Closed JensRantil closed 8 years ago
I have sent a support e-mail to MixPanel to verify this, but I'm pretty sure this is the case.
I'll make sure to post the MixPanel support response here as soon as it arrives.
Looks like the iOS SDK is only using https://api.mixpanel.com
(while the Android supports some kind of fallback to non-TLS). I therefor conclude that TLS can be used interchangably for the API.
I'll make sure to post the MixPanel support response here as soon as it arrives.
Got a response:
Hi Jens,
Maddy here, from Mixpanel Support.
We officially support both HTTP and HTTPS requests to the api.mixpanel.com endpoint. As a note, while we support TLS, we recently disabled SSLv3 to protect against POODLE attacks. I would be happy to further chat about this change if you are interested.
I apologize that this is not made more explicit in our HTTP spec. I have already gone ahead and synced with our knowledge share/docs team to improve documentation here. Thank you for the valuable feedback!
Please do let me know if there is anything else that I can help you with.
Best,
Maddy
In other words, I see no reason to not merge this pull request.
@yinfeiru mind taking a look at the PRs @JensRantil has been so kind to provide? there are a few around connection type, timeout, etc. -- thanks in advance!
Hey, how is it going with review of this? This a rather apparent security related issue. If you took privacy seriously, you should have merged and published a new Maven artifact within at least a week of submitting this. This has been laying dormant for the past 2 months. Shame on you.
paging @jbwyme
Two months have now gone by..... :clap: :clap: :clap: :laughing:
Thanks @JensRantil !
Thanks for merging! Next time, I think you should respond faster to security related pull requests like this. It's a bit embarrassing for you that it's taken this long...
Based [1] it looks like TLS can be used interchangably against unencrypted connections. I have sent a support e-mail to MixPanel to verify this, but I'm pretty sure this is the case.
This commit fixes #18.
[1] https://mixpanel.com/help/reference/http