← Back to context

Comment by aaln

7 days ago

I am not dismissing the concern, I was stating the tool solves an even larger concern. I'm doing everything I can to setup it up to be secure, private, and worthy of trust and addressing the feedback points.

If you have suggestions more than "don't trust this random internet tool even if it gives you free advice, regardless of the value it offers", please let me know [thanks emoji]

With all due respect, that is the fundamental problem here. Your tool may provide value to your users but uploading mortgage documents to random third parties is de facto dangerous and encouraging users to act irresponsibly.

A great analogy would be a website that asks users to provide their usernames and passwords for sites to see if it’s a strong password or if it’s been compromised. “Sorry, the credentials stouset / hunter2 were found in our database for Hacker News.”

Sure maybe you’re a saint and don’t store or misuse this data. But such a site would in the best case be training users to do a very wrong and dangerous thing. In the worst case you get breached by attackers who do use the collected data to do evil.

  • > A great analogy would be a website that asks users to provide their usernames and passwords for sites to see if it’s a strong password or if it’s been compromised. “Sorry, the credentials stouset / hunter2 were found in our database for Hacker News.”

    This is actually a really good analogy because it does illustrate that it's not a completely crazy ask—people do trust Troy Hunt to run such a site. But OP should be much more understanding of how dangerous the concept is and offer options to resolve concerns (Troy allows downloading the passwords list to check locally), especially while they're not Troy Hunt-level famous and still are trying to build up trust.

    • Troy's site isn't actually handling the user's real password to check, its doing a lookup of hashes to see if a similar hash is there. The password and final hash checks never leave the client side. Still a lot of trust involved in a site like that, and yeah he encourages you use the API to do the comparisons yourself.

      This is actually uploading all the information to the backend and storing it in a database. Like a page that is asking for a service URL, a username, a password, a TOTP secret, sending it all to the server, and having the server check if the credentials have been pwned and saving it all.

On a per individual basis, I think most individuals would prefer to overpay mortgage fees slightly rather than lose the entirety of the money they wire.