Mar 20 2008

The Good, the bad and the ugly: WordPress, Scribefire and Wireshark

Published by at 6:55 pm under Encryption,Humor,Site Configuration

As a security professional, I have a number of things I consider bad habits. One of these is that I let Firefox remember many of my passwords for me, at least when it comes to my low security sites. And for better or for worse I consider the blog one of the low risk sites, therefore I let Firefox keep the password for me and just know that I can log in with a click of the button. Until tonight that is; I upgraded to Firefox 3 beta 4 and for whatever reason, it lost the password to the blog.

At first, I didn’t think this was a big deal; after all I was pretty sure I remembered the password. But after trying the password I thought it was and half a dozen of my other passwords I use on low risk sites, none of them worked. I figured that was not a big deal either, since I could just use the reset password function to … well, reset my password. But that module told me I had a valid account name but an invalid e-mail address. This made me panic a little because I know that I sometimes get a little tricky with my email addresses and add a few descriptive characters then redirect to my active email address once the email hits my mail server. None of the standard email addresses worked, neither did some of the non-standards, and eventually I exceeded the allowed attempts.

That’s when I remembered the one other place I knew I had the password stored, Scribefire. I have been using Scribefire in one form or another for several years now, and in fact I’m writing this posting in it. It’s a great tool for WYSIWIG editing and life would be harder without it. One of the things they’ve done right is to make sure that you can’t recover the user name or password from inside Scribefire, a security measure I appreciate. Or usually appreciate, that is.

That’s when I remembered that for all the things WordPress does right, the login is done over plain vanilla http. There’s no encryption, no use of SSL, nothing. And since Scribefire has to log into WordPress to do some of the magic it does, that means the user name and password would be flowing across the ethernet cable in plain text. I had an older version of Ethereal, now Wireshark, on my system, fired that up, played with Scribefire for a couple of moments and examined the capture. Sure as snot, there was my user name and password, plain as day. Turns out I’d had the proper password, but I’d forgotten a character that’s supposed to capitalized in the user name. D’ooh.

The real lesson here is not that you shouldn’t rely on your browser to remember your password. Okay, that is a lesson, but it’s not the real lesson. The real lesson is that all too often, our passwords, user names and other sensitive information is flowing across the network unencrypted. It’s open for anyone with a little bit of curiosity. They just need one of the first tools any aspiring security pro or hacker learns to use, a sniffer. In properly switched and segmented networks, this may not be a problem, but there are probably more poorly setup networks than properly configured ones. And I don’t want to rely on the work of a network administrator I don’t know to keep me safe, I want my programs to do it themselves. I’m currently looking at Login Encrypt as a WordPress plugin to solve the problem, but I’m going to keep looking before I bite on this one. But this only solves the problem in WordPress; what about all of the other sites I use that allow unencrypted login?

[Slashdot] [Digg] [Reddit] [del.icio.us] [Facebook] [Technorati] [Google] [StumbleUpon]

3 responses so far

3 Responses to “The Good, the bad and the ugly: WordPress, Scribefire and Wireshark”

  1. Mark Palmeron 21 Mar 2008 at 8:38 am

    Have you experienced the following:

    1. Login into secure webmail site (e.g. https://example.com)
    2. Then auto-magically it drops the secure connection (e.g. http://example.com)

    My ISP’s webmail service does this. That and the amount of ads they’ve placed onto the webmail interface is really annoying. You can read more about my rant at http://marktpalmer.com

    I was wondering if an ISP could be liable for any security issues related to having customer email pass through in clear text. I presume ISPs do this just to save a buck (are they really saving on the costs of SSL connections for webmail connections?).

    Regards,
    Mark Palmer

  2. Sebastianon 25 Mar 2008 at 7:19 pm

    I ran into the issue with passwords also. One of the best tools that I have come across (and best of all it’s free) is PasswordSafe. It’s like ScribeFire, except it’s a local program on your machine:
    http://passwordsafe.sourceforge.net/

  3. Mikeon 07 Dec 2008 at 12:05 am

    Sort of disheartening to be reminded that for all the strength you can try to put into your passwords and accounts, in the end it’s still up to the site or the application to make proper use of them and keep them secure while they get to where they’re going. Also I see the https -> http issue quite often when logging in to email and other sites. Not something I like seeing either.

Trackback URI | Comments RSS

Leave a Reply

%d bloggers like this: