Previous section: Customizing iBlog

Security and Privacy Concerns with iBlog

The feature that drove me to really study iBlog's inner workings was the ability to create password-protected "private" blogs. The theory was that you should be able to restrict your audience to those people who know a single username/password combination. I created a fake "private" weblog and published it to my web server. Indeed there was a login screen that asked for a username and password and then led me to the private web pages.

This is a function that normally requires server-side configuration. I was curious how iBlog managed to protect content using only static web pages, so I started looking at the HTML source. My immediate reaction was abject horror. Within minutes I had found that the protection could be circumvented by simply deactivating JavaScript in my browser! A little more investigation led me to realize that not only were these sites insecure, but I could use a simple Google search to hunt down and read the private (insecure) iBlogs on the Internet!

I wrote an article describing my findings and did my best to alert the public to this security flaw. I also wrote to the software developers and made a number of suggestions as to how they could improve this security system. None of my suggestions have been implemented as of the new version 1.3.2. I would personally convey the following warning to anyone who is considering establishing a "private" or restricted weblog:

The only safe way to restrict access to a web page is through careful configuration of your web server, so that the server itself refuses to send the protected pages until the visitor has authenticated (HTTP authentication configured in the server is the usual way). A check that runs in the visitor's browser can always be switched off by the visitor. The time and effort spent securing your data should be proportional to its sensitivity. Do not use the privacy feature of iBlog for any data whose unauthorized access could cause financial or other damage. A quick test of any "private" site: disable JavaScript and request a protected page by its address; if it loads, the protection is client-side only.

If you do decide to publish a "private" weblog with iBlog, do not create any outside links to your private blog. Search engines follow links and index whatever the server sends them, and since the "login" runs only in the visitor's browser, the server sends them everything. Such links will therefore allow unscrupulous people to find (and access) your site with a well-written Google search.

To their credit, the designers of iBlog pulled some clever tricks to implement their security system. To their discredit, luring their customers into a false sense of security and not patching obvious security holes (especially when I basically e-mailed them a guide on how to go about doing it!) is unforgivable.

Next section: Conclusions and References


Written material copyright © 2003 by Murray Todd Williams

Page last modified 11/02/2003 11:50