<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:media="http://search.yahoo.com/mrss/"
		>
<channel>
	<title>Comments for Dominic Sparks</title>
	<atom:link href="http://domsparks.wordpress.com/comments/feed/" rel="self" type="application/rss+xml" />
	<link>http://domsparks.wordpress.com</link>
	<description>for what it's worth...</description>
	<lastBuildDate>Tue, 13 Jan 2009 18:16:37 +0000</lastBuildDate>
	<generator>http://wordpress.com/</generator>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<item>
		<title>Comment on Losing faith in the Web2.0 Software Community&#8230; by Paul T</title>
		<link>http://domsparks.wordpress.com/2009/01/13/losing-faith-in-the-web20-software-community/#comment-11</link>
		<dc:creator>Paul T</dc:creator>
		<pubDate>Tue, 13 Jan 2009 18:16:37 +0000</pubDate>
		<guid isPermaLink="false">http://domsparks.wordpress.com/?p=65#comment-11</guid>
		<description>There was a similar item a few days (or was it a week) ago on Wired after the whole MD5 vulnerability story hit. The basic gist of it was: if basic SSL doesn&#039;t quite cut it, how can we trust sites that aren&#039;t even encrypted at all? Furthermore, a lot of socnets are cross-pollinating, and in some cases prompting users for private info (passwords from other websites) without utilizing the appropriate precautions. This, to me, is the harm. You might not think that sharing socnet passwords is all that big of a deal, but what if, for example, someone uses their gmail log-in for one of those sites? That could leak a LOT of personal data, including bank account #s. 

A lot of people are bound to say that the most robust security options -- EV SSL immediately springs to mind, since it can&#039;t be replicated by phishers -- are too expensive for a lot of socnet start-ups, but my guess is that very soon these companies will have to start operating like online mail providers and maybe even e-bill sites. All it takes is a few cracks for people to lose their faith. I like digg, but given the option between discussing news stories and keeping my info private...well, do I need to finish that? I am loath to do any business on sites without green url bars in this age.</description>
		<content:encoded><![CDATA[<p>There was a similar item a few days (or was it a week) ago on Wired after the whole MD5 vulnerability story hit. The basic gist of it was: if basic SSL doesn&#8217;t quite cut it, how can we trust sites that aren&#8217;t even encrypted at all? Furthermore, a lot of socnets are cross-pollinating, and in some cases prompting users for private info (passwords from other websites) without utilizing the appropriate precautions. This, to me, is the harm. You might not think that sharing socnet passwords is all that big of a deal, but what if, for example, someone uses their gmail log-in for one of those sites? That could leak a LOT of personal data, including bank account #s. </p>
<p>A lot of people are bound to say that the most robust security options &#8212; EV SSL immediately springs to mind, since it can&#8217;t be replicated by phishers &#8212; are too expensive for a lot of socnet start-ups, but my guess is that very soon these companies will have to start operating like online mail providers and maybe even e-bill sites. All it takes is a few cracks for people to lose their faith. I like digg, but given the option between discussing news stories and keeping my info private&#8230;well, do I need to finish that? I am loath to do any business on sites without green url bars in this age.</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on Losing faith in the Web2.0 Software Community&#8230; by domsparks</title>
