
The Blogger API

March 18, 2003 20:57:54.860

I've considered adding support for the Blogger API for a while now. It's not hard; I could get that working in no time flat. I have a rather hard time with one aspect of the API (1.0 and 2.0) though - Usernames and Passwords are passed in the clear. You just create an XML doc, shove unencrypted user info in there, and send it across the web. Well.

Unfortunately, many people use the same password for everything. So right off the bat, the Blogger API just asks for trouble. Not to mention that a popular blog could easily get masqueraded posts that way.

So thus far, I've said no. I create a form, encrypt all the data, and URL encode it. That gets sent to the server from my blog tool, and the servlet there decrypts and validates it. Much better. I guess what I want to know is, why in the heck doesn't the new blogger API specify encryption?
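To make the exposure concrete, here is an added Python example (not code from this post or from any blog tool): it serializes a `blogger.newPost` call and then audits the outgoing request, returning the credentials that a stock XML parser recovers from the body when the endpoint is not HTTPS. It goes slightly beyond the post by covering three other Blogger API 1.0 methods that carry the same fields; the helper names, the `blog.example` endpoint and the sample credentials are assumptions constructed for the example.

```python
import xmlrpc.client
from urllib.parse import urlsplit
from xml.parsers.expat import ExpatError

# (username index, password index) in each method's positional parameters,
# per the Blogger API 1.0 call signatures.
CREDENTIAL_SLOTS = {
    "blogger.newPost": (2, 3),        # appkey, blogid, username, password, content, publish
    "blogger.editPost": (2, 3),       # appkey, postid, username, password, content, publish
    "blogger.getUsersBlogs": (1, 2),  # appkey, username, password
    "blogger.getUserInfo": (1, 2),    # appkey, username, password
}

def build_newpost(appkey, blogid, username, password, content, publish=True):
    """Serialize blogger.newPost the way an XML-RPC client puts it on the wire."""
    return xmlrpc.client.dumps(
        (appkey, blogid, username, password, content, publish),
        methodname="blogger.newPost",
    )

def exposed_credentials(endpoint_url, body):
    """Audit one outgoing request (hypothetical helper name).

    Returns the username/password readable by anyone on the network path,
    or {} when the transport is HTTPS or the body is not a known call.
    """
    if urlsplit(endpoint_url).scheme.lower() == "https":
        return {}
    try:
        params, method = xmlrpc.client.loads(body)
    except (ExpatError, xmlrpc.client.Error):
        return {}  # malformed XML or a fault/response document, not a request
    slots = CREDENTIAL_SLOTS.get(method)
    if slots is None or len(params) <= max(slots):
        return {}
    user_idx, pass_idx = slots
    return {"username": params[user_idx], "password": params[pass_idx]}

if __name__ == "__main__":
    # Constructed sample values; blog.example is a placeholder endpoint.
    body = build_newpost("APPKEY", "1", "alice", "constructed-pw", "Hello")
    print(exposed_credentials("http://blog.example/RPC2", body))
    print(exposed_credentials("https://blog.example/RPC2", body))
```

A client-side check like this can refuse to send any request for which the function returns a non-empty result.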

Comments

The FuzzyBlog / Feedster

[Scott Johnson] March 18, 2003 22:52:12.107

Hi,

That's a really, really good question. I suspect the reason is one of perspective. Security is something you either really understand and make a priority or it's just not and gets short shrift. That's a guess since I don't know the people involved directly but I suspect it's an accurate one.

Scott

P.S. -- I'd change "Fire Back" to Add Comment or Add Comment / Fire Back. I had to look all over the screen to figure it out since the other links all said "X Comment", I expected that to do so as well.

Re Comments

[James Robertson] March 18, 2003 23:17:30.501

Good suggestion - I just changed the link from Fire Back! to Add Comment!

Normal HTTP Authentication

[Michael Lucas-Smith] March 19, 2003 0:49:48.940

Well, since you're posting it with HTTP anyway, why not dump the username/password stuff from the XML and use normal HTTP challenge authentication, which also leaves you open to use SSL if you want?
