October 5, 2007
The wordpress.com login mechanism is not secure!
[Update: it has been addressed, though a pity there was no announcement and no warning with details of how to log in securely.]
Even when you go to it via secure HTTP, at https://www.wordpress.com, the login is done insecurely.
Why? Because the login information is still posted to a non-secure http:// location!
What does this mean? Consider:
- your login name and password are sent in plain text, not encrypted.
- there is the potential that anybody on your LAN, at the internet cafe, at school, at work, in the airport, etc. can get your password. They don’t even need to be a technical genius.
Closer analysis of the website at https://www.wordpress.com reveals the form is set as follows:
<form name="loginform" id="loginform" action="http://wordpress.com/wp-login.php" method="post">
Shouldn’t the action be to https://wordpress.com/wp-login.php ??
Thankfully, Firefox alerts me to this with a message, so at least with that browser I may be aware something is not quite right.
“Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party.” is the message, as per the image below.
I find this very surprising, don’t you?
For instance, here [http://wordpress.com/blog/2006/03/08/secure-blogging/] is a blog entry from 2006 touting the security of WordPress, yet today the login is very far from secure.
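A defender-side check for exactly this misconfiguration, added here as an example and not code from the original post: it parses a page that was fetched over https and reports every form whose action resolves to plain http, which is what the Firefox warning quoted above is reacting to. The sample HTML is constructed to mirror the form quoted above; the function and page names are this example's own.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect (name, action) pairs for every <form> on the page."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag != "form":  # HTMLParser lowercases tag names for us
            return
        a = dict(attrs)
        self.forms.append((a.get("name") or a.get("id") or "", a.get("action") or ""))


def find_insecure_form_actions(page_url, html):
    """Return [(form_name, resolved_action)] for forms on an https page whose
    submission would leave the TLS session, i.e. whose action resolves to http://.
    An empty, relative or protocol-relative action inherits the page's https
    scheme and is fine; an explicit http:// action (as in the form above) is flagged."""
    if urlsplit(page_url).scheme != "https":
        return []  # the page itself is plaintext; that is a different problem
    collector = _FormCollector()
    collector.feed(html)
    findings = []
    for name, action in collector.forms:
        target = urljoin(page_url, action)  # resolves "", "/x" and "//host/x"
        if urlsplit(target).scheme == "http":
            findings.append((name, target))
    return findings


# Constructed sample: the login form quoted above plus a harmless relative one
SAMPLE_HTML = """
<html><body>
<form name="loginform" id="loginform" action="http://wordpress.com/wp-login.php" method="post">
  <input name="log"><input name="pwd" type="password">
</form>
<form name="search" action="/search.php" method="get"><input name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    for name, target in find_insecure_form_actions("https://www.wordpress.com/", SAMPLE_HTML):
        print(f"form {name!r} submits over plaintext to {target}")
```

The same scan run against a mirrored copy of a site's pages is a cheap regression check that no form has quietly regained an http:// action.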
Ramblings, TechIt | Tagged: security, wordpress |
Posted by dmom
October 3, 2007
I just installed Ubuntu on my laptop, and again I am hit with a slow browsing experience on some networks.
For instance, if you are in Éire and get “broadband” from eircom, you may be having a slow browsing experience on your Linux machine.
From what I’ve been reading each time I hit such an issue, the problem is usually that the cheap router(s) supplied and/or on the ISP’s network are not responding to AAAA requests, so only after a timeout will a backward-compatible A request be sent.
All this, per request to the internet, has a significant impact on day-to-day browsing.
You can work around this kind of ISP issue by stopping your machine from sending the AAAA requests (which the cheap, non-standards-compliant router won’t respond to… ?).
To do this on Ubuntu, try one of the following:
- Disable these AAAA/IPv6 requests only for your browser. For Firefox, enter about:config in the address bar, locate the line starting with network.dns.disableIPv6 (the filter capability is your friend here) and change the value to true.
- Disable these AAAA/IPv6 requests at a system-wide level: edit /etc/modprobe.d/aliases, perhaps via
sudo vim /etc/modprobe.d/aliases
or
sudo gedit /etc/modprobe.d/aliases
and change the line
alias net-pf-10 ipv6
to
alias net-pf-10 off
Save the file and you should be motoring nicely again.
TechIt |
Posted by dmom
October 3, 2007
Temporarily:
sudo modprobe -r pcspkr
Permanently (for the life of the OS), append this
# disable pc speaker beeps
blacklist pcspkr
to /etc/modprobe.d/blacklist,
perhaps via
sudo vim /etc/modprobe.d/blacklist
or
gksudo gedit /etc/modprobe.d/blacklist
Open Source | Tagged: tips |
Posted by dmom