		<link>http://domsparks.wordpress.com/2009/01/13/losing-faith-in-the-web20-software-community/#comment-10</link>
		<dc:creator>domsparks</dc:creator>
		<pubDate>Tue, 13 Jan 2009 10:06:26 +0000</pubDate>
		<guid isPermaLink="false">http://domsparks.wordpress.com/?p=65#comment-10</guid>
		<description>Thanks for the comments, guys. Much appreciated.  
The big problem I have is that I&#039;m now beginning to distrust every site I encounter.  Just 10 minutes ago I went to log into Digg. Guess what - no Padlock! Did the view-source trick and couldn&#039;t see anything secure, so I sniffed it.  Now, DIGG is a big site, very well trusted. I&#039;d put it on par with facebook and all the other sites that people use.  Yet, my login is there in plain text in the sniffed packets.  This is not something you&#039;d expect on such a site, and I think it proves my point about trust being given too easily. I&#039;m now going to take my password strategy more seriously, because to be honest many of my passwords are similar, and often when logging in to a site I&#039;ll try several of them before I get the right one, so all my passwords are being exposed!  I think I&#039;m pretty savvy when it comes to this stuff, but there&#039;s probably one hell of a lot of people who are worse than me and who use the same password for digg as they do for facebook, amazon, amex, and whatever else.</description>
		<content:encoded><![CDATA[<p>Thanks for the comments, guys. Much appreciated.<br />
The big problem I have is that I&#8217;m now beginning to distrust every site I encounter.  Just 10 minutes ago I went to log into Digg. Guess what &#8211; no Padlock! Did the view-source trick and couldn&#8217;t see anything secure, so I sniffed it.  Now, DIGG is a big site, very well trusted. I&#8217;d put it on par with facebook and all the other sites that people use.  Yet, my login is there in plain text in the sniffed packets.  This is not something you&#8217;d expect on such a site, and I think it proves my point about trust being given too easily. I&#8217;m now going to take my password strategy more seriously, because to be honest many of my passwords are similar, and often when logging in to a site I&#8217;ll try several of them before I get the right one, so all my passwords are being exposed!  I think I&#8217;m pretty savvy when it comes to this stuff, but there&#8217;s probably one hell of a lot of people who are worse than me and who use the same password for digg as they do for facebook, amazon, amex, and whatever else.</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on Losing faith in the Web2.0 Software Community&#8230; by Nick Halstead</title>
		<link>http://domsparks.wordpress.com/2009/01/13/losing-faith-in-the-web20-software-community/#comment-9</link>
		<dc:creator>Nick Halstead</dc:creator>
		<pubDate>Tue, 13 Jan 2009 09:13:41 +0000</pubDate>
		<guid isPermaLink="false">http://domsparks.wordpress.com/?p=65#comment-9</guid>
		<description>As Jake said the SSL certificate is not expensive, but that is taking that you know where to look, if you went onto the verisign (and several of the other big brands) websites and found them charging £1200+ you would maybe stop looking, if you do some research and find a good reseller then paying £100 for a wildcard (allows sub-domains) is not unreasonable. 

