You're not logged on to that page, it's a blog. There's nothing to gain by serving it over https.
Does seem a bit ironic.
>It goes without saying that all pages shown to logged-in users should be served over HTTPS
* It's all well and good to serve the login page from HTTPS, but if you want to lock your site down to HTTPS, set HTTP Strict Transport Security to lock the site to HTTPS in the browser.
* It doesn't look like you set the Secure flag on your cookies, meaning that anyone who can spoof http://TIDY.IO can capture session cookies.
* If you're serious about protecting my data, how much can you really tell me about the security of KISSMetrics, of GetClicky, or of the Google Font API server? You delegated to each of those third parties control over your DOM and thus of my data.
Taking the assertions of the page a little further:
* I'm glad you see the light on not inventing your own crypto library... but if you're encrypting data, what library did you use? Did you use a library that can't easily be misused, or did you use something like OpenSSL?
* Can your administrators theoretically decrypt data on the server? Tarsnap's administrator can't --- but then Tarsnap isn't a web application.
* How is your site administered? Can admins SSH into production boxes over the public Internet? Do you have passwords anywhere? Have you deployed 2-factor authentication? Do you have an HTTP/HTTPS admin console application somewhere? How is it accessed?
* How is email handled at TINY.IO? Does all your TINY.IO-related business go through TINY.IO mail, at someplace like Google Apps? Or do you have admin accounts for your personal email addresses? Are your email addresses password protected or 2-factored protected?
* Where would I go to report a vulnerability in TINY.IO? Has anyone ever done that? Is there some list of people you've thanked for doing so?
I wish I could say these things were just pedantic, but they've all mattered, often quite a lot, in past incidents.
The elephant in the room question on all services like this is simple and hard to answer effectively: assume that there is a critical vulnerability in your application (very very very talented developers have managed to ship remote code execution before) --- what mechanisms are in place to ensure that the worst-case vulnerability doesn't provide an attacker with access to my Dropbox data? The answer can't be "CircleCI".
To answer your other questions:
* I used PyCrypto which certainly isn't as fool proof as I'd like but seems to be the best option available to me.
* Admins can decrypt the data by the nature of how the service works, Tarsnap requires you download and run an application yourself so is for very different types of users
* We use SSH certs and no admin is accessible to web users
* We do use Google Apps for email, and we do have two-factor set up
* tidy.io hasn't been up long enough to get vulnerability reports but if we do we will handle them responsibly and definitely give the finder thanks and credit. We do need a proper statement of this on the site though, I'll sort that out!
You've exposed SSH to the Internet? Your SSH endpoints have routable IP addresses? How many of them do you have? If you've deployed this on EC2, you'd be better off moving all your admin to a VPN connection, so that any server you'd SSH into has a 10-net address.
One feature I wish services like this had is an incredibly simple way to backup a large folder to Glacier/S3 and then retrieve it just as easily. I use Dropbox for things that change on a frequent basis, and I want to use Glacier to archive everything else. Would be happy if anyone knew of such a service, but for now, I'll be using tidy.io.
