What do we do?
At Meebo, we take security very seriously. We encrypt your login password in JavaScript with the server's 1024-bit RSA public key and decrypt it server-side with the matching private key using OpenSSL.
Some of you may ask, why don't we encrypt everything? Why only passwords? With AJAX, the browser's same-origin policy means a page can only make requests back to the same host and protocol it was loaded from: if the page came over https, every request has to go to https, and the same goes for http. For most sites SSL is noticeably slower (every connection pays for a handshake and the CPU cost of encrypting all traffic) and a lot harder to scale, which means the Meebo experience wouldn't be very useful, or fun. So, to stay true to the AJAX model of fast and lightweight webware while still protecting the most sensitive thing you send us, we've chosen to encrypt just the password.
How does it work?
The public key of our server is embedded in the JavaScript that gets loaded by your Web browser. When you type in your login credentials and hit the "Submit" button, the password is encrypted in the JavaScript with that public key and sent across the wire. Upon reaching the server, the CGI scripts use the corresponding private key, which is stored only on the server, to decrypt the password using OpenSSL. This way, your password is never sent across in the clear. Two things to keep in mind: it is only the password that is protected, since the rest of the session still travels over plain http, and the scheme relies on your browser receiving our genuine public key, so it guards against someone reading the traffic rather than someone who can rewrite the page or its JavaScript on the way to you. For those of you who'd like to see this in action, check out your network traffic while using Meebo. We recommend HTTP Analyzer as a good starting place.
How did we do this? Thanks to ohdave and blackinkbottle for providing great resources and documentation.
Additional security
For those of you who are willing to make a few speed sacrifices for traditional website security, we've installed our Verisign digital certificate on https://www.meebo.com, which encrypts all of your traffic at the transport layer, not just the password. Using SSL is going to be a lot harder on our servers, and may make Meebo less responsive. We also can't guarantee that we're going to be able to scale this long-term, so for now, please use sparingly.
For every security feature we add, I'll be sure to update this page, and explain how and why we made those decisions. Any and all suggestions are welcome in our forum, and as usual, we love hearing what you think!
Copyright © 2005-2008 Meebo, Inc. All rights reserved.