
RE: Let Zappl Clarify some things. FUD Correction

in #zappl • 7 years ago

They already did make mistakes, and since it is open source, their mistakes are public record.

If they still say that keys are safe they either have no clue at all or made a big mistake they try to talk down instead of fixing.


Well, one, there were no active keys being saved, so even if it was closed, the issue wasn't keys being saved. It was in the possibility of them being saved in an error for the transaction if said node was down.

Which wasn't discovered until today, this was not even listed in the ticket. There was no intentional attempt to lie.

Yes, we should have replied saying no, we don't save keys, but me and inertia had these talks before. It's not till recently that we found they could be saved by mistake in log files.

There were no keys in the logged file because the error would be in certain circumstances that were even less likely with us load balancing.

Find out more here:
https://github.com/Zappl/Zappl/issues/5#issuecomment-365120779

And please feel free to go through me and inertia's back and forth, which is very public.
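Editor's added example, not part of the comment above and not Zappl's code: one way to keep key material out of error logs when a failed broadcast is logged. It assumes keys are WIF strings (Base58, 51 characters, leading "5"); the field names, `FAKE_WIF` and the sample error are constructed for illustration.

```javascript
// Added example, not Zappl's code: scrub private keys from error data before logging.
// Assumption: keys are WIF strings (Base58, 51 chars, leading "5").
const B58 = '1-9A-HJ-NP-Za-km-z';
const WIF_RE = new RegExp(`(?<![${B58}])5[${B58}]{50}(?![${B58}])`, 'g');
// Hypothetical field names that should never reach a log, whatever they hold.
const SECRET_FIELDS = new Set(['wif', 'key', 'privatekey', 'postingkey', 'activekey', 'password']);

function redactField(name, value, seen) {
  return SECRET_FIELDS.has(name.toLowerCase()) ? '[REDACTED_FIELD]' : redact(value, seen);
}

function redact(value, seen = new WeakSet()) {
  if (typeof value === 'string') return value.replace(WIF_RE, '[REDACTED_KEY]');
  if (value === null || typeof value !== 'object') return value;
  if (seen.has(value)) return '[Repeated]'; // cycle or repeated reference
  seen.add(value);
  if (Array.isArray(value)) return value.map((v) => redact(v, seen));
  const out = {};
  if (value instanceof Error) {
    // message and stack are non-enumerable on Error, so copy them explicitly.
    out.name = value.name;
    out.message = redact(value.message, seen);
    out.stack = redact(value.stack, seen);
  }
  for (const k of Object.keys(value)) out[k] = redactField(k, value[k], seen);
  return out;
}

function toLogLine(err) {
  return JSON.stringify(redact(err));
}

// Constructed sample: a fake key-shaped string and a failed broadcast error.
const FAKE_WIF = '5' + 'Jx'.repeat(25);
function sampleError() {
  const err = new Error(`broadcast failed, node unreachable; args=["alice","${FAKE_WIF}"]`);
  err.request = { author: 'alice', wif: FAKE_WIF, extra: [`retry with ${FAKE_WIF}`] };
  return err;
}

console.log(toLogLine(sampleError()));
```

Redaction only covers logs the application itself writes; it does nothing for copies of the request seen by proxies or other intermediaries.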

Yeah for me the issue is not in a log leak being found.

If you send the keys to the server, there is a possibility for them to be leaked. Even if no log leak was found, there could be your proxy server, Cloudflare, the user's router or someone else logging it. It also means that your SSL certificate is the only protection the user has between their keys and a potential man in the middle.

I am glad that you are working to resolve this, but I am a bit sad that this has not crossed your mind when you decided to send them to the server.

This is the exact reason we have steemconnect, so that developers don't need to know every bit of security there is and can use a ready-made secure framework.

Yes, thank you for the information. blong keys. I am very grateful to you who gave us the information👍👍 @zappl