If you have been following my previous posts you will have noticed that a large majority of bloggers (aware or unaware) are sending their usernames and passwords out into the hostile Internet world for all to see. In fact, with a little digging you can see that the real problem lies in how the MetaWeblog API evolved without any way to protect the authentication information. My take is that the blogging community: (a) doesn't care about security in regards to blogging, (b) doesn't know their credentials are being sent in clear text, or (c) believes there isn't an easy mitigation for this risk, so everyone just keeps their head down.
This really irks me because I believe the majority of bloggers fall into the (b) category. My wife, for example, probably never thought about her password when she started her Blogger account. She noticed the SSL connection during her Google login but never thought twice when she switched over to an offline client blogging tool. Now she understands the risk, but only after I pointed it out to her.
So what is the answer for those out there who want to practice secure blogging? Unfortunately it seems that today we have to rely on SSL to protect our communication. For those who are hosting their own blog it's not that big of a deal to get a certificate configured for your blog. For those who are using a hosted blog provider it's a little more difficult. In fact, I don't believe any of the major blog providers offer secure MetaWeblog API connections. So the only things I would suggest for those using a hosted blog provider are: do not use the same password that you use for anything else, and make sure you trust the Internet provider you are connected to when you use an offline client blogging tool.
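To make the clear-text problem concrete, here is an added example (not code from the original post or from BlogEngine.NET) that serialises a MetaWeblog call the way an offline client does, audits a captured request body for credentials against the endpoint scheme, and shows the refuse-unless-https check a cautious client should apply. It assumes the standard positional signatures from the MetaWeblog API spec; the endpoint URLs and account values are constructed.

```python
import xmlrpc.client
from urllib.parse import urlparse

# Positional index of (username, password) in the MetaWeblog / Blogger API
# methods offline clients call. Assumption: the standard signatures, e.g.
# newPost(blogid, username, password, struct, publish) and
# blogger.getUsersBlogs(appkey, username, password).
CREDENTIAL_POSITIONS = {
    "metaWeblog.newPost": (1, 2),
    "metaWeblog.editPost": (1, 2),
    "metaWeblog.getPost": (1, 2),
    "metaWeblog.getRecentPosts": (1, 2),
    "metaWeblog.getCategories": (1, 2),
    "metaWeblog.newMediaObject": (1, 2),
    "blogger.getUsersBlogs": (2, 3),
}


def build_request(method, params):
    """Serialise an XML-RPC call the way a blogging client puts it on the wire."""
    return xmlrpc.client.dumps(tuple(params), methodname=method)


def audit_request(endpoint_url, body):
    """Inspect one captured XML-RPC request body: does it carry MetaWeblog
    credentials, and does the endpoint URL protect them with TLS?"""
    params, method = xmlrpc.client.loads(body)
    positions = CREDENTIAL_POSITIONS.get(method)
    report = {"method": method, "has_credentials": positions is not None,
              "over_tls": urlparse(endpoint_url).scheme.lower() == "https"}
    if positions is not None:
        user_idx, pw_idx = positions
        report["username"] = params[user_idx]
        # The password is literally present in the XML; without TLS anyone
        # on the path (hotspot operator, ISP) can read it.
        report["password_in_clear"] = params[pw_idx] in body and not report["over_tls"]
    return report


def require_tls(endpoint_url):
    """Refuse to send credentials to a non-https endpoint."""
    if urlparse(endpoint_url).scheme.lower() != "https":
        raise ValueError("MetaWeblog endpoint must use https: " + endpoint_url)
    return endpoint_url


if __name__ == "__main__":
    # Constructed sample: a newPost call to a hypothetical BlogEngine.NET endpoint.
    body = build_request("metaWeblog.newPost",
                         ["1", "alice", "s3cret-pw", {"title": "Hello", "description": "<p>hi</p>"}, True])
    print(audit_request("http://blog.example.com/metaweblog.axd", body))
    print(audit_request("https://blog.example.com/metaweblog.axd", body))
```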
For those of you using BlogEngine.NET, I have made some changes to the BlogEngine.NET source code which add support for SSL-based MetaWeblog API communication. I have posted the necessary changes in the Issue Tracker section of CodePlex/BlogEngine. As of BlogEngine.NET build 1.3 these changes haven't been implemented.
NOTE: These changes will only help you if you have configured your blog to support SSL. If you do not have an SSL certificate associated with your blog then don't bother doing these steps, because without an SSL certificate it is impossible to connect to your blog using SSL.
Here are the links to the two Issues submitted:
One note worth mentioning. If you are using Windows Live Writer and have configured your website with a self-signed certificate then you will need to add the following startup argument when launching Windows Live Writer: /allowunsafecertificates
If, however, you are not feeling adventurous and would prefer to not make these changes yourself then you can download the updated version of the BlogEngine.dll file that I am using today.
BlogEngine_Core.zip (230.59 kb) | BlogEngine 1.3 Custom Source Code.zip (15.74 kb)
April 15th UPDATE: I have updated the BlogEngine.Core.DLL to include the patch for the Security Vulnerability discovered on April 13th. If you have previously downloaded this file then you should download it again to get the latest patch.