Beeminder Forum

Security, Privacy, and Data Integrity in commits.to


#1

Currently by design anyone in the world can create, edit, or delete any of my commitments but I think this is unfortunately an undesirable feature. I love the idea of certain trusted friends and colleagues being able to have full create and write access to my commitments, but ideally I’d want that strictly limited to only chosen people.

As soon as a bored troll finds the site, any or all of our commitments could be modified or removed, and we could be spammed with new ones, possibly offensive ones (think http://alice.commits.to/watch_youtube but worse…)

I’ve told my fellow Habitica moderators and some of the staff about commits.to but that’s about the limit of where I’m willing to share it for data integrity reasons. I’d love to post my commits.to links in wide spaces in Habitica and other places, but I’m certain that some of the people there cannot be trusted. I did consider doing it anyway as a test in case I’m being over-cautious but then realised that I’d be risking not just my own data, but every user’s.

Even if my fears never come true, they’re strong enough to limit my use of the site, and I suspect that they’d also limit the number of people willing to use the site at all.

When I shared my URLs in Habitica with two separate groups of people, in both cases someone said that they’re able to edit my commitments and they asked if that was intentional. It’s a feature that looks like a bug, sadly. One of them indicated that he’d be interested in using the tool when it’s out of private-ish beta and that hopefully this issue wouldn’t exist then.

There’s related information in the GitHub repo’s wiki at https://github.com/commitsto/commits.to/wiki in the “For Later: Security and Privacy” section:

Alice’s friends can troll her by making up URLs like alice.commits.to/kick_a_puppy but that’s not a huge concern. Alice, when logged in, could have to approve promises to be public. So the prankster would see a page that says Alice promises to kick a puppy but no one else would.

In the MVP we can skip the approval UI and worry about abuse like that the first time it’s a problem, which I predict will be after commits.to is a million dollar company.

I totally agree that my friends won’t troll me, but other people not so much. :slight_smile:

“could have to approve promises to be public” - That would be an improvement but still not enough I feel. It would still take up my time to remove any spam commitments and if they were offensive, the exposure to them would be unpleasant.

My counter prediction is that this issue would prevent commits.to becoming a million dollar company. :slight_smile: I am sorry to say this because I know it would be lovely to trust everyone but SOME people…!

If logins were added, the site would need to be converted to https, but I’d suggest that that could actually be done first. It might seem a bit pointless now but it would prevent Chrome from marking the site as insecure and add a touch of authenticity (certificates have value in confirming who runs a site as well as encrypting data).


#2

+1! I have also been asked once already whether being able to edit is a bug. I wonder if it’s possible to generate a read only link and an edits allowed link, kind of like Google Docs.

Even well meaning people can mess things up through not understanding that the changes really will ‘take’.
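One way the read-only versus edit-allowed links suggested above could work is a per-promise capability token: the plain URL stays readable by anyone, and only a URL carrying a server-derived HMAC for that exact user and promise is accepted for edits. This is an added illustration, not code from commits.to; the secret, the `?edit=` query parameter and the function names are all assumptions.

```python
import hmac
import hashlib
import secrets
from urllib.parse import urlsplit, parse_qs

# Hypothetical server-side secret. A real deployment would load a fixed
# value from configuration; a fresh random one per process is used here
# only so the example runs stand-alone.
SERVER_SECRET = secrets.token_bytes(32)


def edit_token(user: str, slug: str) -> str:
    """Derive an edit capability bound to one user and one promise slug."""
    message = f"{user}/{slug}".encode()
    return hmac.new(SERVER_SECRET, message, hashlib.sha256).hexdigest()


def read_link(user: str, slug: str) -> str:
    """The public, read-only URL: what gets posted in Habitica or on HN."""
    return f"https://{user}.commits.to/{slug}"


def edit_link(user: str, slug: str) -> str:
    """The edit-allowed URL, shared only with trusted collaborators."""
    return f"{read_link(user, slug)}?edit={edit_token(user, slug)}"


def can_edit(url: str) -> bool:
    """Server-side check: does this URL carry a valid edit capability?

    The token is recomputed from the user (subdomain) and slug (path) in
    the URL itself, so a token copied onto a different promise, or a
    token that was guessed or truncated, is rejected. compare_digest
    avoids leaking how many leading characters matched.
    """
    parts = urlsplit(url)
    user = (parts.hostname or "").split(".")[0]
    slug = parts.path.strip("/")
    token = parse_qs(parts.query).get("edit", [""])[0]
    if not user or not slug or not token:
        return False
    expected = edit_token(user, slug)
    return hmac.compare_digest(token.encode(), expected.encode())
```

Because the token is bound to the slug, an edit link for watch_youtube does not let its holder rewrite or delete any other promise, and the plain read link grants nothing.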


#3

There’s a huge irony here because at this stage it is, in practice, totally fine to have it wide open like this. I’ve even pointed people to commits.to URLs in places like popular Hacker News threads. (Which did in fact result in a random person deleting one of my commitments, presumably just because they were curious if it would let them. Zero instances of offensive/trollish edits.) Anyway, the irony is an only-thing-we-have-to-fear-is-fear-itself kind of thing, where we need to secure it because people are too weirded out that it isn’t.

Also I should mention that we log every change so in the (currently rare) case of vandalism we can undo it. I’m actually manually reviewing every promise creation and edit and deletion right now.

Which is not to disagree with any of your points, other than to say don’t hold back! We’ll scale things up as demand necessitates!