
Hi everyone, I'm Jorge, founder at Bridgefy.

We're acutely aware of this conversation, and know that we must prioritize the safety of our user base. All of the issues reported in the article are already being fixed, and we should have updates published in the next few weeks.

Here's our blog post: https://bridgefy.me/bridgefys-commitment-to-privacy-and-secu...

As always, we're available to keep the conversation going; please refer to the email address included in the blog post.

Thanks!




My initial reaction was that this was a Bad Idea security-wise, but reading into the FAQ at http://www.instabridge.com/security has settled my qualms a little.

I wonder if Plotly will ever take privacy and security seriously... I've had this ticket open for years. https://github.com/plotly/plotly.js/issues/316

I'm not sure where to draw the line between security and privacy and whether this distinction should be made at all, but: http://archive.is/WYLKa

TL;DR TikTok looks waaaaaay more shady than FB with their Android SDK.

(seems like archive.is is down atm, tried to load via wayback machine, but they don't have this site cached, ugh)


They had a separate post about privacy/security in general: https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-u...

Putting people's personal details on the open web, giving anyone access, including malicious hackers... This design used by LinkedIn, as well as Facebook, was a bad idea from the beginning. Don't think they are not aware of the risks. How much spam and other annoyances do people get as a result? These companies are killing privacy just to make a quick buck. Maybe they'll be sued.

Direct link to SHA1 file on mediafire (117MB) to avoid javascript, captchas, popups, etc.

http://205.196.120.123/c2o80hrlhteg/n307hutksjstow3/SHA1.txt...


True, but if we take their word on it https://openai.com/enterprise-privacy

then I don't see an issue


How do you feel about the security of the products? 20-year-old PHP versions, and the company itself was scammed out of tens of millions of dollars. I see good reviews from bloggers on the hardware, but the company doesn't seem to have made security a priority.

One recent example, there are plenty more out there: https://www.theregister.co.uk/2017/03/16/ubiquiti_networking...


Unfortunately, given today's new story[1], it doesn't look like at least one Open Source vendor is taking the "privacy-respecting" high road.

1: https://news.ycombinator.com/item?id=26114194


Sigh. As someone who is making a company in the privacy space, I hate when privacy products make huge claims like this. Another big offender is proton mail.

They may not be able to track your stuff as it is today, but one single FISA order demanding they push an update out to just a few specific IP addresses and it will be all the same.

All things you download and install to your device can screw you if they have any functional way to update or have any server-side includes (like an analytics JS tracker that can be changed to a JS logger).

We run into this a bit with https://redact.dev , but for people who want to be sure the login information they provide is safe. At the end of the day, you are always at the mercy of the courts AND the founders not doing evil things.

Here's a quick meme to better explain: https://i.imgur.com/Vnerxcb.png


I really think we need to get them to make a more sensible definition of 'unauthorized access'. I've posted a few times before about how I think we should have defined it -

https://news.ycombinator.com/item?id=11832016


That makes for nice headlines, but anyone who actually understands this stuff knows that hacking the public-facing web server is not a big deal and not really related to obtaining private info like this.

Edit: I just remembered, there is (of course) a relevant xkcd for this: https://xkcd.com/932/


> Keep your links safe and accessible only to authorized users

Is the operator of this service also able to access the links?

If yes, then right away this claim is not true and merits caution: the random unknown owner of this service can now harvest links which were deemed sensitive enough to merit a password to access.


Me, 5 days ago:

https://news.ycombinator.com/item?id=29539266

I was concerned enough about this that I updated our project privacy policy with pre-emptive wording about CCPA (now reverted):

https://web.archive.org/web/20211218125309/https://textpatte...

I'm mildly annoyed about the time I wasted on this, but I guess that in itself is anecdata for this study.



So any random webpage can talk to your Hue bridge?

I'm surprised they even allow such cross-domain requests, but this doesn't seem safe anyway.


It appears this very site is using Perfect Forward Security. http://cloud.lucasjans.com/image/081m1V3c3O1z

There is [1] with a little bit about the privacy issue, but yes, you have to trust them not to send more than the URLs to Flattr.

[1]: https://blog.flattr.net/2017/06/key-elements-of-the-new-flat...


The link by itself doesn't come with a clear description of the security, privacy, legal, or licensing implications of its use, even accidental use, and could lead to unintended public data disclosure.

The simplysecure.org domain uses Google Analytics which isn't disclosed on their privacy page (as required by Google Analytics' TOS). There is also a mixed-content warning because someone hard-coded an http:// link to the balloons image in the blog post on their https site. I went to email them and first looked for PGP keys (us pro-privacy & security people all use PGP, right?) and found none for the domain on any key servers.

I point all this out because it perfectly illustrates their point. Here are a group of smart people launching a great initiative with a beautiful and modern website, and they made some mistakes just like the rest of us do.

I've offered to help and recommended they switch to Piwik (and fix the http link). I hope others here on HN who care about security and privacy will also offer to help out. Some of this stuff is easy to fix and I think it's a great initiative.
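The mixed-content problem described above (a hard-coded http:// subresource on an https page) is easy to check for mechanically. The following is an added example, not code from simplysecure.org or from the commenter: it walks the resource-loading attributes of a page with the standard-library HTML parser and flags any subresource that resolves to a plain http:// URL. The sample HTML and the page URL are constructed for the example; the `balloons.jpg` path is a hypothetical stand-in for the image mentioned in the comment.

```python
"""Mixed-content check: flag http:// subresources inside an HTTPS page (added example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Attributes that cause the browser to fetch a subresource. A plain http:// value
# here on an https page produces a mixed-content warning or block. Navigation
# links (<a href>) are deliberately not included: they are not mixed content.
RESOURCE_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "audio": ("src",),
    "video": ("src", "poster"),
    "source": ("src", "srcset"),
    "object": ("data",),
    "embed": ("src",),
}


class MixedContentParser(HTMLParser):
    """Collects (tag, attribute, absolute_url) for every http:// subresource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in RESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            if name == "srcset":
                # srcset is a comma-separated list of "url descriptor" pairs
                candidates = [c.strip().split()[0] for c in value.split(",") if c.strip()]
            else:
                candidates = [value]
            for raw in candidates:
                # Resolve relative and protocol-relative ("//cdn/...") URLs against
                # the page URL; only an explicit http:// scheme survives as "http".
                absolute = urljoin(self.page_url, raw)
                if urlparse(absolute).scheme == "http":
                    self.findings.append((tag, name, absolute))


def find_mixed_content(page_url, html):
    """Return the list of http:// subresources found in `html` served at `page_url`."""
    if urlparse(page_url).scheme != "https":
        return []  # only an https page can have mixed content
    parser = MixedContentParser(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one relative stylesheet, one https script,
# one protocol-relative image, one hard-coded http:// image, one http:// nav link.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="https://www.google-analytics.com/analytics.js"></script>
</head><body>
<img src="//cdn.example.com/logo.png">
<img src="http://example.com/images/balloons.jpg" alt="balloons">
<a href="http://example.com/about">about</a>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content("https://example.org/blog/post", SAMPLE_HTML):
        print(f"mixed content: <{tag} {attr}=...> loads {url}")
```

Only the hard-coded `http://example.com/images/balloons.jpg` image is reported; the relative and protocol-relative references inherit the page's https scheme and the `<a href>` is a navigation, not a subresource. The same loop over `RESOURCE_ATTRS` is also a convenient place to list which third-party hosts (such as an analytics script) a page actually pulls in.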

