05-04-2017, 05:02 PM | #1 |
Bimmerpost sends passwords in the clear; add SSL support
IMO this is a pretty serious issue. Can you please implement SSL support?
Note: This is especially serious because it indicates that the mobile app is likely also sending passwords in the clear. This means that when someone is using public wifi to access the site, they are sharing their login credentials with EVERYONE in the area. For people who might duplicate usernames/passwords (yes that is very insecure, but does happen) this is exposing them to their e-mails, facebook, etc. all being compromised. Even if the server configuration is fixed, admins need to push an update to the iOS app to make sure all traffic is passed via HTTPS because it is very unlikely the mobile app is actually using SSL right now (see the last example below).

Visiting the site via https will not result in a secure connection because the server is misconfigured (see below).

If you need a free SSL certificate, try Let's Encrypt which will sign your certificate. There are also good directions there about configuration. https://letsencrypt.org/

Login screen reached via http:
[Screenshot: login screen reached via http]

Attempting to manually access the site via https:
[Screenshot: attempting to manually access the site via https]

Invalid certificate:
[Screenshot: invalid certificate]

Server misconfigured once bypassed invalid/self-signed cert:
[Screenshot: server misconfigured once invalid/self-signed cert is bypassed]

Apache configuration needs to be fixed to serve the website's directory on port 443; it's currently just telling you Apache is installed probably because something is missing/wrong in the configuration file. For example:
[Screenshot: example]

----------------------------

Edit: Whatever package you're running right now for SSL also needs to be upgraded. Even if you correctly configure the servers, the site will still be insecure.
__________________
MKVI GTI (retired) | 2014 228i (lease return) | 2018 ///M2 - ED Thread (sold) | 2023 Cayman GTS 4.0 | 2024 Model Y
Last edited by hoyasaxa; 05-04-2017 at 05:27 PM.. |
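An added audit helper, not code from the post or from the forum's software, that checks for the two symptoms described above: a login form that would submit a password over plain http, and an https endpoint whose certificate does not validate. The sample HTML, the example.com URLs and the field names are constructed for the example.

```python
# Added audit helper: flags login forms that post a password over plain HTTP
# (the issue in the post) and, optionally, checks an https endpoint live.
import ssl, socket
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _FormScanner(HTMLParser):
    """Collect each <form>'s action and whether it holds a password input."""
    def __init__(self):
        super().__init__()
        self.forms = []        # list of [action, has_password]
        self._open = False     # inside a <form>...</form> pair
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append([a.get("action", ""), False])
            self._open = True
        elif tag == "input" and self._open and a.get("type", "").lower() == "password":
            self.forms[-1][1] = True
    def handle_endtag(self, tag):
        if tag == "form":
            self._open = False

def insecure_password_forms(html, page_url):
    """Return absolute action URLs of forms that send a password over http://.
    A relative action inherits the scheme of page_url, so a login page served
    over http with action="login.php" is still insecure."""
    scanner = _FormScanner()
    scanner.feed(html)
    return [urljoin(page_url, action) for action, has_pw in scanner.forms
            if has_pw and urlsplit(urljoin(page_url, action)).scheme != "https"]

def https_status(host, port=443, timeout=5):
    """Live check (needs network): does the host present a certificate that
    validates against the system trust store for this hostname? A self-signed
    or mismatched cert, as in the post's screenshots, fails here."""
    ctx = ssl.create_default_context()   # verifies chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.version()
    except OSError as exc:               # ssl.SSLError is a subclass of OSError
        return False, str(exc)

# Constructed sample resembling a plain-http login page.
SAMPLE_HTML = """
<form action="login.php?do=login" method="post">
  <input name="username"><input type="password" name="password">
</form>
<form action="search.php"><input name="q"></form>
"""
```

Run `insecure_password_forms(SAMPLE_HTML, "http://www.example.com/forum/")` to see the offending action URL; `https_status("www.example.com")` only makes sense against a live host.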