While this is mostly a maintenance release, I couldn’t keep myself from address a couple of feature requests from you guys. I’ll highlight the major changes below and you can find the entire release notes here.
Security
Sometimes we just have to talk about security. This is one of those times. WhatPulse takes security and privacy pretty seriously, ranging from backend security controls and monitoring to giving you complete control on whats counted and what’s public. In our 15th years (!!!) of existence, we haven’t had any issues.
This update addresses 2 security concerns that we discovered in the last couple of months.
1 — Passwords One is about your password. We don’t save your password, we save a hash of that password so we can compare hashes when you’re trying to login. We had a lot of portability concerns, because that hashing had to be the same on the website and the clients (Windows, MacOS & Linux). That meant the hashing method was held back by the lowest denominator and therefor wasn’t as accurate as we’d hoped. The result was that it only looked to the first 9 characters of the password. If you have a 10 character password, you’d be able to change the 10th character and still get in. Not that earth shattering, but still not what you’d expect.
So, we centralised the hashing and started using the securest modern hashing method we could find.
TL;DR: logins now looks to more then the first 9 characters of your password. Thanks to Caboose700 for the initial report.
2 — Client to website communication The second item on the agenda is the client to website communication. Meaning stats pulses, logins, account refreshes, stuff like that. This communication goes over HTTPS, so it is by default encrypted over the internet.
An awesome user (who rocks, but wishes to stay anonymous — you know who you are!) reported a way to see into the requests from the client to the website, depending you were in the same network as the clients computer and do some hacking magic. Basically they would be able to see what stats you were pulsing. While this is a corner case and pretty unlikely to happen, but as I said — we need to take security seriously.
This update makes sure someone else can’t look into your pulses (unless you make them public on the website) and enables end-to-end encryption.
TL;DR: The client talks more securely to the website.
Phew, security stuff out of the way. Here’s some more fun stuff.
Easier & Quicker Startup
There have been a couple of changes which make the client startup faster. But it’s also become easier. Why? For one, the client now saves your local settings to the website, so whenever you reinstall the client (or your entire computer) — the client will now ask you if you want to download your old settings. No more manual work. Also, if you’re installing on a brand new computer, the client will present a setup wizard (not Merlin) so that you can quickly set your preferred settings.
Setup wizard. Click headings to show more quick settings.
Other Mentionable’s
People with high resolutions on should be happy about this one: the text and images in the client don’t look HUMONGOUS anymore.
Also, sometimes in 2.8.1, the keyboard heat map wasn’t loading. We called its mother and it has promised to load each time now.
I’ll close with this other cool addition, which has had me kick myself on not doing this sooner. All the date picker widgets now have a “custom” option on it, where you can select a custom date range for the period you want to see.
I’ll leave it at that for this post, but if you’d like to see all changes — check out the release notes.
As always, you can use the “Check for Updates” button in your settings page to update your current client, or download the installer and update that way.