The wordpress.com login mechanism is not secure!
[Update, it has been addressed, pity there was no announcement, and no warning with details of how to login securely]
Even when you go to it via secure-http, at https://www.wordpress.com, the login is done insecurely.
Why ? Because the login information is still posting to a non-secure
What does this mean ?
- your login name and password are sent in plain text, not encrypted.
- there is the potential that anybody on your lan, at the internet-cafe, at school, work, in the airport etc can get your password. They don’t even need to be very technically savvy.
Closer analysis of the website @ https://www.wordpress.com reveals the form is set as follows :
<form name="loginform" id="loginform" action="http://wordpress.com/wp-login.php" method="post">
Shouldn’t the action be to https://wordpress.com/wp-login.php ??
Thankfully, firefox alerts me to this with a message, so at least with that browser I may be aware something is not quite right.
“Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party.” is the message, as per the image below.
I found this suprising.
For instance, here [http://wordpress.com/blog/2006/03/08/secure-blogging/] is a blog entry touting the security of WordPressfrom 2006, yet today the login is very far from secure.