MarsEdit 3.6.2: Tumblr Security Fix

July 17th, 2013

MarsEdit 3.6.2 is available now from the MarsEdit home page, and has been submitted to the Mac App Store for review by Apple.

Last night Tumblr revealed on their staff blog that the Tumblr for iOS app sends a user’s password in plain-text when authenticating for the service. They published an updated version of the app which addresses the problem by connecting to Tumblr using the secure HTTPS protocol.

MarsEdit had precisely the same flaw in the way it communicates with Tumblr, so the fix is the same as Tumblr’s: use HTTPS when communicating a user’s password to Tumblr.

Who Should Update?

If you use MarsEdit to connect to a Tumblr blog, you should update to ensure that your password is sent securely to Tumblr.

What Was The Risk?

Because MarsEdit sent a user’s Tumblr password in plain text over a regular HTTP connection, anyone positioned on the network path between your Mac and Tumblr’s servers, for example another user on the same public Wi-Fi network or the operator of any network in between, could in principle have captured the connection and read the password. No break-in was required; passive eavesdropping on unencrypted traffic is enough.

What Else Should I Do?

After updating to MarsEdit 3.6.2, you may want to change your Tumblr password to be absolutely sure that it has not been compromised. Starting with MarsEdit 3.6.2 your Tumblr password will never be transmitted insecurely to Tumblr’s servers.

Tumblr uses an authentication system through which clients can maintain permission to connect even after your password has been changed. To be absolutely sure that your password is secure and that no unauthorized entities have authentication tokens to your blog, I recommend visiting Tumblr’s Apps Settings Page, where you can view a list of authenticated applications and revoke access to any that you are uncertain about.

Finally, as a matter of general internet security, don’t use the same password on any two services. By using unique passwords for each of the various web services you connect to, a compromised password will only ever provide an attacker with access to a single system.

What About Other Systems?

Many popular blogging systems use authentication schemes that are less secure than they ideally would be. For example, the XML-RPC based APIs that WordPress, Movable Type, and many other systems are built upon require clients such as MarsEdit to send the account password as a parameter of every API call, in plain text as far as the API itself is concerned.

However, many of these systems also support accessing the API endpoint via HTTPS, which ameliorates the problem by encrypting the whole exchange, password included, while it is in transit. If you are connecting to a WordPress.com blog, the HTTPS version of the API Endpoint URL should be set up for you automatically. If you are connecting to a self-hosted WordPress blog, you may need to ask your hosting provider whether you can switch to an HTTPS URL for accessing the blog; simply changing “http://” to “https://” only helps if the server actually serves the API over TLS, so confirm that the blog still responds after the change.

For WordPress-style systems, you can get a sense of whether MarsEdit is connecting to your blog over a secure HTTPS connection by examining the API Endpoint URL in the blog settings in MarsEdit:

Screenshot of MarsEdit's blog settings
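To make the XML-RPC point concrete, here is an added example in Python that is not part of MarsEdit or of the original post. It serializes a metaWeblog.newPost call the way a desktop client does, then plays the role of an eavesdropper on a plain HTTP connection by decoding that same request and pulling the username and password back out of the call parameters, and finally shows the endpoint-URL rewrite that the advice above amounts to. The endpoint URL, blog ID and credentials are constructed sample values. The live `endpoint_uses_tls` probe is this example’s own suggestion for verifying the HTTPS endpoint and is not run by the offline demo.

```python
"""Added example (not MarsEdit's code): what an XML-RPC blog password looks
like on the wire over plain HTTP, and how to move the endpoint to HTTPS."""
import xmlrpc.client
from urllib.parse import urlsplit, urlunsplit

# Constructed sample values; not a real blog or account.
SAMPLE_ENDPOINT = "http://example.com/xmlrpc.php"
SAMPLE_BLOG_ID = "1"
SAMPLE_USERNAME = "alice"
SAMPLE_PASSWORD = "correct horse battery staple"

# metaWeblog.* and mt.* calls carry (blogid-or-postid, username, password, ...),
# so the username is the second and the password the third positional parameter.
CREDENTIAL_POSITIONS = {"metaWeblog.": (1, 2), "mt.": (1, 2)}


def build_newpost_request(endpoint_url, blog_id, username, password, title, body):
    """Serialize a metaWeblog.newPost call exactly as a desktop client would
    and wrap it in an HTTP/1.1 POST, returning the raw bytes that would be
    written to the socket."""
    payload = xmlrpc.client.dumps(
        (blog_id, username, password, {"title": title, "description": body}, True),
        methodname="metaWeblog.newPost",
    ).encode("utf-8")
    parts = urlsplit(endpoint_url)
    head = (
        f"POST {parts.path or '/'} HTTP/1.1\r\n"
        f"Host: {parts.netloc}\r\n"
        "Content-Type: text/xml\r\n"
        f"Content-Length: {len(payload)}\r\n\r\n"
    ).encode("ascii")
    return head + payload


def extract_credentials(raw_request):
    """What a passive observer on the path sees: split the body off the
    headers, decode the XML-RPC call and read the username and password
    straight out of its parameters.  Returns (method, username, password),
    or None when the request is not a recognised XML-RPC blogging call."""
    head, _, body = raw_request.partition(b"\r\n\r\n")
    if not head.startswith(b"POST ") or not body:
        return None
    try:
        params, method = xmlrpc.client.loads(body.decode("utf-8"))
    except Exception:  # not XML, not XML-RPC, or a fault rather than a call
        return None
    for prefix, (user_idx, pass_idx) in CREDENTIAL_POSITIONS.items():
        if method and method.startswith(prefix) and len(params) > pass_idx:
            return method, params[user_idx], params[pass_idx]
    return None


def require_https(endpoint_url):
    """Rewrite an http:// API Endpoint URL to https://.  This is the edit the
    advice above amounts to; it only helps if the server really serves the
    API over TLS, so verify with a real request afterwards."""
    parts = urlsplit(endpoint_url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"not a web endpoint: {endpoint_url!r}")
    return urlunsplit(("https",) + tuple(parts[1:]))


def endpoint_uses_tls(endpoint_url):
    """Live check (needs network; not exercised by the offline demo): does the
    https:// form of the endpoint answer an XML-RPC call at all?  ServerProxy
    verifies the server certificate by default.  A Fault still counts as an
    answer over TLS; a TLS/socket error or an HTTP error does not."""
    proxy = xmlrpc.client.ServerProxy(require_https(endpoint_url))
    try:
        proxy.system.listMethods()
    except xmlrpc.client.Fault:
        return True
    except (xmlrpc.client.ProtocolError, OSError):
        return False
    return True


def demo():
    """Offline walk-through on the constructed sample values."""
    wire = build_newpost_request(SAMPLE_ENDPOINT, SAMPLE_BLOG_ID, SAMPLE_USERNAME,
                                 SAMPLE_PASSWORD, "Hello", "First post")
    return extract_credentials(wire), require_https(SAMPLE_ENDPOINT)


if __name__ == "__main__":
    leaked, fixed = demo()
    print("on the wire, an eavesdropper recovers:", leaked)
    print("endpoint to use instead:", fixed)
```

The eavesdropper needs no cryptography and no special position beyond being able to read the packets; the password is a plain string element in the request body. Switching the scheme to HTTPS is the whole fix, provided the server really answers on it, which is what the live probe checks.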

Note that for Google Blogger blogs, although the API Endpoint URL is HTTP-based, authentication is handled separately from that URL, using a mechanism that avoids transmitting the password as plain text over the internet.

Anything Else?

MarsEdit 3.6.2 is primarily a “one-fix wonder,” but it also addresses some minor memory-usage issues, and another subtle Tumblr authentication issue. Here are all the changes for this release:

  • Improve security of Tumblr connections
  • Fix an issue where MarsEdit would fail to re-authenticate with Tumblr after revoking privileges
  • Fix some memory performance issues

MarsEdit 3.6: Bug Fixes With A Twist

July 2nd, 2013

MarsEdit 3.6 is now available. This is a free update for licensed MarsEdit customers. The update has been submitted to the Mac App Store and will be available there when Apple approves the update.

This update is primarily a “bug fixes” release, that is to say, no new features. However, I am allergic to version numbers such as “3.5.10”, which was where MarsEdit was heading. I decided to jump to 3.6 with this release, on the basis of a bug-fix change with wider implications:

MarsEdit can now apply the preview filter as part of the publishing process.

This is primarily of interest to folks who write in HTML Text mode with a text filter such as Markdown, but publish to a blog that doesn’t support it natively. Now you can check a box in the blog’s settings to ensure that the preview filter runs when you publish, causing for example the Markdown content to be converted automatically to HTML as part of the publishing process. Given that MarsEdit supports custom preview filter scripts, the sky is the limit for how you choose to manipulate your post content as part of the publishing process.

PreviewFilter

Generally I strongly encourage folks to set up their blogs in such a way that Markdown can be used natively and preserved for later editing, but this is not always possible. This is a great option for folks who want the convenience of writing in Markdown but need to publish in HTML.

The change was actually made to address a change of behavior with Blogger, where historically plain text separated by newlines was automatically converted to paragraphs. They changed this behavior sometime in the past few months, so that the paragraphs are “crunched together” if you write in HTML Text mode and were relying on automatic line breaks. Using the new “Apply preview filter” feature, you can work around the bug by causing MarsEdit’s default “Convert Line Breaks” filter to process the content of your post as it is being published.
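As an added example of what a line-break filter does, and not MarsEdit’s own “Convert Line Breaks” implementation, here is a Python script that could serve as a custom preview filter. It assumes the interface MarsEdit uses for custom filter scripts: the post text arrives on standard input and the filtered HTML is written to standard output. Blank-line-separated chunks become paragraphs, single newlines become <br />, and lines beginning with a block-level HTML tag are passed through, including everything inside a <pre> block, so hand-written HTML is not wrapped a second time.

```python
"""Added example, not MarsEdit's built-in filter: a stand-in for the
"Convert Line Breaks" behaviour, as a stdin-to-stdout preview filter script
(the interface assumed for MarsEdit custom preview filters)."""
import re
import sys

# Lines that open or close a block-level element already define their own
# layout and must not be wrapped in <p> or given <br /> breaks.
BLOCK_TAG = re.compile(
    r"^<(/?)(p|div|pre|blockquote|ul|ol|li|h[1-6]|table|tr|td|th|hr)\b",
    re.IGNORECASE,
)


def convert_line_breaks(text):
    """Turn newline-separated plain text into HTML paragraphs.

    Consecutive non-blank lines form one <p>, joined with <br />; a blank
    line ends the paragraph.  A line starting with a block-level tag is
    emitted as-is, and everything from an opening <pre> up to its </pre> is
    copied through untouched, blank lines included."""
    out, para, in_pre = [], [], False

    def flush():
        if para:
            out.append("<p>" + "<br />\n".join(para) + "</p>")
            para.clear()

    for line in text.splitlines():
        if in_pre:
            out.append(line)  # preformatted: keep whitespace and blank lines
            if "</pre>" in line.lower():
                in_pre = False
            continue
        stripped = line.strip()
        if not stripped:
            flush()
        elif BLOCK_TAG.match(stripped):
            flush()
            out.append(stripped)
            lowered = stripped.lower()
            if lowered.startswith("<pre") and "</pre>" not in lowered:
                in_pre = True
        else:
            para.append(stripped)
    flush()
    return "\n".join(out)


def main():
    """Filter entry point: read the post on stdin, write HTML to stdout."""
    sys.stdout.write(convert_line_breaks(sys.stdin.read()))


if __name__ == "__main__":
    main()
```

Because the filter runs on every publish once the new checkbox is on, the <pre> handling matters: code samples would otherwise gain spurious <br /> tags and lose their blank lines.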

There are a number of other bug fixes in this release. Complete change notes below:

  • Restore auto-configuration functionality for Blogger/Blogspot blogs
  • Fix a bug where an authentication dialog was not appearing for some LiveJournal and Squarespace configurations
  • Fix a bug that prevented Flickr short-name being used in Flickr page links
  • Fix a bug that prevented undo from working in some editor fields
  • Fix a bug that allowed rich text to be pasted into Tumblr quotation text field
  • Fix a bug that caused Tumblr quotation source text to be treated as plain instead of as HTML
  • Fix a bug where new image albums for Blogger were created with public permissions
  • Fix a cosmetic glitch with the Date Editor panel

Enjoy!

Update: 3.6 had a bug that caused the flagship “apply preview filter” feature to fail on some blog types including WordPress and Movable Type. 3.6.1 is now available and should address the problem.

Blogger Auto-Configuration Failures

June 19th, 2013

Recently something changed in the format of Blogger blogs such that MarsEdit’s method of “auto-configuring” is now failing. This does not affect existing configurations in MarsEdit, but any new Blogger blog added to MarsEdit will fail to connect with a cryptic “Invalid Blog ID” error.

I’ve added a workaround of the problem to the Red Sweater Forums. The long and short of it is the “API Endpoint URL” and “Blog ID” fields in MarsEdit’s configuration need to be manually corrected.

I am working on a permanent fix for the next update to MarsEdit.

Squarespace 5 Workaround

May 7th, 2013

As I noted last year, when Squarespace released version 6 of their popular web hosting service, they opted not to continue supporting 3rd party blog editors such as MarsEdit.

Luckily for fans of MarsEdit who were already hosting with Squarespace version 5, they left support in place, and it has remained mostly functional for the past several months.

A few weeks ago, the API support for Squarespace 5 stopped abruptly, but then resumed. Last week, the service stopped again, and has yet to be restored.

I have been in touch with Squarespace through their regular support channels, but they do not yet seem to appreciate the scope of the problem. In short: all Squarespace customers who rely upon 3rd party editors (not just MarsEdit) that use the API interface, were met with a sudden stoppage of functionality for those apps. The reason? The API through which the service is provided suddenly stopped working and instead redirects to a 404 landing page:

http://www.squarespace.com/process/service/PostInterceptor

To seamlessly restore API service for all Squarespace 5 customers, they need to “flip the switch back on” for this API, so that it connects customers with 3rd party clients in to their sites.

Squarespace’s customer support team has been patient while I try to explain the scope of the problem, and did share with me a workaround that I believe will allow all MarsEdit customers to “fix” their configurations in MarsEdit, regardless of whether they ultimately decide to fix the problem for all customers. To get things back to normal for your Squarespace 5 blog in MarsEdit:

  1. Open MarsEdit
  2. Click the Squarespace blog icon in MarsEdit’s main window.
  3. Select Blog -> Edit Settings from the menu bar at the top of the screen.
  4. Change the API Endpoint URL to:

    http://five.squarespace.com/process/service/PostInterceptor

    Note that this is identical to the malfunctioning URL with the exception that the “www.” has changed to “five.”

  5. Close the settings window and Refresh the blog to confirm it works.

Note that because of another nuance of Squarespace’s API, if you are configuring a Squarespace 5 blog from scratch in MarsEdit, you will be met with a confusing error message when it first tries to connect: “Internal Server Error.” This indicates that you need to manually enter your username and password. Select the blog in the main window again, and then choose Blog -> Enter Password from the menu bar.