BlackBerry Forums Support Community


The Sand 08-18-2010 06:51 PM

BIS - No Better Security than Web Based Mail
 
It took 4 hours of talking to RIM to get to the bottom of, “What protection does the BIS offer”… Please keep in mind I was told this from RIM – thus don’t “shoot” the messenger…

As for RIM’s part in BIS email… When you type a message on the BB it goes to RIM’s server or onto the BIS. From the point of writing the message to the server it’s encrypted. When it hits the BIS for processing that stops… there is no encryption for BIS like there is for BES - which is why you want SSL enabled for email…

The following is the breakdown:

For incoming email the Yahoo port is 143 no SSL – that cannot be changed… that is the “deal” they have with Yahoo and you can’t change it to the typical SSL port for Yahoo which is 995. For outgoing… the BIS basically logs into your Yahoo account and the “send” is like you sent it from Yahoo on the web. People like email clients so they can select enable SSL (or encryption). Typically, that is why people use the email clients on their smartphones. If the outgoing is the equivalent of “web based” you are offered no advantage of going through the BIS. Yahoo incoming/outgoing has no SSL enablement – again, you might as well be accessing Yahoo from the web.

Gmail can be on port 143 (which mine was) with no SSL or port 995 with SSL – the outgoing is the same as Yahoo’s scenario. RIM/BIS log into Gmail and it goes out as if you were on the web… Now Gmail uses “https” by default (they recently changed that whereas before you had to enable that feature.) “Https” is secure… So Gmail looks better with encryption for outgoing, but you would need to check to make sure you are not on the incoming port 143 like I was, unknowingly. Gmail’s incoming/outgoing is the equivalent of other smartphones – you can get Gmail secure. Heck, Gmail is secure on the web… but keep in mind that depends on what you think of Google themselves – I think they know more than they should in regard to my personal business and limit their use.

Hotmail can be on port 110 no SSL or port 995 with SSL. The outgoing is the same – like you were on the web, and Hotmail like Yahoo offers no “https” so you have no SSL for outgoing. Hotmail “can” (depending on the incoming port you have set up) deliver incoming secure - but not outgoing.

The carrier specific addresses like (carrier)blackberry.net is port 110 incoming no SSL and port 25 outgoing no SSL. So, this is like Yahoo – just… nothing.

In regard to security the BIS offers nothing over web based mail…

Based on the above I will be deleting my AT&T account as well as Yahoo through the BIS... If you aren’t a Google fan, you really have no “good” option here for email through the BIS.

At this time they have no intention of changing this. They also said this information is all readily available through “Terms and Condition” when you set up your email through the BIS. I haven’t checked but so what if it’s there – it’s bad. They can wave it like a banner but it still sucks. The iPhone, HTC’s, Nokia ALL have the ability to encrypt or enable SSL for the incoming/outgoing ports for their email clients. That is just the norm right now. Again, that’s a big reason people use smartphones…

At least disclosing the above (not buried in terms and conditions) lets the user decide how to protect themselves. Especially since credit card statements and banking can be done online now.

I wanted to know what was behind the BIS wall…

Now we know - there is no wall.

Sandy

p.s. I had to submit a support ticket and pay RIM $49.99 to get this information - to get specifics about the ports, which is not disclosed in the Terms and Conditions...
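
Added example, not part of the original post and not anything RIM provided: a Python check that classifies one mail server port as TLS from the first byte, cleartext with a TLS upgrade on offer, or cleartext only. It goes beyond the thread by also covering the upgrade commands (STARTTLS for IMAP and SMTP, STLS for POP3); the function names and the `probe.example` host name are assumptions.

```python
import socket
import ssl

# Per protocol: capability command, end-of-reply marker, upgrade keyword.
PROTOCOLS = {
    "imap": (b"a1 CAPABILITY\r\n", b"\r\na1 ", "STARTTLS"),
    "pop3": (b"CAPA\r\n", b"\r\n.\r\n", "STLS"),
    "smtp": (b"EHLO probe.example\r\n", b"\r\n250 ", "STARTTLS"),
}

def detect_protocol(banner):
    """Identify the mail protocol from the server's cleartext greeting."""
    known = (("* ", "imap"), ("+OK", "pop3"), ("220", "smtp"))
    hits = [name for prefix, name in known if banner.startswith(prefix)]
    return hits[0] if hits else None

def offers_upgrade(protocol, reply):
    """True if the capability reply advertises an upgrade to TLS."""
    skip = 4 if protocol == "smtp" else 0  # drop the "250-" / "250 " reply code
    keyword = PROTOCOLS[protocol][2]
    return any(keyword in line[skip:].split() for line in reply.upper().splitlines())

def probe(host, port, timeout=5.0):
    """Classify one port: implicit-tls, starttls-offered or cleartext-only."""
    try:  # Step 1: does the port speak TLS from the first byte?
        with socket.create_connection((host, port), timeout) as raw:
            with ssl.create_default_context().wrap_socket(raw, server_hostname=host):
                return "implicit-tls"
    except ssl.SSLCertVerificationError:
        return "implicit-tls (untrusted certificate)"
    except (ssl.SSLError, ConnectionError):
        pass  # the server answered in cleartext; fall through to step 2
    with socket.create_connection((host, port), timeout) as sock:
        banner = sock.recv(4096).decode("ascii", "replace")
        protocol = detect_protocol(banner)
        if protocol is None:
            return "unknown"
        command, marker, _ = PROTOCOLS[protocol]
        sock.sendall(command)
        data = b""
        try:
            while marker not in b"\r\n" + data:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass  # judge whatever arrived before the timeout
    reply = data.decode("ascii", "replace")
    return "starttls-offered" if offers_upgrade(protocol, reply) else "cleartext-only"
```

Run `probe(host, port)` against the incoming and outgoing servers of your own account. A "starttls-offered" result only means the server allows encryption; the client still has to request it.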

Dubdub 08-18-2010 07:17 PM

Moved to the Security section.

Interesting information. Thanks.

The Sand 08-18-2010 07:30 PM

I don't think you should have moved this thread. It's specifically about what happens with email through the BIS - and really should stay in the area regarding the BIS.

If you want to know about email through the BIS, you aren't going to check "Blackberry and Mobile security."

Sandy

NJBlackBerry 08-18-2010 07:31 PM

That's why companies interested in securing their email use BES. BIS is for consumers only. Never was presented as an end to end secure solution.

The Sand 08-18-2010 07:47 PM

But why leave consumers out??? They are still part of the people who purchase BB's. All smartphones let you encrypt the incoming/outgoing ports.

Why doesn't BB do the same???

I believe that is why the information was so hard to get to... they know it's bad so they hid it.

Sandy

ubizmo 08-18-2010 08:16 PM

Quote:

Originally Posted by NJBlackBerry (Post 1643557)
That's why companies interested in securing their email use BES. BIS is for consumers only. Never was presented as an end to end secure solution.

That's true, but there's more to it than that. We consumers hear so much about BlackBerry's legendary e-mail security, and how it sets BlackBerry apart from the competition, it's only natural that we would come to believe that it applies to BIS as well as BES. For example, how many discussions have there been here on BBF comparing BB to other platforms, and how many times have we been told admonished about the security of the BB? Many times. But I don't recall ever seeing the caveat that this high-level security applies only to BES.

The point here for consumers is that with BIS, email is no more secure on the BB than it is on other smartphones, and may be less secure than some. That's an important piece of information.

Ubizmo

The Sand 08-18-2010 08:47 PM

It is less secure than other smartphones for all accounts but Gmail. And even Gmail I am not "entirely" sure of as I was told there are 2 ports for Gmail and 1 port had no security. I know my Nokia is a lock down with SSL enabled on ALL ports for EVERY email account. Other smartphones have the same...

It's not my intention to bash RIM. Posting on this forum is to let users beware - they are not as secure as they might have thought. I for one was shocked and bummed :-(

And I will take this info elsewhere - hoping to facilitate change from RIM. They either step it up on the BIS - or they let the consumer know they really are a "business" phone and BB's aren't for the consumer in regard to email.

Sandy

NJBlackBerry 08-18-2010 09:06 PM

So you assumed that there was security there.
And it isn't.

Now, tell me about other more secure platforms. Would that be the iPhone? Or the Droid?

The Sand 08-18-2010 09:24 PM

Yes, both the Apple and the Droid would be more secure. Of course I would never buy Apple as "I" am capable of changing my own battery and you can't read it as a mass storage device. And in my opinion - only a fool would run Droid giving Google more info than they already know about you. But yes, both are better than the BIS.

Just do some searching, "iPhone Yahoo SSl ports through email client."

Just basic searching, shows they ALL have the ability the BIS does not give you..

Sandy

NJBlackBerry 08-19-2010 04:56 AM

Good thing I don't use Yahoo Mail.
You seem to have uncovered a very serious problem that no one cares about.

And I guess your position on iPhones is not widely shared either.

CanuckBB 08-19-2010 06:55 AM

However, when I access mail.yahoo.com, it is always a clear http connection. Accessing https://mail.yahoo.com it gives me a cert error and dumps me back to http://mail.yahoo.com. So Yahoo has no security anyway.

What are the odds of traffic between the BIS servers and the mail provider being intercepted?

devnull 08-19-2010 07:04 AM

Sandy, in post #5 you imply that RIM has hidden this information. I direct your attention to this document found on RIM's knowledge base which quite clearly spells it out. Page 2 - "Overview"

http://www.blackberry.com/btsc/micro...00%20733485502
Quote:

Overview

The BlackBerry® Internet Service is designed to provide you with automatic delivery of email messages, mobile access to attachments, and convenient access to Internet content.

The BlackBerry Internet Service uses the security of the wireless network that it connects to. Email messages that are sent between the BlackBerry Internet Service and your BlackBerry device are not encrypted. However, email messages that are sent between the BlackBerry Internet Service and your messaging server can be encrypted using SSL encryption. SSL encryption can also be used by the BlackBerry® Browser and other applications on your BlackBerry device to help protect your data when you connect to the Internet (for example, while shopping and banking online). You can also set up your BlackBerry device to help protect it from theft, viruses, and spyware.

I don't think it's fair for you to accuse without proper research.

NJBlackBerry 08-19-2010 08:25 AM

Hidden in plain sight.

JSanders 08-19-2010 11:37 AM

It was only hidden because Sandy hadn't searched and found it.

CanuckBB 08-19-2010 12:42 PM

And 99.9% of BIS don't actually give a crap about it. They get their Yahoo, Gmail and Hotmail through the web. They use the simple setup on the phone to do their email setup. For most, SSL is not a big deal. Most don't know what SSL is. Most don't need it.

NJBlackBerry 08-19-2010 01:01 PM

And in the age of FaceBook, location based services, FourSquare and Twitter, most REALLY don't care about security or privacy.

And I think the 99.9% number is low.

The Sand 08-19-2010 01:03 PM

Quote:

Originally Posted by CanuckBB (Post 1643728)
However, when I access mail.yahoo.com, it is always a clear http connection. Accessing https://mail.yahoo.com it gives me a cert error and dumps me back to http://mail.yahoo.com. So Yahoo has no security anyway.

What are the odds of traffic between the BIS servers and the mail provider being intercepted?

Yahoo is 993 SSL incoming and 465 SSL outgoing for smartphones. There are other ports that work as well for Yahoo. You wouldn't want to use port 110 or 143 - nothing like that.

This is commonplace practice for smartphones - to SSL enable incoming/outgoing. My Nokia rolled this through automatically.

Sandy

The Sand 08-19-2010 01:05 PM

Quote:

Originally Posted by JSanders (Post 1643843)
It was only hidden because Sandy hadn't searched and found it.

It is hidden - you can't get to it... I had to pay to find out the incoming/outgoing ports and SSL enablement. It took 2 days and 50 bucks.

You can "see" that info on other smartphones...

Sandy

The Sand 08-19-2010 01:10 PM

Quote:

Originally Posted by devnull (Post 1643731)
Sandy, in post #5 you imply that RIM has hidden this information. I direct your attention to this document found on RIM's knowledge base which quite clearly spells it out. Page 2 - "Overview"

http://www.blackberry.com/btsc/micro...00%20733485502



I don't think it's fair for you to accuse without proper research.

Right now they (RIM) log into your web based mail and send out the email. So, no there is no "SSL" that they speak of in this article going on unless you use Gmail (who basically did it for them) as they use https - your "outgoing" has nothing unless it's Gmail.

Sandy

The Sand 08-19-2010 01:14 PM

Quote:

Originally Posted by NJBlackBerry (Post 1643863)
And in the age of FaceBook, location based services, FourSquare and Twitter, most REALLY don't care about security or privacy.

And I think the 99.9% number is low.

Just because people are stupid doesn't mean you should be. I want SSL enablement for the BIS. I want the same security ALL other smartphones get for the BB.

Sandy


All times are GMT -5.