Ilya Volodarsky

Co-founder @ Segment.io

Socrates.io Now More Secure

Five days ago, Ian and I released a simple and clean markdown editor called Socrates.io. It was just a weekend project, so we didn’t expect much. But the responses have been incredible:

Woo Woo Woo

In just 5 days, 17,000+ people have created over 7,000 documents. They’ve performed over 100,000 saves. We saw a peak of 425 concurrent users, and 100+ are online right now.

We’ve heard from a person writing a draft of their book in Socrates. We’ve seen a TA writing up a computer science test in markdown. We’ve seen to-do lists, meeting notes, blog entries, and many many Github readme’s.

We’ve even seen documents in Chinese and Norwegian!

Biggest Critique

Socrates.io gives every new document a unique ID. Similar to services like Etherpad and Stypi, privacy is implied by simply not sharing your link with people who you don’t want editing your document.

Since it was just a weekend project, we didn’t get to fully securing the document list. That left open a way for people to get a list of all document ids (which they quickly did).

HN user saurik pointed this out in the comments, and posted this javascript snippet demonstrating this hole:

new Firebase(Socrates.firebaseUrl).once('value', function(snapshot) {
    var val = snapshot.val();
    for (var i in val.documents) {
        var doc = val.documents[i];
        console.log(doc.id + ': ' + doc.title);
    }
})

This weekend I had some time to look into the issue. And after talking to the awesome folks at Firebase, I added a single permissions rule to deny reading all documents.

Now, if you run the snippet on this page, it just says:

FIREBASE WARNING: on() or once() for / failed: permission_denied

Perfect! Now you can use Socrates.io without worrying about strangers stumbling onto your document.

Use Markdown

Markdown is now my preferred way to write almost anything. As more people start using markdown, more services will adopt it as their primary user-submitted text format.

I use markdown and Socrates.io to write my Github readmes, blog entries, and to-do lists. What do you use it for?