Seriously. You shouldn't have to pay to expect a reasonable amount of security as a user.

So, as a user, you have a right to a free product on your terms and conditions?

That's an overreaching interpretation of parent's post. Besides, the "rights" issue is a red herring. Making an analogy - and yes, I know it's not accurate, it's an analogy -, people don't have a the "right" to a free car, but if I am going to offer free cars, surely we can agree they should have breaks.

The idea that because it's free it's above all criticism is simply unreasonable.

Personally, I don't think requiring payment for SSL is wrong, though.

> The idea that because it's free it's above all criticism is simply unreasonable.

Solution: shut down the free version. Addressing complaints from free users who demand things captures absolutely zero value when you're a struggling startup with too much else to do and limited resources still trying to make a viable business. Freemium doesn't work unless you're swimming in VC money and only care about user growth, not MRR growth.

Shut down the free service and no one will get hooked to your product, and choose a another free service to start with, and maybe even pay for it later.

Providing both free and payed tier is the way to go, especially in the commodity market segment like RSS readers, unless you are in a niche without too much competition.

I disagree. RSS readers have a significant long tail expense per user. I worked at Bloglines. Pretty much every one of those free users have extra little RSS feeds that nobody else subscribes to that you have to crawl, handle invalid rss/xml for, update and keep unread status on. At scale, that is the most expensive part of operating an RSS reader, and it's not worth it.

I agree with your point that keeping RSS user is not free. But, from the users perspective, RSS readers are a commodity. You can't sell them subscription unless you provide them a free ride to actually check and hook up to your service. The only reason that OP is successful is having a business model working is that he already has a large userbase which was acquired largely because it was free.

Security? Where do you see security issues outside of login data (which is already over HTTPS)?

This seems like a privacy feature (something not necessarily everyone cares about when it comes to their feedreading), not security.

How do you think the authenticated session is maintained?

Any site viewed over plain HTTP is susceptible to content injection by ISPs, public wifi providers, employers, etc, basically anyone between you and the server. At best it's annoying, at worst it's a security hazard.

And as someone else mentioned, the session cookie is still transmitted in plaintext, which effectively compromises your Feedly account.

Not to be too glib about it, but for God's sake, who cares? It's my Feedly account. It holds my read/unread status for my daily newsfeeds. What's the big hacker target here? Spoofing that I've already read Hacker News today? Subscribing me to feeds I don't want? I encourage Feedly not to waste time securing that on my behalf.

Don't want the NSA reading my I can haz cheezburger feed

They've got the certificates so they'll see your lolcats either way.

For the functionality Feedly provides, plain HTTP is a reasonable amount of security. I also, up until fairly recently, received news via a bundle of paper left on my doorstep. Shocking, I know.

Looks like they are just decorating the "Pro" plan with "features".

> Will extend it to everyone when we have a way to fund it.

Is it really that expensive for them to run? Last time I heard it was a a minuscule amount per request, and peanuts for the certificate itself.

That depends whether they are using a CDN. CDN's charge a lot more for HTTPS

Does $5/month sound a lot for a product/service from a real business? How much do you charge for your product/service?

As a user, I know that a lot of "just $5 a month" services add up quite quickly, especially if they're not tools you use every day or as part of a workflow.

Of course not, but pro will be funding their infrastructure as a whole

Have a look at kouio, it's only accessible over HTTPS: https://kouio.com

Also worth mentioning, with kouio, paying customers will never be competing with freeloaders for resources :-)

Probably what annoys me most about this is that HTTPS was already there (I've been using it for a good month or two). This would imply that the costs were already spent, the infrastructure was in place and it was working just fine.