- Merriam-Webster Dictionary
- Main Entry: in·se·cure
- Pronunciation: \ˌin-si-ˈkyu̇r\
not adequately guarded or sustained : unsafe <an insecure investment>
I use Windows Live Writer to write my blog entries and have been extremely happy with the functionality. Last week I started thinking about how exactly the connection is made from WLW to my web server to upload my blogs. After a little research and a few emails back and forth to the Windows Live Product Group I discovered what I feared the most: WLW sends over your credentials in the clear text.
So what happens when you fire up WLW? Here is what the communication looks like to the naked eye:
Yikes! You can clearly see that included in the XML content is a username and password, for all to see. And what's worse is that you don't even have to post anything as simply starting up WLW will send this information out in the clear! I cringe when I think about the blogging I may have done on a public wireless network.
Now it's not entirely fair to blame WLW for this lapse in security judgement. It turns out that WLW is using Really Simple Discovery to identify how best to connect with the web server hosting your blog. In fact, WLW is specifically looking for the rel="EditURI" tag to know where to connect. If the rel="EditURI" tag instructs WLW to connect using HTTP then that's how WLW connects. If the rel="EditURI" tag instructs WLW to connect using HTTPS then that's how WLW connects.
I believe the only thing WLW is doing wrong here is not properly warning people that user credentials might be going over the network in the clear depending on how the blog engine is configured.
So where does the RSD.XML file come from? Most blog services provide a link to this file in the header of the main web page. This feature helps applications (like WLW) locate the correct address to upload new blog entries. Have a quick look at the source of most blog pages and you will see the rel="EditURI" link. You may already know that BlogEngine is generating a fully standard and acceptable RSD.XML response whenever a connection is made to http://www.dscoduc.com/rsd.axd (have a look at mine if you would like to see if for yourself).
So for those who aren't hosting their own web server or those who don't want to configure a certificate on your server you are a little stuck. There isn't an easy fix for this issue. If you are able/interested in installing a SSL certificate on your web server then you will need to check out my next blog.
NOTE: One thing I was warned about by the WLW Product Group is that if you install a self-signed certificate (why not?! it's better than nothing!) then you will run into a problem with how WLW handles un-trusted certificates. You will need to use the command argument /allowunsafecertificates when launching WLW (ex. "C:\Program Files\Windows Live\Writer\WindowsLiveWriter.exe" /allowunsafecertificates)
In my next blog entry I will define how to temporarily disable the BlogEngine RSD.AXD handler that automatically generates the RSD.XML file and then create a static RSD.XML file that specifies using HTTPS. This is an ugly work around I know but I am going to start working on how BlogEngine could be configured to allow the user to choose SSL, or automatically determine if the web server supports SSL and change the link dynamically.
