      05-04-2017, 04:02 PM   #1
hoyasaxa

Bimmerpost sends passwords in the clear; add SSL support

IMO this is a pretty serious issue. Can you please implement SSL support?

Note: This is especially serious because it indicates that the mobile app is likely also sending passwords in the clear. This means that when someone is using public wifi to access the site, they are sharing their login credentials with EVERYONE in the area. For people who might duplicate usernames/passwords (yes that is very insecure, but does happen) this is exposing them to their e-mails, facebook, etc. all being compromised. Even if the server configuration is fixed, admins need to push an update to the iOS app to make sure all traffic is passed via HTTPS because it is very unlikely the mobile app is actually using SSL right now (see the last example below).

Visiting the site via https will not result in a secure connection because the server is misconfigured (see below).

If you need a free SSL certificate, try Let's Encrypt which will sign your certificate. There are also good directions there about configuration.
https://letsencrypt.org/

Login screen reached via http:


Attempting to manually access the site via https:

Invalid certificate:





Server misconfigured once bypassed invalid/self-signed cert:


Apache configuration needs to be fixed to serve the website's directory on port 443; it's currently just telling you Apache is installed probably because something is missing/wrong in the configuration file.

For example:





----------------------------

Edit: Whatever package you're running right now for SSL also needs to be upgraded. Even if you correctly configure the servers, the site will still be insecure.






__________________
2014 228i (lease return) | 2018 ///M2 - ED Thread (sold) | 2023 Cayman GTS 4.0 (ordered)

Last edited by hoyasaxa; 05-04-2017 at 04:27 PM..
      05-05-2017, 01:57 PM   #2
hoyasaxa
      05-05-2017, 08:45 PM   #3
BoLLo_

I too would like to see this fixed.