In the past month I have seen a few blogs discuss that Windows Live Writer sends credentials to the blog service via plain text across HTTP. This is most certainly true, but it doesn’t need to be!
WLW uses RSD to find the endpoints for atom/metaweblog when it detects the configuration for your blog.
For example if Scoble(sorry I had to pick on someone) wanted to setup WLW for his blog:
WLW would first download the homepage and look for a link with a type of "application+rsd/xml", and then follow that link. In Scoble’s case it would point to:
Once WLW examines the RSD file to find out where it should send it API calls it finds out that it should send them to:
Now as you can see this is a HTTP url and not a HTTPS url. This means when WLW makes a metaweblog call it will send it via HTTP and pass his username and password as plain text. If you want to fix this you need to make sure you have HTTPS setup for your blog and need to change your RSD file to point to a HTTPS address.
The real outrage here isn’t that WLW uses HTTP for its API calls. The real outrage is that most blogging services allow HTTP access to the login page and their RSD documents point to HTTP urls.
For more information about this problem you might want to read what Chris Blankenship say about this.