
Update on “Tumblr sends passwords in the clear.”

This is a follow-up to my previous post: Tumblr sends passwords in the clear.

First, the official response from Tumblr: a short, polite, but generally uninformative email from Marc at support@tumblr.com. The gist of it was “Yes, we are aware of how we are handling passwords.” and “I’ve passed your suggestion along to our development team.”

So at least they are aware of the situation.

Second, a bit of context: many websites do this (send passwords in the clear). In fact, what prompted me to check Tumblr was an article, Seven Major Websites that Send Passwords Unprotected, that I found via this thread on Hacker News. Both are good reading.

Without getting too technical, the problem lies with the HTTP protocol itself, not anything Tumblr went out of their way to break (though I do think their current behaviour counts as negligence). HTTP traffic is not encrypted: the username and password you type into a login form cross the network as readable text inside an ordinary TCP/IP packet. HTTPS is HTTP carried over an encrypted TLS (SSL) connection (the ‘S’ stands for secure), so the same request goes out as ciphertext. That’s why when you log in to your bank, the address bar reads ‘https’.
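To make the difference concrete, here is an added example (not code from the original post) of what a passive sniffer on an unencrypted link sees when a browser submits a login form over plain HTTP. It builds a minimal Ethernet/IPv4/TCP frame around a constructed HTTP POST, walks the layers the way Wireshark does, and pulls the form fields out of the body. The host name, path, field names and credentials are made up for the example.

```python
"""Added example (not code from the original post): what a passive sniffer on
an unencrypted link sees when a browser submits a login form over plain HTTP.
The Ethernet/IPv4/TCP frame and the HTTP request are constructed by hand; the
host name, path, field names and credentials are made up for the example."""
import struct
from typing import Optional
from urllib.parse import parse_qs

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6

# Constructed sample: the kind of request a login form produces over http://.
SAMPLE_LOGIN_POST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 46\r\n"
    b"\r\n"
    b"email=alice%40example.invalid&password=hunter2"
)


def build_frame(payload: bytes) -> bytes:
    """Wrap an application payload in minimal Ethernet, IPv4 and TCP headers,
    the way it would appear in a capture. Checksums are left as zero; the
    parser below does not validate them."""
    tcp = struct.pack("!HHIIBBHHH",
                      51234, 80,        # source port, destination port
                      1, 1,             # sequence and acknowledgement numbers
                      5 << 4,           # data offset: 5 words = 20-byte header
                      0x18,             # flags PSH|ACK
                      65535, 0, 0)      # window, checksum, urgent pointer
    ip_total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0,           # version 4, IHL 5 words; TOS
                     ip_total_len, 0,   # total length, identification
                     0x4000, 64,        # flags DF, TTL
                     IPPROTO_TCP, 0,    # protocol, checksum
                     bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5]))
    eth = b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp + payload


def tcp_payload(frame: bytes) -> Optional[bytes]:
    """Walk Ethernet -> IPv4 -> TCP and return the application bytes, or None
    if the frame is not IPv4/TCP. On a WPA-protected link a sniffer without
    the key never gets this far: the 802.11 frame body is ciphertext."""
    if len(frame) < ETH_HDR_LEN + 40:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IPPROTO_TCP:
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    data_off = (tcp[12] >> 4) * 4
    return tcp[data_off:]


def extract_credentials(frame: bytes) -> Optional[dict]:
    """Return the request line and form fields of a form-encoded HTTP POST
    carried in the frame, or None. This is the same view Wireshark gives with
    "Follow TCP Stream" on a plaintext login."""
    payload = tcp_payload(frame)
    if not payload or not payload.startswith(b"POST "):
        return None
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("latin-1").split("\r\n")
    content_type = ""
    for header in lines[1:]:
        name, _, value = header.partition(":")
        if name.strip().lower() == "content-type":
            content_type = value.strip()
    if not content_type.startswith("application/x-www-form-urlencoded"):
        return None
    fields = {k: v[0] for k, v in parse_qs(body.decode("latin-1")).items()}
    return {"request": lines[0], "fields": fields}


if __name__ == "__main__":
    seen = extract_credentials(build_frame(SAMPLE_LOGIN_POST))
    print(seen["request"])
    for name, value in seen["fields"].items():
        print(f"  {name} = {value}")
```

Had the same login gone over HTTPS, the TCP payload would be a TLS record (first byte 0x17, then opaque ciphertext) and `extract_credentials` would find nothing to parse; the sniffer is in the same position as on a WPA-encrypted link, only one layer higher up.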

However, if a lower network layer is encrypted, the people sharing that link with you can’t read it. More specifically, when I said “I can snoop anybody on the same wireless network as me”, I should have qualified that a bit. It depends on how you’re connected. Here are a few examples: in the first list are network types where any close neighbour (on the same local connection) can read your password using Wireshark. On networks in the second list, they can’t. Keep in mind that link-layer encryption only covers that one hop: from the access point onward the login travels as plain HTTP again, readable by your ISP and anything else on the path. Only HTTPS protects it end to end.

Insecure

  • Wireless networks without passwords (the default setup of most home routers out of the box), and wireless networks where the ‘authentication’ is in-browser (a captive portal), even if that login page uses https. For example, the default network at my school, ubc, is called ubc. It is not encrypted: you connect, and the first time you open your web browser you’re brought to a login page and you authenticate there. The portal decides who gets internet access, but the radio link itself stays unencrypted, so anyone in range can capture your traffic. That’s no good. A lot of airports work like this. Also no good.
  • Standard Ethernet/LAN. If any of you still use wired connections… it depends on the hardware. An old-style hub repeats every frame to every port, so anyone plugged in sees everything. A switch normally delivers a frame only to the port it is addressed to, but a neighbour on the same switch can usually still redirect your traffic through their machine with ARP spoofing, so a shared wired LAN you don’t control should be treated as sniffable. If you’re having a LAN party and check in to Tumblr on the side, your gaming friends could be sniffing your password.

Secure

  • Most password-protected wireless networks. If you’re on a wireless network that uses WPA or WPA2, you’re in good shape against neighbours on that network (WEP also counts as ‘encryption’, but it was broken years ago and can be cracked in minutes, so treat a WEP network as open). These are the type where you enter the password through your operating system, not your browser. The vast majority of home networks are set up like this now, and - at least where I live - a good number of coffee shops too. Here the wireless frames (which encapsulate the HTTP packets) are themselves encrypted, so it doesn’t matter that HTTP is not. Two caveats: not all wifi encryption techniques are made equal (see here for more info if you’re really anal), and on a network with a single shared password, anyone who knows that password and captures your connection handshake can decrypt your traffic too (Wireshark will do this given the passphrase). That is exactly the coffee shop case, where every customer has the password, so don’t count on it there.

In my previous post, I mentioned how I ran a little experiment with my iPhone to demonstrate the vulnerability. I did this in my hotel room in Toronto (Holiday Inn), where they have the second type of insecure wireless network - the kind where you enter a password through your browser. So it worked; I could sniff the password. I reran it at home on my WPA2-encrypted network, and it most definitely did not work.

So yes, this is a real vulnerability, but Tumblr is not alone in this. Moreover, they did not create this vulnerability through any action they took but rather through inaction (by using plain-jane http instead of https for their login page). That’s no excuse: any site in the Alexa top 100 sites in the US (Tumblr was #89 at time of writing) should easily be able to afford an SSL certificate and should use https. Note that it takes slightly more than buying the certificate: the page that carries the login form, the URL the form posts to, and the session cookie handed out after login (marked Secure so the browser never sends it over plain http) all need to go over https, otherwise a neighbour on the same network can still grab the session even when the password itself was protected. The current behaviour is simply negligence.
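The check the articles above were effectively doing by hand, as an added example (not code from the original post or from Tumblr): fetch a login page, find every form with a password field, and flag the ones that would submit over plain http, or that are served from an http page even though they post to https (an on-path attacker can rewrite such a page to point the form wherever they like). The page URLs and HTML snippets are constructed for the example; the host name is made up.

```python
"""Added example (not code from the original post): a check for the class of
problem described above, a login form whose password would travel over plain
HTTP. The page URLs and HTML snippets are constructed for the example; the
host name is made up."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class PasswordFormCollector(HTMLParser):
    """Collect the resolved action URL of every <form> containing a password field."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            # A missing or empty action submits back to the page's own URL.
            self._current = {"action": urljoin(self.page_url, a.get("action", "")),
                             "has_password": False}
        elif tag == "input" and self._current is not None:
            if a.get("type", "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            if self._current["has_password"]:
                self.forms.append(self._current["action"])
            self._current = None


def audit_login_forms(page_url: str, html: str):
    """Return (action_url, problem) for each password form on the page that is
    not protected end to end. Two cases are flagged: the form posts to an
    http:// URL (the password is sent in the clear), and the form is served
    from an http:// page even though it posts to https:// (anyone on the path
    can rewrite the page so the form posts somewhere else)."""
    collector = PasswordFormCollector(page_url)
    collector.feed(html)
    collector.close()
    page_is_https = urlsplit(page_url).scheme == "https"
    findings = []
    for action in collector.forms:
        if urlsplit(action).scheme != "https":
            findings.append((action, "password submitted over plain HTTP"))
        elif not page_is_https:
            findings.append((action, "login form served over plain HTTP"))
    return findings


# Constructed pages, each with one form.
LOGIN_FORM_RELATIVE = """
<form method="post" action="/login">
  <input type="text" name="email">
  <input type="password" name="password">
  <input type="submit" value="Log in">
</form>"""
LOGIN_FORM_HTTPS_ACTION = """
<form method="post" action="https://example.invalid/login">
  <input name="email"><input type="PASSWORD" name="password">
</form>"""
SEARCH_FORM = '<form action="/search"><input type="text" name="q"></form>'

if __name__ == "__main__":
    for url, page in [("http://example.invalid/login", LOGIN_FORM_RELATIVE),
                      ("http://example.invalid/", LOGIN_FORM_HTTPS_ACTION),
                      ("https://example.invalid/login", LOGIN_FORM_RELATIVE)]:
        print(url, audit_login_forms(url, page) or "ok")
```

Only the third page comes back clean: a relative action inherits the scheme of the page it sits on, so a login form served over https posts over https too, while the same form on an http page is flagged.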

I’d like to hear more of a response from Tumblr, though this may not happen if I’m the only squeaky wheel. So please email Marc at support@tumblr.com (feel free to mention my original post or this one), blog, or otherwise make some noise. This is a simple case of the community being able to improve a site: an SSL certificate is cheap, but having your users’ passwords compromised could be very, very costly. Let’s do our bit to help Tumblr and get this hole filled.