Word 2007 Blog Feature’s Password Handling

I knew about the blog feature – hard not to notice when every time you go to make a new document, it gives you the option of making a blog post. I'd known about it for quite a while, as I was part of the group reviewing the threat model. Last night was the first time I'd used it – really, really easy to set up and use, and it sure is a lot nicer editing experience using Word than on the web. It also lets you do nice stuff like manage categories, accounts, etc. Now that I've actually used it myself, this is a really cool feature. The ribbon even cuts back to what makes sense for a blog post.

So where's the password go? All blog data is stored in HKEY_CURRENT_USER\Software\Microsoft\Office\Common\Blog\Accounts, and you'll notice that the password is a fairly large binary blob. That's because they did the right thing, and used CryptProtectData to store it. I was a little worried about this, and asked the team how the password was protected on the wire.

It turns out the password is NOT protected on the wire at all! We come out with a completely new protocol this century, and we move passwords in plain-text across the wire??? I think the only ones that are protected in the least use SSL/TLS, but very few of the providers do this. Just what ARE people thinking?

Update

A clarification - when I said "we" came up with a new protocol, that would not be "we" as in Microsoft. It's actually an issue with the MetaWeblog API (maybe others), and the Atom Publishing Protocol is supposed to be better.

I'm just amazed when new protocols are created without taking into account security. I can understand rsh and telnet being insecure - the Internet was a small village then. But doing that now? Another issue that rankles me - USB and firewire both don't really help security.