We just completed the security upgrade our team has been working on for the past several weeks. Everything is behind the scenes, so there’s not much to notice until you look under the hood, but these changes will definitely improve the security of the site. It took us a couple of tries to get it right, but it’s now in production. Thanks everyone for your patience and now you should clear your cache, reload the home page and then go change your password. It’s now a lot more secure.
First, we upgraded the protection for CSRF (Cross Site Request Forgery). Here’s what wiki says about that:
Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user’s browser.
In layman’s terms that’s where someone tries to login and the site returns a session ID. Someone else grabs that session ID and then masquerades as that person, successfully logging in to the site as them. We’ve now repaired and patched that issue. We haven’t heard of any user who was negatively affected by this issue.
The other major change is the way we use SSL for login on the site. We’ve now added one other major security feature to our SSL login. We kept the cute padlock and SSL channel, but now we have secured your password with NTRU security for this vitally important function. Here’s what your password now looks like with this NTRU encryption:
I won’t tell you my password, but you can rest assured it’s a lot shorter than the one a hacker will now see in the SSL data stream. There’s no way I could remember more than about 16 characters. This should provide pretty good security for your password.
We’ve added this level of authentication across all Unseen applications; Win, Mac, Ubuntu and Android. We’ll be adding download links from the front page and distributing the desktop clients tonight. Android is still being tested and will be available hopefully March 15. That depends on the progress for SIP signaling on the web site…once that’s finished, the Android app will ship. Vinh and I have been using the Android app and we think everyone will be very happy — it’s got all the secure text chatting and audio and video calling, which is really cool, especially if you’ve got a big battery.
Finally, we want to invite friendly hackers to test the security at our site. Please be gentle, we’re still bolting down a few things, but we do appreciate your feedback. These two security fixes just mentioned were a result of a very good discussion with one of our users, who is a security expert. Responsible people like this are helping us make Unseen a safe place to communicate.
Thanks go to “The Opera Star” for his help and one other friend of ours. We will make every effort to immediately fix any security problems pointed out by the members of our community and we’re grateful for the time you’ve spent testing things. If you find a security problem we need to address that we don’t know about, we’ll reward you with premium accounts and even some bitcoin for something that helps the site. In the future, once things get a bit more stable, we’ll be making parts of our source code available for review, too, and make parts of it available for developers. If you have any things you think need to be addressed from a security point of view, please send an email to support at unseen dot is.