Keith Bohanna is as far from a rant blogger as you'll find, so when he lashes out at a company for ignoring a security flaw in one of their products for a year, particularly when that product is the blogging platform you use yourself, you sit up and take notice -
"In May 2007 I noticed that despite the password protection on my personal blog the photographs that were contained within it were not protected - for some reason they must have been held in a separate and unsecured folder within the Typepad system."
I've been using a private Typepad blog as a family album too and never realized this. So I too am deeply dissatisfied that, a year after Keith submitted his bug ticket, "a change to correct this security issue has not been included in the significant changes to the Typepad platform which are currently being rolled out." Not good enough, Six Apart, not good enough.
I responded in more depth on Keith's site, in his comments (see: http://bohanna.typepad.com/pureplay/2008/07/typepad-securit.html?cid=121440520#comment-121440520 ) but there are a few issues worth noting here:
* Keith (and you) can have *exactly* the security over his photos that he desires with TypePad right now. Uploading the photos directly to the password protected blog and then including them in a post will restrict their access to only people who have the correct password.
* The only way a user can access photos on his private blog without the password is if they have access to the exact web address (URL) at which those photos appear. This is true of other sites which store photos similarly, such as Flickr and Smugmug, and is exceedingly unlikely to be guessable by a random stranger.
* There is NO SECURITY FLAW with regard to account information, billing data, private information such as passwords, or other sensitive data. The photo upload feature, admittedly, does not work as Keith would prefer (and we're open to fixing it to meet his expectations), but it does not present a security flaw as most people understand the term.
Most importantly, we hear that this issue matters to you and to Keith, and the fundamental platform changes we're making to TypePad will make it easier in the future to consider the kinds of improvements you're suggesting. I personally apologize that the current default settings aren't what you'd prefer, and I hope you'll be satisfied with the fact that there's a way to get the behavior you prefer until such time as we're able to make it more automatic.
Please don't hesitate to get in touch if there's more we can do to meet your expectations.
Posted by: Anil | July 08, 2008 at 12:04 AM
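A defender-side check for the situation described in the post and in Anil's reply above: photos embedded in a password-protected page that are actually served from a separate location which does not share that protection. This is an added example, not code from the post or from TypePad; the host names, paths and the stand-in fetcher are constructed so it runs offline, while `status_without_credentials` is the real fetcher you would swap in.

```python
import re
from urllib.error import HTTPError
from urllib.parse import urljoin, urlparse
from urllib.request import Request, urlopen

# Matches the src attribute of <img> tags; fine for a blog page, not a full HTML parser.
IMG_SRC = re.compile(r'<img[^>]+src=["\']([^"\']+)["\']', re.IGNORECASE)


def extract_image_urls(page_url, html):
    """Return the absolute URL of every image the page embeds."""
    return [urljoin(page_url, src) for src in IMG_SRC.findall(html)]


def status_without_credentials(url):
    """Fetch the URL anonymously (no cookies, no auth header) and return the HTTP status."""
    req = Request(url, headers={"User-Agent": "asset-exposure-check"})
    try:
        with urlopen(req, timeout=10) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def find_exposed_assets(page_url, html, fetch_status=status_without_credentials):
    """Map each embedded image URL to 'exposed' (anonymous 2xx) or 'protected'.
    fetch_status is injectable so the check can run offline against a fake."""
    return {
        url: "exposed" if 200 <= fetch_status(url) < 300 else "protected"
        for url in extract_image_urls(page_url, html)
    }


# Constructed sample: a protected post whose photos live on a separate, open host.
SAMPLE_PAGE_URL = "https://example-blog.invalid/private/album.html"  # hypothetical
SAMPLE_HTML = """
<p>Holiday photos</p>
<img src="/private/uploads/dog.jpg">
<img src="https://static.example-cdn.invalid/photos/6a9f2b.jpg">
"""


def fake_status(url):
    """Stand-in fetcher: only paths under /private/ on the blog host demand a login."""
    parsed = urlparse(url)
    if parsed.hostname == "example-blog.invalid" and parsed.path.startswith("/private/"):
        return 401
    return 200


def run_sample():
    """Run the check against the constructed page; returns {url: verdict}."""
    return find_exposed_assets(SAMPLE_PAGE_URL, SAMPLE_HTML, fetch_status=fake_status)
```

Any URL reported as "exposed" is reachable by anyone holding the link, which is exactly the condition the post complains about; the hard-to-guess filename reduces the odds of discovery but is not access control.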