      12-12-2017, 08:54 AM   #1
Mikecom32
Second Lieutenant
United_States
150
Rep
280
Posts

Drives: '18 M4 ZCP 6MT, '05 330xi 6MT,
Join Date: Jul 2013
Location: Pittsburgh, PA

iTrader: (0)

Bimmerpost security problem - No SSL

I just noticed this morning that the site was just plain HTTP, and credentials were being sent in clear text. You can't even navigate the site via HTTPS, as the webservers aren't even configured to support it.

What does this mean for the average user? If you log in to any of the Bimmerpost sites on a public wifi connection, it is trivially easy for someone to read your login credentials over the air. I'm not overstating this. Your average 14 year old can Google how to do this and have it figured out in 15 minutes.

Why is this a problem? Only 22% of us use different passwords for each site. The other 78% reuse passwords across sites, which means their bimmerpost password is the same as at least one of their other accounts and many people use the same password for nearly every site.

Guys, a legitimate SSL certificate costs literally $0 via LetsEncrypt. This is a legitimate, trusted certificate authority structured as a 501(c)(3) non-profit and backed by huge industry names like:
  • The Linux Foundation
  • Mozilla (the Firefox people)
  • Chrome (the web browser that more than 60% of people use worldwide)
  • Akamai (the world leader in content delivery)
  • Cisco
  • Electronic Frontier Foundation
  • The Ford Foundation
  • Facebook

There is no reason to not be doing some type of SSL encryption. Hell, a lack of SSL (https) has a negative effect on your rankings in Google search results now. Browsers have already started showing sites without SSL as "not secure", and are expected to step up this warning in the near future.

There are hundreds of pages that explain why HTTPS should be enabled whenever possible.

If this hasn't been done due to a lack of resources, I'd be happy to assist setting this up pro bono and under an NDA. If you want a copy of my resume, let me know.
Appreciate 7
Olivo29.00
bobert858.50
Wolf 3352338.50
Dackelone10511.00
Soul_Glo13288.50
Law6377.00
      12-12-2017, 09:02 AM   #2
FriedPiston
Colonel
United_States
1968
Rep
2,711
Posts

Drives: Scraper
Join Date: Oct 2013
Location: East Oakland, CA

iTrader: (26)

Holy sh*t

https://www.ssllabs.com/ssltest/anal...bimmerpost.com
Appreciate 1
Mikecom32149.50
      12-13-2017, 08:04 AM   #3
Mikecom32
Second Lieutenant
United_States
150
Rep
280
Posts

Drives: '18 M4 ZCP 6MT, '05 330xi 6MT,
Join Date: Jul 2013
Location: Pittsburgh, PA

iTrader: (0)

Quote:
Originally Posted by nars3000
Yeah, it's the default self-signed certificate for localhost. Apache isn't even configured to serve pages with it.
Appreciate 0
      12-13-2017, 08:39 AM   #4
jkoral
Lieutenant Colonel
United_States
1016
Rep
1,960
Posts

Drives: 2017 M2 LBB 6MT
Join Date: Oct 2007
Location: MA

iTrader: (7)

FWIW, I've seen this posted many times, by many users for a number of years. I can't find any old threads (maybe they were deleted) -- but nothing seems to change.

There are no password requirements (not even length, you can use 1 character as your password). But they do seem to make sure you are not using a throwaway email account (mailinator, dispostable, yopmail all are banned, I was too lazy to try all the alternatives).
Appreciate 4
Mikecom32149.50
No one1029.50
Olivo29.00
      12-13-2017, 10:50 AM   #5
Mikecom32
Second Lieutenant
United_States
150
Rep
280
Posts

Drives: '18 M4 ZCP 6MT, '05 330xi 6MT,
Join Date: Jul 2013
Location: Pittsburgh, PA

iTrader: (0)

I hate to ping a moderator/admin, but this isn't just an annoyance with the site.

mkoesel do you have any suggestions? Other than news posts, I don't think I've really ever seen Jason or Mark post, so I'm not sure they even read this stuff.
Appreciate 0
      12-14-2017, 01:15 AM   #6
Bunkei
Anti-Fanboy
United_States
68
Rep
572
Posts

Drives: 2018 BMW M4
Join Date: Apr 2008
Location: Seattle, WA

iTrader: (0)

Off-topic but also security related: This board uses an extremely outdated version of vBulletin. Now upgrades are NOT cheap for vBulletin. However, the patches should be free. At the very least, this board should be running v3.8.9.
Appreciate 1
Mikecom32149.50
      01-22-2018, 08:15 AM   #7
Mikecom32
Second Lieutenant
United_States
150
Rep
280
Posts

Drives: '18 M4 ZCP 6MT, '05 330xi 6MT,
Join Date: Jul 2013
Location: Pittsburgh, PA

iTrader: (0)

Bump - My offer to help fix this pro bono stands.
Appreciate 0
      01-23-2018, 01:17 PM   #8
Olivo
Enlisted Member
29
Rep
29
Posts

Drives: Nothing Cool
Join Date: Nov 2017
Location: North Jersey

iTrader: (0)

No reason a website with the size and traffic of Bimmerpost shouldn't have a SSL certificate. This needs to be fixed.
__________________
"On a given day, a given circumstance, you think you have a limit. And you then go for this limit and you touch this limit, and you think, 'Okay, this is the limit'. And so you touch this limit, something happens and you suddenly can go a little bit further. With your mind power, your determination, your instinct, and the experience as well, you can fly very high." -Ayrton Senna
Appreciate 1
Mikecom32149.50
      01-24-2018, 12:56 AM   #9
nomade30
Private First Class
123
Rep
168
Posts

Drives: 18 M2, 91 325, 05 DMAX
Join Date: Apr 2017
Location: UT

iTrader: (0)

Guys, if you're using an important password for forums, you're doing it wrong. Forums are dying, but I agree with you guys: https should work even without a CA-signed certificate so I can ensure my traffic at least gets encrypted, even though I'm not really concerned about someone hacking my forum accounts.
Appreciate 0
      01-24-2018, 01:32 AM   #10
bimmer456
Major General
2940
Rep
5,983
Posts

Drives: 340i
Join Date: Nov 2016
Location: Pasadena, CA

iTrader: (0)

I use different passwords for everything
Appreciate 1
Spa2k1193.00
      01-24-2018, 05:37 AM   #11
Mikecom32
Second Lieutenant
United_States
150
Rep
280
Posts

Drives: '18 M4 ZCP 6MT, '05 330xi 6MT,
Join Date: Jul 2013
Location: Pittsburgh, PA

iTrader: (0)

Quote:
Originally Posted by bimmer456
I use different passwords for everything
Statistics show most people reuse their passwords.

https://www.statista.com/statistics/...ine-passwords/

It doesn't matter, honestly. Regardless of how sensitive a login is, credentials should NEVER be sent unencrypted.
Appreciate 2
bobert858.50
puppydax146.50
      01-26-2018, 06:43 AM   #12
F32Fleet
Lieutenant General
United_States
3540
Rep
10,327
Posts

Drives: 2015 435i
Join Date: May 2005
Location: Southeastern US

iTrader: (0)

I brought this up a few months ago and posters told me to pound sand.
__________________
"Drive more, worry less. "

435i, MPPK, MPE, M-Sport Line
Appreciate 0
      01-26-2018, 01:44 PM   #13
bimmer456
Major General
2940
Rep
5,983
Posts

Drives: 340i
Join Date: Nov 2016
Location: Pasadena, CA

iTrader: (0)

Quote:
Originally Posted by Mikecom32
Statistics show most people reuse their passwords.

https://www.statista.com/statistics/...ine-passwords/

It doesn't matter, honestly. Regardless of how sensitive a login is, credentials should NEVER be sent unencrypted.
Unfortunately that's what's happening if you're using this site.
Appreciate 0
      01-26-2018, 02:17 PM   #14
blue-mw
Private First Class
217
Rep
183
Posts

Drives: E92 M3
Join Date: Jun 2016
Location: STL

iTrader: (1)

It's a shame that the leadership group still hasn't addressed this. Not sure if it's an issue with time management, cost, or caring, but something should be done given the size of this community.
Appreciate 0
      01-26-2018, 02:26 PM   #15
Rikx1M
MSgt (ret)
Germany
559
Rep
2,116
Posts

Drives: VO 1M #739/740
Join Date: May 2010
Location: Where the car was born

iTrader: (2)

Why allow this forum to be insecure?

Mark or Jason or Dackelone... in this era of stolen credentials and hacked identities, why would you allow this to continue? One of the forum members offered to help; why not solve this to save all of us heartache, and potentially the compromise of other accounts?
Appreciate 2
Mikecom32149.50
Dackelone10511.00
      01-26-2018, 02:59 PM   #16
Wolf 335
Brigadier General
Canada
2339
Rep
3,538
Posts

Drives: 2007 E92 335i
Join Date: Aug 2012
Location: GTA - Greater Toronto Area

iTrader: (0)

This is definitely concerning.

Curious to see what happens.
Appreciate 0
      01-26-2018, 03:39 PM   #17
byroncheung
Lieutenant
United_States
178
Rep
591
Posts

Drives: e90 m3, 997.2 c2s, x166 GL450
Join Date: Nov 2014
Location: Westchester, NY

iTrader: (0)

Quote:
Originally Posted by Wolf 335
This is definitely concerning.

Curious to see what happens.
upvote on having this fixed...
Appreciate 0
      01-29-2018, 10:31 AM   #18
Mikecom32
Second Lieutenant
United_States
150
Rep
280
Posts

Drives: '18 M4 ZCP 6MT, '05 330xi 6MT,
Join Date: Jul 2013
Location: Pittsburgh, PA

iTrader: (0)

I'm glad to see I'm not the only one concerned! Thanks for weighing in everyone.
Appreciate 0
      01-29-2018, 11:12 AM   #19
Mark
Administrator
6667
Rep
4,201
Posts

Drives: 1M
Join Date: Mar 2005
Location: USA

iTrader: (1)

You can actually access some parts of the forums with SSL (with mixed-content warnings and all), but an actual 'all traffic to SSL' thing won't happen until March most likely.
Appreciate 2
joeinsd288.00
Mikecom32149.50
      01-29-2018, 06:36 PM   #20
lax01
Major
793
Rep
1,366
Posts

Drives: 2017 M2
Join Date: Jan 2007
Location: Los Angeles, CA

iTrader: (0)

Wow...never realized it. Glad I use my throw-away forum password for this place...
Appreciate 1
bimmer4562940.00
      01-29-2018, 07:30 PM   #21
Mikecom32
Second Lieutenant
United_States
150
Rep
280
Posts

Drives: '18 M4 ZCP 6MT, '05 330xi 6MT,
Join Date: Jul 2013
Location: Pittsburgh, PA

iTrader: (0)

Quote:
Originally Posted by Mark
You can actually access some parts of the forums with SSL (with mixed-content warnings and all), but an actual 'all traffic to SSL' thing won't happen until March most likely.
Thanks for letting us know Mark! My offer for pro bono assistance stands, if you are ever interested. I'd be happy to forward along my resume.
Appreciate 1
Mark6667.00
      01-29-2018, 07:56 PM   #22
Mark
Administrator
6667
Rep
4,201
Posts

Drives: 1M
Join Date: Mar 2005
Location: USA

iTrader: (1)

Quote:
Originally Posted by Mikecom32
Thanks for letting us know Mark! My offer for pro bono assistance stands, if you are ever interested. I'd be happy to forward along my resume.
Very kind of you and appreciated. Somewhere around February 27 we should be forcing all connections into SSL. Until then, feel free to access the https individual Bimmerpost sites (https://f80.bimmerpost.com/forums/) (note: not all our subsites are fully ready, but the big ones are).
Appreciate 2
bimmer4562940.00
Mikecom32149.50
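As an added example covering the checks raised in this thread (the opening post's point that a login form on a plain-HTTP page sends credentials in clear, and Mark's last reply about forcing all connections onto SSL and the interim mixed-content warnings), the Python script below audits a captured HTTP response offline. It is not code from this forum or from vBulletin; the host names, response bodies and form field names are constructed placeholders, and nothing here contacts a server.

```python
"""Offline audit of a captured HTTP exchange: would the login form on this page send
credentials in clear, and does the HTTP side force traffic onto HTTPS?
Example added to this thread; not the forum's own code. All responses are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status_code, headers, body); header names lower-cased."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


class _PageScanner(HTMLParser):
    """Collect the action URL of every <form> holding a password field, plus any
    sub-resource fetched over plain http:// (the mixed content a browser warns about)."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.password_forms = []       # absolute action URLs of login-style forms
        self.http_subresources = []    # script/img/link/iframe URLs starting with http://
        self._action = None            # action of the form we are currently inside
        self._has_password = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # a missing/relative action resolves against the page URL, so it inherits its scheme
            self._action = urljoin(self.page_url, attrs.get("action") or "")
            self._has_password = False
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            self._has_password = True
        elif tag in ("script", "img", "link", "iframe"):
            ref = attrs.get("src") or attrs.get("href") or ""
            if ref.lower().startswith("http://"):
                self.http_subresources.append(ref)

    def handle_endtag(self, tag):
        if tag == "form" and self._action is not None:
            if self._has_password:
                self.password_forms.append(self._action)
            self._action = None


def audit(page_url: str, raw_response: str) -> dict:
    """Return the findings for one captured page fetch."""
    status, headers, body = parse_response(raw_response)
    location = headers.get("location", "")
    scanner = _PageScanner(page_url)
    scanner.feed(body)
    return {
        "served_over_https": urlsplit(page_url).scheme == "https",
        "redirects_to_https": status in (301, 302, 307, 308) and urlsplit(location).scheme == "https",
        "hsts": "strict-transport-security" in headers,
        "password_forms": scanner.password_forms,
        # a password form posting to anything but https:// sends the credentials in clear
        "credentials_in_clear": any(urlsplit(u).scheme != "https" for u in scanner.password_forms),
        "mixed_content": scanner.http_subresources,
    }


# Constructed sample 1: the situation in the opening post. A plain-HTTP page whose login
# form posts to a relative URL, so the POST goes back over HTTP. Host is a placeholder.
HTTP_URL = "http://forum.example.invalid/forums/"
HTTP_PAGE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    '<html><body><form action="login.php?do=login" method="post">'
    '<input name="username" type="text"><input name="password" type="password">'
    "</form></body></html>"
)
# Constructed sample 2: what "forcing all connections into SSL" looks like on port 80:
# nothing but a redirect to the https:// address.
HTTP_REDIRECT = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://forum.example.invalid/forums/\r\n\r\n"
# Constructed sample 3: the HTTPS side with HSTS set, but one image still loaded over
# http:// (the mixed-content warning the admin mentions).
HTTPS_URL = "https://forum.example.invalid/forums/"
HTTPS_PAGE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n\r\n"
    '<html><body><img src="http://static.example.invalid/logo.png">'
    '<form action="/forums/login.php" method="post">'
    '<input name="username" type="text"><input name="password" type="password">'
    "</form></body></html>"
)

if __name__ == "__main__":
    for url, raw in [(HTTP_URL, HTTP_PAGE), (HTTP_URL, HTTP_REDIRECT), (HTTPS_URL, HTTPS_PAGE)]:
        print(url, audit(url, raw))
```

The script deliberately works on a saved response rather than fetching anything itself, so it can be pointed at the output of `curl -i` against a site you operate. Sample 1 reproduces the condition the opening post describes (`credentials_in_clear` is true because the relative form action inherits the page's `http://` scheme); sample 2 is the port-80 behaviour the admin says is coming (a bare redirect, which the script reports as `redirects_to_https`); sample 3 shows that even once the login form posts over HTTPS, one `http://` sub-resource is enough to trigger the mixed-content warnings Mark mentions.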
Powered by vBulletin® Version 3.8.11
Copyright ©2000 - 2024, vBulletin Solutions Inc.