SSL / data encryption??
jasonabc says:
Posted this in Ideas earlier but then saw this forum is read by RTM members so sincere apologies for the double post!
It seems very odd to me that the default protocol for the RTM service is http:// and not https://? Surely in tasks (and especially the notes area), where sensitive data (such as login info, passwords, credit card information etc.) is bound to reside, you *must* use SSL to encrypt data as it travels to and from the browser to your service?
RTM can run perfectly well under the secure protocol - I literally just stick an 's' in the address bar of the browser (and also edited my bookmarks) and it runs under https://rememberthemilk.com totally fine. But you can't rely on or expect users to do this manually surely? Maybe it's done elsewhere - although it's difficult to see how.
Can anyone clarify this?
Brilliant tool by the way - been using it for the last couple of days at home, work and on my iPhone. This is already becoming one of those "how did I ever live without it" apps!! I gladly dropped $25 for my Pro membership today. Congratulations - awesome work.
Jason
emily (Remember The Milk) says:
Logins to Remember The Milk itself are encrypted with SSL, but we allow the user to choose whether they would like the additional security of accessing the entire application via HTTPS (in much the same way that it's optional to access applications like Gmail with HTTPS).
One of the reasons for this is that HTTPS is significantly slower than HTTP -- in addition to the encryption that needs to take place to send the data to your browser, your browser will not cache images or JavaScript from HTTPS URLs (so you need to re-download everything the next time you access the application). Most sites don't default to HTTPS unless it's strictly necessary for the data being transferred (e.g. bank sites).
HTTPS is a good option if you're accessing the site from a public location (e.g., public WiFi in a cafe) or would just like the additional security of your data being encrypted between our servers and your browser.
I should probably mention that we do not recommend storing sensitive information such as logins or credit card details in Remember The Milk, or in any web app not designed for that purpose. If you're looking for a web app to store login details, there's at least one (Passpack) that's designed specifically for that purpose, so I would recommend checking something like that out.
Hope this helps -- glad you're enjoying RTM, and thanks for signing up for Pro! :)
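What "forcing HTTPS server-side" means in concrete terms, as an added example that is not RTM's code and is not based on RTM's actual responses: a small checker that takes a raw HTTP response and the URL it answered, and reports whether a plain http:// request was redirected to https:// on the same host, whether the https:// response carries a Strict-Transport-Security header (browsers only honour HSTS when it arrives over TLS, per RFC 6797, so it is checked on the https response only), and whether any cookie was set without the Secure attribute. The last point is the practical caveat behind "just stick an 's' in the address bar": a session cookie set without Secure is still sent on http:// requests, so the user who upgraded the URL by hand is only protected until they follow one http:// link. The host `example.com`, the `/tasks` path, the `session` cookie and all three sample responses are constructed for the example.

```python
"""Classify whether an HTTP response pushes the client onto HTTPS.

Added example, not Remember The Milk's code. All hosts, paths, cookie names and
response bodies below are constructed and do not describe any real server.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


@dataclass
class HttpsAssessment:
    redirects_to_https: bool          # http:// request answered with a redirect to https:// on the same host
    hsts_max_age: int | None          # max-age from Strict-Transport-Security, if present on an https response
    hsts_include_subdomains: bool
    insecure_cookies: list[str]       # cookies set without the Secure attribute
    findings: list[str] = field(default_factory=list)


def parse_response(raw: str) -> tuple[int, list[tuple[str, str]]]:
    """Split a raw HTTP/1.1 response into (status code, [(lower-case name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def parse_hsts(value: str) -> tuple[int | None, bool]:
    """Return (max-age in seconds, includeSubDomains) from a Strict-Transport-Security value."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def assess(raw_response: str, requested_url: str) -> HttpsAssessment:
    """Judge one response: an http:// answer must redirect; an https:// answer must set HSTS."""
    status, headers = parse_response(raw_response)
    req = urlsplit(requested_url)
    findings: list[str] = []
    redirects = False
    max_age, include_sub = None, False

    if req.scheme == "http":
        location = next((v for n, v in headers if n == "location"), None)
        if status in REDIRECT_STATUSES and location:
            loc = urlsplit(location)
            redirects = loc.scheme == "https" and loc.hostname == req.hostname
        if not redirects:
            findings.append("plain http:// request was served without a redirect to https://")
    else:
        # HSTS is ignored by browsers unless received over TLS, so only the https response counts.
        hsts = next((v for n, v in headers if n == "strict-transport-security"), None)
        if hsts:
            max_age, include_sub = parse_hsts(hsts)
        if max_age is None:
            findings.append("https:// response carries no Strict-Transport-Security header")

    # A cookie without Secure is sent on later http:// requests regardless of how this one was made.
    insecure: list[str] = []
    for n, v in headers:
        if n == "set-cookie":
            cookie_name = v.split("=", 1)[0].strip()
            attrs = {a.strip().lower() for a in v.split(";")[1:]}
            if "secure" not in attrs:
                insecure.append(cookie_name)
                findings.append(f"cookie {cookie_name!r} set without the Secure attribute")
    return HttpsAssessment(redirects, max_age, include_sub, insecure, findings)


# Constructed sample: the app served over plain HTTP, session cookie set there without Secure.
INSECURE_DEFAULT = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
    "\r\n<html>...</html>"
)

# Constructed sample: the hardened pair. The http:// request is redirected ...
HARDENED_HTTP = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://example.com/tasks\r\n"
    "Content-Length: 0\r\n\r\n"
)

# ... and the https:// response pins the browser to HTTPS and marks the cookie Secure.
HARDENED_HTTPS = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly\r\n"
    "\r\n<html>...</html>"
)

if __name__ == "__main__":
    for label, raw, url in (("insecure default", INSECURE_DEFAULT, "http://example.com/tasks"),
                            ("hardened http", HARDENED_HTTP, "http://example.com/tasks"),
                            ("hardened https", HARDENED_HTTPS, "https://example.com/tasks")):
        print(label, assess(raw, url).findings or "ok")
```

Run against a real site you would replace the constructed strings with the raw response from a TLS-less `http://` fetch and then from the `https://` one; the three findings the checker emits map directly onto the three server-side fixes: a 301 from http:// to https://, an HSTS header on https:// responses, and Secure on every cookie.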
jasonabc says:
Hi Emily - thanks for the response. I don't recall ever being given the choice to access RTM via HTTPS (I had to do it myself manually, and that was only after the thought occurred to me that data was not being encrypted from my browser to your service), but I admit I may have missed it. I'm not sure how far you can successfully argue reducing security in favour of performance - RTM is so lean and fast anyway that performance time is not going to be affected much by transferring over https:// instead of http://?
I guess this is a choice the user will have to make because sensitive data like usernames and passwords (unless it's made very clear) *will* be stored and used on here as people use it more and more.
Maybe a prominent disclaimer like you get in any IM window you open ("Do not store passwords or sensitive information" etc.) would be helpful. Or adding an option in Settings? Right now there doesn't seem to be much in the way of this, and (coming from the world of e-commerce as I do) most people I deal with on a day-to-day basis don't have a clue about SSL, https:// and data encryption.