|
BIS - No Better Security than Web Based Mail
It took 4 hours of talking to RIM to get to the bottom of, xxx8220;What protection does the BIS offerxxx8221;xxx8230; Please keep in mind I was told this from RIM xxx8211; thus donxxx8217;t xxx8220;shootxxx8221; the messengerxxx8230;
As for RIMS part in BIS emailxxx8230; When you type a message on the BB it goes to RIMxxx8217;s server or onto the BIS. From the point of writing the message to the server itxxx8217;s encrypted. When it hits the BIS for processing that stopsxxx8230; there is no encryption for BIS like there is for BES - which is why you want SSL enabled for emailxxx8230; The following is the breakdown: For incoming email the Yahoo port is 143 no SSL xxx8211; that cannot be changedxxx8230; that is the xxx8220;dealxxx8221; they have with Yahoo and you canxxx8217;t change it to the typical SSL port for Yahoo which is 995. For outgoingxxx8230; the BIS basically logs into your Yahoo account and the xxx8220;sendxxx8221; is like you sent it from Yahoo on the web. People like email clients so they can select enable SSL (or encryption). Typically, that is why people use the email clients on their smartphones. If the outgoing is the equivalent of xxx8220;web basedxxx8221; you are offered no advantage of going through the BIS. Yahoo incoming/outgoing has no SSL enablement xxx8211; again, you might as well be accessing Yahoo from the web. Gmail can be on port 143 (which mine was) with no SSL or port 995 with SSL xxx8211; the outgoing is the same as Yahooxxx8217;s scenario. RIM/BIS log into Gmail and it goes out as if you were on the webxxx8230; Now Gmail uses xxx8220;httpsxxx8221; by default (they recently changed that whereas before you had to enable that feature.) xxx8220;Httpsxxx8221; is securexxx8230; So Gmail looks better with encryption for outgoing, but you would need to check to make sure you are not on the incoming port 143 like I was, unknowingly. Gmailxxx8217;s incoming/outgoing is the equivalent of other smartphones xxx8211; you can get Gmail secure. Heck, Gmail is secure on the webxxx8230; but Keep in mind that depends on what you think of Google themselves xxx8211; I think they know more than they should in regard to my personal business and limit their use. Hotmail can be on port 110 no SSL or port 995 with SSL. The outgoing is the same xxx8211; like you were on the web, and Hotmail like Yahoo offers no xxx8220;httpsxxx8221; so you have no SSL for outgoing. Hotmail xxx8220;canxxx8221; (depending on the incoming port you have set up) deliver incoming secure - but not outgoing. The carrier specific addresses like (carrier)blackberry.net is port 110 incoming no SSL and port 25 outgoing no SSL. So, this is like Yahoo xxx8211; justxxx8230; nothing. In regard to security the BIS offers nothing over web based mailxxx8230; Based on the above I will be deleting my AT&T account as well as Yahoo through the BIS... If you arenxxx8217;t a Google fan, you really have no xxx8220;good xxx8220;option here for email through the BIS. At this time they have no intention of changing this. They also said this information is all readily available through xxx8220;Terms and Conditionxxx8221; when you set up your email through the BIS. I havenxxx8217;t checked but so what if itxxx8217;s there xxx8211; itxxx8217;s bad. They can wave it like a banner but it still sucks. The iPhone, HTCxxx8217;s, Nokia ALL have the ability to encrypt or enable SSL for the incoming/outgoing ports for their email clients. That is just the norm right now. Again, thatxxx8217;s a big reason people use smartphonesxxx8230; At least disclosing the above (not buried in terms and conditions) letxxx8217;s the user decide how to protect themselves. Especially since credit card statements and banking can be done online now. I wanted to know what was behind the BIS wallxxx8230; Now we know - there is no wall. Sandy p.s. I had to submit a support ticket and pay RIM $49.99 to get this information - to get specifics about the ports, which is not disclosed in the Terms and Conditions... |
Moved to the Security section.
Interesting information. Thanks. |
I don't think you should have moved this thread. It's specifically about what happens with email through the BIS - and really should stay in the area regarding the BIS.
If you want to know about email through the BIS, you aren't going to check "Blackberry and Mobile security." Sandy |
That's why companies interested in securing their email use BES. BIS is for consumers only. Never was presented as an end to end secure solution.
|
But why leave consumers out??? They are still part of the people who purchase BB's. All smartphones let you encrypt the incoming/outgoing ports.
Why doesn't BB do the same??? I believe that is why the information was so hard to get to... they know it's bad so they hid it. Sandy |
Quote:
The point here for consumers is that with BIS, email is no more secure on the BB than it is on other smartphones, and may be less secure than some. That's an important piece of information. Ubizmo |
It is less secure than other smartphones for all accounts but Gmail. And even Gmail I am not "entirely" sure of as I was told there are 2 ports for Gmail and 1 port had no security. I know my Nokia is a lock down with SSL enabled on ALL ports for EVERY email account. Other smartphones have the same...
it's not my intention to bash RIM. Posting on this forum is to let users beware - they are not as secure as they might have thought. I for one was shocked and bummed :-( And I wil take this info elsewhere - hoping facilitating change from RIM. They either step it up on the BIS - or they let the consumer know they really are a "business" phone and BB's aren't for the consumer in regard to email. Sandy |
So you assumed that there was security there.
And it isn't. Now, tell me about other more secure platforms. Would that be the iPhone? Or the Droid? |
Yes, both the Apple and the Droid would be more secure. Of course I would never buy Apple as "I" am capable of changing my own battery and you can't read it as a mass storage device. And in my opinion - only a fool would run Droid giving Google more info then they already know about you. But yes, both are better than the BIS.
Just do some searching, "iPhone Yahoo SSl ports through email client." Just basic searching, shows they ALL have the ability the BIS does not give you.. Sandy |
Good thing I don't use Yahoo Mail.
You seem to have uncovered a very serious problem that no one cares about. And I guess your position on iPhones is not widely shared either. |
However, when I access mail.yahoo.com, it is always a clear http connection. accessing htps://mail.yahoo.com it gives me a cert error and dumps me back to http://mail.yahoo.com. So Yahoo has no security anyway.
What are the odds of traffic between the BIS servers and the mail provider being intercepted? |
Sandy, in post #5 you imply that RIM has hidden this information. I direct your attention to this document found on RIM's knowledge base which quite clearly spells it out. Page 2 - "Overview"
http://www.blackberry.com/btsc/micro...00%20733485502 Quote:
I don't think it's fair for you to accuse without proper research. |
Hidden in plain sight.
|
It was only hidden because Sandy hadn't searched and found it.
|
And 99.9% of BIS don't actually give a crap about it. They get their Yahoo, Gmail and Hotmail through the web. They use the simple setup on the phone to do their email setup. For most, SSL is not a big deal. Most don't know what SSL is. Most don't need it.
|
And in the age of FaceBook, location based services, FourSquare and Twitter, most REALLY don't care about security or privacy.
And I think the 99.9% number is low. |
Quote:
This is common place practice for smartphones - to SSL enable incoming/outgoing. My Nokia rolled this through automatically. Sandy |
Quote:
You can "see" that info on other smartphones... Sandy |
Quote:
Sandy |
Quote:
Sandy |
| All times are GMT -5. The time now is 12:04 PM. |
Powered by vBulletin® Version 3.8.11
Copyright ©2000 - 2024, vBulletin Solutions Inc.