Comments on: MyStickies Goes Live

By: Robert

Robert — Fri, 09 Feb 2007 00:24:43 +0000

It would be so much cooler if you had titled and collapsible stickies (so that you only saw the title)!

By: S.

S. — Sat, 02 Dec 2006 01:28:23 +0000

I love the stickies. They’re awesome!

By: Software » MyStickies Goes Live

Software » MyStickies Goes Live — Sat, 02 Sep 2006 12:31:19 +0000

[...] Future features include sharing notes with friends and creating public notes.read more | digg story [...]

By: Yokhannan

Yokhannan — Mon, 20 Feb 2006 13:00:08 +0000

Might we suggest you double md5() account passwords.

At the moment you are sending user=username&password=md5(password) over a non-secure connection (http) – obviously no way around this, so you should really be doing something a bit more secure then a single md5() encryption technique.

You should also serious consider a bit of security on your end to defeat middle-man packet stream captures. A good start to this would be the detection of certain key variable names (sid, username, password, phpsession, etc, etc) from the http_referral. As it is, any (ignorant/newbiew) programmer who uses the _GET method to allow values to be passed through are seriously opening their systems up to even greater amount of middle-man spoof when their visitors are using myStickes. While I would agree this is not something that *should* fall on your shoulders, as a group that hopefully desires to keep a good reputation, it should be your goal to take the higher road. Stripping out very unnecessary values from the http_referral should be action you take. I say “very unnecessary” because these type of sites/pages are normally such that the end-user is *never* going to be able to revisit that *exact* page – due to the variance of session values. (which brings up the issue of saving stickes on pages where folks log in, and the web developer passes session id’s through the URI’s… this will make it impossible for them to ever revisit that exact page. Of course their sticky note will still be in their mySticky Dashboard.

Anyway, I am loving the service you provide. As an enterprise software developer, I just see a lot of things you should seriously consider to strengthen the overall security of your service – not because it is insecure if you do not, but because it’s the right thing to do.

To recap, I would suggest three things:

(1) Single md5 hashes have been known to be breakable (phpBB learned that on the hard way),

(2) Stripping unnecessary http_referrals can thwart middle-man packet-sniffers, and,

(3) Finding a way to deal with stickies on session-based pages is something to ponder on… I sure cannot think of a way to deal with that properly, unless you start assigning a GUID with each and every domain and based stickies on both the exact URL and GUID values. (ugghh, not pretty, but might actually prove to work)

Again, love the service!
Yokhannan

By: wick

wick — Mon, 23 Jan 2006 21:57:46 +0000

Nice implementation. Last year I created an AJAX web app with a similar theme, & ironically you used the exact same tagline as I did.

http://www.netscraps.com

My app doesn’t do cross-site notes though .. but on the other hand it’s compatible with most popular browsers including IE, FF & Safari.

-Wick

By: Andy

Andy — Mon, 23 Jan 2006 16:21:02 +0000

It’s just a good thing I know and trust you Jacob or I might have the same concerns. As it is I know that you already know my taste in visiting and bookmarking sites about Care Bears so I don’t mind the lack of privacy. But good work on the stickies. They rock!

By: John McClane

John McClane — Sat, 21 Jan 2006 01:11:04 +0000

I have the same privacy concerns that one of the posters above has. The plugin must be querying your site for every site the user visits to see if it holds a sticky, the way I understand it. If it could instead keep the sticky list local and sync it from your server once at startup and then update it when the user adds new stickies, that would be best. An all local sticky saving option would be even better.

By: Jack Cheng

Jack Cheng — Fri, 20 Jan 2006 20:25:31 +0000

Awesome, awesome service! The wheels in my head are turning already… One thing that would be very useful is stickies in the shapes of arrows- that way you could point out a specific object on the page.

By: Daniel Einspanjer

Daniel Einspanjer — Fri, 20 Jan 2006 19:05:09 +0000

Hi, it is an interesting idea and I wish you a lot of success with it, but I decided against trying it out because I don’t like having all the websites I visit recorded by a third party. If you ever enhance the extension such that it stored the information about stickies in a local file rather than in a database on your site, I would be happy to try it out. I wouldn’t mind even signing up with an account for the purpose of being able to “publish” stickies when you implement the ability to share them.

I’d also suggest that you put a little more info on the homepage for the app. You have sign up links, but you don’t mention the requirements or how you store your data or anything. I found this page from digg.

By: Paul

Paul — Fri, 20 Jan 2006 13:55:16 +0000

Great Idea, really inspiring and creative. Hope you guys go places and really make something of this concept. Keep up the good work.

Paul