

Show HN: breeziee.com - add a paywall to any link for free - interwho
http://breeziee.com

======
interwho
I first created Breeziee about 6 months ago, but it could only accept credit
cards, was costly to run (because I had to host the files), and it seemed like
no one wanted to use it. So rather than letting my work go to waste, I rebuilt
it to be cheap to run, and to act as a PayPal gateway and provide paywall
services for free - There are no fees or cuts taken by me.

Let me know what you guys think!

~~~
freeslave
Looks pretty cool. I have something I want to sell via paypal and this could
save me a lot of time. How will you make money?

~~~
interwho
I don't really know. I was thinking about either adding tons of extra features
and making a $10/year subscription to access them or offering paid "featured"
file promotion.

------
Xk
You have a very severe security vulnerability on your site. Please provide an
email address in your info I can contact you at. (The email field is hidden to
others.)

Edit: interwho has fixed the vulnerability. There was a CSRF allowing you to
take over someone else's account if they visited your site.
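
An added example, not part of the thread or of Breeziee's code: the usual server-side fix for this class of bug is to reject any state-changing request that lacks a token bound to the victim's session. The thread does not say which action was affected; the email-change handler, the origin and the session store below are hypothetical.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)      # per-deployment secret (constructed)
TRUSTED_ORIGIN = "https://shop.example"   # hypothetical origin of the site

def issue_csrf_token(session_id: str) -> str:
    """Token bound to one session, embedded in the site's own forms."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def handle_change_email(request: dict, accounts: dict) -> int:
    """Hypothetical account-settings handler; returns an HTTP status code."""
    session_id = request.get("cookies", {}).get("session")
    if session_id not in accounts:
        return 401
    # The browser attaches the session cookie to cross-site requests as well,
    # so the cookie alone says nothing about which page built the request.
    origin = request.get("headers", {}).get("Origin")
    if origin is not None and origin != TRUSTED_ORIGIN:
        return 403
    supplied = str(request.get("form", {}).get("csrf_token", ""))
    expected = issue_csrf_token(session_id)
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403
    accounts[session_id]["email"] = request["form"]["email"]
    return 200

def demo() -> tuple:
    """Run a genuine and a forged request (both constructed) through the handler."""
    accounts = {"sess-abc": {"email": "owner@example.com"}}
    cookies = {"session": "sess-abc"}
    genuine = {"cookies": cookies, "headers": {"Origin": TRUSTED_ORIGIN},
               "form": {"email": "new@example.com",
                        "csrf_token": issue_csrf_token("sess-abc")}}
    # Auto-submitted form on another site: cookie is sent, token is unknown.
    forged = {"cookies": cookies, "headers": {"Origin": "https://other.example"},
              "form": {"email": "intruder@example.com"}}
    forged_status = handle_change_email(forged, accounts)
    email_after_forged = accounts["sess-abc"]["email"]
    genuine_status = handle_change_email(genuine, accounts)
    return forged_status, email_after_forged, genuine_status, accounts["sess-abc"]["email"]

if __name__ == "__main__":
    print(demo())
```
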

~~~
vnorby
The site is asking for an email which also happens to be a PayPal account
(Placeholder text is "Email (and PayPal) address..."), along with a password.
The user is not a known quantity and it's his/her first submission to HN, it's
very possible he/she is hoping that PayPal email addresses/passwords that you
put in match. There is no HTTPS, no seals or verification, no guarantees of
the security of any of your data and that your password is not being stored in
plaintext. There is a security vulnerability and the site was a purchased
template. It's quite possibly legit, but without more information I would
avoid.

~~~
interwho
I'm bcrypting the passwords.

Exact method: sha1(bcrypt(sha1(md5.'othersalt').'salt').'anothersalt') and a
few more salts + sha1s

~~~
LeafStorm
Which means nothing if it is possible to snipe the passwords from the HTTP
request. Firesheep, anyone?

~~~
interwho
You're right, I'll get a security cert + force ssl.

~~~
david_shaw
_> You're right, I'll get a security cert + force ssl._

As someone who has worked in security for years--in particular, application
security assessments--thank you for taking the sometimes hard-to-swallow
criticism well, and deciding to actually _fix things_ rather than just deflect
the issue. You probably have no idea how many (even reputable) organizations
decide to "accept the risk" and ignore security findings. (Edit: More so than
the SSL issue, I'm talking about fixing the CSRF)

 _> The user is not a known quantity and it's his/her first submission to HN,
it's very possible he/she is hoping that PayPal email addresses/passwords that
you put in match._

There is nothing wrong with the logic in this statement, but you also need to
be careful how far you take it. One could argue that _any_ of the small "Show
HN" posts around here are hoping to harvest credentials. In fact, I'm sure
that some of them do. When using software as a service--or indeed, any web
application--there is an inherent degree of trust behind it. Even if the user
had made many HN posts, or _not_ bought the pre-made site (which looks nice,
IMO), or purchased an HTTPS certificate... credential harvesting is still a
real threat.

Even bigger services that claim to encrypt password databases have often been
shown to in fact do nothing of the sort (e.g., sending password reminder emails
etc).

This is why security guys worth their salt will always suggest using random
passwords for every service you sign up for and keeping them in an encrypted
file a la KeePass or a TrueCrypt container with a long, complicated "master
password" for the archive. Additionally, it's always a great idea to enable
2-factor authentication wherever possible (for example, Google accounts).

~~~
interwho
If I didn't take any criticism, how would I improve? :)

As to the fact that this is my first post here, I've been a lurker for a long
time, and finally had something good to post. I've been on reddit and a few
developer forums under this username (and interwhos) for much longer.

Thank you for writing this.

------
sontek
If you guys are interested in this you might also want to check out
<https://gumroad.com/> which seems to be in the same space but a little higher
quality

~~~
interwho
As I said earlier, the differences are: No fees, you don't need a credit card
to buy something, I have a file directory + search.

------
stevejalim
Relevant/similar in the UK: <https://gocardless.com/paylinks>

------
geuis
I'm glad I took a second look at this. By using the "paywall" terminology, I
thought initially this was meant to annoy visitors by hiding content away
like the NYTimes.

Rather, I see the potential uses for selling ebooks, video lessons, access to
Minecraft servers, etc.

~~~
interwho
Exactly.

------
thfc06
Is this any better/different than Gumroad?

~~~
interwho
No fees, you don't need a credit card to buy something.

~~~
thfc06
So it's basically the same though... Just pricing/paying policies differ

~~~
interwho
I also have a directory + file search. I haven't used Gumroad, so I'm not sure
what its control panel looks like.

------
waxy
Did you take the design from <http://socialcroc.com/>?

~~~
interwho
Nope. It's built from a template.

~~~
waxy
Hehe, which template?

~~~
interwho
Beats me as to the name of it, it was found on a free landing page template
site.

~~~
waxy
:) Ok.

------
tk999
Let me know if you need an extra programmer hand to help out. I think it will
work.

~~~
interwho
Thanks! Please email me through the address here:
<http://breeziee.com/contact.php>

~~~
tk999
your contact.php page does not load for me. My email is in my profile.

~~~
interwho
I can't seem to find your email in your profile, but you can email me here:
justin [at] breeziee [d o t] com.

Thanks!

------
der8lub
looks quite cool actually - just didn't understand the part with the "file
link"

~~~
interwho
I'll try my best to explain this:

To sell something on Breeziee, you'd have to first upload the file to a web
server or hosting service (ie. imgur, Dreamhost, mediafire, etc...), put the
url of your file in the link field on Breeziee, and finally, share the link to
the paywall page that is created for you.

~~~
jonnymkramer
What happens if the hosting server, or web server drops the file? If someone
pays for a file and they find it is unreachable they will have a negative view
of your service.

~~~
interwho
I suppose you could file a case with PayPal.

~~~
brey
you could check the link immediately prior to accepting payment, and show a
'sorry, file is gone :-(' error page if not found.

~~~
interwho
Good idea, I'll look into it. Thanks!

------
kgen
Why don't you have an example on your site?

~~~
interwho
There's the directory at the bottom of the page:

<http://breeziee.com/directory.php>

Do you think I should put a demo link at the top of the page?

~~~
kgen
I think so - I wasn't sure what the paywall would look like and having to dig
through the directory seems unintuitive. It doesn't even have to actually have
any purchasing logic either.

~~~
interwho
Done. Thanks for the suggestion!

