Hey, are you operating an app or a Web site? If so, are you among the (large number of) people (for example, Instagram) who connect via “http:” instead of “https:”? Here’s some advice.
Set up a meeting with someone on the Legal side, and get them to sign off. Explain to them like this:
We’re offering our service in what’s called “plain-text mode”, which means that someone with a WiFi sniffer, or employees of our ISP, or overseas hackers, or the NSA, or the local cops near where our servers are, or where our customers’ PCs and phones are, can see what our users are sending us and what we’re sending them.
That includes our tracking and analytics data.
We could offer the service in authenticated and encrypted mode, but that’d require a little money and configuration work.
I just wanted sign-off from Legal that what we’re doing is OK. OK?
Comment feed for ongoing:
From: Dogen (Aug 15 2014, at 12:09)
Related to your OAuth work, what are your thoughts about:
https://www.lightbluetouchpaper.org/2014/08/13/pico-part-i-russian-hackers-stole-a-billion-passwords-true-or-not-with-pico-you-wouldnt-worry-about-it/
My own thought is that this looks a lot more promising than anything else I’ve seen.
Thank you. (I’m not associated with those folks, or any security/id project/company.)
[link]