
meebo account security

password encryption and website security

What do we do?

At Meebo, we take security very seriously. We never send your login credentials in the clear: whenever that data crosses the internet, it is encrypted.

We achieve this in one of two ways, depending on what your browser supports.

If your browser supports SSL, some IFrame magic occurs! When you first load the Meebo homepage (http://www.meebo.com), the page itself is served over plain HTTP, which is okay for the page content. :) Embedded in it is a hidden IFrame containing a mini-webpage with an empty form. When you enter your name(s) and password(s), that information is copied into the hidden IFrame's form fields and submitted to the SSL version of Meebo (https://www.meebo.com). Because the submission occurs over HTTPS, the credentials are encrypted in transit and protected from anyone listening on the network. Success or failure is messaged back to your browser, and if you've entered your credentials correctly, the event loop is initiated and your Meebo session begins. Note that this protects your credentials on the wire; the page and script that do the copying are still fetched over plain HTTP, so only the login submission itself is covered by SSL.

If your browser does not support SSL, we fall back to our original method: encrypting your login information in JavaScript. The public key of our server is embedded in the JavaScript your browser loads. When you type in your login credentials and hit the "Sign On" button, the JavaScript encrypts the passwords with that RSA public key before they are sent across the wire. On the server, our CGI scripts use the corresponding private key, which is stored only on the server, to decrypt the password with OpenSSL. This way, your password is never sent across in the clear. Only the passwords are encrypted in this path; the rest of the request, and the session that follows, travel over plain HTTP.

Some of you may ask: why don't we encrypt everything? Why only passwords? With AJAX, the browser only lets a page make requests to the same server and protocol it was loaded from (the same-origin rule): a page loaded over https can only request from https, and the same goes for http. For most people, SSL is not very responsive and is a lot harder to scale, which would make the Meebo experience far less useful, or fun. So, to stay true to the AJAX model of fast, lightweight webware while addressing the security concerns, we've chosen to encrypt the password and leave the rest of the session over plain HTTP.

Additional security

For those of you who are willing to trade some speed for having all of your IMs encrypted, you can log in at https://www.meebo.com; then everything, not just the password, travels over SSL. This may make Meebo less responsive, but if you feel you need more security than the standard measures described above, you are welcome to use this more secure version of Meebo.

For every security feature we add, I'll be sure to update this page, and explain how and why we made those decisions. Any and all suggestions are welcome in our forum, and as usual, we love hearing what you think!