http versus https
As many of you know, the difference between "http" and "https" is that "https" instructs the browser to initiate an encrypted session with the web server before sending any data.
I know I tend not to use https more out of laziness than anything else, however, once you’ve taken the effort to set it up, it’s done!
Let's look at a traceroute from BlogSecurity to gmail.google.com; it may open your eyes a little and give you and me that bit of extra motivation to make our blogs a little more secure.
traceroute to gmail.l.google.com (64.233.183.107), 30 hops max, 40 byte packets
 1  lvps212-241-212-16 (212.241.212.16)  0.125 ms  0.061 ms  0.055 ms
 2  ge-0-0-2.juwel.cgn3.hosteurope.de (80.237.129.97)  0.320 ms  0.375 ms
 3  te-6-1-0.jc-blue.cgn.hosteurope.de (80.237.129.113)  0.549 ms  0.477 ms  0.536 ms
 4  de-cix10.net.google.com (80.81.192.108)  3.894 ms  3.642 ms  3.823 ms
 5  209.85.249.178 (209.85.249.178)  4.699 ms  3.651 ms  4.058 ms
 6  209.85.248.182 (209.85.248.182)  10.151 ms  10.047 ms  11.880 ms
 7  72.14.232.141 (72.14.232.141)  13.435 ms  13.535 ms  13.577 ms
 8  72.14.233.83 (72.14.233.83)  13.943 ms  14.096 ms  14.088 ms
 9  209.85.249.129 (209.85.249.129)  21.036 ms  18.932 ms 216.239.43.34 (216.239.43.34)  13.755 ms
10  nf-in-f107.google.com (64.233.183.107)  13.914 ms  13.631 ms  13.894 ms
What you see above is the likely route my traffic takes to reach gmail.google.com. Notice that it passes through 10 hops before reaching the target (gmail). If an attacker controls any one of those 10 hops, everything I send to or receive from gmail is at risk whenever it takes that route, and over plain http it travels in the clear.
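To make the "10 hops" point concrete, here is an added example (my own code, not part of the original post) that parses traceroute output like the one above and groups the hops by whose network they belong to, judged from the responder's DNS name. It handles two things this particular trace shows: hop 2 answered only two of the three probes, and hop 9 was answered by two different routers. The input is the post's own traceroute, split back into one hop per line as traceroute prints it; the domain suffixes used for grouping ("hosteurope.de" for the hosting side, "google.com" for gmail) are my assumption, read off the hostnames in the trace.

```python
import re
from dataclasses import dataclass, field

# The traceroute from the post, one hop per line as traceroute prints it.
TRACEROUTE = """\
traceroute to gmail.l.google.com (64.233.183.107), 30 hops max, 40 byte packets
 1  lvps212-241-212-16 (212.241.212.16)  0.125 ms  0.061 ms  0.055 ms
 2  ge-0-0-2.juwel.cgn3.hosteurope.de (80.237.129.97)  0.320 ms  0.375 ms
 3  te-6-1-0.jc-blue.cgn.hosteurope.de (80.237.129.113)  0.549 ms  0.477 ms  0.536 ms
 4  de-cix10.net.google.com (80.81.192.108)  3.894 ms  3.642 ms  3.823 ms
 5  209.85.249.178 (209.85.249.178)  4.699 ms  3.651 ms  4.058 ms
 6  209.85.248.182 (209.85.248.182)  10.151 ms  10.047 ms  11.880 ms
 7  72.14.232.141 (72.14.232.141)  13.435 ms  13.535 ms  13.577 ms
 8  72.14.233.83 (72.14.233.83)  13.943 ms  14.096 ms  14.088 ms
 9  209.85.249.129 (209.85.249.129)  21.036 ms  18.932 ms 216.239.43.34 (216.239.43.34)  13.755 ms
10  nf-in-f107.google.com (64.233.183.107)  13.914 ms  13.631 ms  13.894 ms
"""

HEADER_RE = re.compile(r"^traceroute to (\S+) \(([\d.]+)\)")
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
# A hop line is a sequence of three token kinds: "host (ip)" introducing a
# responder, "x.y ms" for one probe's round-trip time, or "*" for a lost probe.
TOKEN_RE = re.compile(r"(\S+)\s+\(([\d.]+)\)|([\d.]+)\s+ms|(\*)")


@dataclass
class Responder:
    host: str
    ip: str
    rtts_ms: list = field(default_factory=list)


@dataclass
class Hop:
    number: int
    responders: list = field(default_factory=list)
    lost_probes: int = 0


def parse_traceroute(text):
    """Return (target_host, target_ip, [Hop, ...]) from traceroute output."""
    target_host = target_ip = None
    hops = []
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            target_host, target_ip = header.groups()
            continue
        hop_match = HOP_RE.match(line)
        if not hop_match:
            continue
        hop = Hop(number=int(hop_match.group(1)))
        for host, ip, rtt, lost in TOKEN_RE.findall(hop_match.group(2)):
            if host:
                # A new "host (ip)" pair: the RTTs that follow belong to this
                # responder until another pair appears (hop 9 above has two).
                hop.responders.append(Responder(host, ip))
            elif rtt and hop.responders:
                hop.responders[-1].rtts_ms.append(float(rtt))
            elif lost:
                hop.lost_probes += 1
        hops.append(hop)
    return target_host, target_ip, hops


def classify_hops(hops, endpoints):
    """Group hop numbers by operator, using the responder's DNS name.

    endpoints maps a label to a DNS suffix, e.g. {"hosting": "hosteurope.de"}.
    Hops whose name did not resolve (name == IP) go under "unresolved"; a hop
    under neither endpoint goes under "other". Every hop outside the two
    endpoints is a network you have no agreement with, yet over plain http
    it sees your traffic as clearly as the endpoints do.
    """
    groups = {label: [] for label in endpoints}
    groups.update(unresolved=[], other=[])
    for hop in hops:
        seen = set()
        for r in hop.responders:
            if r.host == r.ip:
                label = "unresolved"
            else:
                label = next((lbl for lbl, sfx in endpoints.items()
                              if r.host == sfx or r.host.endswith("." + sfx)), "other")
            if label not in seen:  # a hop with two responders is listed once per group
                groups[label].append(hop.number)
                seen.add(label)
    return groups


if __name__ == "__main__":
    host, ip, hops = parse_traceroute(TRACEROUTE)
    print(f"{len(hops)} hops to {host} ({ip})")
    for label, numbers in classify_hops(hops, {"hosting": "hosteurope.de", "google": "google.com"}).items():
        print(f"{label:>10}: {numbers}")
```

Run it and the middle of the path (hops 5 to 9) shows up as unresolved addresses: you cannot tell from the trace alone who runs them, which is exactly the point of the post. Only the endpoints are known to you; the rest is somebody else's equipment.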
So you're logging into your blog from some location? Imagine your username and password travelling across all those routes . . . not nice.
I like looking at it from this perspective because we mostly imagine our traffic is at risk only on our local network or computer, or at the end-point (gmail in this example). We don't take into consideration all the transparent hops our traffic passes through on the way to its destination.
Check with your hosting provider to see if your blog supports SSL, then you can use the WordPress Admin SSL plugin to ensure that you always access your admin panel over an encrypted channel.
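Once SSL is set up, the check worth running is whether anyone is still reaching the admin area over plain http. The following is an added example of my own (not part of the post or of the plugin) that scans web-server access log lines for that. It assumes a custom log format in which the listening port is the first field ahead of the usual combined-log fields (the kind of thing Apache's LogFormat %p gives you), so that port 80 versus 443 tells us whether the request was encrypted; the log lines and client addresses are constructed for the example.

```python
import re

# Constructed sample log (not real traffic): listening port, then combined-log fields.
SAMPLE_LOG = """\
80 203.0.113.5 - - [01/Jan/2007:10:01:02 +0000] "GET /2007/01/http-versus-https/ HTTP/1.1" 200 5120
80 203.0.113.5 - - [01/Jan/2007:10:01:40 +0000] "GET /wp-login.php HTTP/1.1" 200 1830
80 203.0.113.5 - - [01/Jan/2007:10:01:55 +0000] "POST /wp-login.php HTTP/1.1" 302 0
80 203.0.113.5 - - [01/Jan/2007:10:02:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 22100
443 198.51.100.9 - - [01/Jan/2007:11:15:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
443 198.51.100.9 - - [01/Jan/2007:11:15:03 +0000] "GET /wp-admin/edit.php HTTP/1.1" 200 30500
80 192.0.2.77 - - [01/Jan/2007:12:00:00 +0000] "GET /feed/ HTTP/1.1" 200 9000
"""

LOG_RE = re.compile(
    r'^(?P<port>\d+) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)


def classify_request(method, path):
    """Name the exposure a plain-http request to the admin area causes, or None."""
    if path.startswith("/wp-login.php"):
        # The form fields "log" and "pwd" travel in the POST body; the form itself
        # travels in the GET response and can be altered by any hop on the way.
        return "credentials posted in clear" if method == "POST" else "login form fetched in clear"
    if path.startswith("/wp-admin/"):
        return "admin session cookie sent in clear"
    return None


def find_cleartext_admin_access(log_text):
    """Return one finding per request that reached the admin area over plain http."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["port"] == "443":
            continue  # unparsable, or served by the TLS listener (encrypted in transit)
        issue = classify_request(m["method"], m["path"])
        if issue:
            findings.append({"client": m["client"], "time": m["time"],
                             "path": m["path"], "issue": issue})
    return findings


def clients_at_risk(findings):
    """Distinct client addresses whose admin credentials or session crossed the wire in clear."""
    return sorted({f["client"] for f in findings})


if __name__ == "__main__":
    for f in find_cleartext_admin_access(SAMPLE_LOG):
        print(f"{f['time']}  {f['client']}  {f['path']}: {f['issue']}")
```

Any hit from this means the plugin (or the equivalent server redirect) is not in place for that path yet: the client at 203.0.113.5 in the sample fetched the login form, posted the password and then carried its admin cookie across every hop in the clear, while the client on port 443 did the same work encrypted.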
Hopefully I have put this into perspective and encouraged you to use https wherever you can, to help protect your blog from the prying eyes of a third party.
Comments
tenest, absolutely right, thanks for bringing it up.
the browser will warn us if the certificate doesn't match the current site or if it is a self-signed or a demo certificate, so watch out for this.
[...] about WordPress security? You should be. Learn about accessing your WordPress admin via secure connection. at Blog Security, by David [...]
And on that same note, don't blindly accept SSL certs when you get an SSL cert error, otherwise you are STILL open to man-in-the-middle attacks even with https.
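The two comments above are about the checks the browser performs before it trusts a certificate, and which a certificate error means have failed: the certificate must chain to a trusted CA (which a self-signed or demo certificate does not), and its name must match the site you asked for. Here is an added example, written by me and not part of the original post or comments, that shows the name check in Python on certificates in the shape ssl's getpeercert() returns, and a client context that has both checks switched on. The certificate dictionaries are constructed for the example; the wildcard rules follow RFC 6125 (wildcard only as the whole leftmost label) plus the browser habit of refusing a wildcard that would span a whole top-level domain.

```python
import ssl

# Constructed peer certificates in the shape ssl.SSLSocket.getpeercert() returns
# (not real certificates): one issued for gmail, one self-signed demo cert.
GOOD_CERT = {
    "subject": ((("commonName", "gmail.google.com"),),),
    "subjectAltName": (("DNS", "gmail.google.com"), ("DNS", "*.google.com")),
}
SELF_SIGNED_DEMO = {
    "subject": ((("commonName", "localhost"),),),
    "subjectAltName": (("DNS", "localhost"),),
}


def cert_name_matches(name, hostname):
    """True if one certificate DNS name (possibly '*.example.com') covers hostname."""
    pattern = name.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    if len(pattern) != len(host):
        return False  # '*.google.com' covers neither 'a.b.google.com' nor 'google.com'
    if "*" in pattern[0] and pattern[0] != "*":
        return False  # partial wildcards such as 'g*.google.com' are refused
    if any("*" in label for label in pattern[1:]):
        return False  # a wildcard is only honoured in the leftmost label
    if pattern[0] == "*" and len(pattern) < 3:
        return False  # '*.com' would cover every .com site
    return all(p == "*" or p == h for p, h in zip(pattern, host))


def cert_matches_hostname(cert, hostname):
    """The browser's name check: does this certificate cover the site we asked for?

    subjectAltName DNS entries are authoritative; the subject commonName is only
    consulted when the certificate carries no DNS names at all (legacy behaviour).
    """
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not dns_names:
        dns_names = [value for rdn in cert.get("subject", ())
                     for key, value in rdn if key == "commonName"]
    return any(cert_name_matches(n, hostname) for n in dns_names)


def make_client_context():
    """A client context with both checks on: the chain is verified against the
    system's trusted CAs and the name is checked, so a self-signed, demo or
    mismatched certificate fails the handshake instead of asking the user."""
    return ssl.create_default_context()


def is_verifying(ctx):
    """True if a context will refuse an untrusted chain or a mismatched name."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


if __name__ == "__main__":
    for host in ("gmail.google.com", "mail.google.com", "www.mail.google.com", "google.com"):
        print(f"{host:>22}: good cert {cert_matches_hostname(GOOD_CERT, host)!s:5}  "
              f"demo cert {cert_matches_hostname(SELF_SIGNED_DEMO, host)}")
    print("default context verifies:", is_verifying(make_client_context()))
```

Note that the name check alone is not enough: a self-signed certificate can carry any name its maker likes, which is why the chain check in the context matters just as much. Clicking through a certificate warning switches both off for that connection, which is the point tenest makes above.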