@Daniel Garcia  Just to elaborate on the SSL certificate issue. The reason why our websocket/pubsub server was using a self-signed certificate is that this server is never intended nor required to be accessed through the users browser, or by third-party applications or services. Enabling the full operating system default certificate store in many scenarios actually reduces security. It tends to be trivial for nosy network administrators, who want to monitor everything their users are doing, to install MITM friendly root certificates as a matter of network-wide policy. I personally don't consider it desirable to make this easy in non-Enterprise products. It is also fairly common for malicious or just plain-sloppy software to install root certificates in to the OS's certificate store. You can read about a particularly notorious example of this here  https://en.wikipedia.org/wiki/Superfish#Lenovo_security_incident The reason the subject name (which was previously our servers IP address) on the certificate was incorrect is that the server was upgraded, which resulted in an IP change, and the old certificate was simply reused. Not regenerating the certificate was an oversight. The API endpoint server, which is what you hit when you use our one-click login button, has always been signed by a trusted CA. We understand that it can be unnerving to see connections to our servers when using a partially closed-source product that captures your keystrokes, so I hope this puts your mind at ease