Is this secure?
I love Pownce's new friend importing features. Especially the ones for Flickr, Digg, Facebook and Twitter. But I don't know about the Gmail, AIM, and Hotmail importing. Is that really secure? When I log into Gmail I get that padlock icon in the bottom right of my browser window. Don't see that on Pownce, or any other site that offers this kind of contact importing. I would love to understand the technical details.


6 people have this question
-
It isn't a secure connection to Pownce or Gmail/Hotmail servers, but I don't think it's much to worry about for the general user. For those using public terminals, sure, maybe it would be good advice to avoid using this. But I'm at home on my own machine, on my own secured wireless network, and I don't think I'm an exciting enough of a person for a stranger to be sitting outside our town home, cracking my WPA2 password and sniffing every letter I send over the network.
It's also probably worth noting that this kind of "import your contacts from other services to see who's on this service" feature is popping up everywhere. I'm pretty sure it isn't a secure connection at all those other sites too.
-
I don't really think that's a useful reply. You said 'no', but then gave your opinion on the importance of security in your own single-use scenario. Are you suggesting that public terminals are uncommon, such as schools, stores, etc? Or anyone sharing a wireless connection? Cafes, apartments, businesses? Email security is a top priority, especially a major provider like Gmail. It's interesting that a tech hasn't answered this yet.
-
Try this instead:
https://pownce.com/add_friends/import...
Pownce has an SSL cert verified by GoDaddy. That'll keep your connection secure. I can only assume that Pownce's connection to these 3rd party services uses the 3rd parties' native login method - which should also be SSL-based.
-
To test this, download Wireshark (www.wireshark.org), capture packets while doing the import via HTTP, stop the capture and then "Find" your username in Wireshark. You will see it, along with your password. Repeat the test using the HTTPS protocol. You won't see your password as it's encrypted.
2 people say this answers the question
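
A static counterpart to the packet-capture test above, added here as an example (it is not part of any poster's reply and not Pownce's code): it scans a saved copy of a page for forms that ask for a password and reports whether they would be submitted over HTTPS. The host `example.test`, the path `/import-contacts` and the sample markup are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class FormScanner(HTMLParser):
    """Collects each <form>'s action and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []        # finished forms as (action, has_password)
        self._current = None   # [action, has_password] while inside a <form>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = [attrs.get("action") or "", False]
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(tuple(self._current))
            self._current = None


def audit_password_forms(page_url, html):
    """Return (submit_url, verdict) for every form that asks for a password."""
    scanner = FormScanner()
    scanner.feed(html)
    page_is_https = urlparse(page_url).scheme == "https"
    results = []
    for action, has_password in scanner.forms:
        if not has_password:
            continue
        target = urljoin(page_url, action)  # an empty action posts back to the page URL
        if urlparse(target).scheme != "https":
            verdict = "cleartext-submit"    # password would be readable in a capture
        elif not page_is_https:
            verdict = "insecure-origin"     # the form page itself can be altered in transit
        else:
            verdict = "ok"
        results.append((target, verdict))
    return results


# Constructed sample markup for a contact-import page (not taken from any real site).
SAMPLE = ('<form action="/search"><input type="text" name="q"></form>'
          '<form action="/import-contacts" method="post"><input name="email">'
          '<input type="password" name="passwd"></form>')
```

The `insecure-origin` verdict covers a case the capture test can miss: a form that posts to HTTPS but is itself delivered over HTTP can be rewritten in transit before the user types anything.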
-
Sorry I haven't said anything yet. I really want to know what you all think about this issue.
The Flickr, Digg, and Twitter imports all use public data so no passwords are required. Facebook and Yahoo! mail have users authenticate on their own site and use tokens to exchange data instead of passing the username/password. Both of these methods are excellent.
The Gmail, Hotmail, and AOL importers are very common on other websites, but that doesn't mean that it's a good thing. There are currently no approved ways to export contact lists from those sites and the whole thing is a security/performance/usability mess.
2 people say this answers the question
-
Ash, you may not have fully thought through or understood the situation. This is an important issue.
Because of the widespread nature of this design anti-pattern, growing a user’s network has become more important (to users and services) than instilling best practices for how to handle sensitive information on the web.
While the identity thieves aren't going to jump out and get you, submitting your Gmail credentials to every social site on the web is not good practice... but a precedent is being set by users and services that it is perfectly fine to do this.
Think about what this design pattern says to people who might not be savvy enough to detect phishing? It says, "oh sure it's fine to give out login credentials to all kinds of sites, no big deal, have at it." It is an issue of information literacy and leading by example. Pownce is between a rock and a hard place. Sign of the times and a sign for some change I suppose.
1 person says this answers the question