MetaWeblog and security
Greg Abbas

I've been using MetaWeblog to allow me to write articles for this blog in Ecto, and it's still working very well. There's a security issue that's worth mentioning, though: MetaWeblog sends authentication information (i.e., your password) over the network without encrypting it. It'd be really nice if it used an MD5 digest scheme or something instead of cleartext, but it doesn't. As I mentioned previously, MetaWeblog unfortunately has several deficiencies, and this is one of them. As Jacob Kaplan-Moss points out, this means that unless you encrypt your connection with HTTPS, your password is vulnerable to snooping, so hooking up HTTPS is probably a good idea.

Now that I think about it, I suppose the same argument applies anywhere you might POST a password in Django, including the Admin app. So if you don't want the other folks in your internet cafe getting unauthorized access to your website, then I guess you should encrypt the Admin app too. Just because you're paranoid doesn't mean they're not out to get you. :-)

1 response to "MetaWeblog and security"

  1. fatgeekuk, September 9, 2008 at 3:48 a.m.

    Surely, whether it is sent as an MD5 hash or as plaintext does not matter.

    The fact that a black hat would be able to intercept it somehow means that the plaintext or the MD5 would be just as useful in faking out the web server, right?

    What would be a counter to a MitM would be to use HTTPS, instead of plain HTTP.
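The cleartext-on-the-wire point from the post and the replay objection in the comment, as an added Python example that is not part of the original page or of MetaWeblog, Ecto or Django: it serializes a metaWeblog.newPost call the way an XML-RPC client would, checks that the password is readable in the POST body, and contrasts a static MD5 digest (captured once, replays forever) with a nonce-bound digest (single use). The credential, the two toy server classes and the nonce format are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import xmlrpc.client

PASSWORD = "correct horse battery staple"  # constructed sample credential, not real

def new_post_on_the_wire(username, password, title, body):
    """Serialize metaWeblog.newPost as an XML-RPC client puts it in the POST body:
    (blogid, username, password, struct, publish)."""
    post = {"title": title, "description": body}
    return xmlrpc.client.dumps((1, username, password, post, True),
                               methodname="metaWeblog.newPost")

def password_in_clear(wire_body, password):
    """Over plain HTTP a passive sniffer reads the password straight out of the body."""
    return password in wire_body

def static_digest(password):
    """The naive 'send an MD5 instead' idea: hash only the password, nothing else."""
    return hashlib.md5(password.encode()).hexdigest()

class StaticDigestServer:
    """Accepts the static digest, so a digest captured once logs in forever."""
    def __init__(self, password):
        self.expected = static_digest(password)
    def login(self, presented):
        return hmac.compare_digest(presented, self.expected)

class NonceDigestServer:
    """Challenge-response: the digest binds a server-issued, single-use nonce, so a
    captured digest fails on replay. An active MitM relaying it live still wins;
    closing that gap is what HTTPS is for."""
    def __init__(self, password):
        self.password = password
        self.outstanding = set()
    def challenge(self):
        nonce = secrets.token_hex(8)
        self.outstanding.add(nonce)
        return nonce

    @staticmethod
    def digest(password, nonce):
        return hashlib.md5(f"{nonce}:{password}".encode()).hexdigest()

    def login(self, nonce, presented):
        if nonce not in self.outstanding:
            return False                  # unknown or already-used challenge
        self.outstanding.discard(nonce)   # consume it: a replay fails here
        return hmac.compare_digest(presented, self.digest(self.password, nonce))
```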

