Why is the Mixlr website unsafe?

A sound choice? Mixlr's website security is found wanting

First of all, you may be asking, “What’s Mixlr?”.

Mixlr is a website, with associated mobile apps, that allows you to record and publish live podcasts – and allow people to join in, via text chat, whilst you do so. The popular PC Pro podcast uses it. But, is there a problem?

What’s the problem with Mixlr?

Visit the site in Chrome and you may see this in the URL bar:

That “Not Secure” message is because Mixlr isn’t using SSL, so pages are not encrypted.

Is this a problem? I raised this in the chat of the most recent recording of the PC Pro podcast and someone asked if it’s really necessary for static pages.

However, it’s not only static pages that aren’t secured on Mixlr (although there are strong arguments for encrypting static pages too). If you’re logged into a site and move between non-SSL pages, that login information is being passed around unsecured and is open for interception. It’s true that some Mixlr pages do use SSL but, to my mind, that makes this situation worse.

What does Mixlr say?

I reached out to Mixlr about its lack of SSL:

“Being worked on” is oddly vague and, considering that pretty much all websites have moved to SSL now (and you can get free certificates easily via Let’s Encrypt), there seems to be little excuse for this not to have been done already.

However, there is one thing in Mixlr’s reply that is factually incorrect: “all account… pages are already secure”. Not so. If you head to anywhere other than the home page, click on your profile or even try to log in, the page is not SSL secured. I pointed out to Mixlr that its login was not secure and got this terse response:

I replied again, pointing out why this was wrong and… heard nothing back.

I tried to reach out to Mixlr, as a writer for this site, more formally for further details on its SSL plans but couldn’t find any contact details other than an online chat facility. In fact, for an online business, its site is oddly clear of any media/press information, or even details about the company. I had to look at the current job vacancies just to find that the company is based in London.

So, with no choice but to speak to Mixlr via the online chat service, I did so and asked about the plans for SSL. The company replied:

Certain of the login links [sic] from Mixlr livepages will present the listener with an overlay on the existing page. 

At the moment we’re not able to secure Mixlr livepages which means that it’s also not possible to secure these overlays.

We’re working on redirecting the log in links to ensure that anyone logging in from the livepage will be able to log in securely. Right now we can’t give an exact timeframe on when this work will be completed.

So, the plans for SSL turn out to be securing only the login parts, but there’s no timeframe for that. For the rest of the site? It sounds as if Mixlr is quite happy to pass your data around unsecured, as well as leaving you vulnerable to link interception, amongst other vulnerabilities.
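
To make the two concerns above concrete (a login overlay on an unencrypted page, and login state carried between non-SSL pages), here is an added Python example. It is not from the original article or from Mixlr, and it audits one fetched page for both problems. The host name, HTML, cookie values and the names LoginFormFinder and audit are constructed for illustration.

```python
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlsplit


class LoginFormFinder(HTMLParser):
    """Collect the action of every <form> that holds a password field."""
    def __init__(self):
        super().__init__()
        self._action = None      # action of the form currently open
        self.login_actions = []  # actions of forms with a password input

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._action = attrs.get("action") or ""
        elif tag == "input" and self._action is not None:
            if (attrs.get("type") or "").lower() == "password":
                self.login_actions.append(self._action)

    def handle_endtag(self, tag):
        if tag == "form":
            self._action = None


def audit(page_url, html, set_cookie_headers):
    """Return findings for one fetched page (hypothetical helper)."""
    findings = []
    finder = LoginFormFinder()
    finder.feed(html)
    if finder.login_actions and urlsplit(page_url).scheme != "https":
        findings.append(f"login form served on unencrypted page {page_url}"
                        " (page can be altered in transit)")
    for action in finder.login_actions:
        target = urljoin(page_url, action)
        if urlsplit(target).scheme != "https":
            findings.append(f"credentials sent in clear to {target}")
    for header in set_cookie_headers:
        for name, morsel in SimpleCookie(header).items():
            if not morsel["secure"]:
                findings.append(f"cookie {name} lacks Secure, also sent over http")
    return findings


# Constructed sample: an http page whose login overlay posts to https.
SAMPLE_URL = "http://podcast.example/live"
SAMPLE_HTML = '<form action="https://podcast.example/login"><input type="password"></form>'
SAMPLE_COOKIES = ["session=abc123; Path=/; HttpOnly", "prefs=dark; Path=/; Secure"]
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_URL, SAMPLE_HTML, SAMPLE_COOKIES)))
```

On the constructed sample the form target is HTTPS, yet the page is still flagged because the form arrives over plain HTTP, and the session cookie is flagged because without the Secure attribute the browser also sends it on unencrypted requests.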

Should you use Mixlr?

If you have a free account just for joining in on podcasts, then there’s little information to lose, but you’re still vulnerable.

However, if you have a paid account then I’d seriously consider the safety of your information. When a company seems to place security so low on its priority list, alarm bells should be ringing – there really is no excuse these days.

About the author

David Artiss

Works for Automattic Inc., the company behind and Tumblr. Tech geek, international speaker and occasional PC Pro podcaster. Lover of Lego and video games.
