BlackBerry Forums Support Community               

BIS - No Better Security than Web Based Mail

08-18-2010, 06:51 PM   #1
The Sand

It took 4 hours of talking to RIM to get to the bottom of, "What protection does the BIS offer"... Please keep in mind I was told this from RIM - thus don't "shoot" the messenger...

As for RIM's part in BIS email... When you type a message on the BB it goes to RIM's server or onto the BIS. From the point of writing the message to the server it's encrypted. When it hits the BIS for processing that stops... there is no encryption for BIS like there is for BES - which is why you want SSL enabled for email...

The following is the breakdown:

For incoming email the Yahoo port is 143 no SSL - that cannot be changed... that is the "deal" they have with Yahoo and you can't change it to the typical SSL port for Yahoo which is 995. For outgoing... the BIS basically logs into your Yahoo account and the "send" is like you sent it from Yahoo on the web. People like email clients so they can select enable SSL (or encryption). Typically, that is why people use the email clients on their smartphones. If the outgoing is the equivalent of "web based" you are offered no advantage of going through the BIS. Yahoo incoming/outgoing has no SSL enablement - again, you might as well be accessing Yahoo from the web.

Gmail can be on port 143 (which mine was) with no SSL or port 995 with SSL - the outgoing is the same as Yahoo's scenario. RIM/BIS log into Gmail and it goes out as if you were on the web... Now Gmail uses "https" by default (they recently changed that whereas before you had to enable that feature.) "Https" is secure... So Gmail looks better with encryption for outgoing, but you would need to check to make sure you are not on the incoming port 143 like I was, unknowingly. Gmail's incoming/outgoing is the equivalent of other smartphones - you can get Gmail secure. Heck, Gmail is secure on the web... but keep in mind that depends on what you think of Google themselves - I think they know more than they should in regard to my personal business and limit their use.

Hotmail can be on port 110 no SSL or port 995 with SSL. The outgoing is the same - like you were on the web, and Hotmail like Yahoo offers no "https" so you have no SSL for outgoing. Hotmail "can" (depending on the incoming port you have set up) deliver incoming secure - but not outgoing.

The carrier specific addresses like (carrier)blackberry.net is port 110 incoming no SSL and port 25 outgoing no SSL. So, this is like Yahoo - just... nothing.

In regard to security the BIS offers nothing over web based mail...

Based on the above I will be deleting my AT&T account as well as Yahoo through the BIS... If you aren't a Google fan, you really have no "good" option here for email through the BIS.

At this time they have no intention of changing this. They also said this information is all readily available through "Terms and Conditions" when you set up your email through the BIS. I haven't checked but so what if it's there - it's bad. They can wave it like a banner but it still sucks. The iPhone, HTC's, Nokia ALL have the ability to encrypt or enable SSL for the incoming/outgoing ports for their email clients. That is just the norm right now. Again, that's a big reason people use smartphones...

At least disclosing the above (not buried in terms and conditions) lets the user decide how to protect themselves. Especially since credit card statements and banking can be done online now.

I wanted to know what was behind the BIS wall...

Now we know - there is no wall.

Sandy

p.s. I had to submit a support ticket and pay RIM $49.99 to get this information - to get specifics about the ports, which is not disclosed in the Terms and Conditions...

Last edited by The Sand : 08-18-2010 at 06:56 PM.
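
Added example (not part of the original post, and not RIM's or any mail provider's code): the ports discussed in the post above are the standard IMAP, POP3 and SMTP ports, and a cleartext port such as 110, 143 or 25 is protected only if the server offers a TLS upgrade and the client actually uses it. The sketch classifies one mail leg from its port and the server's capability response; the function names and sample responses are constructed for illustration.

```python
# Added example: how protected is one mail leg, given its port and the
# server's capability response? Sample data below is constructed.
IMPLICIT_TLS = {993: "imap", 995: "pop3", 465: "smtp"}   # TLS from the first byte
CLEARTEXT = {143: "imap", 110: "pop3", 25: "smtp"}       # plaintext unless upgraded


def offers_upgrade(protocol, capability_lines):
    """True if the capability response advertises a TLS upgrade command."""
    keyword = "STLS" if protocol == "pop3" else "STARTTLS"
    for line in capability_lines:
        text = line.strip().upper()
        if protocol == "smtp":
            if not text.startswith("250"):
                continue
            text = text[4:]                      # drop the "250-" / "250 " prefix
        # IMAP may wrap capabilities in brackets inside the greeting.
        tokens = text.replace("[", " ").replace("]", " ").split()
        if keyword in tokens:
            return True
    return False


def classify(port, capability_lines=(), client_upgrades=False):
    """Describe the transport protection of a connection to `port`."""
    if port in IMPLICIT_TLS:
        return "encrypted (implicit TLS)"
    if port not in CLEARTEXT:
        return "unknown port"
    if not offers_upgrade(CLEARTEXT[port], capability_lines):
        return "plaintext (no upgrade offered)"
    # An advertised upgrade protects nothing unless the client issues it.
    if client_upgrades:
        return "encrypted (STARTTLS)"
    return "plaintext (upgrade offered, not used)"


SAMPLES = {  # constructed responses, not captured from any real provider
    "imap-143": (143, ["* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready"]),
    "pop3-110": (110, ["+OK", "USER", "UIDL", "."]),
    "smtp-25": (25, ["250-mail.example.test", "250-SIZE 10240000", "250 STARTTLS"]),
    "pop3s-995": (995, []),
}


def report(client_upgrades=False):
    return {name: classify(port, lines, client_upgrades)
            for name, (port, lines) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:10} {verdict}")
```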

08-18-2010, 07:17 PM   #2
Dubdub

Moved to the Security section.

Interesting information. Thanks.

08-18-2010, 07:30 PM   #3
The Sand

I don't think you should have moved this thread. It's specifically about what happens with email through the BIS - and really should stay in the area regarding the BIS.

If you want to know about email through the BIS, you aren't going to check "Blackberry and Mobile security."

Sandy

08-18-2010, 07:31 PM   #4
NJBlackBerry

That's why companies interested in securing their email use BES. BIS is for consumers only. Never was presented as an end to end secure solution.

08-18-2010, 07:47 PM   #5
The Sand

But why leave consumers out??? They are still part of the people who purchase BB's. All smartphones let you encrypt the incoming/outgoing ports.

Why doesn't BB do the same???

I believe that is why the information was so hard to get to... they know it's bad so they hid it.

Sandy

08-18-2010, 08:16 PM   #6
ubizmo

Quote:
Originally Posted by NJBlackBerry View Post
That's why companies interested in securing their email use BES. BIS is for consumers only. Never was presented as an end to end secure solution.
That's true, but there's more to it than that. We consumers hear so much about BlackBerry's legendary e-mail security, and how it sets BlackBerry apart from the competition, it's only natural that we would come to believe that it applies to BIS as well as BES. For example, how many discussions have there been here on BBF comparing BB to other platforms, and how many times have we been admonished about the security of the BB? Many times. But I don't recall ever seeing the caveat that this high-level security applies only to BES.

The point here for consumers is that with BIS, email is no more secure on the BB than it is on other smartphones, and may be less secure than some. That's an important piece of information.

Ubizmo

08-18-2010, 08:47 PM   #7
The Sand

It is less secure than other smartphones for all accounts but Gmail. And even Gmail I am not "entirely" sure of as I was told there are 2 ports for Gmail and 1 port had no security. I know my Nokia is a lock down with SSL enabled on ALL ports for EVERY email account. Other smartphones have the same...

It's not my intention to bash RIM. Posting on this forum is to let users beware - they are not as secure as they might have thought. I for one was shocked and bummed.

And I will take this info elsewhere - hoping to facilitate change from RIM. They either step it up on the BIS - or they let the consumer know they really are a "business" phone and BB's aren't for the consumer in regard to email.

Sandy

08-18-2010, 09:06 PM   #8
NJBlackBerry

So you assumed that there was security there.
And it isn't.

Now, tell me about other more secure platforms. Would that be the iPhone? Or the Droid?

08-18-2010, 09:24 PM   #9
The Sand

Yes, both the Apple and the Droid would be more secure. Of course I would never buy Apple as "I" am capable of changing my own battery and you can't read it as a mass storage device. And in my opinion - only a fool would run Droid giving Google more info than they already know about you. But yes, both are better than the BIS.

Just do some searching, "iPhone Yahoo SSL ports through email client."

Just basic searching shows they ALL have the ability the BIS does not give you..

Sandy

08-19-2010, 04:56 AM   #10
NJBlackBerry

Good thing I don't use Yahoo Mail.
You seem to have uncovered a very serious problem that no one cares about.

And I guess your position on iPhones is not widely shared either.

08-19-2010, 06:55 AM   #11
CanuckBB

However, when I access mail.yahoo.com, it is always a clear http connection. Accessing https://mail.yahoo.com, it gives me a cert error and dumps me back to http://mail.yahoo.com. So Yahoo has no security anyway.

What are the odds of traffic between the BIS servers and the mail provider being intercepted?

Last edited by CanuckBB : 08-19-2010 at 07:34 AM.

08-19-2010, 07:04 AM   #12
devnull

Sandy, in post #5 you imply that RIM has hidden this information. I direct your attention to this document found on RIM's knowledge base which quite clearly spells it out. Page 2 - "Overview"

http://www.blackberry.com/btsc/micro...00%20733485502
Quote:
Overview
The BlackBerry® Internet Service is designed to provide you with automatic delivery of email messages, mobile access to attachments, and
convenient access to Internet content.
The BlackBerry Internet Service uses the security of the wireless network that it connects to. Email messages that are sent between the BlackBerry
Internet Service and your BlackBerry device are not encrypted. However, email messages that are sent between the BlackBerry Internet Service
and your messaging server can be encrypted using SSL encryption. SSL encryption can also be used by the BlackBerry® Browser and other
applications on your BlackBerry device to help protect your data when you connect to the Internet (for example, while shopping and banking
online). You can also set up your BlackBerry device to help protect it from theft, viruses, and spyware.

I don't think it's fair for you to accuse without proper research.

08-19-2010, 08:25 AM   #13
NJBlackBerry

Hidden in plain sight.

08-19-2010, 11:37 AM   #14
JSanders

It was only hidden because Sandy hadn't searched and found it.

08-19-2010, 12:42 PM   #15
CanuckBB

And 99.9% of BIS don't actually give a crap about it. They get their Yahoo, Gmail and Hotmail through the web. They use the simple setup on the phone to do their email setup. For most, SSL is not a big deal. Most don't know what SSL is. Most don't need it.

08-19-2010, 01:01 PM   #16
NJBlackBerry

And in the age of FaceBook, location based services, FourSquare and Twitter, most REALLY don't care about security or privacy.

And I think the 99.9% number is low.

08-19-2010, 01:03 PM   #17
The Sand

Quote:
Originally Posted by CanuckBB View Post
However, when I access mail.yahoo.com, it is always a clear http connection. Accessing https://mail.yahoo.com, it gives me a cert error and dumps me back to http://mail.yahoo.com. So Yahoo has no security anyway.

What are the odds of traffic between the BIS servers and the mail provider being intercepted?
Yahoo is 993 SSL incoming and 465 SSL outgoing for smartphones. There are other ports that work as well for Yahoo. You wouldn't want to use port 110 or 143 - nothing like that.

This is commonplace practice for smartphones - to SSL enable incoming/outgoing. My Nokia rolled this through automatically.

Sandy

08-19-2010, 01:05 PM   #18
The Sand

Quote:
Originally Posted by JSanders View Post
It was only hidden because Sandy hadn't searched and found it.
It is hidden - you can't get to it... I had to pay to find out the incoming/outgoing ports and SSL enablement. It took 2 days and 50 bucks.

You can "see" that info on other smartphones...

Sandy

08-19-2010, 01:10 PM   #19
The Sand

Quote:
Originally Posted by devnull View Post
Sandy, in post #5 you imply that RIM has hidden this information. I direct your attention to this document found on RIM's knowledge base which quite clearly spells it out. Page 2 - "Overview"

http://www.blackberry.com/btsc/micro...00%20733485502



I don't think it's fair for you to accuse without proper research.
Right now they (RIM) log into your web based mail and send out the email. So, no there is no "SSL" that they speak of in this article going on unless you use Gmail (who basically did it for them) as they use https - your "outgoing" has nothing unless it's Gmail.

Sandy

08-19-2010, 01:14 PM   #20
The Sand

Quote:
Originally Posted by NJBlackBerry View Post
And in the age of FaceBook, location based services, FourSquare and Twitter, most REALLY don't care about security or privacy.

And I think the 99.9% number is low.
Just because people are stupid doesn't mean you should be. I want SSL enablement for the BIS. I want the same security ALL other smartphones get for the BB.

Sandy
Copyright © 2004-2014 BlackBerryForums.com.
The names RIM © and BlackBerry © are registered Trademarks of BlackBerry Inc.