Closed My1 closed 3 years ago
Very good point! I've added it here as the first step: https://shiftcrypto.support/help/en-us/3/2
Thanks for raising the issue :)
Was there really the need for a new domain tho? I mean, generally I would think everything that isn't on official-domain.tld of whoever makes stuff is fake and close it without looking further.
Related: https://twitter.com/FlxMgdnz/status/1352330757600141314
We use different domains to separate services. .ch, .shop, .support
Our support desk is running on .support, therefore the knowledge base (part of the support desk) is at .support/help/
While this might make sense, I think subdomains are better since it's clear that they are official. The fact that I get, for example, Facebook emails from noreply@facebookmail.com is very vexing, and having a guide that also includes handling your seed on SD and links to a tool not being on a clearly official domain is a bit fun to be honest.
Like, if someone told me to go to google.support for help with my Google account, I am discarding that stuff immediately. I think this is a clear antipattern as it heavily muddies the waters regarding seeing what domains are actually official.
@x1ddos WDYT? Should we move the help desk to support.shiftcrypto.ch? There is a setting to use a custom URL but not sure if subdomains work.
> @x1ddos WDYT? Should we move the help desk to support.shiftcrypto.ch?
No, we shouldn't. It is done to avoid potential issues in web apps and browsers such as XSS and possibly prevent one compromised web app like shop or helpdesk from aiding in compromising the others.
@My1 you can tell whether a domain is official because it's linked from the homepage on shiftcrypto.ch. What's the deal with "official" vs "unofficial"? Who said what's official? :)
> to avoid potential issues in web apps and browsers such as XSS
to clarify: using subdomains makes it inherently harder. I wouldn't want the shop to leak data if helpdesk app got owned somehow, and vice versa and same for all the other services we're running.
We already run a referral program on affiliates.shiftcrypto.ch. Now, imagine it had a security issue which made it possible to jump to support.shiftcrypto.ch and leak all data. Would you want that? Using separate TLDs makes it much harder.
A good starting point to read about this is the Public Suffix List: https://en.wikipedia.org/wiki/Public_Suffix_List
Just wanted to note here we've published the list of domain names and other info here: https://shiftcrypto.support/help/en-us/25-contact/139-other-topics
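Added example (not part of the thread and not Shift Crypto's code): how a browser's notion of a "site", derived from the Public Suffix List, puts affiliates.shiftcrypto.ch and support.shiftcrypto.ch in one site and lets them share parent-domain cookies, while shiftcrypto.support stands apart. The suffix set is a constructed subset of the real list, and all function names are hypothetical.

```javascript
// Constructed subset of the Public Suffix List; a real check loads the full
// list from publicsuffix.org. Wildcard and exception rules are not handled.
const PUBLIC_SUFFIXES = new Set(["ch", "support", "shop", "com", "co.uk"]);

const normalize = (host) => host.toLowerCase().replace(/^\.|\.$/g, "");

// Longest listed suffix of the host; unlisted TLDs fall back to the last label.
function publicSuffix(host) {
  const labels = normalize(host).split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(candidate)) return candidate;
  }
  return labels[labels.length - 1];
}

// Registrable domain (eTLD+1): the public suffix plus one label to its left.
function registrableDomain(host) {
  const h = normalize(host);
  const suffix = publicSuffix(h);
  if (h === suffix) return null; // the host is itself a public suffix
  const left = h.slice(0, -(suffix.length + 1)).split(".");
  return left[left.length - 1] + "." + suffix;
}

// Two hosts are "same-site" when they share a registrable domain.
function sameSite(a, b) {
  const site = registrableDomain(a);
  return site !== null && site === registrableDomain(b);
}

// RFC 6265 domain-match: identical, or host ends with "." + domain.
const domainMatch = (host, domain) =>
  normalize(host) === normalize(domain) ||
  normalize(host).endsWith("." + normalize(domain));

// Can a cookie set by `setter` with Domain=`domainAttr` be sent to `receiver`?
// Browsers refuse a Domain the setter does not match, or one that is a public
// suffix (the host-only special case for an exact match is left out here).
function cookieReaches(setter, domainAttr, receiver) {
  const d = normalize(domainAttr);
  if (publicSuffix(d) === d) return false;
  return domainMatch(setter, d) && domainMatch(receiver, d);
}

console.log(sameSite("affiliates.shiftcrypto.ch", "support.shiftcrypto.ch"));
console.log(sameSite("shiftcrypto.support", "shiftcrypto.ch"));
```

The first call reports the two subdomains as one site; the second reports the .support and .ch hosts as different sites, which is the separation the reply above relies on.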
The setup section currently shows as if the device already has firmware, which is pretty for devices that have been used but reset, but for out-of-box devices of this type, anything that deviates from the guides can induce doubt in whether the device might have been tampered with, so the process of installing the firmware should be documented there as well.