[wp-hackers] Plugin update & security / privacy

[Alex Günsche]

On Sun, 2007-09-23 at 03:52 -0700, Viper007Bond wrote:
> And by checking for an update, your server's IP address is sent
> automatically. It wouldn't be hard to reverse lookup that IP.

That's not true. Most blogs are on virtual hosting environments, where
many domains are assigned to one IP. And even if in fact you have only
one domain on your server, the party performing a reverse lookup will
not be able to tell that. Therefore it's a large difference whether you
log the client IP or you transmit the blog URL. And this is the very
reason why Automattic logs the Blog URL.

> Simply put, if you really insist on wearing a tin foil hat, it's uber easy
> to disable the automatic update checker. For the other 99.99999% of people
> out there, this feature will be a godsend to them in both terms of new
> features and more importantly, the _only_ real way to make sure your site
> doesn't get hacked -- by running the latest version.

It's none of WP's business who runs a blog. I know some people don't
care about privacy, I however do, and I disapprove anybody trying to
gather more information than neccessary about me and what I do. Unless
anybody can give me a good explaination for why Wordpress/Automattic
needs to know my URLs.

By the way, I was rather shocked when I saw what big bunch of data
Akismet transmits on connecting to its server. Why the heck does Akismet
transmit *all* my $_SERVER environment variables? That's a big reason to
mistrust Akismet, unless there are *very* good reasons for that. And I
doubt there are any.


Alex


-- 
Alex Günsche, Zirona OpenSource-Consulting
Blogs: http://www.zirona.com/ | http://www.regularimpressions.net
PubKey for this address: http://www.zirona.com/misc/ag.ml2007.asc