Friday, 27 April 2012

Blogger in HTTP only? What happened to HTTPS?

UPDATE (2016): Blogger has limited support for HTTPS; see https://security.googleblog.com/2016/05/bringing-https-to-all-blogspot-domain.html

Now that I'm blogging more, I'm finding the need to blog from insecure locations (like a coffee shop or conference).

But unfortunately it doesn't seem to be possible to use SSL with Blogger? WTF! in 2012?

After this 2009 letter Google moved some of its web apps to SSL (see Google's answer at HTTPS security for web applications) but Blogger seems to have been missed!

At the moment there doesn't seem to be a way to write a blog post (like this one) without risking my sessionID being compromised. Am I missing something obvious?

Here is a thread, "Can I use an HTTPS connection for editing and posting on Blogger?" (which points to a non-existent thread), that implies that Google doesn't do this due to performance issues.

Also annoying is the fact that https://diniscruz.blogspot.co.uk/ doesn't work! So how can I know that this blog's content is read as it was written (i.e. without its content being tampered with)?

On the topic of OWASP, note how there is no mention of it in the letter. Yes, this letter is from 2009, but if it was written today, would OWASP be there? (This is what I'm now calling OWASP MIA (Missing In Action).)

On that topic, why don't we write another letter to Google asking them to extend their security efforts into Blogger!

Also, if Google doesn't care about this and gives us no solution, what other options do we have? What about a 'cloud' service that gives me secure access to this blog?