All sorts of cloud services want to get their hands on all sorts of private data these days.
Case in point today, Funambol — looks like a nice combination of cross-platform synchronization software, a bunch of open source software to build applications on top, and a probably useful web service. Now, do I trust this service with my address book?
Conveniently, the fail begins early enough that I don’t even get to the point of looking at the privacy policy: not only are the password choices I can make when signing up constrained in all the wrong ways, but all interaction with the web portal is, of course, over plain HTTP.
Why, exactly, dear Funambol, do you think that I’d trust you with others’ home addresses and private phone numbers when you don’t even bother to take the elementary steps to keep my password and those data out of the hands of the attacker who’s probably sniffing the wireless network I’m using at the airport?
Come back when you’ve built a secure site. Right now, you’re not even getting past the smell test.
This is disgraceful. What’s more, they don’t have SSL configured correctly. When you force SSL (https://www.funambol.com/) their webserver identifies itself as "plesk", while their SSL cert is for http://www.funambol.com, which means that Chrome complains bitterly about the name mismatch. Once you get past the warning page, it turns out that their SSL cert not only does not match the URL, it has also expired. Good job!
Well, plesk is an admin interface. This suggests that the server they use is carrying around some cruft of whatever it came preinstalled with.
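The two certificate problems raised in the comments above, a name mismatch and an expired certificate, are exactly what a site owner can check for before a browser does. The following is an added example, not code from the original post or from Funambol; it works on the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, and the certificate and clock values are constructed for illustration.

```python
import ssl
import time

def _name_matches(pattern, hostname):
    """Case-insensitive match of one certificate DNS name against hostname.
    A '*' is honoured only as the entire left-most label (e.g. *.example.test)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if not pattern.startswith("*.") or "." not in hostname:
        return False
    first, rest = hostname.split(".", 1)
    return bool(first) and rest == pattern[2:]

def cert_names(cert):
    """DNS names the cert claims: subjectAltName entries, CN only as a fallback."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names

def audit_cert(cert, hostname, now=None):
    """Return the problems a browser would flag for this cert served on hostname.
    'cert' uses the dict shape returned by ssl.SSLSocket.getpeercert()."""
    now = time.time() if now is None else now
    problems = []
    names = cert_names(cert)
    if not any(_name_matches(n, hostname) for n in names):
        problems.append("name mismatch: cert names %s do not cover %s" % (names, hostname))
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        problems.append("expired on " + cert["notAfter"])
    if "notBefore" in cert and ssl.cert_time_to_seconds(cert["notBefore"]) > now:
        problems.append("not valid before " + cert["notBefore"])
    return problems

# Constructed sample, not a real Funambol certificate: issued for www.example.test
# and *.sync.example.test, expired at the end of January 2011.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "*.sync.example.test")),
    "notBefore": "Jan 31 00:00:00 2010 GMT",
    "notAfter": "Jan 31 23:59:59 2011 GMT",
}
# Fixed clock (2011-02-15 UTC) so the result is reproducible.
CHECK_TIME = ssl.cert_time_to_seconds("Feb 15 00:00:00 2011 GMT")

if __name__ == "__main__":
    for host in ("www.example.test", "portal.example.test"):
        print(host, "->", audit_cert(SAMPLE_CERT, host, CHECK_TIME) or ["ok"])
```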
Guys, we hear you :) Syncs can already be performed over https, and as stated a few months ago (http://bit.ly/fx8L55) we’re working to add https support on the portal as well.
Sorry to keep beating you up — but it’s taking you a few *months* to add HTTPS support? Seriously?
Hi Thomas, let me add some more details around the issue (I have been with Funambol since the beginning).

First of all, you are absolutely right. We should have HTTPS turned on by default, both for syncing and the cloud web access. Currently, we only have it for syncing (from your PC, Mac, Android, iPhone, Symbian, …) but not for the cloud web access. That is, you sync securely if you want to, but when you check your data with a browser, the data is not securely transmitted.

The reason for the slow move to support HTTPS also on the web cloud access is linked to our business model and the priorities it brings. As you might know, we are not a B2C company (like Dropbox). We do not focus on consumers directly. We give our product to mobile operators and device manufacturers, and they offer it to their consumers (rebranded). In all these cases, you can bet the security is turned on. The product supports multiple levels of it.

Our myFUNAMBOL site has always been a demo site. One where our potential customers can try out the product, and a give-back to our open source community. Also, it is very useful for us to test features before we give them to customers. However, it always comes after our customers when it comes to priorities… A demo site is a demo site, and if a mobile operator is about to go live, our resources are focused on that. myFUNAMBOL comes second. Therefore, we postponed adding HTTPS to the web cloud access for a few months… There was always something more important popping up, and the demo site came after.

However, since you posted this comment, the priority of this task has been lifted (thanks!), so it will happen very soon.

We’ll keep you posted. Thanks for pushing us to improve. fabrizio
Good news: we enabled HTTPS on myFUNAMBOL :) Happy Secure Syncing!