If they say they don't save the keys, they should not save the keys. Looks like security not being taken seriously there. No FUD, just open source reviews...
Please read to the bottom of the conversation between me and inertia. We don't save keys.
They do not believe it yet, and with time, they will believe.
Zappl just has to keep giving trust to users, that's all. And never make mistakes.
They already did make mistakes, and since it is open source, their mistakes are public record.
If they still say that keys are safe they either have no clue at all or made a big mistake they try to talk down instead of fixing.
Well, for one, there were no active keys being saved, so even if it was closed the issue wasn't keys being saved. It was the possibility of them being saved in an error for the transaction if said node was down.
Which wasn't discovered until today; this was not even listed in the ticket. There was no intentional attempt to lie.
Yes, we should have replied saying no, we don't save keys, but me and inertia had these talks before. It's not until recently that we found they could be saved by mistake in log files.
There were no keys in the logged file because the error would occur in certain circumstances that were even less likely with us load balancing.
Find out more here:
https://github.com/Zappl/Zappl/issues/5#issuecomment-365120779 And please feel free to go through the back and forth between me and inertia, which is very public.
Yeah for me the issue is not in a log leak being found.
If you send the keys to the server, there is a possibility for them to be leaked. Even if no log leak was found, there could be your proxy server, Cloudflare, the user's router or someone else logging it. It also means that your SSL certificate is the only protection the user has between their keys and a potential man in the middle.
I am glad that you are working to resolve this, but I am a bit sad that this has not crossed your mind when you decided to send them to the server.
This is the exact reason we have steemconnect, so that developers don't need to know every bit of security there is and can use a ready made secure framework.
Yes, thank you for the information. blong keys. I am very grateful to you who gave us the information 👍👍 @zappl
Seems you don't save keys, but if they so happen to be leaked in logs, the fix for that will take weeks?
I am not impressed by how you handled this and will advise everyone to change their keys if they used Zappl.
Should you have the fix live at some point, please comment on the GitHub issue.
No, this fix shouldn't take weeks. Also, the issue is the node crashes; well, we load balance, so the chances are low. But just in case, we will be adjusting what is logged in the failure of said transaction.
Zappl didn't try to hide anything, just not used to having to comment on bug reports. This is our first open source project, so we weren't used to always being given feedback. But as you stated, it was unprofessional of us to just look over the problem.
@thedegensloth and @inertia have talked about this issue privately before. But until today it didn't reach the point where we found the bug-report saving issue, which has never occurred.
We were being truthful when we said we didn't store keys, but there was an issue we didn't think about. Which is why Zappl is open source. So we've been working on browserify methods, which will be coming.
But the temporary method will be modifying what shows up in the logs. We thank you for your concern and realize our fault, and hope we can continue to earn everyone's trust.
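The interim mitigation described above (changing what is written to the log when a broadcast fails) is the kind of thing that is easy to get wrong, because a failure handler often dumps the whole request. The following is an added example, not Zappl's code, of scrubbing a transaction-failure record before logging it; the field names, the error shape and the sample key values are constructed assumptions, and the key pattern is the 51-character base58 WIF format Steem private keys use.

```javascript
// Added example (not Zappl's code): redact Steem private keys from a
// transaction-failure error before it is written to the server log.
// Assumes the failure handler may be given the raw request body, as the
// thread describes for the "node down" case.

// Steem/Graphene WIF private keys: base58, 51 characters, starting with '5'.
const WIF_RE = /\b5[1-9A-HJ-NP-Za-km-z]{50}\b/g;
// Field names (assumed) whose values should never reach a log at all.
const SENSITIVE_KEYS = new Set(['wif', 'active_key', 'posting_key', 'password', 'private_key']);

// Walk strings, arrays and objects; scrub key-shaped substrings and blank
// out any field whose name marks it as secret.
function redactValue(value) {
  if (typeof value === 'string') return value.replace(WIF_RE, '[REDACTED_KEY]');
  if (Array.isArray(value)) return value.map(redactValue);
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = SENSITIVE_KEYS.has(k.toLowerCase()) ? '[REDACTED]' : redactValue(v);
    }
    return out;
  }
  return value;
}

// Build a log-safe record from a failed broadcast: keep what is useful for
// debugging (message, stack, non-secret request fields) and scrub the rest.
// Error messages and stacks are scrubbed too, since libraries sometimes
// embed the request body in them.
function safeErrorRecord(err, requestBody) {
  return {
    message: redactValue(String(err && err.message)),
    stack: redactValue(err && err.stack ? String(err.stack) : ''),
    request: redactValue(requestBody),
  };
}

// Constructed sample: the node was unreachable and the client library put
// the whole body, active key included, into the error message.
const sampleErr = new Error('connect ECONNREFUSED steemd node; body=' +
  JSON.stringify({ wif: '5' + 'J'.repeat(50) }));
const sampleBody = { author: 'alice', op: 'comment', active_key: '5' + 'K'.repeat(50),
  meta: { node: 'https://node.example' } };

console.log(JSON.stringify(safeErrorRecord(sampleErr, sampleBody), null, 2));
```

The message and stack are scrubbed as well as the body because the key can arrive in the log through any of them, not only through the field the handler intended to print.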
Thank you for this! Being open source means accepting that there will be bugs and reacting to them publicly. And I am glad that you are open about this issue.
Okay sir Zappl, thank you.
Yup, there's no need for FUD. I just look at network activity.
That's highly debatable when there have been only small commits since November, 2017. My bug report was created by utopian, twice for some reason, then closed with no explanation and no related commits.
To me, it seems like the Zappl front-end was put on GitHub so it would qualify for utopian's rules. But it hasn't been maintained.
Maybe this is true, but it's beside the point. It's possible that Zappl signs in-browser, but it also sends the keys to the server. Since the keys are sent to the server, it's entirely possible that they're logging keys without knowing it.
This is where we get into a real problem. Certain parts of Zappl do ask for the active key and do send the active key to the server. My GitHub issue shows this.
Exactly. Them trying to cover it just makes it worse...
I’m not convinced they’re trying to cover anything up.
What else would be their plan here?
I like your posts. Your posts are good. I want to be like you, with a lot of fans, and I need your support in achieving my goal to become a good artist. I need support from you.
Um, we didn't try to cover anything up.
Can you help me figure out how much Zappl is taking from people's posts? I never read anywhere that they would take a cut of my post's profits, but it appears they took 3%.
They probably take a beneficiary cut like many other platforms; not sure how much.
They take 15% of rewards (compared to dtube/dsound/dmania's 25%, that's low, I guess).