Did you know that you are most likely sending your blog account username and password in clear text? If you are using Windows Live Writer, and probably other "thick-client" blog editors as well, the connection is made the way the blog host directs it. And almost all of the major blog providers are not configured for secure connections.
After my last post I decided to do a little more research into how many blog providers are configured not to require SSL for authentication via Windows Live Writer (WLW). To perform the tests I used the latest version of Windows Live Writer and Fiddler 2.0. Armed with these two tools I proceeded to add the various blogs to my WLW while watching the traffic that was leaving my workstation. In all but one instance I was able to see the username and password travel from my workstation to the web server using HTTP; the output usually looked like the following:
Here are the results of my test:

| Blog Provider | Summary Notes | Result |
|---|---|---|
| MSN Spaces | This site uses Passport to authenticate users and does not leak the username/password in the clear | PASS |
| MSDN Blogs | This site leaks the username/password in the clear | FAIL |
| Wordpress | This site leaks the username/password in the clear | FAIL |
| dasBlog | This site leaks the username/password in the clear | FAIL |
| Google Blogger | This site leaks the username/password in the clear | FAIL |
| BlogEngine | This site leaks the username/password in the clear | FAIL |
| CommunityServer | This site leaks the username/password in the clear | FAIL |
Google's Blogger deserves a special award for its effort (actually lack of effort) in protecting the user's credentials. When testing Blogger I noticed that my initial credentials went to Google using HTTPS, but then WLW immediately sent my username and password to Blogger.com over HTTP. Have a look at what I'm talking about:
Initial credential going to Google via HTTPS:
Follow up credentials going to Blogger via HTTP:
So what does this actually mean? Well, it seems that a majority of the blog services don't require SSL to connect with Windows Live Writer, nor do they warn you that your credentials are in the clear. In fact, how would someone use Windows Live Writer without sending the credentials in the clear? Without an SSL connection it isn't possible today. Check back for another post where I talk about how I protect my blog postings with Windows Live Writer by using SSL.
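The check I did by eye in Fiddler can be scripted so you can audit your own editor's traffic the same way. The following is an added example, not code from the post or from Windows Live Writer: it assumes WLW talks to the blog through XML-RPC `blogger.*`/`metaWeblog.*` methods whose second and third parameters are the username and password, and the captured request, hostname and credentials are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed capture in the form a local proxy such as Fiddler shows for an
# XML-RPC login probe. Hostname and credentials are fictional.
SAMPLE_CAPTURE = """POST http://blog.example.test/xmlrpc.php HTTP/1.1
Host: blog.example.test
Content-Type: text/xml

<?xml version="1.0"?>
<methodCall>
  <methodName>blogger.getUsersBlogs</methodName>
  <params>
    <param><value><string>0123456789ABCDEF</string></value></param>
    <param><value><string>alice</string></value></param>
    <param><value><string>hunter2</string></value></param>
  </params>
</methodCall>
"""

def parse_capture(capture: str):
    """Split a proxied request into (scheme, url, body)."""
    head, _, body = capture.partition("\n\n")
    _method, url, _version = head.splitlines()[0].split(" ", 2)
    # Origin-form request lines carry no scheme; assume plain http for those.
    scheme = url.split("://", 1)[0].lower() if "://" in url else "http"
    return scheme, url, body

def xmlrpc_credentials(body: str):
    """Return (username, password) from a blogger.*/metaWeblog.* call, else None.
    Assumption: username and password are the 2nd and 3rd string parameters."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    name = root.findtext("methodName") or ""
    values = [s.text or "" for s in root.iter("string")]
    if name.startswith(("blogger.", "metaWeblog.")) and len(values) >= 3:
        return values[1], values[2]
    return None

def audit(capture: str) -> dict:
    """PASS if no credentials are present or the request used HTTPS; else FAIL."""
    scheme, url, body = parse_capture(capture)
    creds = xmlrpc_credentials(body)
    cleartext = creds is not None and scheme != "https"
    return {"url": url, "tls": scheme == "https",
            "credentials_present": creds is not None,
            "verdict": "FAIL" if cleartext else "PASS"}
```

Run `audit()` over each request your proxy captured while adding a blog account; a FAIL is exactly the case in the table above.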