12-12-2017, 09:54 AM | #1
Second Lieutenant | 148 Rep | 280 Posts
Bimmerpost security problem - No SSL
I just noticed this morning that the site was just plain HTTP, and credentials were being sent in clear text. You can't even navigate the site via HTTPS, as the webservers aren't even configured to support it.
What does this mean for the average user? If you log in to any of the Bimmerpost sites on a public wifi connection, it is trivially easy for someone to read your login credentials over the air. I'm not overstating this. Your average 14-year-old can Google how to do this and have it figured out in 15 minutes. Why is this a problem? Only 22% of us use different passwords for each site. The other 78% reuse passwords across sites, which means their Bimmerpost password is the same as at least one of their other accounts, and many people use the same password for nearly every site. Guys, a legitimate SSL certificate costs literally $0 via LetsEncrypt. This is a legitimate, trusted certificate authority structured as a 501(c)(3) non-profit and backed by huge industry names like:
There is no reason to not be doing some type of SSL encryption. Hell, a lack of SSL (HTTPS) has a negative effect on your rankings in Google search results now. Browsers have already started showing sites without SSL as "not secure", and are expected to step up this warning in the near future. There are hundreds of pages that explain why HTTPS should be enabled whenever possible. If this hasn't been done due to a lack of resources, I'd be happy to assist in setting this up pro bono and under an NDA. If you want a copy of my resume, let me know.
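The cleartext-login problem described in the post above can be checked mechanically from the defender's side. The following is an added example, not code from the forum or from vBulletin: it audits a captured HTTP response for the four things a move to HTTPS has to get right (plain HTTP redirected to HTTPS, an HSTS header, login forms that submit to https://, and Secure session cookies). The `Response` class, the `forum.example` host and the three sample responses are constructed for the example.

```python
import re
from dataclasses import dataclass

@dataclass
class Response:            # minimal stand-in for a captured HTTP response (constructed)
    url: str
    status: int
    headers: list          # (name, value) pairs; Set-Cookie may repeat
    body: str = ""

def header_values(resp, name):
    return [v for n, v in resp.headers if n.lower() == name.lower()]

def audit(resp):
    """Return the list of findings; an empty list means the response passes."""
    findings = []
    scheme = resp.url.split("://", 1)[0].lower()
    location = (header_values(resp, "Location") or [""])[0].lower()
    if scheme == "http" and not (300 <= resp.status < 400 and location.startswith("https://")):
        findings.append("plain HTTP is served instead of redirecting to HTTPS")
    if scheme == "https" and not header_values(resp, "Strict-Transport-Security"):
        findings.append("HTTPS response lacks a Strict-Transport-Security header")
    # Every form that collects a password must submit to an https:// URL.
    for attrs, inner in re.findall(r"<form\b([^>]*)>(.*?)</form>", resp.body, re.I | re.S):
        if not re.search(r'type\s*=\s*"password"', inner, re.I):
            continue
        action = (re.findall(r'action\s*=\s*"([^"]*)"', attrs, re.I) or [""])[0]
        action_scheme = action.split("://", 1)[0].lower() if "://" in action else scheme
        if action_scheme != "https":     # relative actions inherit the page's scheme
            findings.append(f"login form submits over cleartext: {action or resp.url}")
    # Session cookies without Secure are sent along on the next http:// request.
    for cookie in header_values(resp, "Set-Cookie"):
        if "secure" not in [p.strip().lower() for p in cookie.split(";")[1:]]:
            findings.append(f"cookie set without Secure flag: {cookie.split('=', 1)[0]}")
    return findings

# Constructed samples: the forum as the thread describes it, and two fixed versions.
CLEARTEXT_LOGIN = Response(
    url="http://forum.example/login.php", status=200,
    headers=[("Set-Cookie", "sessionhash=deadbeef; path=/; HttpOnly")],
    body='<form action="login.php?do=login" method="post">'
         '<input name="username"><input type="password" name="password"></form>')
HTTPS_REDIRECT = Response(url="http://forum.example/login.php", status=301,
                          headers=[("Location", "https://forum.example/login.php")])
HARDENED_LOGIN = Response(
    url="https://forum.example/login.php", status=200,
    headers=[("Strict-Transport-Security", "max-age=31536000"),
             ("Set-Cookie", "sessionhash=deadbeef; path=/; Secure; HttpOnly")],
    body='<form action="/login.php?do=login" method="post">'
         '<input name="username"><input type="password" name="password"></form>')
```

Running `audit()` over the first sample reports all three cleartext problems the thread complains about; the redirect and the hardened HTTPS page both come back clean.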
12-13-2017, 09:04 AM | #3
Second Lieutenant | 148 Rep | 280 Posts
Quote:
12-13-2017, 09:39 AM | #4
Colonel | 1171 Rep | 2,086 Posts
FWIW, I've seen this posted many times, by many users for a number of years. I can't find any old threads (maybe they were deleted) -- but nothing seems to change.
There are no password requirements (not even length; you can use 1 character as your password). But they do seem to make sure you are not using a throwaway email account (mailinator, dispostable, yopmail are all banned; I was too lazy to try all the alternatives).
12-13-2017, 11:50 AM | #5
Second Lieutenant | 148 Rep | 280 Posts
I hate to ping a moderator/admin, but this isn't just an annoyance with the site.
mkoesel, do you have any suggestions? Other than news posts, I don't think I've really ever seen Jason or Mark post, so I'm not sure they even read this stuff.
12-14-2017, 02:15 AM | #6
Anti-Fanboy | 70 Rep | 572 Posts
Off-topic but also security related: This board uses an extremely outdated version of vBulletin. Now upgrades are NOT cheap for vBulletin. However, the patches should be free. At the very least, this board should be running v3.8.9.
01-23-2018, 02:17 PM | #8
Enlisted Member | 29 Rep | 29 Posts
No reason a website with the size and traffic of Bimmerpost shouldn't have an SSL certificate. This needs to be fixed.
__________________
"On a given day, a given circumstance, you think you have a limit. And you then go for this limit and you touch this limit, and you think, 'Okay, this is the limit'. And so you touch this limit, something happens and you suddenly can go a little bit further. With your mind power, your determination, your instinct, and the experience as well, you can fly very high." -Ayrton Senna
01-24-2018, 01:56 AM | #9
Private First Class | 125 Rep | 168 Posts
Guys, if you're using an important password for forums, you're doing it wrong. Forums are dying, but I agree with you guys that HTTPS should work, even without a CA-signed certificate, so I can ensure my traffic at least gets encrypted, even though I'm not really concerned about someone hacking my forum accounts.
01-24-2018, 06:37 AM | #11
Second Lieutenant | 148 Rep | 280 Posts
Statistics show most people reuse their passwords.
https://www.statista.com/statistics/...ine-passwords/
It doesn't matter, honestly. Regardless of how sensitive a login is, credentials should NEVER be sent unencrypted.
01-26-2018, 07:43 AM | #12
Lieutenant General | 3985 Rep | 10,664 Posts
I brought this up a few months ago and posters told me to pound sand.
__________________
"Drive more, worry less."
435i, MPPK, MPE, M-Sport Line
01-26-2018, 02:44 PM | #13
Major General | 3143 Rep | 6,088 Posts
Quote:
01-26-2018, 03:17 PM | #14
Private First Class | 216 Rep | 183 Posts
It's a shame that the leadership group still hasn't addressed this. Not sure if it's an issue with time management, cost, or caring, but something should be done given the size of this community.
01-26-2018, 03:26 PM | #15
MSgt (ret) | 586 Rep | 2,114 Posts
Drives: VO 1M #739/740
Join Date: May 2010
Location: Where the car was born
Why allow this forum to be insecure?
Mark, Jason, or Dackelone... in this era of stolen credentials and hacked identities, why would you allow this to continue? One of the forum members offered to help; why not solve this to save all of us heartache, and potentially compromised other accounts?
01-29-2018, 12:12 PM | #19
Administrator | 7215 Rep | 4,203 Posts
You can actually access some parts of the forums with SSL (with mixed-content warnings and all), but an actual 'all traffic to SSL' thing won't happen until March, most likely.
01-29-2018, 08:56 PM | #22
Administrator | 7215 Rep | 4,203 Posts
Quote:
Tags: http, https, security, ssl