But then you have to look at the cost of the setup, and this is where the twitter/apps side of things starts looking unreasonable, why do people make these apps? because it is fun (as a programmer) - and it is quick and dirty to build something that has potential to grow quickly, when we built http://www.tweetmeme.com/ we did it in 2 days, if we had added SSL, we have a few things to factor in.

1) Web Server Setup (this would take probably 1/2 a day for a competent sysadmin)
2) Coding - The code does need to change to take account of SSL, and if you want to give the option of SSL / Non-SSL (some people don't use SSL because of proxies) - then that is further complexity.
3) Testing

So now from a 2 day project you are adding maybe 1-2 more days - now given 2 extra days, is the twitter app developer going to think about SSL - or are they going to add more features that they think will bring in more traffic/attention?

I agree that so many consumers now just trust web 2.0 sites, and indication of level of security now seems to be forgotten, only banking sites etc seem to bother advertising certificates. So e.g. friendfeed / twitter using SSL but not making a song and dance about it, either this shows that we are all too blasé, or that we are happy to accept it.

And given that the shift in conversation has moved towards privacy online rather than security this issue does maybe need to be given greater coverage.

And lastly, and although I believe what you are saying, we also have to look at where the villains are really getting user data, right now I can think of a big handful of entry points that are more vulnerable, e.g. wifi security, keyboard loggers, and most importantly phishing attacks.</description>
		<content:encoded><![CDATA[<p>As Jake said the SSL certificate is not expensive, but that is taking that you know where to look, if you went onto the verisign (and several of the other big brands) websites and found them charging £1200+ you would maybe stop looking, if you do some research and find a good reseller then paying £100 for a wildcard (allows sub-domains) is not unreasonable. </p>
<p>But then you have to look at the cost of the setup, and this is where the twitter/apps side of things starts looking unreasonable, why do people make these apps? because it is fun (as a programmer) &#8211; and it is quick and dirty to build something that has potential to grow quickly, when we built <a href="http://www.tweetmeme.com/" rel="nofollow">http://www.tweetmeme.com/</a> we did it in 2 days, if we had added SSL, we have a few things to factor in.</p>
<p>1) Web Server Setup (this would take probably 1/2 a day for a competent sysadmin)<br />
2) Coding &#8211; The code does need to change to take account of SSL, and if you want to give the option of SSL / Non-SSL (some people don&#8217;t use SSL because of proxies) &#8211; then that is further complexity.<br />
3) Testing</p>
<p>So now from a 2 day project you are adding maybe 1-2 more days &#8211; now given 2 extra days, is the twitter app developer going to think about SSL &#8211; or are they going to add more features that they think will bring in more traffic/attention?</p>
<p>I agree that so many consumers now just trust web 2.0 sites, and indication of level of security now seems to be forgotten, only banking sites etc seem to bother advertising certificates. So e.g. friendfeed / twitter using SSL but not making a song and dance about it, either this shows that we are all too blasé, or that we are happy to accept it.</p>
<p>And given that the shift in conversation has moved towards privacy online rather than security this issue does maybe need to be given greater coverage.</p>
<p>And lastly, and although I believe what you are saying, we also have to look at where the villains are really getting user data, right now I can think of a big handful of entry points that are more vulnerable, e.g. wifi security, keyboard loggers, and most importantly phishing attacks.</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on Losing faith in the Web2.0 Software Community&#8230; by jstride</title>
		<link>http://domsparks.wordpress.com/2009/01/13/losing-faith-in-the-web20-software-community/#comment-8</link>
		<dc:creator>jstride</dc:creator>
		<pubDate>Tue, 13 Jan 2009 07:58:01 +0000</pubDate>
		<guid isPermaLink="false">http://domsparks.wordpress.com/?p=65#comment-8</guid>
		<description>I think there are several things to look at here.

First of all, purchasing an SSL certificate is not expensive, they can be bought for a few tens of pounds/dollars and are an easy way to put some initial security in place (in terms of a &#039;padlock&#039; in the browser, and the obvious encryption).

At Tactile CRM we offer free SSL logins on all plans (even our free ones) unlike many of our competitors, but don&#039;t enforce it as an option as not everybody wants to use it (silly I know).

Secondly, a lot of these sites (based around Twitter) are not run as true startup businesses and they are a passion for people that build them. This is not an excuse to ignore security, but it is a good reason to be careful with your username.

Thirdly, the people building the sites are not always the best programmers and build the sites as a hobby, hence best practice etc. is not something they think about.

I have stopped using the numerous Twitter sites that rate/grade/ask you to vote, and have restricted my use to a couple of the larger sites that I feel I can trust.

At the end of the day it&#039;s down to user trust and what people feel comfortable with. I agree security is important and people should be aware of it (the issue of education is a thing in itself), Twitter is not helping the issue with its lack of OAuth (or such like), but as long as people are happy to hand out their details and feel the sites offer some value it&#039;s difficult to make them see otherwise.

