BMW 1 Series Coupe Forum / 1 Series Convertible Forum (1M / tii / 135i / 128i / Coupe / Cabrio / Hatchback) (BMW E82 E88 128i 130i 135i)
12-12-2017, 10:54 AM   #1 | Mikecom32, Second Lieutenant, Pittsburgh, PA
Bimmerpost security problem - No SSL

I just noticed this morning that the site was just plain HTTP, and credentials were being sent in clear text. You can't even navigate the site via HTTPS, as the webservers aren't even configured to support it.

What does this mean for the average user? If you log in to any of the Bimmerpost sites on a public wifi connection, it is trivially easy for someone to read your login credentials over the air. I'm not overstating this. Your average 14 year old can Google how to do this and have it figured out in 15 minutes.

Why is this a problem? Only 22% of us use different passwords for each site. The other 78% reuse passwords across sites, which means their bimmerpost password is the same as at least one of their other accounts and many people use the same password for nearly every site.

Guys, a legitimate SSL certificate costs literally $0 via LetsEncrypt. This is a legitimate, trusted certificate authority structured as a 501(c)(3) non-profit and backed by huge industry names like:
  • The Linux Foundation
  • Mozilla (the Firefox people)
  • Chrome (the web browser that more than 60% of people use worldwide)
  • Akamai (the world leader in content delivery)
  • Cisco
  • Electronic Frontier Foundation
  • The Ford Foundation
  • Facebook

There is no reason to not be doing some type of SSL encryption. Hell, a lack of SSL (https) has a negative effect on your rankings in Google search results now. Browsers have already started showing sites without SSL as "not secure", and are expected to step up this warning in the near future.

There are hundreds of pages that explain why HTTPS should be enabled whenever possible.

If this hasn't been done due to a lack of resources, I'd be happy to assist setting this up pro bono and under an NDA. If you want a copy of my resume, let me know.
Appreciate 6
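As an added illustration of the point made in this post (example code written for this page, not the forum's software and not anything captured from the site): the following parses a constructed, cleartext HTTP login request exactly as an on-path observer on the same wifi would see it. The host, path, cookie names and form field names are assumptions chosen to look like a typical vBulletin 3 login form.

```python
from urllib.parse import parse_qs

# Constructed sample: what a sniffer on shared wifi sees when a login form is
# submitted over plain HTTP. Host, path, cookie and field names are assumed.
SAMPLE_REQUEST = (
    b"POST /forums/login.php?do=login HTTP/1.1\r\n"
    b"Host: forum.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 61\r\n"
    b"Cookie: bbsessionhash=0123456789abcdef; bbuserid=42\r\n"
    b"\r\n"
    b"vb_login_username=mike&vb_login_password=hunter2&cookieuser=1"
)

# Field and cookie names an observer would simply grep for (assumed names).
PASSWORD_FIELDS = {"vb_login_password", "password", "passwd", "pass"}
USERNAME_FIELDS = {"vb_login_username", "username", "user", "login", "email"}
SESSION_COOKIES = {"bbsessionhash", "sessionid", "PHPSESSID"}


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into request line, headers and body.

    Raises ValueError on a truncated capture so that a partial packet is not
    mistaken for a complete, harmless request."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: no end of headers")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    expected = int(headers.get("content-length", "0"))
    if len(body) < expected:
        raise ValueError(f"truncated body: have {len(body)} of {expected} bytes")
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body[:expected]}


def extract_form_fields(req: dict) -> dict:
    """Decode an application/x-www-form-urlencoded body into {name: value}."""
    ctype = req["headers"].get("content-type", "")
    if not ctype.startswith("application/x-www-form-urlencoded"):
        return {}
    parsed = parse_qs(req["body"].decode("utf-8", "replace"), keep_blank_values=True)
    return {k: v[0] for k, v in parsed.items()}


def extract_cookies(req: dict) -> dict:
    """Decode the Cookie header into {name: value}."""
    out = {}
    for part in req["headers"].get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            out[name] = value
    return out


def sniff_credentials(raw: bytes) -> dict:
    """Return everything in one cleartext request that lets an observer log in
    as the victim: the submitted username/password and any session cookie.
    A stolen session cookie works even if the password had been hashed
    client-side before submission, so hashing in JavaScript is no substitute
    for TLS."""
    req = parse_http_request(raw)
    fields = extract_form_fields(req)
    cookies = extract_cookies(req)
    return {
        "target": req["headers"].get("host", "") + req["target"],
        "username": next((fields[f] for f in USERNAME_FIELDS if f in fields), None),
        "password": next((fields[f] for f in PASSWORD_FIELDS if f in fields), None),
        "session_cookies": {k: v for k, v in cookies.items() if k in SESSION_COOKIES},
    }


if __name__ == "__main__":
    print(sniff_credentials(SAMPLE_REQUEST))
```

The parser deliberately refuses a truncated capture rather than returning half a body, because a partial packet that happens to lack the password field would otherwise look like a clean request. Everything the function returns is recoverable by anyone who can see the bytes, which is the whole of the argument for TLS.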
12-12-2017, 11:02 AM   #2 | nars3000, Captain, San Francisco, CA
Holy sh*t

https://www.ssllabs.com/ssltest/anal...bimmerpost.com
Appreciate 1
12-13-2017, 10:04 AM   #3 | Mikecom32, Second Lieutenant, Pittsburgh, PA
Quote:
Originally Posted by nars3000

Yeah, it's the default self-signed certificate for localhost. Apache isn't even configured to serve pages with it.
Appreciate 0
12-13-2017, 10:39 AM   #4 | jkoral, Major, MA
FWIW, I've seen this posted many times, by many users for a number of years. I can't find any old threads (maybe they were deleted) -- but nothing seems to change.

There are no password requirements (not even length, you can use 1 character as your password). But they do seem to make sure you are not using a throwaway email account (mailinator, dispostable, yopmail all are banned, I was too lazy to try all the alternatives).
Appreciate 4
12-13-2017, 12:50 PM   #5 | Mikecom32, Second Lieutenant, Pittsburgh, PA
I hate to ping a moderator/admin, but this isn't just an annoyance with the site.

mkoesel do you have any suggestions? Other than news posts, I don't think I've really ever seen Jason or Mark post, so I'm not sure they even read this stuff.
Appreciate 0
12-14-2017, 03:15 AM   #6 | Bunkei, Anti-Fanboy, Seattle, WA
Off-topic but also security related: This board uses an extremely outdated version of vBulletin. Now upgrades are NOT cheap for vBulletin. However, the patches should be free. At the very least, this board should be running v3.8.9.
Appreciate 1
01-22-2018, 10:15 AM   #7 | Mikecom32, Second Lieutenant, Pittsburgh, PA
Bump - My offer to help fix this pro bono stands.
Appreciate 0
01-23-2018, 03:17 PM   #8 | Olivo, Enlisted Member, North Jersey
No reason a website with the size and traffic of Bimmerpost shouldn't have a SSL certificate. This needs to be fixed.
Appreciate 1
01-24-2018, 02:56 AM   #9 | nomade30, Private, UT
Guys, if you're using an important password for forums, you're doing it wrong. Forums are dying, but I agree with you guys: https should work even without a DA signed certificate so I can ensure my traffic at least gets encrypted, even though I'm not really concerned about someone hacking my forum accounts.
Appreciate 0
01-24-2018, 03:32 AM   #10 | bimmer456, Colonel, Pasadena, CA
I use different passwords for everything
Appreciate 1
01-24-2018, 07:37 AM   #11 | Mikecom32, Second Lieutenant, Pittsburgh, PA
Quote:
Originally Posted by bimmer456
I use different passwords for everything

Statistics show most people reuse their passwords.

https://www.statista.com/statistics/...ine-passwords/

It doesn't matter, honestly. Regardless of how sensitive a login is, credentials should NEVER be sent unencrypted.
Appreciate 2
01-26-2018, 08:43 AM   #12 | F32Fleet, Major General, Southeastern US
I brought this up a few months ago and posters told me to pound sand.
Appreciate 0
01-26-2018, 03:44 PM   #13 | bimmer456, Colonel, Pasadena, CA
Quote:
Originally Posted by Mikecom32
Statistics show most people reuse their passwords.

https://www.statista.com/statistics/...ine-passwords/

It doesn't matter, honestly. Regardless of how sensitive a login is, credentials should NEVER be sent unencrypted.
Unfortunately that's what's happening if you're using this site.
Appreciate 0
01-26-2018, 04:17 PM   #14 | blue-mw, Private First Class, STL
It's a shame that the leadership group still hasn't addressed this. Not sure if it's an issue with time management, cost, or caring, but something should be done given the size of this community.

They should also update the forum software. According to the footer, they're about 2 full builds behind on their vBulletin software... which I hope is at least patched, otherwise all of our info is subject to exploitation... or worse, already has been.
Appreciate 0
01-26-2018, 04:26 PM   #15 | Rikx1M, MSgt (ret), Germany
Why allow this forum to be insecure?

Mark or Jason or Dackelone ...in this era of stolen credentials and hacked identities why would you allow this to continue? ... one of the forum members offered to help, why not solve this to save all of us heartache? And potentially compromise other accounts?
Appreciate 2
01-26-2018, 04:59 PM   #16 | Wolf 335, Lieutenant Colonel, GTA - Greater Toronto Area
This is definitely concerning.

Curious to see what happens.
Appreciate 0
01-26-2018, 05:39 PM   #17 | byroncheung, Private First Class, Westchester, NY
Quote:
Originally Posted by Wolf 335
This is definitely concerning.

Curious to see what happens.
upvote on having this fixed...
Appreciate 0
01-29-2018, 12:31 PM   #18 | Mikecom32, Second Lieutenant, Pittsburgh, PA
I'm glad to see I'm not the only one concerned! Thanks for weighing in everyone.
Appreciate 0
01-29-2018, 01:12 PM   #19 | Mark, Administrator, USA
You can actually access some parts of the forums with SSL (with mixed-content warnings and all), but an actual 'all traffic to SSL' thing won't happen until March most likely.
Appreciate 2
01-29-2018, 08:36 PM   #20 | lax01, Captain, Los Angeles, CA
Wow...never realized it. Glad I use my throw-away forum password for this place...
Appreciate 1
01-29-2018, 09:30 PM   #21 | Mikecom32, Second Lieutenant, Pittsburgh, PA
Quote:
Originally Posted by Mark
You can actually access some parts of the forums with SSL (with mixed-content warnings and all), but an actual 'all traffic to SSL' thing won't happen until March most likely.

Thanks for letting us know Mark! My offer for pro bono assistance stands, if you are ever interested. I'd be happy to forward along my resume.
Appreciate 1
01-29-2018, 09:56 PM   #22 | Mark, Administrator, USA
Quote:
Originally Posted by Mikecom32
Thanks for letting us know Mark! My offer for pro bono assistance stands, if you are ever interested. I'd be happy to forward along my resume.

Very kind of you and appreciated. Somewhere around February 27 we should be forcing all connections into SSL. Until then, feel free to access the https individual bimmerpost sites (https://f80.bimmerpost.com/forums/) (note not all our subsites are fully ready, but the big ones are).
Appreciate 2
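Mark's two replies describe the target state: every plain-HTTP request redirected to HTTPS, and pages served without the mixed-content warnings he mentions. The following is an added example, not the forum's code, of how a practitioner would verify that state offline against captured responses. The responses, hostnames, headers and HTML below are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed responses standing in for (a) the plain-HTTP entry point and
# (b) the HTTPS page it should redirect to. Hostnames and bodies are assumed.
HTTP_RESPONSE_BEFORE = {"status": 200, "headers": {"Content-Type": "text/html"}}
HTTP_RESPONSE_AFTER = {
    "status": 301,
    "headers": {"Location": "https://forum.example.com/forums/"},
}
HTTPS_HEADERS_WEAK = {"Content-Type": "text/html"}
HTTPS_HEADERS_GOOD = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}
PAGE_MIXED = """<html><head>
<link rel="stylesheet" href="http://static.example.com/style.css">
<script src="https://static.example.com/app.js"></script>
</head><body>
<img src="http://img.example.com/logo.png">
<a href="http://other.example.com/">link</a>
<form action="http://forum.example.com/forums/login.php" method="post"></form>
</body></html>"""
PAGE_CLEAN = PAGE_MIXED.replace("http://", "https://")

# Attributes that load or submit to a URL; an http:// value here on an https
# page is mixed content. Plain <a href> links are navigation, not mixed content.
URL_ATTRS = {
    "script": ("src",), "link": ("href",), "img": ("src",), "iframe": ("src",),
    "form": ("action",), "source": ("src",), "video": ("src",), "audio": ("src",),
}


def check_redirect(http_url: str, response: dict) -> list:
    """Return problems with how a plain-HTTP request is answered.

    Only a permanent redirect (301/308) counts: a 302 leaves browsers trying
    HTTP first on every visit, and a 200 means credentials can still go in clear."""
    problems = []
    status = response["status"]
    if status not in (301, 308):
        problems.append(f"expected permanent redirect, got {status}")
        return problems
    location = response["headers"].get("Location", "")
    want = urlsplit(http_url)._replace(scheme="https")
    got = urlsplit(location)
    if got.scheme != "https":
        problems.append(f"redirect target is not https: {location}")
    if got.hostname != want.hostname:
        problems.append(f"redirect leaves the host: {got.hostname} != {want.hostname}")
    return problems


def parse_hsts(headers: dict) -> dict:
    """Parse Strict-Transport-Security into {'max_age': int, 'include_subdomains': bool};
    return {} if the header is absent or has no usable max-age."""
    value = headers.get("Strict-Transport-Security")
    if not value:
        return {}
    out = {"max_age": None, "include_subdomains": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age" and arg.strip().isdigit():
            out["max_age"] = int(arg.strip())
        elif name == "includesubdomains":
            out["include_subdomains"] = True
    return out if out["max_age"] is not None else {}


class MixedContentFinder(HTMLParser):
    """Collect http:// URLs in attributes that browsers fetch from or submit to."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS.get(tag, ()) and value and value.lower().startswith("http://"):
                self.hits.append((tag, name, value))


def find_mixed_content(html: str) -> list:
    parser = MixedContentFinder()
    parser.feed(html)
    return parser.hits


def audit(http_url: str, http_response: dict, https_headers: dict, html: str) -> list:
    """Run all three checks and return a flat list of findings (empty = all good)."""
    findings = check_redirect(http_url, http_response)
    hsts = parse_hsts(https_headers)
    if not hsts:
        findings.append("no valid Strict-Transport-Security header")
    elif hsts["max_age"] < 31536000:  # one year, the floor the HSTS preload list expects
        findings.append(f"HSTS max-age too short: {hsts['max_age']}")
    findings += [f"mixed content: <{t} {a}={v!r}>" for t, a, v in find_mixed_content(html)]
    return findings


if __name__ == "__main__":
    print("before:", audit("http://forum.example.com/forums/", HTTP_RESPONSE_BEFORE,
                           HTTPS_HEADERS_WEAK, PAGE_MIXED))
    print("after: ", audit("http://forum.example.com/forums/", HTTP_RESPONSE_AFTER,
                           HTTPS_HEADERS_GOOD, PAGE_CLEAN))
```

The mixed-content check is what turns the "(with mixed-content warnings and all)" remark into something measurable: a single http:// stylesheet or form action on an otherwise-HTTPS page is enough for a browser to warn, and an http:// form action in particular sends the login in clear even though the page itself loaded over TLS. The HSTS check matters once the redirect is in place, since without it every fresh visit still starts with one cleartext request that an on-path attacker can answer instead of the real server.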
Tags: http, https, security, ssl
Powered by vBulletin® Version 3.7.0
Copyright ©2000 - 2018, Jelsoft Enterprises Ltd.