The "secure" BB10 OS is not great at establishing secure connections because it uses dated protocols
UPDATE / 8th of April: There is an even bigger problem with some implementations of TLS. Some of BlackBerry's servers and products were/are vulnerable.
Official BlackBerry statement
Attachment 250831
TL;DR
BlackBerry's choice of Internet Security Protocols to secure Internet connections made from a BlackBerry 10 device is not the greatest and the competition is doing much better. BlackBerry 10 is using TLS 1.0, the competition TLS 1.2.
I'll let you decide if TLS 1.0 is safe enough to protect your connection to sites and services you use. Cryptographers, the US National Institute of Standards and Technology (NIST), Microsoft all say it isn't.
Users on BES have an extra layer of protection which uses stronger cipher suites.
Long version
BlackBerry 10 is using TLS 1.0
While configuring devices to make sure they can safely connect to secure servers, I had the unpleasant surprise of discovering that BlackBerry 10 was only offering dated, weak Internet Security Protocols:
- SSL 2: Should be banned everywhere
- SSL 3: It's so bad, only XP uses it today
- TLS 1.0: Has been cracked and patched several times
Those protocols only contain cipher suites containing dangerous, treacherous or weak algorithms such as:
- RC4 (game over if your enemy has large resources)
- ECDSA (NIST curves, owned by BlackBerry)
- SHA1 (foundation is cracking, not recommended by BlackBerry, ECRYPT II, deprecated by FIPS)
- 3DES, DES (Forget it)
- DHE_DSS (Don't use DSS)
- AES CBC (bad things happen if TLS 1.0 is not patched)
- MD5 (cracked!)
But not the stronger ones such as
- AES GCM
- Camellia GCM
- SHA2 and
- DHE without DSS.
First I thought it was a general problem with smartphones, but iOS 7.0.6 (without the gotofail.com ;)), Chrome on Android 4.4 and the latest Firefox on Android all support TLS 1.2 and offer even stronger encryption than what you get on a typical Windows desktop:
DHE+AES256+GCM+SHA384
You can get the full list of cipher suites supported by your BlackBerry browser via:
https://cc.dcsec.uni-hannover.de/
Is TLS 1.0 considered weak cryptography?
To make up your mind regarding how safe those ciphers are to use today, you should do your research. There are plenty of links available on Google, Wikipedia, crypto forums, IRC channels, etc. or ask a cryptographer what they think of TLS 1.0...
Here are a few links to get you started:
- TLS version 1.1 is required, at a minimum, in order to mitigate various attacks on version 1.0 of the TLS protocol. Support for TLS version 1.2 is strongly recommended. NIST
- RC4 in TLS is Broken: Now What? Qualys
- A roster of TLS cipher suites weaknesses. Google Online Security Blog
- Security Advisory: Recommendation to disable RC4 Microsoft
- Is TLS secure? Bristol Cryptography Blog
- "A double-byte bias attack on RC4 in TLS and SSL [...] was unveiled on 8 July 2013, and it was described as "feasible" [...] on August 15, 2013" Wikipedia
- "In 2005, security flaws were identified in SHA-1, namely that a mathematical weakness might exist, indicating that a stronger hash function would be desirable" Wikipedia
- Cipher security against publicly known feasible attacks Wikipedia
The main problems are that the most secure suites on BB10 are:
- using AES CBC which has had a lot of problems these past years (BEAST, Lucky 13) and while some vulnerabilities have probably been patched on the devices, it's still best to move to AES GCM
- using SHA1 which shows more and more signs of weakness and is deprecated by both ECRYPT II and FIPS.
The good news is that the stronger suites in TLS 1.0 support Perfect Forward Secrecy via DHE and ECDHE (if you don't mind the unexplained magic numbers in NIST approved curves...), which means that an attacker can't record traffic to decrypt it later.
What are the risks?
- If you're the target of a government agency, well, there is not much you can do. Stronger crypto might not even help you as they'll probably target your device directly or the services that you use
- If you use your device for business and you're connecting to company services using a combination of elliptic curves and ephemeral keys, only the US government and spies who have copied their keys will be able to intercept your conversations. Apart from that, you'll know when there is a SHA1 exploit or a new attack on CBC in the wild as banks will probably be the first targets, unless your business is very valuable
- If you're a consumer, your bank, email provider, cloud, etc. will choose the strength of the connection for you and they'll probably pick the one which costs them the least in terms of resources from the list of what BlackBerry 10 has to offer. As long as it's DHE or ECDHE (click on the lock in a secure connection to find out), that's probably good enough to protect you from hackers until TLS 1.0 falls again, but won't stop the US government from collecting data
Conclusions
So BlackBerry 10 is lagging behind the competition when it comes to establishing secure connections on the Internet, but you're the only one who can tell whether it's relevant for what you're using your devices for.
Let's just hope BlackBerry will soon follow Google, Apple, Opera, Microsoft, Firefox, etc. and upgrade BlackBerry 10 to the latest, safest version of TLS.
Note 1: What about their FIPS140-2 certification? That's not just about ciphers, but about building a secure environment and BlackBerry still rules that area, but the next revision of FIPS is moving away from some of the weak algos mentioned above.
Note 2: If you're worried about governments casually monitoring your conversations, you can use Android chat apps like TextSecure or Surespot. They use one of the most promising cipher suites, DHE+curve25519+xsalsa20+poly1305, which is fast and hasn't been influenced by the NSA or NIST. That's what security-conscious sysadmins are migrating to today to manage servers.
Note 3: The screenshot is from howsmyssl.com which gives the BB10 browser a bad rating for its use of TLS 1.0 which is not recommended today. It also contains lots of "good" ratings in a few areas they test, because their list of secure cipher suites is not up to date and they blindly mark any ephemeral key support as good when some are known to be weak or are not trusted any more by the crypto community.
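The cipher-suite check described above (what version and suites a client offers) can also be done offline from a captured ClientHello. The following is an added example, not part of the original post: the function names, the small suite table and the sample handshake bytes are constructed for illustration, and the flags follow the RC4, 3DES, DSS, CBC, MD5 and SHA1 entries of the post's list.

```python
import struct

# Subset of IANA cipher suite IDs, enough for the constructed samples.
SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0032: "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0x009F: "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
WEAK = ("RC4", "3DES", "DSS", "CBC", "MD5")  # name fragments from the post's list

def build_sample(version, suite_ids):
    """Constructed ClientHello: zeroed random, empty session id, no extensions."""
    cs = struct.pack("!%dH" % len(suite_ids), *suite_ids)
    body = struct.pack("!H", version) + bytes(32) + b"\x00"
    body += struct.pack("!H", len(cs)) + cs + b"\x01\x00"  # null compression only
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", 0x0301, len(hs)) + hs

def parse_client_hello(record: bytes):
    """Return (client_version, [suite ids]) from one TLS record holding a ClientHello."""
    rtype, _rec_ver, rec_len = struct.unpack_from("!BHH", record, 0)
    if rtype != 0x16 or rec_len < 4 or len(record) < 5 + rec_len or record[5] != 0x01:
        raise ValueError("not a complete ClientHello record")
    pos = 5 + 4                          # record header + handshake header
    (version,) = struct.unpack_from("!H", record, pos)
    pos += 2 + 32                        # client_version + random
    pos += 1 + record[pos]               # session_id length byte + session_id
    (cs_len,) = struct.unpack_from("!H", record, pos)
    pos += 2
    if cs_len % 2 or pos + cs_len > len(record):
        raise ValueError("bad cipher_suites length")
    return version, list(struct.unpack_from("!%dH" % (cs_len // 2), record, pos))

def audit(record: bytes):
    """Return (version name, [(suite name, weak-algorithm flags, forward secrecy)])."""
    version, suites = parse_client_hello(record)
    report = []
    for sid in suites:
        name = SUITES.get(sid, "unknown_0x%04X" % sid)
        flags = [w for w in WEAK if w in name]
        if name.endswith("_SHA"):        # bare "_SHA" suffix means SHA-1
            flags.append("SHA1")
        report.append((name, flags, "DHE_" in name))  # DHE_ also matches ECDHE_
    return VERSIONS.get(version, hex(version)), report
```

Feeding it the raw bytes of the first handshake record from a packet capture gives the same kind of listing as the web checkers, without depending on how a third-party site rates each suite.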