I&#039;m currently looking at it from the other side of the fence (http://www.senokian.com/barking/2009/01/12/would-you-buy-from-these-people/) and looking at what does make people part with the credit card/make them sign up. It seems to be down to walking the walk and not a lot else.</description>
		<content:encoded><![CDATA[<p>I think there are several things to look at here.</p>
<p>First of all, purchasing an SSL certificate is not expensive, they can be bought for a few tens of pounds/dollars and are an easy way to put some initial security in place (in terms of a &#8216;padlock&#8217; in the browser, and the obvious encryption).</p>
<p>At Tactile CRM we offer free SSL logins on all plans (even our free ones) unlike many of our competitors, but don&#8217;t enforce it as an option as not everybody wants to use it (silly I know).</p>
<p>Secondly, a lot of these sites (based around Twitter) are not run as true startup businesses and they are a passion for people that build them. This is not an excuse to ignore security, but it is a good reason to be careful with your username.</p>
<p>Thirdly, the people building the sites are not always the best programmers and build the sites as a hobby, hence best practice etc. is not something they think about.</p>
<p>I have stopped using the numerous Twitter sites that rate/grade/ask you to vote, and have restricted my use to a couple of the larger sites that I feel I can trust.</p>
<p>At the end of the day it&#8217;s down to user trust and what people feel comfortable with. I agree security is important and people should be aware of it (the issue of education is a thing in itself), Twitter is not helping the issue with its lack of OAuth (or such like), but as long as people are happy to hand out their details and feel the sites offer some value it&#8217;s difficult to make them see otherwise.</p>
<p>I&#8217;m currently looking at it from the other side of the fence (<a href="http://www.senokian.com/barking/2009/01/12/would-you-buy-from-these-people/" rel="nofollow">http://www.senokian.com/barking/2009/01/12/would-you-buy-from-these-people/</a>) and looking at what does make people part with the credit card/make them sign up. It seems to be down to walking the walk and not a lot else.</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on It&#8217;s a question of trust&#8230; by Losing faith in the software startup community&#8230; &#171; Dominic Sparks</title>
		<link>http://domsparks.wordpress.com/2009/01/11/its-a-question-of-trust/#comment-7</link>
		<dc:creator>Losing faith in the software startup community&#8230; &#171; Dominic Sparks</dc:creator>
		<pubDate>Tue, 13 Jan 2009 01:38:01 +0000</pubDate>
		<guid isPermaLink="false">http://domsparks.wordpress.com/?p=48#comment-7</guid>
		<description>[...] a comment &#187;  Further to my previous entry &#8220;It&#8217;s A Question Of Trust&#8221;, and comments thereon, I have done a little further research into the blatant disregard for [...]</description>
		<content:encoded><![CDATA[<p>[...] a comment &raquo;  Further to my previous entry &#8220;It&#8217;s A Question Of Trust&#8221;, and comments thereon, I have done a little further research into the blatant disregard for [...]</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on It&#8217;s a question of trust&#8230; by domsparks</title>
		<link>http://domsparks.wordpress.com/2009/01/11/its-a-question-of-trust/#comment-6</link>
		<dc:creator>domsparks</dc:creator>
		<pubDate>Mon, 12 Jan 2009 01:45:52 +0000</pubDate>
		<guid isPermaLink="false">http://domsparks.wordpress.com/?p=48#comment-6</guid>
		<description>Hi Nick, thanks for the response.
I guess that&#039;s the reason those other sites only secure their login-post action.  I suppose the only downside is the lack of a padlock, but if your site has a reputation as being trustworthy maybe it&#039;s enough to simply say that it is secure, e.g. by having a button that says &#039;Secure Login&#039;, much like Amazon do on their login page...

In the mean time, I&#039;m now going to concentrate my efforts on trying to improve my twitorfit rating. I can live with the security issues, but not so much with my inexplicably low score.  Are you sure the Maths are correct on this site? :-)

Cheers,
Dominic.</description>
		<content:encoded><![CDATA[<p>Hi Nick, thanks for the response.<br />
I guess that&#8217;s the reason those other sites only secure their login-post action.  I suppose the only downside is the lack of a padlock, but if your site has a reputation as being trustworthy maybe it&#8217;s enough to simply say that it is secure, e.g. by having a button that says &#8216;Secure Login&#8217;, much like Amazon do on their login page&#8230;</p>
<p>In the mean time, I&#8217;m now going to concentrate my efforts on trying to improve my twitorfit rating. I can live with the security issues, but not so much with my inexplicably low score.  Are you sure the Maths are correct on this site? :-) </p>
<p>Cheers,<br />
Dominic.</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on It&#8217;s a question of trust&#8230; by Nick Halstead</title>
		<link>http://domsparks.wordpress.com/2009/01/11/its-a-question-of-trust/#comment-4</link>
		<dc:creator>Nick Halstead</dc:creator>
		<pubDate>Mon, 12 Jan 2009 00:00:09 +0000</pubDate>
		<guid isPermaLink="false">http://domsparks.wordpress.com/?p=48#comment-4</guid>
		<description>Hi Dominic,

Completely correct, for something like twitorfit (and thousands of others) it is a lot of extra work to put SSL behind it. 

But fav.or.it *should* have been done ages ago, we have an SSL certificate, but like you I took it that so many sites were *not* using SSL due to the lack of the padlock. And given other priorities we never went back and sorted it, we only just moved to making &#039;all&#039; authentication go through &#039;my.fav.or.it&#039; which will now make it very easy to implement. 

