#1 ofutur (Thread Author, CrackBerry Genius, 1,684 posts)

The "secure" BB10 OS is not great at establishing secure connections because it uses dated protocols

UPDATE / 8th of April: There is an even bigger problem with some implementations of TLS. Some of BlackBerry's servers and products were/are vulnerable.
    Official BlackBerry statement

[Screenshot: howsmyssl.com rating of the BB10 browser, see Note 3]

    TL;DR
    BlackBerry's choice of Internet Security Protocols to secure Internet connections made from a BlackBerry 10 device is not the greatest and the competition is doing much better. BlackBerry 10 is using TLS 1.0, the competition TLS 1.2.

    I'll let you decide if TLS 1.0 is safe enough to protect your connection to sites and services you use. Cryptographers, the US National Institute of Standards and Technology (NIST), Microsoft all say it isn't.

    Users on BES have an extra layer of protection which uses stronger cipher suites.

    Long version
    BlackBerry 10 is using TLS 1.0
    While configuring devices to make sure they can safely connect to secure servers, I had the unpleasant surprise of discovering that BlackBerry 10 was only offering dated, weak Internet Security Protocols:

    • SSL 2: Should be banned everywhere
    • SSL 3: It's so bad, only XP uses it today
    • TLS 1.0: Has been cracked and patched several times

    Those protocols only contain cipher suites containing dangerous, treacherous or weak algorithms such as:

    • RC4 (game over if your enemy has large resources)
    • ECDSA (NIST curves, owned by BlackBerry)
    • SHA1 (foundation is cracking, not recommended by BlackBerry, ECRYPT II, deprecated by FIPS)
    • 3DES, DES (Forget it)
    • DHE_DSS (Don't use DSS)
    • AES CBC (bad things happen if TLS 1.0 is not patched)
    • MD5 (cracked!)

    But not the stronger ones such as

    • AES GCM
    • Camellia GCM
    • SHA2 and
    • DHE without DSS.

First I thought it was a general problem with smartphones, but iOS 7.0.6 (without the gotofail.com bug), Chrome on Android 4.4 and the latest Firefox on Android all support TLS 1.2 and offer even stronger encryption than what you get on a typical Windows desktop:
    DHE+AES256+GCM+SHA384

You can get the full list of cipher suites supported by your BlackBerry browser via: https://cc.dcsec.uni-hannover.de/

    Is TLS 1.0 considered weak cryptography?
    To make up your mind regarding how safe those ciphers are to use today, you should do your research. There are plenty of links available on Google, Wikipedia, crypto forums, IRC channels, etc. or ask a cryptographer on what they think of TLS 1.0...

    Here are a few links to get you started:

    • TLS version 1.1 is required, at a minimum, in order to mitigate various attacks on version 1.0 of the TLS protocol. Support for TLS version 1.2 is strongly recommended. NIST
    • RC4 in TLS is Broken: Now What? Qualys
    • A roster of TLS cipher suites weaknesses. Google Online Security Blog
    • Security Advisory: Recommendation to disable RC4 Microsoft
    • Is TLS secure? Bristol Cryptography Blog
    • "A double-byte bias attack on RC4 in TLS and SSL [...] was unveiled on 8 July 2013, and it was described as "feasible" [...] on August 15, 2013" Wikipedia
    • "In 2005, security flaws were identified in SHA-1, namely that a mathematical weakness might exist, indicating that a stronger hash function would be desirable" Wikipedia
    • Cipher security against publicly known feasible attacks Wikipedia

    The main problems are that the most secure suites on BB10 are:

    • using AES CBC which has had a lot of problems these past years (BEAST, Lucky 13) and while some vulnerabilities have probably been patched on the devices, it's still best to move to AES GCM
• using SHA1 which shows more and more signs of weaknesses and is deprecated by both ECRYPT II and FIPS.

    The good news is that the stronger suites in TLS 1.0 support Perfect Forward Secrecy via DHE and ECDHE (if you don't mind the unexplained magic numbers in NIST approved curves...), which means that an attacker can't record traffic to decrypt it later.

    What are the risks?
    • If you're the target of a government agency, well, there is not much you can do. Stronger crypto might not even help you as they'll probably target your device directly or the services that you use
    • If you use your device for business and you're connecting to company services using a combination of elliptic curves and ephemeral keys, only the US government and spies who have copied their keys will be able to intercept your conversations. Apart from that, you'll know when there is a SHA1 exploit or a new attack on CBC in the wild as banks will probably be the first targets, unless your business is very valuable
    • If you're a consumer, your bank, email provider, cloud, etc. will choose the strength of the connection for you and they'll probably pick the one which costs them the least in terms of resources from the list of what BlackBerry 10 has to offer. As long as it's DHE or ECDHE (click on the lock in a secure connection to find out), that's probably good enough to protect you from hackers until TLS 1.0 falls again, but won't stop the US government from collecting data


    Conclusions
    So BlackBerry 10 is lagging behind the competition when it comes to establishing secure connections on the Internet, but you're the only one who can tell whether it's relevant for what you're using your devices for.
    Let's just hope BlackBerry will soon follow Google, Apple, Opera, Microsoft, Firefox, etc. and upgrade BlackBerry 10 to the latest, safest version of TLS

    Note 1: What about their FIPS140-2 certification? That's not just about ciphers, but about building a secure environment and BlackBerry still rules that area, but the next revision of FIPS is moving away from some of the weak algos mentioned above.

Note 2: If you're worried about governments casually monitoring your conversations, you can use Android chat apps like TextSecure or Surespot. They use one of the most promising cipher suites, DHE+curve25519+xsalsa20+poly1305, which is fast and hasn't been influenced by the NSA or NIST. That's what security conscious sysadmins are migrating to today to manage servers.

    Note 3: The screenshot is from howsmyssl.com which gives the BB10 browser a bad rating for its use of TLS 1.0 which is not recommended today. It also contains lots of "good" ratings in a few areas they test, because their list of secure cipher suites is not up to date and they blindly mark any ephemeral key support as good when some are known to be weak or are not trusted any more by the crypto community.
    Last edited by ofutur; 04-11-2014 at 12:42 PM. Reason: Added a link to the BlackBerry's KB article
    Full specs of all current and near future BlackBerry devices: Thread and Channel C001231E5
    Leave tips and links anonymously using Twoople and share files anonymously using Onionshare

    BlackBerrys only protects DATA FOR ENTERPRISES through BES. See the difference with a properly configured Android.
#2 sk8er_tor (CrackBerry Genius, 1,526 posts)

    There's more to it than a website telling you it's "bad." I'll wait for someone who's an expert in this field to provide details.
#3 ofutur (Thread Author, CrackBerry Genius, 1,684 posts)

    The website is there for people to get an idea of how good/bad their browser is. Show the list of ciphers to an expert and he'll tell you that it's just not good enough in the post-Snowden era.

    Also, on the desktop, Firefox does not enable TLS 1.2 by default, so many people are not really better off.

    And finally, if the servers don't support stronger encryption, then having it in the browser won't offer better protection. It's just much easier for an admin to paste a new cipher suite in the server's config than it is to force BlackBerry to upgrade BB10.
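The reply above makes the practical point that an admin can change a server's cipher configuration far more easily than a vendor can ship a new TLS stack. As an added example (not code from the thread or from BlackBerry), here is how the same policy the thread argues for, TLS 1.2 or later, ephemeral key exchange and AEAD ciphers only, is expressed on a client with Python's standard `ssl` module. The cipher string `STRONG_CIPHERS` is this example's own choice, and `weak_suites_offered` is a self-check that nothing weaker would be advertised in the ClientHello after a configuration change.

```python
"""Client-side TLS policy: TLS 1.2+ only, (EC)DHE key exchange, AEAD bulk ciphers.
Added example using only the Python standard library; STRONG_CIPHERS is an assumption
(this example's policy), not a setting taken from BlackBerry or from the thread."""
import ssl
from typing import Dict, List

# OpenSSL cipher string: ECDHE key exchange with AES-GCM or ChaCha20-Poly1305, plus
# explicit exclusions for the families the thread calls broken. TLS 1.3 suites are
# managed separately by OpenSSL and are all AEAD with forward secrecy.
STRONG_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES"


def hardened_client_context() -> ssl.SSLContext:
    """Context that refuses SSL 3 / TLS 1.0 / TLS 1.1 and offers only AEAD suites."""
    ctx = ssl.create_default_context()             # certificate + hostname verification on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # anything older is rejected at handshake
    ctx.set_ciphers(STRONG_CIPHERS)                # restricts the TLS 1.2 suite list
    return ctx


def offered_suites(ctx: ssl.SSLContext) -> List[Dict]:
    """What OpenSSL would advertise for this context, one dict per suite."""
    return ctx.get_ciphers()


def weak_suites_offered(ctx: ssl.SSLContext) -> List[str]:
    """Names of offered suites that are not AEAD or belong to a pre-1.2 protocol.
    An empty list means the context meets the policy; run this after any config change."""
    return [
        c["name"]
        for c in offered_suites(ctx)
        if not c["aead"] or c["protocol"] not in ("TLSv1.2", "TLSv1.3")
    ]


if __name__ == "__main__":
    context = hardened_client_context()
    for suite in offered_suites(context):
        print(f'{suite["protocol"]:8s} {suite["name"]}')
    print("weak suites offered:", weak_suites_offered(context) or "none")
```

The same cipher string, minus the client-side `minimum_version` line, is what an admin would paste into a server's TLS configuration; the self-check matters because a later edit that re-enables a CBC or RC4 suite "for compatibility" silently reopens the gap the thread is about.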
#4 Mr.Conviviality (CrackBerry Abuser, 341 posts)

Interestingly, if I chose not to question what you're sharing with us... I'd read your post and think my blackberry is in trouble, using dated stuff... vulnerable and behind. Almost like reading a BGR article.

When I go to the website that you've listed, in one breath it mentions that version is "bad" and that it's possibly susceptible to the "BEAST" attack...

However...

If you scroll down the page, the same one that says that everything else is "good", it says that "your client is not vulnerable to the BEAST attack" as it uses TLS 1.0 in conjunction with blah blah blah....

To me it looks like you're trolling.
#5 eddy_berry (CrackBerry Genius, 2,392 posts)

    I saw the same thing but scrolled down to see this...


[Screenshot attachment]
    For the best typing experience only one brand does it the best. That brand is BlackBerry.
    BlackBerry. Nobody likes a typo.

    Check out my collection of CB and BB wallpapers
#6 dbmalloy (CrackBerry Genius, 1,597 posts)

    Security on any platform is only as secure as its weakest link... you can have the most secure device in the world and if you connect to an unsecure server or service... whatever info you give it is not secure...
#7 ofutur (Thread Author, CrackBerry Genius, 1,684 posts)

Quote from Mr.Conviviality:
Interestingly, if I chose not to question what you're sharing with us... I'd read your post and think my blackberry is in trouble, using dated stuff... vulnerable and behind. Almost like reading a BGR article.

When I go to the website that you've listed, in one breath it mentions that version is "bad" and that it's possibly susceptible to the "BEAST" attack...

However...

If you scroll down the page, the same one that says that everything else is "good", it says that "your client is not vulnerable to the BEAST attack" as it uses TLS 1.0 in conjunction with blah blah blah....

To me it looks like you're trolling.

That's because it's not your field of expertise and you didn't do your due diligence by doing some simple Google or Wikipedia searches on the algorithms I've mentioned.

    You can check this table to see that TLS 1.0 contains ZERO secure Ciphers.
    https://en.wikipedia.org/wiki/Transp...ecurity#Cipher

    It's clearly a complex matter and it's the combinations and implementation of algos which make a certain stack vulnerable.
The website I've listed is just used to get an overall rating. It's not taking into consideration the latest developments in cryptography, but it has the advantage of being readable by novices. Having said that, several people have provided feedback similar to yours, because it's true, all this green makes people think things are all right.
#8 ofutur (Thread Author, CrackBerry Genius, 1,684 posts)

Quote from dbmalloy:
Security on any platform is only as secure as its weakest link... you can have the most secure device in the world and if you connect to an unsecure server or service... whatever info you give it is not secure...

Exactly, but in this case, the limiting factor is the BlackBerry devices. Today's servers have no problem supporting much stronger encryption.
    And it's OK for a device to support weak ones, for compatibility reasons, but it should offer the stronger ones, for those who need it.
#9 Mr.Conviviality (CrackBerry Abuser, 341 posts)

Quote from ofutur:
That's because it's not your field of expertise and you didn't do your due diligence by doing some simple Google or Wikipedia searches on the algorithms I've mentioned.

You can check this table to see that TLS 1.0 contains ZERO secure Ciphers.
https://en.wikipedia.org/wiki/Transp...ecurity#Cipher

It's clearly a complex matter and it's the combinations and implementation of algos which make a certain stack vulnerable.
The website I've listed is just used to get an overall rating. It's not taking into consideration the latest developments in cryptography, but it has the advantage of being readable by novices. Having said that, several people have provided feedback similar to yours, because it's true, all this green makes people think things are all right.

If your recommended process of DD is to do a "google search" or consult "Wikipedia", I question yours.

    I won't pretend to be an expert in cryptography or mobile security, but I don't get the point of your finding.
    The website says things are good, and things are bad. It does nothing to shed any light on any problem. You've shared nothing to confirm that there is an issue. You haven't shared a solution. In a way, you've come here to tell us that an M1A1 Abrams doesn't have an airbag, and as such isn't a safe vehicle.
#10 ofutur (Thread Author, CrackBerry Genius, 1,684 posts)

Quote from Mr.Conviviality:
If your recommended process of DD is to do a "google search" or consult "Wikipedia", I question yours.

That's what's accessible to the layman, this is not the cr.yp.to mailing list...

Quote from Mr.Conviviality:
I won't pretend to be an expert in cryptography or mobile security, but I don't get the point of your finding.
The website says things are good, and things are bad. It does nothing to shed any light on any problem.

Maybe I should remove the website so that people stop focusing on that... The goal was to get the list of ciphers so that people could do their own research.

Quote from Mr.Conviviality:
You've shared nothing to confirm that there is an issue. You haven't shared a solution. In a way, you've come here to tell us that an M1A1 Abrams doesn't have an airbag, and as such isn't a safe vehicle.

I've shared the list of algos which are problematic and mentioned you can do your own research. It doesn't take that long to see that there are problems with what I listed, but here, 2 links to start exploring:
    • "A double-byte bias attack on RC4 in TLS and SSL [...] was unveiled on 8 July 2013, and it was described as "feasible" [...] on August 15, 2013" Wikipedia
    • "In 2005, security flaws were identified in SHA-1, namely that a mathematical weakness might exist, indicating that a stronger hash function would be desirable" Wikipedia


    I did mention in my OP that the competition had upgraded to TLS 1.2 and that I was hoping that BlackBerry 10 would do the same. The only workaround would be to use an Android browser if it uses its own SSL stack.
#11 ofutur (Thread Author, CrackBerry Genius, 1,684 posts)

    I've updated the OP, to give a bit more info on why it's a good idea to upgrade the crypto stack.
#12 stabstabdie (CrackBerry Genius, 2,988 posts)

    imagine if the 'expert' consultant you just hired sat across the table and gave you Wikipedia as the source of their information.......
#13 ofutur (Thread Author, CrackBerry Genius, 1,684 posts)

    Wikipedia isn't the source... it contains an easy to read collection of references for people who care to learn more.
#14 Richard Buckley (CrackBerry Genius, 1,682 posts)

Of course it is desirable to have the latest version of TLS. However, let's take your claim that TLS 1.0 has no trusted ciphers and that howsmyssl.com is a good source to find out which ones are offered.

Chrome, which gets a score of "Probably OK" (the highest possible), offers the following as the number 1 and 2 ciphers:
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

My Z10 browser offers these as the number 1 and 2 ciphers (they are offered as number 5 and 6 by Chrome):
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

    After BEAST mitigation the following ciphers were recommended to be left in Firefox:
    C02B TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    C02F TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    C009 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    C013 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    C00A TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    C014 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    0033 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    0039 TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    002F TLS_RSA_WITH_AES_128_CBC_SHA
    0035 TLS_RSA_WITH_AES_256_CBC_SHA

    I think you didn't read the foot notes on the "depends" state on the Wikipedia TLS article.

As we found out from the GOTO FAIL bug, and many before it, it doesn't matter how advanced your cryptography is if you screw up the implementation. There are known ways to mitigate the problems with TLS 1.0.

Edit:
This has been brought up before; this is what I had to say then:
The BEAST attack exploits problems discovered in TLS 1.0. While it is desirable for all clients to move to newer versions of TLS in order to be protected from the BEAST attack, simply using a later version of TLS requires that the server also support the later version. Servers are often even slower to upgrade than clients, so many browsers have been patched to provide protection from BEAST while still using TLS 1.0. I do not know the status of the BB10 browser with respect to this.

    Importantly this site is not a test for vulnerability to BEAST, it only looks at the version of TLS supported.

    It would certainly be better for BlackBerry to move cryptographic support to TLS 1.2, but the servers of the sites you visit must also upgrade to this support. Test sites like this one perform a useful function of bringing the issue to the masses and act as a prod to bring about the upgrades, but should not be used as a reason to be over concerned.
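The disagreement in this thread comes down to reading cipher suite names: the OP's lists of weak versus strong algorithms in post #1 and the post-BEAST Firefox list with its IANA code points in the post above. As an added example (not code from the thread, from BlackBerry or from Mozilla), the script below parses IANA-style suite names into key exchange, authentication, bulk cipher and hash, rates them with a four-tier policy of this example's own design that follows the OP's criteria, and works out which of the listed suites a client limited to TLS 1.0 can negotiate at all, since AES-GCM and SHA-256 suites exist only from TLS 1.2 onwards. The Firefox list is embedded as constructed input copied from the post.

```python
"""Rate IANA-style TLS cipher suite names by key exchange, bulk cipher and hash, and
work out which ones a TLS 1.0-only client could negotiate. Added example; the four
tiers below are this example's own policy, modelled on the criteria argued in the thread."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

RECOMMENDED, ACCEPTABLE, COMPATIBILITY, BROKEN = "recommended", "acceptable", "compatibility", "broken"

# Constructed sample input: the post-BEAST Firefox list quoted in post #14 (code point, name).
FIREFOX_POST_BEAST = """\
C02B TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
C02F TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
C009 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
C013 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
C00A TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
C014 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
0033 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
0039 TLS_DHE_RSA_WITH_AES_256_CBC_SHA
002F TLS_RSA_WITH_AES_128_CBC_SHA
0035 TLS_RSA_WITH_AES_256_CBC_SHA
"""

# TLS_<kx>[_<auth>]_WITH_<cipher>_<digest>; static-RSA suites carry no separate auth field.
SUITE_RE = re.compile(
    r"^TLS_(?P<kx>[A-Z]+)(?:_(?P<auth>RSA|ECDSA|DSS|PSK|anon))?"
    r"_WITH_(?P<cipher>.+?)_(?P<digest>SHA384|SHA256|SHA|MD5|NULL)$"
)


@dataclass(frozen=True)
class Suite:
    name: str
    kx: str       # key exchange: RSA (static), DHE, ECDHE, DH, ECDH, ...
    auth: str     # RSA, ECDSA, DSS, anon, ...
    cipher: str   # e.g. AES_128_GCM, AES_256_CBC, RC4_128, 3DES_EDE_CBC
    digest: str   # HMAC hash for CBC/stream suites; PRF hash for AEAD suites

    @property
    def forward_secrecy(self) -> bool:
        return self.kx in ("DHE", "ECDHE")

    @property
    def aead(self) -> bool:
        return any(tag in self.cipher for tag in ("GCM", "CCM", "POLY1305"))

    @property
    def requires_tls12(self) -> bool:
        # AEAD suites (RFC 5288/7905) and SHA-256/384 HMAC suites (RFC 5246) exist only from TLS 1.2.
        return self.aead or self.digest in ("SHA256", "SHA384")


def parse_suite(name: str) -> Suite:
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {name}")
    kx, auth = m.group("kx"), m.group("auth")
    if auth is None:      # TLS_RSA_WITH_...: static RSA does both key exchange and authentication
        auth = kx
    return Suite(name, kx, auth, m.group("cipher"), m.group("digest"))


def rate(name: str) -> str:
    s = parse_suite(name)
    if (s.auth in ("anon", "DSS") or s.digest in ("MD5", "NULL")
            or any(tag in s.cipher for tag in ("RC4", "DES", "NULL"))):
        return BROKEN          # unauthenticated, DSS, MD5 MAC, RC4/DES/3DES or no encryption
    if s.forward_secrecy and s.aead:
        return RECOMMENDED     # (EC)DHE + AES-GCM/ChaCha20-Poly1305: what the OP asks for
    if s.forward_secrecy:
        return ACCEPTABLE      # (EC)DHE + AES-CBC + HMAC-SHA1: BB10's best; needs BEAST/Lucky 13 mitigations
    return COMPATIBILITY       # static RSA key exchange: no forward secrecy


def parse_hex_list(text: str) -> List[Tuple[int, str]]:
    """Parse 'C02B TLS_...' lines into (IANA code point, suite name) pairs."""
    pairs = []
    for line in text.splitlines():
        if line.strip():
            code, name = line.split()
            pairs.append((int(code, 16), name))
    return pairs


def negotiable_under_tls10(names: List[str]) -> List[str]:
    """Suites a client stuck on TLS 1.0 can actually negotiate from a list."""
    return [n for n in names if not parse_suite(n).requires_tls12]


def report(names: List[str]) -> Dict[str, List[str]]:
    tiers: Dict[str, List[str]] = {RECOMMENDED: [], ACCEPTABLE: [], COMPATIBILITY: [], BROKEN: []}
    for n in names:
        tiers[rate(n)].append(n)
    return tiers


if __name__ == "__main__":
    firefox = [name for _, name in parse_hex_list(FIREFOX_POST_BEAST)]
    for tier, suites in report(firefox).items():
        print(f"{tier:14s} {len(suites)}: {', '.join(suites)}")
    print("negotiable by a TLS 1.0-only client:", negotiable_under_tls10(firefox))
```

Run against the Firefox list, the two GCM suites land in the recommended tier, the six (EC)DHE CBC suites are acceptable, the two static-RSA suites are compatibility-only, and only the eight CBC_SHA suites remain negotiable for a TLS 1.0-only client; that last result is the substance of the OP's complaint, independent of how howsmyssl.com colours its boxes.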
#15 IgotsThis (CrackBerry Genius, 1,772 posts)

Quote from Mr.Conviviality:
If your recommended process of DD is to do a "google search" or consult "Wikipedia", I question yours.

I won't pretend to be an expert in cryptography or mobile security, but I don't get the point of your finding.
The website says things are good, and things are bad. It does nothing to shed any light on any problem. You've shared nothing to confirm that there is an issue. You haven't shared a solution. In a way, you've come here to tell us that an M1A1 Abrams doesn't have an airbag, and as such isn't a safe vehicle.

Lolol alright alright I'll give you the Abrams example good one.

    Posted via CB10
#16 higherdestiny (CrackBerry Addict, 506 posts)

    ofutur.

    You're absolutely correct. BlackBerry 10 OS is not secure. You've proved it with absolute certainty with your wikipedia skills.

    I'm calling NATO to ask them why they certified BlackBerry 10 to receive NATO RESTRICTED status.
    I'm also going to demand the government to explain why they issued FIPS140-2 validation for BlackBerry 10 OS.
    I'm going to call the UK National security authority and blast them for issuing RESTRICTED IL3 classification for BlackBerry 10 Cryptographic API.
    I'm also going to email the Department of Defense and ask them for a reason they approved BlackBerry 10 for use in highly secure environments.

    CLEARLY these organizations haven't read wikipedia.
#17 ArmedHitman (CrackBerry Addict, 575 posts)

Quote from ofutur:
Exactly, but in this case, the limiting factor is the BlackBerry devices. Today's servers have no problem supporting much stronger encryption.
And it's OK for a device to support weak ones, for compatibility reasons, but it should offer the stronger ones, for those who need it.

It's a limiting factor because server hosting companies don't want to waste CPU utilisation encrypting and decrypting data on the fly to and from clients. This wastes power plus a lot of heat :/ just makes everything more tedious for them. People like bigger profit margins.

    Only offering a device with the strongest of encrypting techniques would leave it out in the cold and be left alone out in the world.

Take, for example, the switch to USB 3.0: it is there, but it's too slow, legacy devices are still available and most PCs are still on 2.0.

After Snowden I thought the world would get their act together and actually push for better cryptographic methods in the devices we use daily and rely on, but hey, that hasn't happened.
    Rocking a Xperia Z2 and a Q5
    Not powered by BlackBerry anymore but a hybrid!
#18 higherdestiny (CrackBerry Addict, 506 posts)

    P.S.

    On my desktop, I'm running the very latest beta release of firefox - and according to that site, it's "bad".

    I'm taking this site with a grain of salt.

    Not to mention, there's a LOT more to the security of a platform than the SSL version in the browser.
#19 ArmedHitman (CrackBerry Addict, 575 posts)

Quote from higherdestiny:
P.S.

On my desktop, I'm running the very latest beta release of firefox - and according to that site, it's "bad".

I'm taking this site with a grain of salt.

Not to mention, there's a LOT more to the security of a platform than the SSL version in the browser.

Kind of quoting someone up above, 'Firefox doesn't have everything enabled out of the box, the more advanced encryptions ain't actually activated out of the box'.

#20 ArmedHitman (CrackBerry Addict, 575 posts)

Quote from higherdestiny:
ofutur.

You're absolutely correct. BlackBerry 10 OS is not secure. You've proved it with absolute certainty with your wikipedia skills.

I'm calling NATO to ask them why they certified BlackBerry 10 to receive NATO RESTRICTED status.
I'm also going to demand the government to explain why they issued FIPS140-2 validation for BlackBerry 10 OS.
I'm going to call the UK National security authority and blast them for issuing RESTRICTED IL3 classification for BlackBerry 10 Cryptographic API.
I'm also going to email the Department of Defense and ask them for a reason they approved BlackBerry 10 for use in highly secure environments.

CLEARLY these organizations haven't read wikipedia.

Has someone ever told you 'The one thing you think is the most powerful part of something is normally the chink in its armour'? I agree that as a sandboxed environment, BlackBerry 10 is near perfect. But as time passes encryptions are cracked and flaws are found. This is one of those flaws, which is probably there because of website compatibility, because most websites do not support it, simple.

Furthermore, to invalidate your point and emphasis on a government actually supporting a device: the United States Air Force, last time I looked, was going to use iPhones. Last week 5 vulnerabilities were released and shown to work on iOS devices. So yes, you should be doing something about that! Plus Android and iOS have been cleared to be used on these networks.

    Link : http://m.crackberry.com/us-air-force...evices-iphones

    Facepalm time!

#21 p_r_a_g_m_a (CrackBerry Abuser, 148 posts)

    I know nothing about encryption but I remember urgent flash player update recently and I do know blackberries didn't get it.

#22 ofutur (Thread Author, CrackBerry Genius, 1,684 posts)

Quote from Richard Buckley:
Chrome, which gets a score of "Probably OK" (the highest possible), offers the following as the number 1 and 2 ciphers:
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

Which are good enough today, even if not as good as what you get on iOS and Android.

Quote from Richard Buckley:
My Z10 browser offers these as the number 1 and 2 ciphers (they are offered as number 5 and 6 by Chrome):
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

Which are not good enough, especially for a vendor touting the security card.

Quote from Richard Buckley:
After BEAST mitigation the following ciphers were recommended to be left in Firefox:
C02B TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
C02F TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
C009 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
C013 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
C00A TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
C014 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
0033 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
0039 TLS_DHE_RSA_WITH_AES_256_CBC_SHA
002F TLS_RSA_WITH_AES_128_CBC_SHA
0035 TLS_RSA_WITH_AES_256_CBC_SHA

Yep, (c0, 2f) is OK and stronger than what a BlackBerry supports. The rest is just there for compatibility reasons.

Quote from Richard Buckley:
I think you didn't read the foot notes on the "depends" state on the Wikipedia TLS article.

I did, and wrote in my OP that BEAST can be mitigated by patching the clients, but the protocol has evolved to better protect against this family of exploits and other vendors have moved on to a more secure stack, not BlackBerry.

Quote from Richard Buckley:
As we found out from the GOTO FAIL bug, and many before it, it doesn't matter how advanced your cryptography is if you screw up the implementation.

I completely agree, but many SSL attacks take place outside of the client and BlackBerry devices are missing the stronger cipher suites which would offer better protection for businesses in 2014.
    10.2.1 was just launched and they've missed an opportunity to level up with the competition.
#23 ofutur (Thread Author, CrackBerry Genius, 1,684 posts)

Quote from higherdestiny:
ofutur.

You're absolutely correct. BlackBerry 10 OS is not secure. You've proved it with absolute certainty with your wikipedia skills.

You can keep your head in the sand and twist my words all you want, at the end of the day it's the security of your transactions which are at stake... Ask any cryptographer what they think of TLS 1.0 and take decisions based on their answer.

    For reference, I said: "is not great at establishing secure connections" and Wikipedia is there so that people like you can get a grasp on what's going on.

Quote from higherdestiny:
I'm calling NATO to ask them why they certified BlackBerry 10 to receive NATO RESTRICTED status.

Funny you mention NATO since we all know how secure their communications were...

Quote from higherdestiny:
I'm also going to demand the government to explain why they issued FIPS140-2 validation for BlackBerry 10 OS.
I'm going to call the UK National security authority and blast them for issuing RESTRICTED IL3 classification for BlackBerry 10 Cryptographic API.
I'm also going to email the Department of Defense and ask them for a reason they approved BlackBerry 10 for use in highly secure environments.

CLEARLY these organizations haven't read wikipedia.

You CLEARLY didn't read my paragraph about FIPS and you CLEARLY mix up completely different concepts...

    Connecting to a secure site and decrypting documents on device are 2 separate things.... on top of that BES may create a more secure tunnel than what TLS offers for the browser and apps on device.

Quote from higherdestiny:
P.S.

On my desktop, I'm running the very latest beta release of firefox - and according to that site, it's "bad".

I'm taking this site with a grain of salt.

Not to mention, there's a LOT more to the security of a platform than the SSL version in the browser.

It's bad because Firefox is trailing. You need to manually enable TLS 1.2, but at least it's there.
    Chrome and Opera support (c0, 2f) and Safari on Mac is ahead.

    And yes, howsmyssl is to take with a grain of salt, it's mainly useful to get the list of cipher suites, but I've listed a better site for that, which should be less confusing.

    And yes, security is about more than the version of TLS available on a device, that's what FIPS140-2 is for, but you can be FIPS compliant and still establish weak (by 2014's definition) connections with external websites.
#24 oystersourced (CrackBerry Addict, 773 posts)

    You're overlooking the biggest flaw in the security model and that is the imbecile pushing the buttons.

#25 kbz1960 (Doesn't Matter, 65,198 posts)

Quote from oystersourced:
You're overlooking the biggest flaw in the security model and that is the imbecile pushing the buttons.

That's why the imbeciles need someone else to look out for them.

    Edit: BTW win 8.1 modern side browser is probably OK
    Sent from me using my fingers. Be pantless in 5K. Febreze - for more than smells.
    the 50K CrackBerry challenge
    Posted from my phone or pc or tablet that are no better than anyone else's