July 22, 2016 at 20:54 #3796
Not having an https:// internet url seems out of place for an organisation providing encryption software. You go to the trouble of digitally signing the download files, but your website content is not encrypted between the viewers and your servers. Even for a security newbie like me, having SSL for your website would be the first thing I’d expect to see!
July 22, 2016 at 21:03 #3798
While I won’t argue that the standard is moving towards SSL-everywhere, please understand that SSL (HTTPS) serves two purposes, but not always at the same time, and this is not always apparent to a user.
The first purpose, which is always fulfilled, is confidentiality. However, not all things are confidential. We don’t believe that our public web site, http://www.axcrypt.net, has anything confidential.
The other purpose is authentication of the URL and the organization behind it. I.e. that if you type ‘www.axcrypt.net’ you’re really talking to our servers and we represent a real legal entity, and not someone else’s. This purpose used to depend on a list of trusted providers of root certificates, such as VeriSign, issuing them after a manual verification process. These cost money. Real money. And we’re still a rather small organization.
Recently, free certificates have been massively available via the Let’s Encrypt initiative. The problem is that these certificates really only fulfill the first purpose – encryption of the link. And, as mentioned, there’s nothing secret going on there.
If you’ll note, the account web site, https://account.axcrypt.net/ – where you sign in, *is* encrypted with a ‘real’ SSL certificate, where our corporate identity has been validated by the issuer. We’ve also ensured that we’re only using up-to-date algorithms and key lengths on that server.
So, yes, we’ll arrange for SSL for http://www.axcrypt.net/ as well, but since the *real* benefits are minimal to negligible and there’s a real cost associated with it, it’s not been our top priority.
Thanks for the feedback!
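A small check for the distinction the reply draws (a certificate whose subject names only the domain versus one that also names a validated organisation, plus whether the negotiated protocol and cipher meet a minimal bar), added here as example code and not anything from AxCrypt; the sample certificate dicts are constructed and `www.example.com` / `account.example.com` are placeholders:

```python
"""Classify a peer certificate as returned by ssl.SSLSocket.getpeercert()
and sanity-check the negotiated TLS parameters. Added example, not
AxCrypt's code; sample subjects below are constructed, not real certs."""
import socket
import ssl

OK_VERSIONS = {"TLSv1.2", "TLSv1.3"}   # anything older is treated as weak
MIN_SECRET_BITS = 128                  # from SSLSocket.cipher()[2]
WEAK_CIPHER_TAGS = ("RC4", "DES", "NULL", "EXPORT", "MD5")


def subject_fields(cert):
    """Flatten getpeercert()'s subject (tuple of RDN tuples) into a dict."""
    return {k: v for rdn in cert.get("subject", ()) for k, v in rdn}


def validation_level(cert):
    """A domain-validated (DV) certificate carries only the host name in its
    subject; an organisation-validated (OV/EV) one also carries the legal
    entity's name (organizationName), which is what the reply above means
    by 'our corporate identity has been validated by the issuer'."""
    s = subject_fields(cert)
    if "organizationName" in s:
        return "OV/EV", s["organizationName"]
    return "DV", s.get("commonName", "?")


def cipher_ok(cipher, version):
    """cipher is the (name, protocol, secret_bits) tuple from SSLSocket.cipher()."""
    name, _proto, bits = cipher
    if version not in OK_VERSIONS:
        return False
    if any(tag in name for tag in WEAK_CIPHER_TAGS):
        return False
    return bits >= MIN_SECRET_BITS


def inspect_host(host, port=443):
    """Live check: returns (level, org_or_cn, tls_version, cipher_is_ok)."""
    ctx = ssl.create_default_context()          # verifies chain + hostname
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            level, name = validation_level(tls.getpeercert())
            return level, name, tls.version(), cipher_ok(tls.cipher(), tls.version())


# Constructed sample subjects in getpeercert() shape (placeholder names).
DV_CERT = {"subject": ((("commonName", "www.example.com"),),)}
OV_CERT = {"subject": ((("countryName", "SE"),),
                       (("organizationName", "Example Org AB"),),
                       (("commonName", "account.example.com"),))}

if __name__ == "__main__":
    print(validation_level(DV_CERT), validation_level(OV_CERT))
```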