Your Name

March 25, 2008 - 7:14pm

Blog XMLRPC Security

How important is it to you?

When you use the Flock Blog feature, it connects to your server using those XML requests. If there is a protocol analyzer on your network, the captured packets have your user name and password for that blog, in plain text. I'm sure many of you already know of this though, and it's very understandable. It's not like the browser is going to go out and use 3DES/DES or even plain IPSec for a little feature; it would slow it down too much, especially for a feature that not many people use. I'm creating my own blog based on my framework for my site, and I'm just trying to think of ways instead of entering a user name and password for credentials (my site will also have public blogs for the technical users). Any of you familiar with Linux, SSH in particular, might have some experience using Diffie-Hellman asymmetric keys for encrypting data. I'm thinking about creating keys for every IP the user wishes to use on their account, along with a pass code/pass phrase, which would create a private and public key. You would then be able to enter your user name, or another credential, not decided on yet, and your public key, which would authorize against the private key in the database. Now, this would run parallel to the users' account, and they would still have the generic username and password for site functions, but more secure forms for the XMLRPC communications.

Feedback?


Reistlehr-

March 25, 2008 - 7:15pm

I posted the above post. Didn't realize I wasn't logged in. :)

Manish Singh

March 28, 2008 - 4:43pm

If you're just looking for link layer security, this is already solved by SSL (HTTPS).

Reistlehr-

March 28, 2008 - 5:46pm

If you're browsing the internet, HTTPS is great, but the blogging plugin does not use HTTPS to create the socket/send the XML data to your blogging site. Even if you use a self-hosted blog, Flock returns an error if you append the https:// prefix to the URI when setting up a new account (Self Hosted). Also, you don't receive an option to add the account if you log in with SSL to LiveJournal, WordPress, Blogger, and MetaWeblog (it automatically opens the non-secure link in the tab). There's basically no security for the Flock Blog plugin, browser-side. Here in my building, I tell my employees for now to not use the plugin, as our network logs get audited every few months, and auditors have access to the plain-data username and password.

Manish Singh

March 28, 2008 - 6:37pm

Fixing the blog editor to be able to use HTTPS would be far simpler than handrolling some custom framework as you initially suggested.

I've filed a bug to that effect:
https://bugzilla.flock.com/show_bug.cgi?id=12846
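As an added example (not code from this thread, from Flock, or from the bug above), the following Python script shows the point made by both sides of the discussion: a Blogger/MetaWeblog-style XML-RPC login carries the username and password as plain string parameters in the request body, so on plain HTTP a packet capture reads them directly, while over HTTPS the same body is inside TLS. It includes a small audit helper of the kind a network auditor could run over captured requests and a client guard that refuses to send the call to a non-HTTPS endpoint. The method names follow the public Blogger and MetaWeblog APIs; the app key, endpoint and credentials are constructed placeholders.

```python
"""Added example (not code from this thread or from Flock): what an
XML-RPC blog login looks like on the wire, an audit helper that spots
such logins in an HTTP capture, and a client guard that only sends the
call over HTTPS. Method names follow the public Blogger/MetaWeblog APIs;
the app key, endpoint and credentials below are constructed placeholders."""
import xmlrpc.client
from urllib.parse import urlparse

# XML-RPC blog methods whose parameter list carries username + password.
# Blogger API: (appkey, username, password, ...);
# MetaWeblog API: (blogid, username, password, ...).
# Value = (index of username, index of password) in the params tuple.
CREDENTIAL_METHODS = {
    "blogger.getUsersBlogs": (1, 2),
    "metaWeblog.getRecentPosts": (1, 2),
    "metaWeblog.newPost": (1, 2),
    "metaWeblog.editPost": (1, 2),
}


def build_login_request(username: str, password: str) -> str:
    """Serialise the call a blog editor makes to list a user's blogs."""
    return xmlrpc.client.dumps(("APPKEY-PLACEHOLDER", username, password),
                               methodname="blogger.getUsersBlogs")


def credentials_visible(body: str, username: str, password: str) -> bool:
    """Exactly what a protocol analyser sees on a plain-HTTP connection:
    the literal username and password inside the <methodCall> body."""
    return username in body and password in body


def audit_capture(scheme: str, body: str):
    """Audit helper: given the URL scheme of a captured request and its
    body, return (methodname, username) when the body is an XML-RPC call
    that carries a password in the clear, else None. Over HTTPS the body
    is not readable on the wire, so nothing is flagged."""
    if scheme != "http":
        return None
    try:
        params, methodname = xmlrpc.client.loads(body)
    except Exception:  # not a parseable XML-RPC body
        return None
    if methodname not in CREDENTIAL_METHODS:
        return None
    user_idx, _ = CREDENTIAL_METHODS[methodname]
    if len(params) <= user_idx:
        return None
    return methodname, params[user_idx]


def endpoint_is_safe(endpoint: str) -> bool:
    """True only for https:// endpoints."""
    return urlparse(endpoint).scheme == "https"


def make_client(endpoint: str) -> xmlrpc.client.ServerProxy:
    """Client guard: refuse to create a proxy that would send the login
    call over plain HTTP. A ServerProxy built from an https:// URL uses
    Python's default SSL context, which verifies the server certificate
    when the first call is made (no network traffic happens here)."""
    if not endpoint_is_safe(endpoint):
        raise ValueError(f"refusing to send blog credentials over {endpoint}")
    return xmlrpc.client.ServerProxy(endpoint)


if __name__ == "__main__":
    body = build_login_request("alice", "hunter2")  # constructed sample
    print(body)
    print("visible in clear:", credentials_visible(body, "alice", "hunter2"))
    print("audit over http:", audit_capture("http", body))
    print("audit over https:", audit_capture("https", body))
    client = make_client("https://blog.example/xmlrpc.php")  # placeholder URL
    print("client created for:", client)
```

Running the script prints the full `<methodCall>` body with the username and password readable as plain `<string>` values, which is what the first post describes seeing in captures; `audit_capture` flags that same body when it arrived over http and stays silent over https, and `make_client` is the one-line fix Manish proposes for the editor side: only ever open the XML-RPC connection over HTTPS.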
