WordPress Security : User account details at risk

October 5, 2007

The wordpress.com login mechanism is not secure!

[Update: it has been addressed. Pity there was no announcement, and no warning with details of how to log in securely.]

Even when you go to it via secure-http, at https://www.wordpress.com, the login is done insecurely.

Why? Because the login information is still posted to a non-secure http:// location!

What does this mean? Consider:

  1. your login name and password are sent in plain text, not encrypted.
  2. anybody on your LAN, at the internet cafe, at school, at work, in the airport etc. can potentially capture your password. They don’t even need to be a technical genius.

Closer analysis of the website at https://www.wordpress.com reveals the form is set up as follows:

<form name="loginform" id="loginform" action="http://wordpress.com/wp-login.php" method="post">

Shouldn’t the action be https://wordpress.com/wp-login.php?

Thankfully, Firefox alerts me to this with a message, so at least with that browser I may be aware something is not quite right.

“Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party.” is the message, as per the image below.

[Image: Firefox warning that the encrypted wordpress.com login page is about to submit over an unencrypted connection]

I find this very surprising, don’t you?

For instance, here [http://wordpress.com/blog/2006/03/08/secure-blogging/] is a blog entry from 2006 touting the security of WordPress, yet today the login is very far from secure.
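The check Firefox performs can be scripted, which is handy when auditing many login pages at once. The following is an added example, not code from the original post or from WordPress: it parses a page fetched over https and reports every form whose submit target, after resolving a missing or relative action against the page URL the way a browser does, is not https. The sample HTML is constructed here from the form markup quoted above, and the `https://www.wordpress.com/` page URL is assumed.

```python
"""Report forms on an HTTPS page that submit their fields over plain HTTP."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormActionCollector(HTMLParser):
    """Collect (label, action) for every <form> element in a document."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag != "form":  # HTMLParser lower-cases tag names for us
            return
        a = dict(attrs)
        label = a.get("id") or a.get("name") or "<anonymous>"
        self.forms.append((label, a.get("action")))


def insecure_form_actions(page_url, html):
    """Return [(label, resolved_target)] for forms that do not submit via https.

    page_url is the URL the page was loaded from. A missing action means
    "submit to the current page", and a relative action is resolved against
    page_url, which is exactly what the browser does before posting.
    """
    parser = FormActionCollector()
    parser.feed(html)
    findings = []
    for label, action in parser.forms:
        target = urljoin(page_url, action or "")
        if urlsplit(target).scheme != "https":
            findings.append((label, target))
    return findings


# Constructed sample page: the login form quoted in the post, plus a
# relative-action search form to show how resolution against the page URL works.
SAMPLE_PAGE = """
<html><body>
<form name="loginform" id="loginform" action="http://wordpress.com/wp-login.php" method="post">
  <input name="log"><input name="pwd" type="password">
</form>
<form id="search" action="/search.php" method="get"><input name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    page = "https://www.wordpress.com/"  # assumed page URL
    for label, target in insecure_form_actions(page, SAMPLE_PAGE):
        print(f"form {label!r} on {page} submits over plain HTTP to {target}")
```

Run against the sample, only `loginform` is reported: the search form's relative action inherits the https scheme of the page it sits on, whereas the login form's absolute http:// action throws the credentials onto the wire in the clear regardless of how the page itself was loaded.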


Updating Ubuntu on a Dell Inspiron 9400 with ATI graphics

October 3, 2007

I installed Ubuntu 6 on my Dell the other day; it’s out of date but I had the CD to hand.

Last night I upgraded to Ubuntu 7.04 and X (the graphics server) stopped working.

I logged in and ran the following to get it going again:


sudo aptitude install xorg-driver-fglrx

sudo aticonfig --initial

sudo modprobe fglrx

sudo /etc/init.d/gdm restart

This

  1. installs the required graphics driver
  2. updates the graphics config
  3. loads the required driver
  4. restarts the graphics server with the new settings

It’s a pity 7.04 couldn’t degrade nicely and use the same driver 6 was able to work with. The resolution was poor but at least it was usable in graphical mode until you managed to figure out a solution.

Not everybody has an alternative PC to search for help online, or is comfortable with web browsing from the command console.


Slow browsing

October 3, 2007

I just installed Ubuntu on my laptop, and again I am hit with a slow browsing experience on some networks.

For instance, if you are in Éire and get “broadband” from eircom, you may be having a slow browsing experience on your Linux machine.

From what I’ve been reading each time I hit such an issue, the problem is usually that the cheap router(s) supplied by the ISP and/or the resolvers on the ISP’s network do not respond to AAAA (IPv6 address) queries, so only after a timeout is the backward-compatible A query sent, which is then answered.

All this, per name lookup, has a significant impact on day-to-day browsing.

You can work around this kind of ISP issue by stopping your machine from sending the AAAA queries in the first place (which the cheap, non-standards-compliant router won’t answer anyway).

To do this on Ubuntu, try one of the following:

  1. Disable AAAA/IPv6 lookups only for your browser. In Firefox, enter

     about:config

     in the address bar, locate the preference

     network.dns.disableIPv6

     (the filter box is your friend here) and change its value to

     true

  2. Disable IPv6 at a system-wide level. Edit

     /etc/modprobe.d/aliases

     perhaps via

     sudo vim /etc/modprobe.d/aliases

     or

     gksudo gedit /etc/modprobe.d/aliases

     and change the line

     alias net-pf-10 ipv6

     to

     alias net-pf-10 off

     Save the file and reboot for the change to take effect; you should be motoring nicely again. Note that this stops the ipv6 kernel module from loading at all, so it turns off IPv6 for every application on the machine, not just the AAAA lookups.


Disabling the PC speaker in Ubuntu

October 3, 2007

Temporarily:

sudo modprobe -r pcspkr

Permanently (for the life of the OS):

append this

# disable pc speaker beeps
blacklist pcspkr

to

/etc/modprobe.d/blacklist

perhaps via

sudo vim /etc/modprobe.d/blacklist

or

gksudo gedit /etc/modprobe.d/blacklist