(Formerly) Bad Idea


I think this is a very bad idea. Can we at the very least just change it to a normal link? Why embed a third party application? I can't even tell which version of rocket chat is running, so I can't even tell which exploits have been fixed.

Edit: The link has been changed to a normal link. Well done, Golos!

It's also a problem for novice users who don't realize that their password for rocket chat is different from their golos.io one. Password managers will automatically fill in their golos.io password because it's on the same domain. This is all very bad.


Comments 6


Yes. I had to look twice. My password manager automatically prompted me to fill in the fields with my Golos username and Golos key.

This is a security risk.

01.04.2017 16:53
0

Also noticed that when I first went into the chat.

01.04.2017 16:56
0

If users at large ask to take it down, we happily will.

At launch time, we had a big number of users ask us to have a link on the main page to the rocket chat page.

EDIT: if there are security issues that may arise, we will check them ASAP and take action.

EDIT 2: It looks like we will change this to a link rather than an embed; a post will follow shortly. Thanks for the "bell".

01.04.2017 17:09
0

I understand you might want to seek consensus. Should the security of a user's Golos keys be a consensus decision though?

This is a decision about providing a safe environment to invest money.

01.04.2017 17:17
0

Off topic, and regardless of the issue: I really doubt that those who invest money use built-in password managers. If you do that, you should really think about stopping using your PM for websites / applications etc. that "store" (show / represent) money / tokens of any kind.

01.04.2017 21:37
0

So true! Who are these amateurs in charge of this website??
RocketChat Embed on a web-wallet like this is beyond crazy, it is irresponsible to say the least. Unacceptable!

01.04.2017 17:10
0

Just a free translation.

Free translation:

@inertia is saying that the chat application (rocket chat) is placed in the client as an embed (embedded script) from a third party. In theory, if rocket chat is hacked, they could get Golos account passwords, because the rocket chat login form is automatically filled with your data from the browser store associated with the golos.io domain.

And an inexperienced user will simply type their Golos account details into rocket chat, because they assume it is the same service.

_

Golos and Steemit both use a powerful Content Security Policy:
https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy

This solves many problems with potential injections, but there is no limit to perfection :)

Our most active developer is @serejandmyself

We also have GIP repo https://github.com/GolosChain/gip

You can create an issue with a description of the problem or with any suggestions for developing the platform.

PS

How about a collaboration with our @rusteemitblog for translating your content? This can make your posts heard by users in the correct way.

01.04.2017 17:10
0
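The CSP mention above invites a concrete check. As an added example (not Golos's or Steemit's own code; the policy strings are constructed, not their real headers), this evaluates whether a policy would let a third-party chat be framed into the wallet page at all, and where a login form may post credentials:

```python
"""Audit a Content-Security-Policy header for the two directives that matter
when a third-party chat is embedded in a web wallet: may the embed load at all
(frame-src, falling back to child-src, then default-src) and where may forms
post credentials (form-action, which has NO fallback). Constructed example."""
from urllib.parse import urlsplit

FRAME_FALLBACK = ("frame-src", "child-src", "default-src")

def parse_csp(header: str) -> dict:
    """'dir src src; dir src' -> {directive: [sources]} (directives lowercased)."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def _host_match(pattern: str, host: str) -> bool:
    """CSP host-source matching: exact host or '*.example.com' wildcard."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host

def allows(sources, site: str, origin: str) -> bool:
    """True if a CSP source list permits `origin` for a page served at `site`."""
    site_u, u = urlsplit(site), urlsplit(origin)
    for src in sources:
        s = src.lower()
        if s == "'none'":
            return False
        if s == "*":
            return True
        if s == "'self'":
            if (u.scheme, u.netloc) == (site_u.scheme, site_u.netloc):
                return True
            continue
        if s.endswith(":") and s[:-1] == u.scheme:   # scheme-source, e.g. https:
            return True
        if s.startswith("'"):                        # nonces/hashes: not host sources
            continue
        p = urlsplit(s if "://" in s else "//" + s)
        if p.scheme and p.scheme != u.scheme:
            continue
        if not _host_match(p.hostname or "", u.hostname or ""):
            continue
        if p.port and p.port != u.port:              # default-port case simplified
            continue
        return True
    return False

def embed_allowed(policy: dict, site: str, embed_origin: str) -> bool:
    """Walk the frame fallback chain; no governing directive means no limit."""
    for d in FRAME_FALLBACK:
        if d in policy:
            return allows(policy[d], site, embed_origin)
    return True

def form_post_allowed(policy: dict, site: str, target_origin: str) -> bool:
    """form-action does not inherit from default-src: absent means unrestricted."""
    if "form-action" not in policy:
        return True
    return allows(policy["form-action"], site, target_origin)
```

A policy with `frame-src *` and no `form-action` lets any origin be framed and any form post anywhere; naming the chat origin explicitly and adding `form-action 'self'` closes both.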

I will look into @rusteemitblog. Thanks for the information.

02.04.2017 05:37
0

Thanks for pointing out the potential problem. We will be changing the icon to a link, given that some users may actually use built-in browser password managers.

We strongly advise against using a password manager for your Golos password.

BR

/ru--golos/@golos/applikaciya-roket-chat-i-potencialnyi-risk-vzloma

01.04.2017 18:14
0

Fixed just like that. I am proud to be on Golos!

01.04.2017 22:32
0

Good to hear that you handled it.

01.04.2017 22:58
0

I appreciate your efforts in addressing this issue.

I'm a little puzzled by your advice to not use a password manager. What alternatives are you suggesting?

Should I store it in a cleartext file on my desktop for all to see?

It is not a password that you can just memorize. It needs to be stored. It needs to be encrypted. It needs to be wiped from the clipboard after use. Ideally it can be all those things and easy to retrieve. Hence a password manager.

I'm curious what your own choice of password security is.

06.04.2017 13:47
0