Closed
Bug 831488
Opened 12 years ago
Closed 12 years ago
Everything.me should use https to access api.everything.me
Categories
(Firefox OS Graveyard :: Gaia::Everything.me, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: st3fan, Unassigned)
References
Details
Everything.me makes plain HTTP requests to api.everything.me. I think this is problematic because the requests contain API keys, session IDs and unique device identifiers.
It also allows an attacker to possibly redirect traffic to api.everything.me and modify the contents of the results that everything.me returns. This would allow an attacker to change URLs for the applications listed on everything.me.
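As an added illustration of the exposure described in the report (example code, not part of the bug or of the Gaia/Everything.me code base): a small audit that scans client request log lines and flags plaintext requests to api.everything.me, and any sensitive parameter sent without TLS. The log lines, API paths and parameter names (apiKey, sessionId, deviceId) are constructed for the example; the real Everything.me parameter names are not given on the page.

```python
from urllib.parse import urlparse, parse_qs

# Query parameters that must never travel in plaintext.
# Constructed for this example; not the real Everything.me parameter names.
SENSITIVE_PARAMS = {"apiKey", "sessionId", "deviceId"}

# Constructed sample of client request log lines ("METHOD URL"), not a real Gaia log.
SAMPLE_LOG = """\
GET http://api.everything.me/everything/apps/search?query=maps&apiKey=EXAMPLE-KEY&sessionId=abc123&deviceId=dev-001
GET https://api.everything.me/everything/apps/search?query=maps&apiKey=EXAMPLE-KEY&sessionId=abc123&deviceId=dev-001
GET http://api.everything.me/everything/categories/list?query=news
GET https://cdn.example.org/icons/maps.png
"""


def audit_line(line):
    """Return the findings for one 'METHOD URL' log line.

    Findings:
      - 'plaintext-api': a non-HTTPS request to api.everything.me (results
        could be tampered with on the wire, e.g. app URLs rewritten)
      - 'secret-in-clear:<name>': a sensitive parameter sent without TLS
    """
    try:
        _method, url = line.split(None, 1)
    except ValueError:
        return []  # malformed line: nothing to audit
    parsed = urlparse(url.strip())
    findings = []
    if parsed.scheme != "https":
        if parsed.hostname == "api.everything.me":
            findings.append("plaintext-api")
        for name in parse_qs(parsed.query):
            if name in SENSITIVE_PARAMS:
                findings.append(f"secret-in-clear:{name}")
    return findings


def audit_log(text):
    """Map each offending line number (1-based) to its list of findings."""
    report = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        findings = audit_line(line)
        if findings:
            report[lineno] = findings
    return report


if __name__ == "__main__":
    for lineno, findings in audit_log(SAMPLE_LOG).items():
        print(f"line {lineno}: {', '.join(findings)}")
```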
Reporter
Comment 1•12 years ago
I just checked this again and it seems the API is now accessed over HTTPS.
Stefan - For further confirmation: The Privacy team met with e.me various times in 2012 and they agreed to use HTTPS as one of their privacy implementations.
Reporter
Comment 3•12 years ago
(In reply to Alina Hua from comment #2)
> Stefan - For further confirmation: The Privacy team met with e.me various
> times in 2012 and they agreed to use HTTPS as one of their privacy
> implementations.
Yeah, I think what I saw was just for development builds. In the current code HTTPS is enabled.
The only reason I have not closed this bug yet is because I want to confirm on a more official production build just to be sure.
Comment 4•12 years ago
Stefan, is this issue completely resolved? Does Gaia only make HTTPS requests to the API, and does the API only accept HTTPS requests?
Reporter
Comment 5•12 years ago
Checking with latest build.
Reporter
Comment 6•12 years ago
Tom,
1) The latest version of the everything.me code in Gaia defaults to HTTPS.
2) Their API accepts both HTTP and HTTPS.
I tracked down (1) to the following commit:
https://github.com/mozilla-b2g/gaia/commit/ed087576ec3e931382a9313867350ac7ff2c0b9a#diff-4
Going to resolve this bug. If (2) is a problem then please file a separate bug.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED