The "http" calendar URLs (now?) actually redirect to "https" URLs, but this doesn't help retrospectively, since the only thing that needs to be kept secret is the URL, and that's redirected in plain text…

TripIt's web UI actually presents the "private" calendar URL with a "webcal" scheme--is that typically secure? (You can replace "webcal" with "https" and things work just fine, though.)




FWIW, both Google Calendar and the subscribed calendar on iOS attempt to access webcal:// URIs over SSL on port 443. I'm not sure at what point they would fall back to http; if they do, I haven't seen it.


Is TripIt referencing these http URLs? If yes, then you have the same problem (the eavesdropper just has an extra step to follow the URL).



