First of all I just wanted to thank you for taking the time to look at the service and spend some time with it. We are always looking for constructive feedback as we try, with everyone else in the industry (and the respect network), to push for more trust and security online.

I'm also sorry if I missed something but I wasn't aware that we were at odds? Maybe you could let me know why you felt it was necessary to name check those involved? I'm more than happy to spend time with you so we can get your feedback personally.

I'm also not sure what can be fixed for tomorrow or indeed what is broken. I'll catch up with Stuart and Jenna on Monday but I wanted at least to reply on the mailing list here first. There are a few things I can quickly clarify for you.

The first is with regards to the short URL. This was originally intended for the QR codes (to keep the URL short) and is currently restricted to a few characters. We have some unreleased functionality that we have been working on to support full URLs for public profiles but this isn't released yet. If the point of your post was to get a customised one then I'm happy to sort that out as a supporter of miiCard. Again, however, this functionality isn't released to our members yet. There are a few other 'non elite users' that have these so again I'm happy to sort this out for you but please remember it will change in the future and this was really just for the card image. The intended URL would be the full card image such as my.miicard.com/card/james.varga which, as you can see, is pretty friendly in itself.

In regards to the BEAST attack I'll have to check but I believe this is a false negative reading as we are hosted on Azure with the latest Server 2008 Guest 2.14, where the BEAST vulnerability was patched in MS12-006 in the 2.10 platform. We go through regular security audits and penetration tests so I would be very surprised if this was undetected by Microsoft, ourselves or our security company.

With the password system there is always a balance between usability and security. This is something that I'll raise with the team this week. The reason we support other authentication services such as YubiKeys is to offer more options for our users. If you are worried about the use of OTP over SMS then I suggest you configure your account to use this or Toopher. If you have any other suggestions on third party auth services then we can put them on the list and look to integrate them in future releases.

Finally, thank you again for taking the time to look at the service. I'm personally disappointed that you had to take such an aggressive stance on providing feedback as it seems like you were just trying to help. I'll get back to you about the password process early in the week.

Regards,
James
From: T.Rob
Sent: 17 May 2013 19:44
To: James Varga; Stuart Fraser; 'ProjectVRM list'
Subject: Duking it out with miicard - T.Rob style

In my never-ending quest to make the world make sense, I have turned my attention to miicard.com once again. They are pretty good, use HTTPS where it counts, don't email my stored password around, and I even let them verify bank accounts. But they are not without some issues. Some cosmetic, some functional and urgent. In the interest of cutting to the chase, I've emailed James Varga (CEO) & Stuart Fraser (CTO) links to this post. I expect these will all be fixed by tomorrow. :-)

Or if you don't like me tracking your clicks: https://ioptconsulting.com/duking-it-out-with-miicard/

Stuart, James, I can't imagine that you aren't on this mailing list but if you are not and wish to reply on-list, you can sign up at: http://cyber.law.harvard.edu/projectvrm/Mailing_list

-- T.Rob