Hacker News
by mike-cardwell 5717 days ago
It bothers me that there is no https version for frid.ge. Even when you log in your credentials are sent unencrypted.

Compare to Facebook. On Facebook you can get a complete https experience by visiting https://www.facebook.com/ but even if you don't, the login still goes over https.

I'd take frid.ge more seriously with regards to privacy and security of my data if they simply forced all traffic over https and installed an EV SSL cert. Non-SSL shouldn't even be an option. Otherwise my friends looking at my data are leaking my data. With an EV SSL cert and forced https, they could even use it as a marketing gimmick. Something along the lines of, "Frid.ge. We take the security of your personal data as seriously as your bank does."

2 comments

Someone should double-check me on this because I actually couldn't get the account to correctly activate, but I think there's a POST CSRF vulnerability on the "new group" button in the profile page.
And I think the release of Firesheep today only adds weight to this argument.
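As an added example (not frid.ge's code, and not posted by anyone in this thread) of the "non-SSL shouldn't even be an option" policy the post argues for, together with the cookie hardening that blunts the passive session sniffing Firesheep automates, here is a small Python WSGI middleware. The hostname frid.ge comes from the thread; the demo application, the `sid` cookie name and the handling of `X-Forwarded-Proto` are assumptions made for the example.

```python
def is_https(environ):
    # Trust the scheme the server reports; X-Forwarded-Proto only if your own TLS proxy sets it.
    return (environ.get("wsgi.url_scheme") == "https"
            or environ.get("HTTP_X_FORWARDED_PROTO") == "https")

def force_https(app, host="frid.ge", hsts_seconds=31536000):
    """Wrap a WSGI app so no plaintext request ever reaches it.
    GET/HEAD over http:// -> 301 to the https:// URL. Other methods over
    http:// (a POST with a password) -> 403: the secret already crossed the
    wire in the clear, and a silent redirect would only hide that. Over https:
    add HSTS and mark every Set-Cookie Secure + HttpOnly, so a passive
    sniffer (what Firesheep automates) never sees the session cookie.
    """
    def middleware(environ, start_response):
        if not is_https(environ):
            path = environ.get("PATH_INFO") or "/"
            qs = environ.get("QUERY_STRING", "")
            target = "https://%s%s%s" % (host, path, "?" + qs if qs else "")
            if environ.get("REQUEST_METHOD", "GET") in ("GET", "HEAD"):
                start_response("301 Moved Permanently", [("Location", target)])
                return [b""]
            body = b"HTTPS required; plaintext POST refused\n"
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        def secure_start_response(status, headers, exc_info=None):
            out = []
            for name, value in headers:
                if name.lower() == "set-cookie":
                    attrs = {a.strip().lower() for a in value.split(";")[1:]}
                    value += "" if "secure" in attrs else "; Secure"
                    value += "" if "httponly" in attrs else "; HttpOnly"
                out.append((name, value))
            out.append(("Strict-Transport-Security", "max-age=%d" % hsts_seconds))
            return start_response(status, out, exc_info)
        return app(environ, secure_start_response)
    return middleware

def demo_app(environ, start_response):
    # Constructed stand-in for the site: "logs in" and sets a session cookie.
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", "sid=abc123; Path=/")])
    return [b"ok"]

def call(app, environ):
    # Tiny in-process WSGI client: returns (status, header dict, body).
    cap = {}
    sr = lambda status, headers, exc_info=None: cap.update(status=status, headers=dict(headers))
    body = b"".join(app(environ, sr))
    return cap["status"], cap["headers"], body
```

Wrap the real application with `force_https(app)` behind a TLS listener; the plaintext listener then only ever answers with redirects or refusals.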