
As we’ve mentioned in our privacy principles, we are committed to security, and to that end we now encrypt your login password in JavaScript using a 1024-bit RSA key and decrypt it server-side using OpenSSL.

Some of you may ask, why don’t we encrypt everything? Why only do passwords? Well, with AJAX, the browser only lets us make requests to the same server and protocol as the originating webpage — so, if the page was requested over https, the server has to be https, and the same goes for http. For most people, SSL is noticeably slower and a lot harder to scale, which means that the meebo experience wouldn’t be very useful, or fun. So, to stay true to the AJAX model of fast and lightweight webware and still address security concerns, we’ve chosen the password encryption route.

How does it work? The public key of our server is embedded in the JavaScript that gets loaded by your web browser. When you type in your login credentials and hit the “Submit” button, the password is encrypted in JavaScript with that public key and sent across the wire. Upon reaching the server, the CGI scripts use the corresponding private key, stored only on the server, to decrypt the password using OpenSSL. This way, your password is never sent across in the clear. For those of you who’d like to see this in action, check out your network traffic while using meebo. I recommend HTTP Analyzer as a good starting place.

How did we do this? Thanks to ohdave and blackinkbottle for providing great resources and documentation.

For those of you who are willing to make a few speed sacrifices for traditional website security, we’ve installed our Verisign digital certificate on https://www.meebo.com, which will encrypt your traffic at the socket level. Using SSL is going to be a lot harder on our servers, and may make meebo less responsive. We also can’t guarantee that we’re going to be able to scale this long-term, so for now, please use sparingly.

For every security feature we add, I’ll be sure to update this page, and explain how and why we made those decisions. Any and all suggestions are welcome in our forum, and as usual, we love hearing what you think!

sandy

11 Responses to “security”

  1. Emin Says:

    Hi!

    Do you share the javascript RSA encoder and (I think) php decoder sources?

  2. vpn security Says:

    Good writing. Do you have an RSS feed where I can subscribe? I tried using bloglines but couldn’t.

  3. digital electronic scales Says:

    Very true. You always seem to get your facts right.

    Avax

  4. Cylindrical magnetic proximity sensors Says:

    Hi and congratulations, I so like your blog. In fact, my wife and I are running a new project about cylindrical magnetic proximity sensors and I found your site while searching for information in this field. Your writing skills are good and we think that you would be perfect to work with us. If you are interested, you can contact us by email. Keep up your work, it’s excellent!

  5. intrusion detection software Says:

    Great blog. Found your blog while searching for more information at yahoo about intrusion detection software . Your blog has quite a lot of interesting thoughts. Keep up the good work!!

  6. thj Says:

    it seems that emoticons are not working over https, the image source is being generated as:

    https://www33.meebo.com/skin/default/img/https://www33.meebo.com//skin/default/img/emoticons/pirate.gif

    instead of:

    https://www33.meebo.com/skin/default/img/emoticons/pirate.gif

  7. free traffic Says:

    Unique Traffic generator takes online Advertising to a new Level! Put your ad right to the screens of millions in 15 minutes! Your Sites would receive Quality Traffics in minutes
    Unique Traffic generator automatically diverts 1000s of fresh new visitors in Quality Traffic daily to your web site from google, yahoo, msn and others!
    Go here now : http://www.dejibiz.net/traffic

  8. web site traffic Says:

    Unique Traffic system takes online Advertising to a new Level! Put your ad right to the screens of millions in 15 minutes! Your Sites would receive Quality Traffics in minutes. It automatically diverts 1000s of fresh new visitors in Quality Traffic daily to your web site from google, yahoo, msn and others
    Go here now:http://www.dejibiz.net/traffic

  9. website traffic|free traffic Says:

    Hello
    This is great system of driving free targeted traffic from the search engine to my site.
    You can duplicate my way of driving free web traffic to your site.
    Go here now: http://websitetraffic-freetraffic-webtraffic.blogspot.com

  10. Sachin Lature Says:

    Hi
    How secure is my password in the firewall?
    Our office uses a firewall, so is it possible for our senior to catch my password?

    Regards,
    Sachin

  11. cafee Says:

    Hi Sachin,

    Your seniors will not be able to read your passwords, as your passwords are being encrypted starting from your browser using the public key. That’s the whole point of having the encryption done in JavaScript. Rest assured that just having a firewall in between would not make a difference as long as you can reach meebo.com.
