Support HTTPS
It would be nice not to leak my contacts through the URLs used in XHR, perhaps by POSTing using HTTPS, rather than GETing over HTTP.
Also, I access gmail through https://mail.google.com, and in gmail my console log warns me that "The page at https://mail.google.com/mail/?[...] ran insecure content from http://rapportive.com/api/v1/[...]" - not the end of the world, but I'm a believer that all traffic should go over TLS :)
Hi all,
It should now be the case that everything Rapportive does happens over HTTPS — please email supportive@rapportive.com if this isn’t happening for you.
If you have other suggestions, please re-invest your uservoice votes :).
Thanks
Conrad
-
Sam Stokes (Admin, Rapportive) commented
@Abraham, thanks for the tip - looks helpful! We'll check it out.
-
Abraham Williams commented
Twitter supports HTTPS images through the AWS domain.
https://groups.google.com/group/twitter-development-talk/msg/01f022b4ae0f4219
-
Sam Stokes (Admin, Rapportive) commented
We do plan to fix this, but I'd just like to note that Rapportive *does not* compromise the security of your Gmail. Your email is still private and safe.
Your browser is displaying a warning about mixing secure and insecure content, because of the way our code is loaded into your browser and the way we display images. This warning is rather overprotective, and recent versions of Chrome display a frankly alarmist "skull and crossbones" icon for this. Again, it is something we need to fix, but your email is not at risk.
-
Daniel Wagner-Hall commented
Thanks for your consideration :) I look forward to seeing it soon!
-
Sam Stokes (Admin, Rapportive) commented
If it was a "trivial switch-flick" we'd have already done it, but our hosting situation means it's not entirely trivial.
As I said, POST isn't technically feasible for now, but anyway it's a red herring. Using POST wouldn't hide anything: anyone sniffing net traffic can read the body of an intercepted POST request just as easily as they can read the URL of an intercepted GET request. Using HTTPS does, indeed, prevent both, and as I said above, we do plan to support HTTPS.
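Sam's point that POST hides nothing on the wire, and the mixed-content warning Daniel quoted, as an added example in Python (not code from Rapportive or from any commenter): a passive reader of plaintext HTTP recovers the same email address from a GET query string and from a POST body, and only TLS takes it off the wire. The two request samples and the hosts in them are constructed for this example.

```python
from urllib.parse import parse_qs, urlsplit


def exposed_fields(raw_request: str, scheme: str) -> dict:
    """Name/value pairs readable by anyone who can see this request on the wire.

    scheme is the transport it travelled over: 'http' (plaintext) or 'https'.
    Under TLS the request line, headers and body are all encrypted, so the
    GET-vs-POST choice makes no difference either way.
    """
    if scheme == "https":
        return {}
    head, _, body = raw_request.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    method, target, _version = request_line.split(" ")
    fields = {}
    # GET parameters ride in the query string of the request target.
    for name, values in parse_qs(urlsplit(target).query).items():
        fields[name] = values[0]
    # POST parameters ride in the body, which is just as readable in plaintext.
    if method == "POST" and body:
        for name, values in parse_qs(body).items():
            fields[name] = values[0]
    return fields


def is_mixed_content(page_url: str, resource_url: str) -> bool:
    """True when an https page loads a resource over plain http,
    which is what triggers the browser warning discussed in this thread."""
    return (urlsplit(page_url).scheme == "https"
            and urlsplit(resource_url).scheme == "http")


# Constructed sample requests (not captured traffic); hosts are placeholders.
GET_REQ = (
    "GET /api/v1/contacts?email=alice%40example.com HTTP/1.1\r\n"
    "Host: rapportive.example\r\n\r\n"
)
POST_REQ = (
    "POST /api/v1/contacts HTTP/1.1\r\n"
    "Host: rapportive.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 25\r\n\r\n"
    "email=alice%40example.com"
)

if __name__ == "__main__":
    for label, req in (("GET", GET_REQ), ("POST", POST_REQ)):
        print(label, "over http:", exposed_fields(req, "http"),
              "over https:", exposed_fields(req, "https"))
    print("mixed content:", is_mixed_content(
        "https://mail.google.com/mail/", "http://rapportive.com/api/v1/x"))
```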
-
Daniel Wagner-Hall commented
Using https GET is a trivial switch-flick at your end, and would mean that the actual social network data would be encrypted on the line, which is a nice and basically free improvement.
Using POST would also hide the email addresses in the requests, which goes to hide the social information, which in the face of the recent Buzz fiasco [1] and general social graph reconstruction engineering [2] still is quite a big win, especially if you're somewhere like China, where who knows who you contact *really* matters...
1: http://news.cnet.com/8301-31322_3-10451428-256.html
2: http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=4498373
-
Sam Stokes (Admin, Rapportive) commented
Unfortunately POST isn't going to happen any time soon. Because we're embedded in the GMail interface, all the requests we're doing are cross-domain, and cross-domain POST via XHR isn't well-supported in browsers at the moment. You don't really gain much security from using POST rather than GET, though.
-
Chris Maddern commented
I assumed this was the case... I'm sorry I just stopped using it because of this. I force Gmail HTTPS for a reason!