1. thurask's Avatar
    It's $CURRENT_YEAR, HTTPS should be on more than just the login page. If we're running the most secure smartphones we should be able to discuss them securely.
    03-15-17 02:47 PM
  2. Superfly_FR's Avatar
    Well while I understand the costs involved, I agree.
    03-15-17 03:48 PM
  3. thurask's Avatar
    > Well while I understand the costs involved, I agree.
    They're already paying for SSL for *.mobilenations.com (which includes Passport SSO), but extending that to crackberry.com, androidcentral.com, imore.com, etc. would probably increase the cost, yes.

    I mean, Let's Encrypt would be cheaper ($0) but that's problematic for older devices and browsers, and they already have something set up with their hosting provider.
    03-15-17 04:06 PM
  4. 1122334455667788's Avatar
    > They're already paying for SSL for *.mobilenations.com (which includes Passport SSO), but extending that to crackberry.com, androidcentral.com, imore.com, etc. would probably increase the cost, yes.
    >
    > I mean, Let's Encrypt would be cheaper ($0) but that's problematic for older devices and browsers, and they already have something set up with their hosting provider.
    Actually I think they must already be paying whatever cost is necessary.
    Try adding the s into the url manually. It seems to work fine.
    The only issue remaining is that it doesn't default to https. Ideally they would redirect all http traffic to https, and tell the browser not to allow insecure connections to CrackBerry in the future (I forget what that feature is called, but it does exist).

    I also wonder what type of connection the CrackBerry Apps are using. This seems to be a flaw in the whole App system as I haven't found an easy way to check if an App is using a secure connection.

    On a somewhat related topic, who else finds it funny that several official BlackBerry sites don't support https? It's a bit strange reading about the latest advancements in security on an official BlackBerry Blog knowing that any kid in the same coffee shop may have changed something on the page.
    03-16-17 01:20 PM
  5. thurask's Avatar
    Should be simpler then.
    03-16-17 01:24 PM
  6. thurask's Avatar
    On desktop Chrome it redirects https to http, like they have some sort of bizarro-HTTPS Everywhere installed.
    03-16-17 10:22 PM
  7. Superfly_FR's Avatar
    I didn't mean SSL certificates but the cost of migration (it's NOT only redirecting or defaulting: you need to rethink cross scripting and all) and also, somehow, performance (encrypt/decrypt has a resource cost). So it's not the kind of thing you do in a snap; that's a real project you have to lead and monitor for weeks; I believe we're still on the new design migration follow-up; once stabilized, there might be room for the SSL.
    I'm pretty sure it's somewhere in the plans, as Google will weight it in ranking position, so, besides privacy, that's something most editors will require in the short term.
    03-17-17 04:39 AM
  8. 1122334455667788's Avatar
    > So it's not the kind of thing you do in a snap;
    No. It's the kind of thing you start doing when you read the headlines about Firesheep. That was in 2010.
    So we've only been waiting 7 years since it was publicly demonstrated that using https only for the login page doesn't really accomplish anything at all.
    03-17-17 08:52 AM
  9. 1122334455667788's Avatar
    > On desktop Chrome it redirects https to http, like they have some sort of bizarro-HTTPS Everywhere installed.
    I'm not observing this.
    03-18-17 01:42 PM
  10. 1122334455667788's Avatar
    For desktop Firefox you can ensure that you don't accidentally use the non-secure connection using https://addons.mozilla.org/en-US/fir...ce-encryption/
    There may be an equivalent for Chrome.
    03-18-17 01:43 PM
  11. thurask's Avatar
    > I'm not observing this.
    Huh, must have been some extension acting up.

    In Incognito it pops up the EV SSL certificate (Mobile Nations LLC) for a fraction of a second then goes back to "Not Secure" the moment all of the tracker bullcrap is loaded over HTTP. I'm guessing that's why they aren't going whole hog with it.
    03-18-17 01:45 PM
  12. Superfly_FR's Avatar
    > For desktop Firefox you can ensure that you don't accidentally use the non-secure connection using https://addons.mozilla.org/en-US/fir...ce-encryption/
    > There may be an equivalent for Chrome.
    The latest Firefox natively points out unsecured forms and doesn't auto-fill them anymore. You have to select the login and associated pw from a list.
    03-19-17 03:59 PM
  13. 1122334455667788's Avatar
    > The latest Firefox natively points out unsecured forms and doesn't auto-fill them anymore. You have to select the login and associated pw from a list.
    That's nice, but it doesn't stop you from accidentally using CrackBerry over an insecure connection.
    The login page is secure anyways, so the built-in Firefox warning won't be triggered.

    The issue is that by default after the secure login you are sent to an insecure version of CrackBerry.
    At that point, I suspect the session can be hijacked (see: https://en.wikipedia.org/wiki/Session_hijacking, and https://en.wikipedia.org/wiki/Firesheep).

    The add-on I linked to ensures you are always using the secure version of CrackBerry. After configuring it, you simply can't access the http version, as Firefox automatically loads the https site.
    Superfly_FR likes this.
    03-19-17 09:05 PM
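One way to do the two things post 4 asks for (redirect every HTTP request to HTTPS, and tell the browser never to use HTTP again, which is the Strict-Transport-Security header, HSTS) and to close the gap post 13 describes (a session cookie sent over plain HTTP after a secure login), written here as an added Python example rather than anything from CrackBerry or Mobile Nations. The hostname, cookie name and the `forum_app` stand-in backend are assumptions; the wrapper is plain WSGI and uses only the standard library.

```python
from urllib.parse import quote

HSTS = "max-age=31536000; includeSubDomains"  # one year, covers subdomains


def _scheme(environ):
    # A TLS-terminating proxy reports the client's real scheme in X-Forwarded-Proto
    return environ.get("HTTP_X_FORWARDED_PROTO", environ.get("wsgi.url_scheme", "http")).lower()


def _with_secure(cookie):
    # Append the Secure attribute unless it is already present (case-insensitive)
    attrs = [a.strip().lower() for a in cookie.split(";")]
    return cookie if "secure" in attrs else cookie.rstrip("; ") + "; Secure"


def https_only(app):
    """Wrap a WSGI app: redirect plain HTTP, send HSTS, mark every cookie Secure."""
    def wrapped(environ, start_response):
        if _scheme(environ) != "https":
            host = environ.get("HTTP_HOST", "forums.example.com")  # placeholder host
            target = "https://" + host + quote(environ.get("PATH_INFO", "/"))
            if environ.get("QUERY_STRING"):
                target += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently", [("Location", target), ("Content-Length", "0")])
            return [b""]

        def hardened_start_response(status, headers, exc_info=None):
            # Drop any HSTS header the app set itself so ours is the only one
            out = [(k, _with_secure(v) if k.lower() == "set-cookie" else v)
                   for k, v in headers if k.lower() != "strict-transport-security"]
            out.append(("Strict-Transport-Security", HSTS))
            return start_response(status, out, exc_info)
        return app(environ, hardened_start_response)
    return wrapped


def forum_app(environ, start_response):
    """Stand-in for the forum backend: issues a session cookie and a page."""
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Set-Cookie", "sessionid=abc123; HttpOnly; Path=/")])
    return [b"<html><body>logged in</body></html>"]


app = https_only(forum_app)


def handle(environ):
    """Run one request through `app`; returns (status, headers dict, body)."""
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, headers
    body = b"".join(app(environ, start_response))
    return seen["status"], dict(seen["headers"]), body
```

Only honour X-Forwarded-Proto when a proxy you control sets it on every request; a client that can reach the app directly could otherwise send the header itself and skip the redirect.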
  14. thurask's Avatar
    Okay, tried a compare between http://forums.crackberry.com and https://forums.crackberry.com on Chrome 57 in Incognito Mode (no ad blocker on the browser or on the network).

    HTTP
    [screenshot: Screenshot (22).png]

    HTTPS
    [screenshot: Screenshot (23).png]

    So even the tracker mountain is loaded over HTTPS, but the mixed content warning is because it's loading some assets from the HTTP site, which are just two dumb PNG files anyway:

    [screenshot: webx.jpg]

    The strange thing is that entering "http://forums.crackberry.com" in Chrome 57 with HTTPS Everywhere still loads the HTTP page, not the HTTPS page. The same goes for just "forums.crackberry.com".

    It seems fixing those assets and redirecting HTTP to HTTPS should be it, no?
    Superfly_FR likes this.
    03-19-17 09:25 PM
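A small scanner for the mixed-content problem described above (an HTTPS page pulling a couple of PNGs from the HTTP site), as an added Python example and not code from the page or from CrackBerry: it lists the sub-resources an HTTPS page would fetch over plain http://, and separates passive content such as images, which only costs the padlock, from active content such as scripts and stylesheets, which modern browsers block outright. The sample HTML and hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Browsers block active mixed content and only warn on passive content.
ACTIVE = {"script", "iframe", "object", "embed"}   # plus <link rel="stylesheet">
PASSIVE = {"img", "audio", "video", "source"}


class MixedContentScanner(HTMLParser):
    """Collect sub-resources an HTTPS page would fetch over plain http://."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (severity, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            rel = (attrs.get("rel") or "").lower().split()
            url = attrs.get("href") if "stylesheet" in rel else None
            kind = "blocked"
        else:
            url = attrs.get("src")
            kind = "blocked" if tag in ACTIVE else "warning" if tag in PASSIVE else None
        if not url or kind is None:
            return
        # https://, relative (/img/x.png) and protocol-relative (//host/x.png)
        # references inherit the page's scheme, so only an explicit http:// counts.
        if urlparse(url).scheme.lower() == "http":
            self.findings.append((kind, tag, url))


def scan(html):
    """Return mixed-content findings for an HTML document served over HTTPS."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings


# Constructed sample page: two PNGs and one script referenced over http://.
SAMPLE = """<html><head>
<link rel="stylesheet" href="https://cdn.example.com/site.css">
<script src="https://tracker.example.com/t.js"></script>
</head><body>
<img src="http://forums.example.com/images/webx.png">
<img src="http://forums.example.com/images/badge.png">
<img src="//static.example.com/ok.png">
<img src="/images/local.png">
<script src="http://legacy.example.com/old.js"></script>
</body></html>"""
```

The usual fix for the image findings is a relative or https:// URL; the script finding needs the script itself to be available over HTTPS.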
  15. 1122334455667788's Avatar
    > The strange thing is that entering "http://forums.crackberry.com" in Chrome 57 with HTTPS Everywhere still loads the HTTP page, not the HTTPS page. The same goes for just "forums.crackberry.com".
    I think https everywhere only works if a site has been added to a list they maintain.
    HTTPS support on CrackBerry is quite new, so they probably haven't added the site to their list yet.
    03-19-17 09:35 PM
  16. thurask's Avatar
    > I think https everywhere only works if a site has been added to a list they maintain.
    > HTTPS support on CrackBerry is quite new, so they probably haven't added the site to their list yet.
    Yeah, probably. They have Mobile Nations at least.
    03-19-17 10:00 PM