The question of if the main login page should be SSL (the downside is that nothing can be cached on an SSL page, and therefore takes up 4-5x the processing) - or if we just use SSL for the post. 

I appreciate the timely reminder and will make sure it is sorted this week,

Nick</description>
		<content:encoded><![CDATA[<p>Hi Dominic,</p>
<p>Completely correct, for something like twitorfit (and thousands of others) it is a lot of extra work to put SSL behind it. </p>
<p>But fav.or.it *should* have been done ages ago, we have an SSL certificate, but like you I took it that so many sites were *not* using SSL due to the lack of the padlock. And given other priorities we never went back and sorted it, we only just moved to making &#8216;all&#8217; authentication go through &#8216;my.fav.or.it&#8217; which will now make it very easy to implement. </p>
<p>The question of if the main login page should be SSL (the downside is that nothing can be cached on an SSL page, and therefore takes up 4-5x the processing) &#8211; or if we just use SSL for the post. </p>
<p>I appreciate the timely reminder and will make sure it is sorted this week,</p>
<p>Nick</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on Catch a leaf, make a wish&#8230; by domsparks</title>
		<link>http://domsparks.wordpress.com/2009/01/10/catch-a-leaf-make-a-wish/#comment-3</link>
		<dc:creator>domsparks</dc:creator>
		<pubDate>Sun, 11 Jan 2009 10:00:30 +0000</pubDate>
		<guid isPermaLink="false">http://domsparks.wordpress.com/?p=30#comment-3</guid>
		<description>Yes, I&#039;m sure you can win.   But all that effort to save a relatively small amount on a relatively inexpensive item... Personally I don&#039;t think it&#039;s worth the effort, and even if I could learn the strategies and end up bagging a new Mini for £7, I&#039;m conscious of the fact that there&#039;s a load of other mugs out there who are actually paying for it... I don&#039;t really like the idea of getting such a bargain at other people&#039;s expense.</description>
		<content:encoded><![CDATA[<p>Yes, I&#8217;m sure you can win.   But all that effort to save a relatively small amount on a relatively inexpensive item&#8230; Personally I don&#8217;t think it&#8217;s worth the effort, and even if I could learn the strategies and end up bagging a new Mini for £7, I&#8217;m conscious of the fact that there&#8217;s a load of other mugs out there who are actually paying for it&#8230; I don&#8217;t really like the idea of getting such a bargain at other people&#8217;s expense.</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on Catch a leaf, make a wish&#8230; by Jordan Brighton</title>
		<link>http://domsparks.wordpress.com/2009/01/10/catch-a-leaf-make-a-wish/#comment-2</link>
		<dc:creator>Jordan Brighton</dc:creator>
		<pubDate>Sun, 11 Jan 2009 01:30:20 +0000</pubDate>
		<guid isPermaLink="false">http://domsparks.wordpress.com/?p=30#comment-2</guid>
		<description>Swoopo is definitely something you want to research a little before you start.  Most people burn through their first bidpack learning the ropes - then they either give up - or read the rules and look on the internet for some advice on how to win.

I spent 100s of hours researching, collecting and analysing the results, and testing every strategy. And I have put it all into a book to help others win at Swoopo too. 

www.winswoopo.com - don&#039;t give up. It is doable - it is about timing and strategy. My last win was a small one, I paid less than $3 and used only 2 bids for a MarioKart wii game.</description>
		<content:encoded><![CDATA[<p>Swoopo is definitely something you want to research a little before you start.  Most people burn through their first bidpack learning the ropes &#8211; then they either give up &#8211; or read the rules and look on the internet for some advice on how to win.</p>
<p>I spent 100s of hours researching, collecting and analysing the results, and testing every strategy. And I have put it all into a book to help others win at Swoopo too. </p>
<p><a href="http://www.winswoopo.com" rel="nofollow">http://www.winswoopo.com</a> &#8211; don&#8217;t give up. It is doable &#8211; it is about timing and strategy. My last win was a small one, I paid less than $3 and used only 2 bids for a MarioKart wii game.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
