Cleartext passwords
 
JamieJamison



Joined: 22 Mar 2004
Posts: 10
Location: Philadelphia, PA

Posted: Wed Mar 24, 2004 4:59 pm    Post subject: Cleartext passwords

I noticed that the blogharbor username and password are sent in cleartext when logging in. I suspect that this is a function of Blogware more so than Blogharbor, but I would like to recommend that passwords at a minimum be encoded and preferably that the login page be changed to an SSL-encrypted page, that way when people are using public wireless hotspots or a wireless network in their home to blog, they won't be susceptible to having their credentials sniffed.
john
Site Admin


Joined: 16 Mar 2004
Posts: 3434

Posted: Thu Mar 25, 2004 12:21 am

Your username and password are protected by SSL encryption when logging in via our Login page, though the login box on your weblog itself does not have SSL encryption at this time. Improvements are planned for SSL support; this area is one that will be refined and improved as we move forward.
JamieJamison



Joined: 22 Mar 2004
Posts: 10
Location: Philadelphia, PA

Posted: Thu Mar 25, 2004 5:55 am

I see that the actual login page is encrypted, but when the password is being submitted to login.blogharbor.com, the packets are not SSL encrypted. I was running a sniffer on my own wireless connection, and I was able to view my username and password in clear text. I also wonder if the SSL is something that was added recently on the login page? I had memorized my password before, but today it doesn't remember, which usually indicates a new login page. I am also timing out this morning when trying to connect to login.blogharbor.com.
JamieJamison



Joined: 22 Mar 2004
Posts: 10
Location: Philadelphia, PA

Posted: Thu Mar 25, 2004 5:58 am

It looks like that connection problem is blogware as a whole. I can't display my test blog, nor can I display www.blogware.com, the blogharbor demo blog or login through blogharbor. I hope this isn't indicative of reliability - Typepad has experienced some reliability issues after their exponential growth that is what started me looking into other blog hosting alternatives.
john
Site Admin


Joined: 16 Mar 2004
Posts: 3434

Posted: Thu Mar 25, 2004 8:46 am

JamieJamison wrote:
I see that the actual login page is encrypted, but when the password is being submitted to login.blogharbor.com, the packets are not SSL encrypted. I was running a sniffer on my own wireless connection, and I was able to view my username and password in clear text. I also wonder if the SSL is something that was added recently on the login page? I had memorized my password before, but today it doesn't remember, which usually indicates a new login page. I am also timing out this morning when trying to connect to login.blogharbor.com.


Until yesterday, the login page itself was shown in a standard http connection, but posted results to an SSL host. In order to make it more clear that users were actually sending protected and encrypted data, I set the Login page to display in an https connection. Although it does not matter if the login page itself is displayed in a https page as long as the form posts to the SSL enabled port, I thought it would make users more comfortable to start with a page in a secure connection.

Can you check your sniffer again? I can not see any scenario where your login would be sent in clear text if you are sending it through our Login page...
john
Site Admin


Joined: 16 Mar 2004
Posts: 3434

Posted: Thu Mar 25, 2004 8:55 am

It does appear there was an unplanned outage this morning, we will have more details later today. I will post a summary when there is more information.
abacquer



Joined: 22 Mar 2004
Posts: 193

Posted: Thu Mar 25, 2004 11:41 am

john wrote:
It does appear there was an unplanned outage this morning, we will have more details later today. I will post a summary when there is more information.


Is this why there are no webstats for 3-24?
_________________
-- Abacquer, A.K.A. Chuck Seggelin
JamieJamison



Joined: 22 Mar 2004
Posts: 10
Location: Philadelphia, PA

Posted: Thu Mar 25, 2004 8:04 pm

Hi John,

Two things - I see that the login pages and the posting has changed. It is now SSL encrypted, and I get a message that says the SSL certificate was issued to Blogware, which is different than the login page's address. You should be aware that your clients will get a prompt about this every time they attempt to login to the Blogware server.

Secondly, any progress on what happened with the unplanned down time today? Thanks.
Guest






Posted: Fri Mar 26, 2004 1:31 am

abacquer wrote:
Is this why there are no webstats for 3-24?


Yes, this is why there were no webstats for 3/24. Webstats are generated daily, so they should appear tomorrow. Or, now it is already tomorrow so I should say today...
Guest






Posted: Fri Mar 26, 2004 1:36 am

JamieJamison wrote:
Two things - I see that the login pages and the posting has changed. It is now SSL encrypted, and I get a message that says the SSL certificate was issued to Blogware, which is different than the login page's address. You should be aware that your clients will get a prompt about this every time they attempt to login to the Blogware server.


Funny, you must have been reading my mind... I changed the Login page to post to the Blogware URL so that people won't get any errors about certificate mismatches.

As for the server outage, I did post a notice here but I do not currently have additional information as to the cause. But we do know that there was no data loss, and I will update that page when I have additional information.
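The three login arrangements discussed in this thread (a login box on a plain-HTTP weblog page, an HTTP login page that posts to an SSL host, and an HTTPS post to a host whose certificate names a different site) can be told apart by auditing the form markup. This is an added example, not part of any post and not BlogHarbor or Blogware code; the host names, markup and certificate names are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class PasswordForms(HTMLParser):
    """Collect the action attribute of every <form> holding a password input."""
    def __init__(self):
        super().__init__()
        self.forms, self._open = [], False   # forms: [action, has_password]
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append([a.get("action") or "", False])
            self._open = True
        elif tag == "input" and self._open and (a.get("type") or "").lower() == "password":
            self.forms[-1][1] = True
    def handle_endtag(self, tag):
        if tag == "form":
            self._open = False

def name_matches(host, pattern):
    """Exact match, or a '*.' pattern covering exactly one left-most label."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern

def audit_login(page_url, html, cert_names):
    """Return {post_target: [issues]} per password form; cert_names maps host -> certificate names."""
    parser = PasswordForms()
    parser.feed(html)
    report = {}
    for action, has_password in parser.forms:
        if not has_password:
            continue
        target = urljoin(page_url, action)   # an empty action posts back to the page
        parts, issues = urlsplit(target), []
        if urlsplit(page_url).scheme != "https":
            issues.append("form-served-over-http")   # markup can be altered in transit
        if parts.scheme != "https":
            issues.append("credentials-posted-in-cleartext")
        elif not any(name_matches(parts.hostname, n) for n in cert_names.get(parts.hostname, [])):
            issues.append("certificate-name-mismatch")   # the browser prompt reported above
        report[target] = issues
    return report

# Constructed sample: hosts, markup and certificate names are made up for illustration.
CERTS = {"login.bloghost.example": ["*.platform.example"],
         "www.platform.example": ["*.platform.example"]}
FORM = '<form method="post" action="{}"><input name="u"><input type="password" name="p"></form>'
```

Calling `audit_login(page_url, FORM.format(action), CERTS)` with each arrangement's page URL and form action returns the issues for that arrangement; a host missing from `cert_names` is reported as a mismatch because nothing vouches for it.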
john
Site Admin


Joined: 16 Mar 2004
Posts: 3434

Posted: Fri Mar 26, 2004 1:39 am

That was me posting those last 2 notes, forgot to login...
john
Site Admin


Joined: 16 Mar 2004
Posts: 3434

Posted: Wed Mar 31, 2004 10:33 am    Post subject: Followup on system outage of 3/25

My apologies for not posting this followup sooner... I just posted the following to http://demo.blogharbor.com/blog/_archives/2004/3/25/29640.html:

The outage was caused by a software upgrade to the Blogware system which did not go as planned, and had to be reversed. Processes have been implemented to make sure that this type of issue is avoided in the future.

It should be noted that the Blogware system which powers BlogHarbor is being developed and maintained by the same team that developed and administers the Tucows OpenSRS domain name registrar, which is now the second largest registrar with over 4 million domains under management. The Tucows mirror network processes hundreds of gigabytes of data daily, terabytes if internodal transfers are included.

This team has years of real world experience in building large scale, high availability database systems that serve large numbers of concurrent users and transfer enormous amounts of data every day. This level of experience and the resulting uptime and availability sets us apart from other hosted weblog services.
All times are GMT - 5 Hours