Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I really don't like the onboarding process so far.

- Typed in a URL to get a free scan

- Needed to create an account

- Needed to confirm my email

- Needed to verify my site ownership

- Got a mail that my site is "borderline insecure". When I click on the link, I'm redirected to the "create an account view"

- Created a new account that opened in a half cropped Iframe displaying some error message I can't read.

This is where I finally gave up.



It says that "Your website is BORDERLINE UNSAFE" after a while even if you leave the account form blank and just keep the page opened in a background tab.

Better yet, it probably does that for any URL – see c8g's comment about Google, i've tried HN and a few of my own sites, all with the same results. Even tried to give it it's own address, but it "is not permitted".

So I thought that maybe it just displays that message after some timeout without doing any actual checks, bit like these sketchy fake antivirus sites. But nope – when i point it to a subdomain with access_log enabled, i see it actually makes a bunch of requests. So maybe they just have such high standards that the entire web is "borderline unsafe" from their point of view.


The scan we run from the homepage is a rudimentary scan that only scans for client-side vulnerabilities, since we can't scan for server-side issues until you've verified ownership. As a result, we can't give you a clean bill of health until you've run a full scan, which is why you see that. If you verify ownership, you'll see any issues we found and be able to run a full scan which can give you a clean bill of health if it doesn't find anything.


I'm not using your app but I assume it's not as clear as your comment based on upthread posts. You might want to modify the app to show both client and server side results with server saying "unknown: must verify ownership first." That would eliminate the confusion.


This is good feedback. Thanks.


It's a company entirely focused on web security.

Even with no conflicts of interest at all, it's obvious that they would have higher security standards than anybody else out there.


Sorry about the bad experience! It's definitely not typical or what we want.

You shouldn't have had to make a second account - that's the odd part. You do have to confirm your email, and we can't show you results until you've verified ownership, for legal reasons.

If you shoot me an email, I can definitely take a look at what happened with the account creation issues and fix it for you.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: