Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[Cave-o-sapien]

Being willing to launch your product with a known security hole that is trivial to exploit is just irresponsible. 

This is the most relevant part to me. 

The number of issues raised by beta testers that weren't addressed prior to launch attempt No. 1 is alarming.

[monteslu]

Teams of people who have been working for a year launching a large scale commercial product - have less.  Being willing to launch your product with a known security hole that is trivial to exploit is just irresponsible.  Embedding javascript in your chat doesn't exactly require throwing a proxy in between the client and the server - which is what I'm assuming blueblimp did for his don't trust the client attack.  And since you can redirect someone to ANY website - if your browser has any holes (and they all do right?  those pwn2own competitions always have zero day exploits released) then you've got some risk of your computer being compromised.

It's as easy as using chrome dev tools.  You have a console and are able to monitor websocket traffic.  MiM is sometimes difficult with SSL (when its being used), but firebug and chrome dev tools make it all a one stop shop these days

[PenPen]

I'm wondering, if I should sign up for the beta? Are the security concerns still around?

I don't want to login to their beta or their final product until these are really addressed.

Also of note is that aside from the initial press release reporting from the mainstream press, the dud that happens afterwards is much less reported. Probably fewer than 10 (at least from Google search, there's 3 articles reporting the revert back to beta).