Round

Question about Security Review Report

Hi,

We have just received the security review result from you. Our app (Comm100 Live Chat) doesn't pass because of an authorization vulnerability: communications can be made on chatserver5.comm100.com without encryption. I think there might be some misunderstanding here. chatserver5.comm100.com is for visitor-side chatting, which shares no login session with the control panel (hosted.comm100.com) where the Salesforce integration is configured. It will in no way make the API session Id vulnerable, let alone the Salesforce data.

We are more than willing to do everything as required. But this case is truly special, as it will affect our users to a large degree. Visitor-side SSL encryption was once configurable in our system. Many users are using our chat software on their websites without encryption. If we make encryption required now, it means these users will have to reinstall the code to continue using our chat software, which will bring great inconvenience to their business.

Please kindly help check it out and let us know if there is a workaround.

PS: I have logged a case and got a response indicating to me that developer support was currently available only to premier customers and partners. I was directed to the developer discussion boards.

Thank you very much. Look forward to hearing from you soon.

Celina
aalbert
You can sign up to discuss this with the Security Review team through office hours: http://security.force.com/security/contact/ohours