F30POST
2012-2015 BMW 3-Series and 4-Series Forum
BIMMERPOST Universal Forums > Site Related Announcements - Suggestions - Feedback - Questions
12-12-2017, 10:54 AM   #1
Mikecom32 (Second Lieutenant; Pittsburgh, PA; joined Jul 2013)
Bimmerpost security problem - No SSL

I just noticed this morning that the site was just plain HTTP, and credentials were being sent in clear text. You can't even navigate the site via HTTPS, as the webservers aren't even configured to support it.

What does this mean for the average user? If you log in to any of the Bimmerpost sites on a public wifi connection, it is trivially easy for someone to read your login credentials over the air. I'm not overstating this. Your average 14 year old can Google how to do this and have it figured out in 15 minutes.

Why is this a problem? Only 22% of us use different passwords for each site. The other 78% reuse passwords across sites, which means their Bimmerpost password is the same as at least one of their other accounts, and many people use the same password for nearly every site.

Guys, a legitimate SSL certificate costs literally $0 via LetsEncrypt. This is a legitimate, trusted certificate authority structured as a 501(c)(3) non-profit and backed by huge industry names like:
  • The Linux Foundation
  • Mozilla (the Firefox people)
  • Chrome (the web browser that more than 60% of people use worldwide)
  • Akamai (the world leader in content delivery)
  • Cisco
  • Electronic Frontier Foundation
  • The Ford Foundation
  • Facebook

There is no reason to not be doing some type of SSL encryption. Hell, a lack of SSL (https) has a negative effect on your rankings in Google search results now. Browsers have already started showing sites without SSL as "not secure", and are expected to step up this warning in the near future.

There are hundreds of pages that explain why HTTPS should be enabled whenever possible.

If this hasn't been done due to a lack of resources, I'd be happy to assist setting this up pro bono and under an NDA. If you want a copy of my resume, let me know.
Appreciate 1
12-12-2017, 11:02 AM   #2
nars3000 (Captain; San Francisco, CA; joined Oct 2013)
Holy sh*t

https://www.ssllabs.com/ssltest/anal...bimmerpost.com
Appreciate 1
12-13-2017, 10:04 AM   #3
Mikecom32 (Second Lieutenant; Pittsburgh, PA; joined Jul 2013)
Quote: Originally Posted by nars3000

Yeah, it's the default self-signed certificate for localhost. Apache isn't even configured to serve pages with it.
Appreciate 0
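The two findings discussed above (no HTTPS listener at all, and a stock self-signed "localhost" certificate when a listener exists) are exactly what an automated scan reports. The following script is an added example written for this thread, not code from the forum or from Bimmerpost: `check_host()` performs a verifying TLS handshake against a live host and explains why it fails, and `audit_peer_cert()` classifies a certificate in the dict form that Python's `ssl.SSLSocket.getpeercert()` returns (self-signed, name mismatch, expired). The two `SAMPLE_*` certificates are constructed for illustration and are not the site's real certificate; `example.com` is a placeholder hostname.

```python
"""Classify a server certificate the way an SSL Labs style scan does.

Added example for this thread (not Bimmerpost code). check_host() needs a
network; audit_peer_cert() works offline on getpeercert()-shaped dicts.
"""
import socket
import ssl
import time
from typing import Dict, List, Optional, Tuple

# Constructed sample: a stock self-signed "localhost" certificate as getpeercert()
# would render it. Issuer and subject are the same name; it only covers "localhost".
SAMPLE_LOCALHOST_CERT: Dict = {
    "subject": ((("commonName", "localhost"),),),
    "issuer": ((("commonName", "localhost"),),),
    "subjectAltName": (("DNS", "localhost"),),
    "notBefore": "Dec  1 00:00:00 2017 GMT",
    "notAfter": "Dec  1 00:00:00 2018 GMT",
}

# Constructed sample: a CA-issued certificate covering example.com and *.example.com.
SAMPLE_GOOD_CERT: Dict = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Trust Services"),), (("commonName", "Example CA"),)),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notBefore": "Nov  1 00:00:00 2017 GMT",
    "notAfter": "Feb  1 00:00:00 2018 GMT",
}


def _attr_values(name: Tuple, attr: str) -> List[str]:
    """getpeercert() encodes a name as a tuple of RDNs, each a tuple of (type, value) pairs."""
    return [value for rdn in name for key, value in rdn if key == attr]


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact, or a single wildcard in the leftmost label only."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        # "*.example.com" covers "www.example.com" but not "example.com" or "a.b.example.com".
        return hostname.endswith(pattern[1:]) and hostname.count(".") == pattern.count(".")
    return False


def audit_peer_cert(cert: Dict, hostname: str, now_ts: Optional[float] = None) -> List[str]:
    """Return human-readable findings for a certificate dict; an empty list means it passed.

    now_ts is a POSIX timestamp (default: current time) so the expiry check is reproducible.
    """
    findings: List[str] = []

    # 1. Self-signed: issuer and subject are the same name. No browser trusts this, and
    #    it is what the default certificate shipped with a web server looks like.
    if cert.get("subject") == cert.get("issuer"):
        findings.append("self-signed certificate (issuer is identical to subject)")

    # 2. Name coverage: clients check subjectAltName DNS entries and only fall back
    #    to the subject CN when the certificate has no SAN at all.
    san_dns = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    names = san_dns or _attr_values(cert.get("subject", ()), "commonName")
    if not any(hostname_matches(name, hostname) for name in names):
        findings.append(f"certificate names {names} do not cover {hostname}")

    # 3. Validity window, parsed with the same time format getpeercert() emits.
    now_ts = time.time() if now_ts is None else now_ts
    not_after = cert.get("notAfter")
    if not_after and ssl.cert_time_to_seconds(not_after) <= now_ts:
        findings.append(f"certificate expired on {not_after}")
    return findings


def check_host(host: str, port: int = 443, timeout: float = 5.0) -> Tuple[Optional[Dict], Optional[str]]:
    """Handshake with the default (verifying) context.

    Returns (cert, None) on success, otherwise (None, reason). A self-signed default
    certificate shows up here as a verification failure: with verification disabled,
    getpeercert() returns an empty dict for an untrusted chain, so it cannot be read that way.
    """
    context = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert(), None
    except ssl.SSLCertVerificationError as exc:
        return None, f"certificate rejected: {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:
        return None, f"no usable HTTPS on {host}:{port}: {exc}"


if __name__ == "__main__":
    # Offline run on the constructed samples; pass a hostname to check a live site instead.
    import sys
    if len(sys.argv) > 1:
        cert, reason = check_host(sys.argv[1])
        print(reason or audit_peer_cert(cert, sys.argv[1]) or "no findings")
    else:
        for label, sample in ("localhost default", SAMPLE_LOCALHOST_CERT), ("CA-issued", SAMPLE_GOOD_CERT):
            print(label, audit_peer_cert(sample, "www.example.com", now_ts=1513123200))  # 2017-12-13 UTC
```

Running it without arguments prints two findings for the localhost sample (self-signed, name mismatch) and none for the CA-issued one; running it with a hostname reports either the verification failure a browser would show or the findings for the certificate actually served.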
12-13-2017, 10:39 AM   #4
jkoral (Major; MA; joined Oct 2007)
FWIW, I've seen this posted many times, by many users for a number of years. I can't find any old threads (maybe they were deleted) -- but nothing seems to change.

There are no password requirements (not even length; you can use 1 character as your password). But they do seem to make sure you are not using a throwaway email account (mailinator, dispostable, yopmail are all banned; I was too lazy to try all the alternatives).
Appreciate 3
12-13-2017, 12:50 PM   #5
Mikecom32 (Second Lieutenant; Pittsburgh, PA; joined Jul 2013)
I hate to ping a moderator/admin, but this isn't just an annoyance with the site.

mkoesel, do you have any suggestions? Other than news posts, I don't think I've really ever seen Jason or Mark post, so I'm not sure they even read this stuff.
Appreciate 0
12-14-2017, 03:15 AM   #6
Bunkei (Anti-Fanboy; Seattle, WA; joined Apr 2008)
Off-topic but also security related: This board uses an extremely outdated version of vBulletin. Now upgrades are NOT cheap for vBulletin. However, the patches should be free. At the very least, this board should be running v3.8.9.
Appreciate 0
Tags: http, https, security, ssl
Powered by vBulletin® Version 3.7.0
Copyright ©2000 - 2017, Jelsoft Enterprises Ltd.