First, apologies that we didn't meet your expectations in regards to security on our service. Just to be clear, any password-related data or personal information you've sent in Droplr has been over HTTPS. But, we didn't go as far as we should have. We misjudged where usage was falling on the public-private spectrum, and we're ensuring we meet privacy expectations now.
We can see that it's a priority for people, and it's a priority for us. We've already deployed the fix, so ALL drop content should now be served over HTTPS.
We'll work on getting the pages themselves on the d.pr domain served over HTTPS as well and also look into a solution or better documentation for customers using their own custom domain.
Thanks for your patience with us and I hope you can forgive us and give us another shot.
> Just to be clear, any password-related data or personal information you've sent in Droplr has been over HTTPS.
Unless there was personal information in a file I shared using Droplr.
I'm not the person who raised this issue on your support site. I'd never even heard of Droplr until somebody shared this link with me for a laugh. While the title of my submission might not reflect it, I find the lack of comprehension and dismissive attitude of your customer service representative more off-putting than the original security flaw. He closed the ticket multiple times claiming that "the whole Droplr platform runs on HTTPS," when that clearly wasn't the case. Glyph was remarkably patient in re-opening and re-explaining the issue until the rep finally seemed to realize why he was wrong, whereupon the answer changed from "this isn't an issue, we already support the feature you're requesting" to "we're already aware of this issue but it's not a big deal," without even an acknowledgment that he'd so fundamentally misunderstood the request, let alone an apology for blowing him off repeatedly.
Thx for the response! I've always been a droplr fan and, even thought ssl should've been there, I'm glad it's fixed and I'll happily continue to use it :)
The combination of the wrongness expressed in that thread and how easy it is to fix made it excruciating to read. I'm embarrassed for them. You can't say on your homepage, "Everything you share is stored secure and safe in the cloud" then say that security isn't a high priority.
Why do they keep closing the request? It's obviously a problem. The fact that they seem so willfully ignorant makes me rather nervous about relying on droplr for anything.
Edit: Looks like they're fixing the problem after all. It's unfortunate that it took a Hacker News article to bring attention to the problem, but at least they're taking the appropriate steps.
I never used droplr and now i know i will never use it. Support staff was never able to understand how SSL works or what problem is. Yet he choose simply to ignore it.
>The reason why the content itself is not served under https is precisely to avoid the SSL warning.
That annoying warning is the hearth of the secure connection. It surprises me how people choose an easy way and doesn't care about "doing things right"
In a customer-service system, a ticket should only be closed when the customer has acknowledged that the problem is solved or can't be solved, or it can be aged out to closed after the customer has been non-responsive for a suitable period of time. If your metrics depend on closing tickets rapidly, you are measuring the wrong thing.
I don't know that this is supposed to be a customer-service system, though.
The default button in Tender (which is the support software they are using) is "Reply and Close". It's easier to do that and I think the support guy got used to it.
The default action on our support system (which we did not develop) is to "Reply and Close".
I believe Tender designed it this way because, at least in our experience, 99% of the time after we reply, we never hear from the OP again. So by always closing the discussion after we answer, it keeps our queue clean and lets us clearly see what discussions are still open awaiting our response.
Anyone can always re-open the discussion if they feel they have more to add. It's not meant in any way to try to discourage discussion. We could just delete it if that's what we had wanted to do. :)
As a user there is nothing that drives me to rage more than a company arbitrarily (from my POV) marking a ticket as closed.
Having read your post I can see the merits but if I were a user who does not know about your workflow it would make me very angry.
Why can you just not have the ticket auto-close after your reply and X days have passed, you can change your internal list to only show tickets that are open and last updated to by the customer?
The reason why the content itself is not served under https is precisely to avoid the SSL warning. As I've said before, this particular issue is not high priority right now, which doesn't mean we're not aware or aren't going to fix it.
Something about the tone of this response irks me.
This brings up the concept of taking the right tone with your customers. This is a perfect example of what not to do. "Don't worry, your concerns are invalid... Oh, you have a valid point? Doesn't matter, we don't care."
No content protection is a huge oversite. I hope they re-prioritize this one -- they should care that their customer's data isn't secure on public networks.
* Who uses a free file sending service for critical docs?
* The only mention of 'secure' on their homepage has (to my mind) more of an implication of "safe and secure eg your file won't be lost" rather than "secure from hackers"
I think it's forgivable, at least for the free version of the service. Maybe they should upgrade then tout the paid version as offering https as a benefit.
Not sure whether the site you run is localhostr.com (from your profile) or not, but just wanted to tell you that Malwarebytes blocked the site from loading on my PC since they consider the site a potential threat. Not sure what metric they used to determine that, but just wanted to let you know in case it's something you encounter with other users or potential users.
Thanks, I've been in contact with them about it, but they have been slow to respond. We run multiple virus scans against uploaded content, don't allow hotlinking of non-image content and actively remove any malware found.
Edit: Just received a response to a PM, we're no longer on their shitlist :)
They said: "The whole Droplr platform runs on HTTPS. That means when you upload a file, note or shorten a link via any of the apps (Windows, Mac or iPhone), it sends the file over HTTPS."
Yes, they said that. And if you continued reading, you'd see that the OP knew this was not the case. Eventually, they too understood, and apparently fixed it.
zwass, I'm not sure why you're using that tone to reply to me. It seems you're assuming that my reply was made AFTER they posted the fix. In fact I had read the thread until the end before I posted. The fix came after my comment.
Anyway, I still stand by it, in my reply to the previous comment that maybe the user had misunderstood what they meant by security, and I backed my argument with the words of the service provider's representative.
I agree to a point, but a satisfied customer is less likely to come back to close a ticket. I prefer a system the automatically closes a ticket after a period of inactivity.
Big red flag that they don't understand the distinction made by the requester over there. I'd be seriously concerned if I had sensitive data in their systems.
What's the point of even using HTTPS if the content in question (and worth protecting) is served via HTTP. The way the support person misunderstands repeatedly and then plays it off as "That's what I meant, duh, we don't care" is pretty tacky.
"Oh, I'm sorry, I misunderstood." changes the entire tone of the post. It's not like this is even hard to fix.
The person (Bruno) replying on behalf of Droplr is "in charge of the whole server-side circus — API server, system administration, web app backend —, the SDK libraries for third-party clients, the Windows app and the iOS app." http://biasedbit.com/about/
(I realize there is a risk of sending a mob by linking to his personal page, but I think there is evidence he is indeed "intelligent" and simply misunderstood this particular piece of the puzzle. He just need a bit more humility.)
First, apologies that we didn't meet your expectations in regards to security on our service. Just to be clear, any password-related data or personal information you've sent in Droplr has been over HTTPS. But, we didn't go as far as we should have. We misjudged where usage was falling on the public-private spectrum, and we're ensuring we meet privacy expectations now.
We can see that it's a priority for people, and it's a priority for us. We've already deployed the fix, so ALL drop content should now be served over HTTPS.
We'll work on getting the pages themselves on the d.pr domain served over HTTPS as well and also look into a solution or better documentation for customers using their own custom domain.
Thanks for your patience with us and I hope you can forgive us and give us another shot.
Cheers