GoPrism Security

Posted on
Tue Sep 24, 2013 10:20 am
Dewster35 offline
Posts: 1030
Joined: Jul 06, 2010
Location: Petoskey, MI

GoPrism Security

I realize that GoPrism can use up to 256 Bit encryption, but can someone explain how secure this is in layman's terms as best as possible? Same software banks use? Government? Etc. Something to set a client's mind at ease.

Posted on
Tue Sep 24, 2013 1:02 pm
RogueProeliator offline
Posts: 2501
Joined: Nov 13, 2012
Location: Baton Rouge, LA

Re: GoPrism Security

I think that you are on track with attempting to put security in layman's terms — because in general the size of an encryption key is more marketing speak than anything; to the average user it is simply a number such that bigger-is-better in their mind whereas to a more knowledgeable IT person it actually means very little without knowing what algorithm is being employed to do the encryption.

But to stay in layman's & marketing terms for your clients, the SSL/TLS certificates issued today by the major CAs usually support keys up to 256-bit in length; meaning that the connection is using the same security as most other e-commerce and banking sites.

Obviously it is a LOT more complicated than this and I can go into more detail if interested, but in general you should be safe saying that they are getting the same level of security as their bank provides.

Adam

Posted on
Tue Sep 24, 2013 2:04 pm
Dewster35 offline
Posts: 1030
Joined: Jul 06, 2010
Location: Petoskey, MI

Re: GoPrism Security

Adam - This is what I was looking for. At some point I'd like to get more versed in all of the technical details so I can speak intelligently about it when asked, but I think something as simple as "This is the same method as online banks use" should suffice. Jay and Matt... feel free to chime in if that sounds like some sort of slippery slope statement.

Posted on
Tue Sep 24, 2013 2:27 pm
RogueProeliator offline
Posts: 2501
Joined: Nov 13, 2012
Location: Baton Rouge, LA

Re: GoPrism Security

One thing to be careful about... talking here only about the available protection of the stream of data between the client and the server - there are a LOT more factors that go into the security of a site than just this one little piece. So this is not saying that overall it is just as safe as using a bank or Amazon.

Therefore, you probably don't want to make overly broad statements such as "this is as safe as using your bank's site" which would not necessarily be the case and might get you into trouble. However, saying that the "data going over the internet is encrypted in the same manner that is used when you use your bank or Amazon" would be pretty safe.

Posted on
Tue Sep 24, 2013 2:32 pm
RogueProeliator offline
Posts: 2501
Joined: Nov 13, 2012
Location: Baton Rouge, LA

Re: GoPrism Security

One other thought, you might be able to avoid any concrete statement at all by simply showing them an example of the service... All modern browsers identify when the site that you are on is secured by SSL/TLS -- and a surprising number of people have been groomed to look for that on, especially, e-commerce sites. You might be able to point that out and simply state that it is a secured connection similar to using a bank or Amazon.

Posted on
Wed Sep 25, 2013 8:28 am
matt (support) offline
Site Admin
Posts: 21416
Joined: Jan 27, 2003
Location: Texas

Re: GoPrism Security

RogueProeliator wrote:
You might be able to point that out and simply state that it is a secured connection similar to using a bank or Amazon.


That is what I would recommend as well. The most important thing is to remember to set a good/strong password.


Posted on
Wed Sep 25, 2013 9:11 am
Dewster35 offline
Posts: 1030
Joined: Jul 06, 2010
Location: Petoskey, MI

Re: GoPrism Security

matt (support) wrote:
That is what I would recommend as well. The most important thing is to remember to set a good/strong password.


Yep... I went with something pretty bland. So, does GoPrism encrypt the data or does Indigo? Can I make the same statement if I use a direct connection and forgo the reflector?

Posted on
Wed Sep 25, 2013 9:44 am
matt (support) offline
Site Admin
Posts: 21416
Joined: Jan 27, 2003
Location: Texas

Re: GoPrism Security

The reflector encrypts the traffic from the Mac to the hosted GoPrism.com server, then it is the browser's (and/or Indigo Touch's) HTTPS connection that encrypts the data to the hosted server (net result is all traffic is encrypted).

If you directly connect, then the traffic is not encrypted. We have a feature request list to add native HTTPS support to Indigo. Note that the authentication process does NOT send the password in the clear though. So although someone could potentially snoop in on the traffic of a direct connection they wouldn't be able to sniff/capture the password.
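
How a challenge-response login can keep the password off the wire on an unencrypted direct connection, as the post above describes. This is an added example, not part of the original thread and not Indigo's code; the thread does not say which scheme Indigo uses, so the simplified digest-style scheme, the names and the sample values below are assumptions.

```python
import hashlib
import hmac
import secrets


def _h(*parts: str) -> str:
    """SHA-256 over colon-joined fields (simplified digest-style hashing)."""
    return hashlib.sha256(":".join(parts).encode()).hexdigest()


def client_response(user, password, realm, nonce, method, uri):
    """What the client sends: a hash bound to the server's nonce and the request."""
    ha1 = _h(user, realm, password)      # derived from the password, never sent
    return _h(ha1, nonce, _h(method, uri))


class Server:
    """Hypothetical server: stores a password-derived hash, issues one-time nonces."""

    def __init__(self, realm, users):
        self.realm = realm
        self._ha1 = {u: _h(u, realm, p) for u, p in users.items()}
        self._nonces = set()

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self._nonces.add(nonce)
        return nonce

    def verify(self, user, nonce, method, uri, response) -> bool:
        if nonce not in self._nonces:    # unknown or already-used nonce
            return False
        self._nonces.discard(nonce)      # single use: a captured response cannot be replayed
        ha1 = self._ha1.get(user)
        if ha1 is None:
            return False
        expected = _h(ha1, nonce, _h(method, uri))
        return hmac.compare_digest(expected, response)


def demo():
    password = "correct horse battery staple"   # constructed sample value
    server = Server("home", {"installer": password})
    nonce = server.challenge()
    resp = client_response("installer", password, "home", nonce, "GET", "/devices")
    # Everything an observer of the unencrypted connection would see:
    wire = f"GET /devices user=installer nonce={nonce} response={resp}"
    first = server.verify("installer", nonce, "GET", "/devices", resp)
    replay = server.verify("installer", nonce, "GET", "/devices", resp)
    return password, wire, first, replay


if __name__ == "__main__":
    print(demo()[1:])
```

The request line and any data returned are still readable on a direct connection; only the password itself is kept out of the captured traffic.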
