The F-Secure Problem
A month ago at the Re:publica conference in Berlin, Mikko Hypponen and David Hasselhoff took the stage and talked about Digital Freedom. But some of what they said there was a bit problematic. Here I'm just going to talk about one specific issue - the lack of HTTPS.
So what was all of this about? Well, F-Secure, in cooperation with The Hoff, is working on a new VPN solution called Freedome. I first suspected that this was what they would talk about at Re:publica. However, instead they talked in general terms about digital freedom and related subjects. Finally they announced that they are working on a manifesto for digital freedom, and wanted the help of everyone to write it. They put up a link to the website where we were supposed to go to submit our thoughts on the matter.
At that point I noticed that the link was using HTTP, not HTTPS. Later, we verified that there actually was an HTTPS website set up - but it redirected back to the HTTP version. I asked Mikko during the presentation about this, and he promised it would be up and working the day after. So the day after I checked, and in the morning it still didn't work. I pinged Mikko on Twitter and then in the afternoon I checked again. At that point the HTTPS connection was actually possible - however, it was using an invalid certificate. Finally I checked back ten days later and it still had an invalid certificate. I pinged Mikko and found out that they had put up the manifesto on a different URL, and finally I could connect over HTTPS (but the default is still HTTP, and even over HTTPS, HSTS is not turned on).
And why does this matter? Am I being nitpicky about HTTPS? Maybe - but the point is this. If you talk about digital freedom and you want people to contribute, we need to know that you take the subject seriously. HTTPS is not a panacea and it has a ton of problems. But it's better than nothing, and the more of the web that is encrypted, the better it is for everyone. So not having thought about HTTPS for something like this sends the message to me that F-Secure doesn't really care that much about digital freedom. And more than that, in these days, in some countries, it can be a dangerous act to be associated with efforts around digital freedom. This site would be a one-stop place to get a list of digital dissidents. If you really want the input from everyone without them holding back, you need to protect the digital freedom of the person visiting your site. And a small way of doing that is through HTTPS and HSTS.
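The checks described above (does plain HTTP redirect to HTTPS rather than the other way round, does the certificate validate, is HSTS sent and with a meaningful max-age) are easy to automate. The following is an added example, not code from the original post or from F-Secure: it assesses captured responses for a hypothetical host `manifesto.example` (the sample responses are constructed to mirror the states the post describes), and `probe()` runs the same assessment live against a URL, reporting a certificate that fails validation instead of silently trusting it. The 180-day minimum for max-age is an assumption of this example; browser preload lists ask for a year.

```python
"""Transport-security checks for a site that asks the public to contribute.

Added example, not part of the original post. assess() evaluates one captured
HTTP response: does plain HTTP redirect to HTTPS (rather than HTTPS redirecting
back to HTTP), is Strict-Transport-Security sent over HTTPS, and is the policy
long-lived enough to matter. probe() performs the same checks over the network
and additionally reports a certificate that fails validation.
"""
import http.client
import ssl
from urllib.parse import urlparse

REDIRECTS = {301, 302, 303, 307, 308}
MIN_MAX_AGE = 15552000  # 180 days (assumed threshold); preload lists want a year


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into its directives."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                policy["max_age"] = int(val.strip().strip('"'))
            except ValueError:
                policy["max_age"] = None
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def assess(url, status, headers):
    """Return a list of findings (empty means no problems) for one response.

    url is the URL that was requested, status the response code and headers a
    dict of response headers (looked up case-insensitively). Redirects are not
    followed; each hop is assessed on its own.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    scheme = urlparse(url).scheme.lower()
    target = urlparse(hdrs.get("location", "")).scheme.lower()
    redirected = status in REDIRECTS
    findings = []

    if scheme == "http":
        if not (redirected and target == "https"):
            findings.append("plain HTTP is served without redirecting to HTTPS")
        if "strict-transport-security" in hdrs:
            # RFC 6797: a UA must ignore HSTS received over an insecure transport
            findings.append("HSTS header sent over plain HTTP is ignored by browsers")
        return findings

    if redirected and target == "http":
        findings.append("HTTPS redirects back to plain HTTP")
    hsts = hdrs.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header")
        return findings
    policy = parse_hsts(hsts)
    if policy["max_age"] is None:
        findings.append("HSTS max-age directive missing or unparsable")
    elif policy["max_age"] < MIN_MAX_AGE:
        findings.append(f"HSTS max-age {policy['max_age']} is shorter than {MIN_MAX_AGE} seconds")
    if not policy["include_subdomains"]:
        findings.append("HSTS does not cover subdomains (no includeSubDomains)")
    return findings


def probe(url, timeout=10):
    """Fetch url once without following redirects and assess the response.

    An HTTPS endpoint whose certificate chain or hostname fails validation is
    reported as a finding rather than being connected to insecurely.
    """
    u = urlparse(url)
    path = (u.path or "/") + (f"?{u.query}" if u.query else "")
    try:
        if u.scheme == "https":
            ctx = ssl.create_default_context()  # verifies chain and hostname
            conn = http.client.HTTPSConnection(u.hostname, u.port or 443,
                                               context=ctx, timeout=timeout)
        else:
            conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
        conn.request("GET", path)
        resp = conn.getresponse()
        return assess(url, resp.status, dict(resp.getheaders()))
    except ssl.SSLCertVerificationError as e:
        return [f"HTTPS certificate fails validation: {e.reason}"]
    except OSError as e:
        return [f"connection failed: {e}"]


if __name__ == "__main__":
    # Constructed responses for a hypothetical host, mirroring the states in the post
    samples = [
        ("http://manifesto.example/", 200, {"Content-Type": "text/html"}),
        ("https://manifesto.example/", 302, {"Location": "http://manifesto.example/"}),
        ("https://manifesto.example/", 200, {"Strict-Transport-Security": "max-age=300"}),
        ("https://manifesto.example/", 200,
         {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    ]
    for url, status, headers in samples:
        print(url, status, assess(url, status, headers) or ["ok"])
```

Run it as-is to see the constructed cases; call `probe("https://<your host>/")` to check a real site. Note that assessing the HTTPS hop in isolation is deliberate: a site that sends HSTS but also redirects HTTPS to HTTP locks browsers into a policy they can no longer satisfy, which the third finding category makes visible.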