

"The whole Droplr stack runs on HTTPS" ...except content - spwert
http://support.droplr.com/discussions/suggestions/153-https

======
tnycrmb
Hi, Josh Bryant, co-founder of Droplr.

First, apologies that we didn't meet your expectations in regards to security
on our service. Just to be clear, any password-related data or personal
information you've sent in Droplr has been over HTTPS. But, we didn't go as
far as we should have. We misjudged where usage was falling on the public-
private spectrum, and we're ensuring we meet privacy expectations now.

We can see that it's a priority for people, and it's a priority for us. We've
already deployed the fix, so ALL drop content should now be served over HTTPS.

We'll work on getting the pages themselves on the d.pr domain served over
HTTPS as well and also look into a solution or better documentation for
customers using their own custom domain.

Thanks for your patience with us and I hope you can forgive us and give us
another shot.

Cheers

~~~
spwert
> Just to be clear, any password-related data or personal information you've
> sent in Droplr has been over HTTPS.

Unless there was personal information in a file I shared using Droplr.

I'm not the person who raised this issue on your support site. I'd never even
heard of Droplr until somebody shared this link with me for a laugh. While the
title of my submission might not reflect it, I find the lack of comprehension
and dismissive attitude of your customer service representative more off-
putting than the original security flaw. He closed the ticket multiple times
claiming that "the whole Droplr platform runs on HTTPS," when that clearly
wasn't the case. Glyph was remarkably patient in re-opening and re-explaining
the issue until the rep finally seemed to realize why he was wrong, whereupon
the answer changed from "this isn't an issue, we already support the feature
you're requesting" to "we're already aware of this issue but it's not a big
deal," without even an acknowledgment that he'd so fundamentally misunderstood
the request, let alone an apology for blowing him off repeatedly.

------
ambirex
It really shouldn't be a major issue to fix, I've encountered this before.

Since they are using S3 (guessing by the second to last comment -
[http://support.droplr.com/discussions/suggestions/153-https#...](http://support.droplr.com/discussions/suggestions/153-https#comment_17210884))
they can use amazon's SSL url

so:
[http://files.droplr.com/files_production/acc_1927/xkcd?AWSAc...](http://files.droplr.com/files_production/acc_1927/xkcd?AWSAccessKeyId..).

would become:
[https://s3.amazonaws.com/files.droplr.com/files_production/a...](https://s3.amazonaws.com/files.droplr.com/files_production/acc_1927/xkcd?AWSAccessKeyId)

The only reason not to would be to hide the fact they are using S3, but the
AWSAccessKeyId tips their hand anyways.

~~~
natrius
The combination of the wrongness expressed in that thread and how easy it is
to fix made it excruciating to read. I'm embarrassed for them. You can't say
on your homepage, "Everything you share is stored secure and safe in the
cloud" then say that security isn't a high priority.

------
eridius
Why do they keep closing the request? It's obviously a problem. The fact that
they seem so willfully ignorant makes me rather nervous about relying on
droplr for anything.

 _Edit:_ Looks like they're fixing the problem after all. It's unfortunate
that it took a Hacker News article to bring attention to the problem, but at
least they're taking the appropriate steps.

~~~
dsr_
In a customer-service system, a ticket should only be closed when the customer
has acknowledged that the problem is solved or can't be solved, or it can be
aged out to closed after the customer has been non-responsive for a suitable
period of time. If your metrics depend on closing tickets rapidly, you are
measuring the wrong thing.

I don't know that this is supposed to be a customer-service system, though.

~~~
mitjak
Its public and customer facing so yes, it should.

------
therealarmen
_The reason why the content itself is not served under https is precisely to
avoid the SSL warning. As I've said before, this particular issue is not high
priority right now, which doesn't mean we're not aware or aren't going to fix
it._

Something about the tone of this response irks me.

~~~
wickedchicken
> Something about the tone of this response irks me.

Reminds me of someone doing it right:
[http://www.chiark.greenend.org.uk/~sgtatham/putty/faq.html#f...](http://www.chiark.greenend.org.uk/~sgtatham/putty/faq.html#faq-
hostkeys)

------
tnash
This brings up the concept of taking the right tone with your customers. This
is a perfect example of what not to do. "Don't worry, your concerns are
invalid... Oh, you have a valid point? Doesn't matter, we don't care."

------
peapicker
No content protection is a huge oversite. I hope they re-prioritize this one
-- they should care that their customer's data isn't secure on public
networks.

------
chubs
In their defence:

* Who uses a free file sending service for critical docs? * The only mention of 'secure' on their homepage has (to my mind) more of an implication of "safe and secure eg your file won't be lost" rather than "secure from hackers"

I think it's forgivable, at least for the free version of the service. Maybe
they should upgrade then tout the paid version as offering https as a benefit.

~~~
Kudos
I run a similar service, SSL is available to everyone right now, though it
defaults to plain HTTP.

Your suggestion is actually what I have in the works, SSL by default for
everything premium users touch (and the files they share).

~~~
uptown
Not sure whether the site you run is localhostr.com (from your profile) or
not, but just wanted to tell you that Malwarebytes blocked the site from
loading on my PC since they consider the site a potential threat. Not sure
what metric they used to determine that, but just wanted to let you know in
case it's something you encounter with other users or potential users.

~~~
Kudos
Thanks, I've been in contact with them about it, but they have been slow to
respond. We run multiple virus scans against uploaded content, don't allow
hotlinking of non-image content and actively remove any malware found.

Edit: Just received a response to a PM, we're no longer on their shitlist :)

------
shaggyfrog

        Bruno de Carvalho closed this discussion
        Glyph re-opened this discussion
        Repeat
    

This is the current formula for customer service (delivered electronically)
these days. Drives me up the flippin' wall.

CSRs: your customer's problem is not resolved when _you_ are satisfied.

~~~
ambirex
I agree to a point, but a satisfied customer is less likely to come back to
close a ticket. I prefer a system the automatically closes a ticket after a
period of inactivity.

------
zwass
Big red flag that they don't understand the distinction made by the requester
over there. I'd be seriously concerned if I had sensitive data in their
systems.

------
bobx11
They:

A. don't know their systems well enough to know how to make it ssl B. don't
know Glyph

WTF?

------
drivebyacct2
What's the point of even using HTTPS if the content in question (and worth
protecting) is served via HTTP. The way the support person misunderstands
repeatedly and then plays it off as "That's what I meant, duh, we don't care"
is pretty tacky.

"Oh, I'm sorry, I misunderstood." changes the entire tone of the post. It's
not like this is even hard to fix.

------
timaelliott
They really should have more intelligent individuals manning public-facing
support channels.

~~~
paulitex
The person (Bruno) replying on behalf of Droplr is "in charge of the whole
server-side circus — API server, system administration, web app backend —, the
SDK libraries for third-party clients, the Windows app and the iOS app."
<http://biasedbit.com/about/>

(I realize there is a risk of sending a mob by linking to his personal page,
but I think there is evidence he is indeed "intelligent" and simply
misunderstood this particular piece of the puzzle. He just need a bit more
humility.)

