Let Zappl Clerify some things. FUD Correction
Zappl is open source you can contribute to the Github or leave bug reports on utopian. No Zappl don't save keys, your keys are saved in your browser or mobile device not on our servers.
You can clearly see how Zappl handles your keys and transactions via your browser developer portal. Your also free to check the source code that is public on Github. https://github.com/Zappl/Zappl
Zappl has also been listed on utopian for bug reporting for a while now.
We know Some people just came to find out about zappl. But Zappl Has been open since October 2017, and we have been really open with the community. Yes some people want us to use steemconnect but in phase 1 we will not be utilizing steemconnect. Zappl isn't following the lead with the development of our platform.
Zappl only asks for private posting key on login to zappl, Some people are very unaware what this key can be used for and its limitations.
Private Public Uses:
- Voting
- Posting
- Commenting
- Resharing
- Down voting / flagging - This is voting just on certain sites handle it different.
Even if Zappl was capturing keys for the public key (Which were not because they're saved in your browser)were only limited to those uses above. This would not give us use over your wallet. Also all profile activity can be seen on https://steemd.com/@yourusername
Before listening to Fud please make sure to check the sources, Zappl is really open with the community and has really has nothing to hide. Zappl might be a private company but we do believe in transparency where it should be given when it involves our user base.
Feel free to contact us anytime on our discord, telegram or social media.
Vote for Zappl As Witness
The Zappl Team Our social media profiles and misc:
Twitter | Facebook | Discord | steemitchat | telegram
Follow, Upvote, Comment, ReSteem, Share
@thedegensloth, @steemitqa, and @zappl
Please clarify this then: https://github.com/Zappl/Zappl/issues/5
If they say they don't save the keys, the should not save the keys. Looks like security not being taken seriously there. No fud, just open source reviews...
Please read to the bottom of me and inertia conversation. We don't save keys.
They do not believe it yet. And With time, they will believe.
Zappl just has to keep giving trust to users, that's all. And Never make mistakes.
They already did make mistakes, and since it is open source, their mistakes are public record.
If they still say that keys are safe they either have no clue at all or made a big mistake they try to talk down instead of fixing.
Well one there was no active keys being saved so even if it was closed the issue wasn't keys being saved. It was in the possibility of them being saved in an error for the transaction if said node was down.
Which wasn't discovered until today, this was not even listed in the ticket. There was no intentional attempt to lie.
Yes we should have replied saying no we don't save keys but me an inertia had these talks before. Its not till recently that we found they could be saved by mistake in log files.
There was no keys in the logged file because the error would be in certain circumstances that were even less likely with us load balancing.
Find out more here:
https://github.com/Zappl/Zappl/issues/5#issuecomment-365120779 And please feel free to go through me an inertia back and forth which is very public.
Yeah for me the issue is not in a log leak being found.
If you send the keys to the server, there is a possibility for them to be leaked. Even if no log leak was found, there could be your proxy server, cloudflare, the users router or someone else logging it. It also means that your ssl certificate is the only protection the user has between their keys and a potential man in the middle.
I am glad that you are working to resolve this, but I am a bit sad that this has not crossed your mind when you decided to send them to the server.
This is the exact reason we have steemconnect, so that developers don't need to know every bit of security there is and can use a ready made secure framework.
yes thank you for the imformation. blong keys. I am very grateful to you who gave us the information👍👍 @zappl
Seems you don't save keys, but if they so happen to be leaked in logs, the fix for that will take weeks?
I am not impressed by how you handled this and will advise everyone to change their keys if they used zappl.
Should you have the fix live at some point, please comment on the github issue.
No this fix shouldn't take weeks. Also the issues is the node crashes well we load balance so the chances are low. But just in case we will be adjusting what is logged in the failure of said transaction.
Zappl didn't try to hide anything, just not used to having to comment on bug reports. This is our first Open source project so we wasn't used to always given feed back. But as you stated it was unprofessional of us to just look over problem.
@thedegensloth and @inertia have talk about this issue before privately before. But till today it didn't reach the point of were we found the bug report saving issue which has never occurred.
We were being truthful when we said we didn't store keys, but there was a issue we didn't think about. Which is why zappl is open source. So we've been working on browserify methods which will be coming.
But the temp method will be modifying what shows up in the logs. We thank you for your concern and realize our fault and hope we can continue to earn everyone trust.
Thank you for this! Being open source means accepting that there will be bugs and reacting to them publicly. And I am glad that you are open about this issue.
Oke sir zappl thank you
Yup, there's no need for FUD. I just look at network activity.
That's highly debatable when there have been only small commits since November, 2017. My bug report was created by utopian, twice for some reason, then closed with no explanation and no related commits.
To me, it seems like the Zappl front-end was put on GitHub so it would qualify for utopian's rules. But it hasn't been maintained.
Maybe this is true, but it's beside the point. It's possible that Zappl signs in-browser, but it also sends the keys to the server. Since the keys are sent to the server, it's entirely possible that they're logging keys without knowing it.
This is where we get into a real problem. Certain parts of Zappl does ask for the active key and does send the active key to the server. My GitHub Issue shows this.
Exactly. Them trying to cover it just makes it worse...
I’m not convinced they’re trying to cover anything up.
What esle would be their plan here?
i like your posts .post is good. i want to be like you are a lot of fans. and i need your support in achieving my goal to become a good artist. i need support from you.
Um we didn't try to cover anything up.
Can you help me figure out how much zappl is taking from people's posts? I never read anywhere they would take a cut of my post's profits but it appears they took 3%.
They probably take a beneficiary like many other platforms, not sure how much
they take 15% of rewards (compared to dtube/dsound/dmania's 25% that's low I guess)
Thank you zappl for providing this platform which serves as the right platform for bringing on short-form steemit posts.
The awareness you brought via this post is indeed timely as many new folks are joining the steemit train on daily basis.
Such updates may as well be necessary from time to time at Intervals.
Good to know that zappl is open source and that one can contribute to the project via utopian-io.
Keep up the good work.
Very good news who came late in @zappl. We hoping grow very fast but also keep @zappl place strongly.
it's nice to hear that we can contribute in zappl through utopian and i will sumbit my contributions soon, thanks for staying us updated regarding zappl.
That is a very good news
I last month once contributed in utopian about zappl @zappl
Well thanks fro the contribution.
I think zappl now is very good :)
As transparent as ever @zappl this is how corporations should be run. Don’t hear Pepsi correcting any FUD. Haha much love guys thanks for all the hard work!
We try to be as transparent as possible, the public's trust means a lot to us. I mean the style of site we are it only makes sense to make your self open to the community.
My friends that said zappl insecure, how with private key? they will take private key we. i first a bit in doubt with zappl. i continue monitor development zappl. i see there is opportunity in zappl.
Best Regards
Member Of Aceh Steemit Community
Sorry for My English
Wow I really like this.
I vote as a witness @zappl
share a sara for me or hint me how to post utopian like this @zappl.
Follow back @mardha