536 points helloguillecl | 4 comments
1. a85 (No.45652555)
Hello all,

Postman founder here. I did not time this with an AWS outage of this magnitude but I posted about filesystem, git, and offline support coming to Postman last week: https://x.com/a85/status/1978979495836356819?s=46

Postman has a lot of capabilities now that require the cloud but there is still an offline client built in just for requests.

Building sign-in and cloud features was not due to a VC-led conspiracy. A large number of companies depend on APIs (like AWS) and have thousands of services and APIs. Customers need to manage them and wanted us to build it.

2. victop (No.45652825, reply to No.45652555)
Please can you address the claim that Postman is silently leaking customer secrets to your servers as part of telemetry?

https://anonymousdata.medium.com/postman-is-logging-all-your...

3. a85 (No.45652890, reply to No.45652825)
Yes. The post is misleading, and we have more detail on what we do here.

https://blog.postman.com/engineering/postman-free-is-secure-...

Postman allows for turning off history, keeping variables local, and setting up a local vault, all in the free product; in more advanced plans, there are secret scanning capabilities for IT and security teams.

https://blog.postman.com/choose-the-right-postman-plan-for-y...

These issues are not unique to Postman and apply to all cloud products, like GitHub, for instance. Products that are “offline” just shift the burden to the user.

4. victop (No.45653551, reply to No.45652890)
All good security measures, for sure, but the blog post you linked doesn’t mention anything about telemetry (i.e. request data sent to those *.gw.postman.com endpoints). As a user, it would be great to know exactly what data is sent to Postman servers (e.g. we send resolved query strings, we don’t send headers, etc.), as well as to have an easy way to opt out of telemetry altogether.