avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • November 17, 2018, 05:13 AM
  • Proudly celebrating 13 years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: Insecure Blogging  (Read 2738 times)

Paul Keith

  • Member
  • Joined in 2008
  • **
  • Posts: 1,987
    • View Profile
    • Donate to Member
Insecure Blogging
« on: September 30, 2008, 07:01 AM »

I use Windows Live Writer to write my blog entries and have been extremely happy with the functionality.  Last week I started thinking about how exactly the connection is made from WLW to my web server to upload my blogs.  After a little research and a few emails back and forth to the Windows Live Product Group I discovered what I feared the most:  WLW sends over your credentials in the clear text.

So what happens when you fire up WLW?  Here is what the communication looks like to the naked eye:


Yikes!  You can clearly see that included in the XML content is a username and password, for all to see.  And what's worse is that you don't even have to post anything as simply starting up WLW will send this information out in the clear!  I cringe when I think about the blogging I may have done on a public wireless network.


  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,134
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: Insecure Blogging
« Reply #1 on: September 30, 2008, 12:27 PM »
So, really not Microsoft's fault... except that they should warn when not connecting through HTTPS://...

Oh, and somebody beat up the guy who writes that blog until he makes links stand out from the rest of the text.

- carpe noctem


  • That scary taskbar girl
  • Global Moderator
  • Joined in 2006
  • *****
  • Posts: 5,757
    • View Profile
    • Donate to Member
Re: Insecure Blogging
« Reply #2 on: October 09, 2008, 07:26 AM »
At least this is fixable with a work around.

The other issue I discovered, I can't seem to find a way around it that will allow me to upload images to Blogger in WLW, without a privacy/security risk involved, that sits in my blogs for the entire world to see.

That issue relates to giving out your GMail address/Blogger username to the whole world, as part of the image url. (this one is Google's fault)

When selecting the option to upload your images to Blogger, WLW uploads them to it's own album in PicasaWeb (in your account) and embeds the image with the URL given by Picasa. The issue is that your email address, which is also the username you use to log in to Blogger, is in the URL. (my username is different than the name used to sign my posts, for security/privacy reasons)

The only ways around this is not to upload the images to Blogger with WLW, and either configure WLW to upload them to your own FTP server and hotlink them or using Blogger's web based post editor to insert the images, so they will get a better URL that doesn't give away this kind of info.

Not everybody can use the FTP option, though, and even those that can upload the images to their own server may have hotlinking issues if their hosting company blocks that. Plus if the server goes down, you end up with a blog full of broken images. This happened to me and affected 10 blogs for over a week, while the hosting company sorted out it's issues.