the SDK libraries for third-party clients, the Windows app and the iOS app." http://biasedbit.com/about/

(I realize there is a risk of sending a mob by linking to his personal page, but I think there is evidence he is indeed "intelligent" and simply misunderstood this particular piece of the puzzle. He just need a bit more humility.)