Wednesday, February 8, 2012

On trust & security

A keen observer noticed on the new WikiPack homepage that amongst the example usages were tracking fitness records and financial details like tax calculations etc. They also noticed that WikiPack does not (as of Feb 2012) currently use SSL encryption, so if you edit a page containing sensitive medical or financial data, it will currently be transmitted from your browser to the WikiPack servers in the clear.

Security vulnerability

What does that mean? Should someone with malicious intentions, and the appropriate technical expertise, wish to access your personal data, they could theoretically intercept it en route.

SSL encryption

While WikiPack is in open beta, I have not yet purchased or deployed an SSL certificate, but will do so before going live. This will encrypt your data as it is transmitted between your browser and the WikiPack servers.

So, what’s stored on our servers?

You may have read recently of the debacle ensuing from the discovery that Path were uploading their users’ Address Book contents to their servers without their consent. They apologised and claim to have deleted the data, but some still feel it was disingenuous.

So I’d like to be forthright in explaining exactly what gets stored on WikiPack servers:

  • Your email address (used to activate your account)
    • Subscription to the mailing list is opt-in
    • I did take the liberty of adding some early adopters to the mailing list with clear instructions on how to opt out, which so far only two people have followed; otherwise you will not receive unsolicited email from WikiPack
  • Your user name
  • No passwords are recorded in plaintext
    • They are encrypted and cannot be recovered if forgotten
  • No Dropbox user details are stored on WikiPack
    • When you authorised your account with WikiPack, Dropbox provided a unique session ID which is recorded in the database
    • This session ID is only used by WikiPack to access the contents of the folder you selected when setting up your account
  • Page data:
    • The system keeps a local cache, in the database, of the complete contents of each page in your wiki
    • This database is protected by a secure Linux server
    • When you view a page on WikiPack, it is loaded instantly from the database, rather than fetching it remotely from Dropbox. This makes it fast, and responsive.
    • When you edit a page on WikiPack, it updates the database, and a background process picks it up later (a second or two) and uploads it securely in the background to Dropbox. Again, this ensures a fast, pleasant user experience.
    • WikiPack scans your pages for wiki links, and builds a tree in the database of how they are linked together. It uses this tree for presenting navigation links in the user interface only.
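The list above states that passwords are never recorded in plaintext and cannot be recovered if forgotten. The following is an added illustration, not WikiPack's own code, of one standard way to get that property: storing only a salted, one-way derivation (PBKDF2 from the Python standard library) so that the stored record can be checked against a login attempt but never turned back into the password. The record format and iteration count are constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters for this illustration; a real deployment tunes them.
ITERATIONS = 200_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def make_password_record(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    Only the salted one-way derivation is kept; the password itself is not,
    so the record cannot be reversed if the user forgets their password.
    A fresh random salt per user means identical passwords yield different records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{SCHEME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Re-run the derivation with the stored salt and compare in constant time."""
    try:
        scheme, iters, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iters)
    except ValueError:
        return False  # malformed record: never treat as a match
    if scheme != SCHEME:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations)
    # compare_digest avoids leaking where the mismatch occurs via timing
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # Constructed sample: the stored record contains no trace of the password.
    record = make_password_record("correct horse battery")
    print(record)
    print(verify_password(record, "correct horse battery"))   # True
    print(verify_password(record, "Correct horse battery"))   # False
```

Because the salt is random, two users with the same password produce different records, which is what stops a leaked database from being checked against a single precomputed table.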

To summarise, WikiPack keeps a copy of your wiki pages in a secure database which acts as a local cache for read & write operations to your Dropbox files. This makes the system fast, and responsive. Attempting to load the data remotely from Dropbox each time you view a page would be slow, and impractical.

Your page data within the database is unencrypted, which means that if the database was compromised, your data would be accessible. I do not believe that will ever happen, but a relationship of trust should be built on facts, and that’s the reality of the situation.

A matter of trust

So my advice to you, when considering whether or not to trust your data to WikiPack, is this: do not put any sensitive information in your wiki that you wouldn’t trust to other online services like Google Docs or Gmail.

As a general rule of thumb, if you’d trust your information to a Google Docs document, you’d probably be happy to put it on a WikiPack page.

I personally have my accounting info and my health & fitness records in my wiki, because I built it and I trust it completely. But I understand that you don’t know me, and might not trust me at all. That’s why it’s important that I give you as much information as I can so that you can at least make an informed decision.

In closing, I’ll be putting up a privacy policy page soon, and I believe that your data is at least as safe on WikiPack as it is on most other cloud services, much safer in fact than some. Take that as you will.

Regards,
Mark Beattie
Developer & Founder of WikiPack
