PCI compliance is finding blogs.svc, but it doesn't exist
We had a PCI compliance scan, and it came back with an item that states "Web application Transmits Login Credentials Without Encryption". The evidence is "ipaddress/.../Blogs.svc".
This file does not exist on the server. I do not see it listed in the csproj file on the server.
If I go to the URL, then I will get username/password prompt, but only if I use HTTP. If I use local admin credentials it will pass them through, but will go to a 404 error.
Any ideas on where the PCI scan is getting this Blogs.svc page?
I believe I have answered your question in the support ticket you have opened. I am pasting the reply here for your convenience:
According to the information you have provided, it seems that you experience the issue when you browse a page where you have published the blog posts widget. In the <head> section of the pages where the blog posts are published we add the Sitefinity/Services/Atompub/Blogs.svc service as a reference so that we can use it to publish and edit blog posts from external applications like Live Writer. Please refer to the screenshot. However, this service should not cause any issues. In addition, when this page is opened under https:// the link to the service is properly generated under https:// as well.
As I have also noted in the support ticket, we have a bug logged in our system that this link to the atompub service should not be added if you have not allowed Live Writer blogging. Here is the link to the feedback portal where you can track the progress of the bug.
Our developers are currently working on fixing this issue and removing the reference to the atompub service if Windows Live Writer is not configured. The fix will probably be included in the latest internal build, which might be released this Friday. So what I can suggest is to upgrade to the latest internal build once it is released, following the instructions in our upgrade documentation.
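One way to find which pages carry the service reference described in the reply above, and whether it resolves to plain HTTP for a given page URL. This is an added example, not code from the thread or from Sitefinity; the sample markup (its rel, type and root-relative href) is constructed, and audit_page and HeadServiceRefs are hypothetical names.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Service path named in the reply; matched case-insensitively.
SERVICE_PATH = "sitefinity/services/atompub/blogs.svc"


class HeadServiceRefs(HTMLParser):
    """Collect href/src values inside <head> that point at the AtomPub service."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.in_head = False
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
            return
        if not self.in_head:
            return  # links in the page body are not the widget's head reference
        for name, value in attrs:
            if name in ("href", "src") and value and SERVICE_PATH in value.lower():
                # Resolve relative references against the URL the page was served from.
                self.refs.append(urljoin(self.page_url, value))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def audit_page(page_url, html):
    """Return (resolved_url, is_plaintext) for each service reference in <head>."""
    parser = HeadServiceRefs(page_url)
    parser.feed(html)
    return [(url, urlsplit(url).scheme != "https") for url in parser.refs]


# Constructed sample page: attribute values are assumptions, not Sitefinity's markup.
SAMPLE = """<html><head><title>Blog</title>
<link rel="service" type="application/atomsvc+xml"
      href="/Sitefinity/Services/Atompub/Blogs.svc" />
</head><body><a href="/Sitefinity/Services/Atompub/Blogs.svc">feed</a></body></html>"""

if __name__ == "__main__":
    for page in ("http://example.test/blog", "https://example.test/blog"):
        print(page, audit_page(page, SAMPLE))
```

Run it over the saved HTML of each page that hosts the blog posts widget; a True flag marks a reference that a scanner following the page over HTTP would reach unencrypted.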