How Secure Is PhoneBlogger?

February 15, 2003

Apparently, not very. At least, not yet. And certainly not how I have it currently configured.

The two previous posts (1, 2) were not made by me. PB uses an XML-RPC API call to post to a weblog. That API call requires a valid password for a user on the blog. PB captures the password from the caller during the telephone call and passes it on in the XML-RPC call. The password is not stored as part of any configuration file.

Presumably, someone figured out my password, or at least the password I was using up until a couple hours ago. Since I don’t have SSL set up for the domain where my blog is hosted, I am using an unencrypted HTTP connection. He/she might have sniffed the traffic on that connection. Or, he/she may have figured out how to retrieve my blog password from the MySQL database that I am using with Movable Type. Or, he/she might have just gotten lucky, as I can see about five failed attempts in the logs before the first successful post.
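To make concrete what the two paragraphs above describe, here is an added example (not PhoneBlogger's or Movable Type's own code) that serializes the kind of Blogger-API XML-RPC call PB sends and checks whether the blog password is readable in the request body, which is exactly what an unencrypted HTTP connection exposes. The endpoint path, user name and password are constructed placeholders.

```python
"""Added example: what PB's XML-RPC post looks like on the wire.

The Blogger API's blogger.newPost method takes (appkey, blogid, username,
password, content, publish) as positional parameters; the password is a
plain <string> element in the POST body, so over http:// it travels in
the clear. Over https:// the same body is encrypted in transit.
"""
from urllib.parse import urlparse
import xmlrpc.client


def build_newpost_request(username, password, content,
                          blog_id="1", app_key="", publish=True):
    """Serialize a blogger.newPost call the way an XML-RPC client would.

    Returns the XML document that becomes the body of the HTTP POST.
    """
    params = (app_key, blog_id, username, password, content, publish)
    return xmlrpc.client.dumps(params, methodname="blogger.newPost")


def password_visible_on_wire(body, password):
    """True if the password can be read verbatim from the request body.

    This is what anyone observing an unencrypted HTTP connection sees;
    no decoding beyond reading the XML is needed.
    """
    return password in body


def endpoint_protects_credentials(endpoint_url):
    """Policy check to apply before sending credentials in an XML-RPC call:
    only an https:// endpoint keeps the password out of the clear."""
    return urlparse(endpoint_url).scheme.lower() == "https"


if __name__ == "__main__":
    # Constructed sample values; the endpoint is a placeholder, not a real host.
    endpoint = "http://blog.example.invalid/mt/mt-xmlrpc.cgi"
    body = build_newpost_request("scott", "s3cret-example", "posted by phone")
    print(body)
    print("password readable in body:", password_visible_on_wire(body, "s3cret-example"))
    print("endpoint protects credentials:", endpoint_protects_credentials(endpoint))
```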

In case you’re reading this, is this you?
195.7.12.11 - - [15/Feb/2003:10:40:04 -0800] "GET /blog/archives/2003/01/welcome_to_phoneblogger.html HTTP/1.1" 200 3866 "http://www.google.com/search?sourceid=navclient&ie=UTF-8&oe=UTF-8&q=phoneblogger" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"

Name: romsat011.fx.ro
Address: 195.7.12.11

While I would like to use a secure HTTP connection, that would cost me about $180 per year for the unique IP address with my webhost and a digital certificate from Geotrust.
