by borski 3481 days ago
Don't know if we count as big yet, but we're doing very very well: https://www.tinfoilsecurity.com
4 comments

I really don't like the onboarding process so far.

- Typed in a URL to get a free scan

- Needed to create an account

- Needed to confirm my email

- Needed to verify my site ownership

- Got a mail that my site is "borderline insecure". When I click on the link, I'm redirected to the "create an account view"

- Created a new account that opened in a half cropped Iframe displaying some error message I can't read.

This is where I finally gave up.

It says that "Your website is BORDERLINE UNSAFE" after a while even if you leave the account form blank and just keep the page opened in a background tab.

Better yet, it probably does that for any URL – see c8g's comment about Google, I've tried HN and a few of my own sites, all with the same results. Even tried to give it its own address, but it "is not permitted".

So I thought that maybe it just displays that message after some timeout without doing any actual checks, a bit like these sketchy fake antivirus sites. But nope – when I point it to a subdomain with access_log enabled, I see it actually makes a bunch of requests. So maybe they just have such high standards that the entire web is "borderline unsafe" from their point of view.

The scan we run from the homepage is a rudimentary scan that only scans for client-side vulnerabilities, since we can't scan for server-side issues until you've verified ownership. As a result, we can't give you a clean bill of health until you've run a full scan, which is why you see that. If you verify ownership, you'll see any issues we found and be able to run a full scan which can give you a clean bill of health if it doesn't find anything.
I'm not using your app but I assume it's not as clear as your comment based on upthread posts. You might want to modify the app to show both client and server side results with server saying "unknown: must verify ownership first." That would eliminate the confusion.
This is good feedback. Thanks.
It's a company entirely focused on web security.

Even with no conflicts of interest at all, it's obvious that they would have higher security standards than anybody else out there.

Sorry about the bad experience! It's definitely not typical or what we want.

You shouldn't have had to make a second account - that's the odd part. You do have to confirm your email, and we can't show you results until you've verified ownership, for legal reasons.

If you shoot me an email, I can definitely take a look at what happened with the account creation issues and fix it for you.

Just tried it on https://beetle.email and got spammed with new signup notifications.

You might want to put a warning on there saying that it will submit any forms it can find a LOT.

Also, on the waiting screen, while it's running tests, I filled in the form and it's had an iframe drama.

https://www.dropbox.com/s/7rofi17cjormgav/Screenshot%202016-...

Thanks for the feedback. We will try to make that clearer - it does look for vulnerabilities anywhere it can.

And thanks for the info on the iFrame - I'll look into that as well.

Haven't checked how you're doing responsive layout but it's not working on FF mobile on my device, just FYI.
I've literally never tried FF on mobile, and never known anyone to use it, heh.

I'll definitely test that.

What is the meaning of "Your website is BORDERLINE UNSAFE"? I used http://www.gogle.com [http://google.com is not allowed.]
See above.

Also, please don't scan sites that aren't your own - you won't be able to see results anyway.

Why bother scanning before ownership is verified then?
So that you can get the process started, since scanning can take a significant amount of time, potentially.
I think it's along the same lines of "Your browser is LEAKING your IP ADDRESS!!!1".