1. anon(8063781)
    When I go to the FREAK attack website on the Bold 9900, it says that my browser is vulnerable.

    However, I've been playing around with TLS/SSL settings (I'm trying to get LogicMail to work with Outlook.com again), and made a discovery.

    If you go to Options > Security > Advanced Security Settings > TLS and change "Encryption Strength" to "Strong Only" the browser will subsequently pass the FREAK attack test.

    I still don't know if I would trust it with anything important, but I think it could be a change worth making. Of course, it may break something else, so if you make this change, remember how to put it back if you need to do so later.
    05-20-16 09:40 AM
  2. anon(9721108)
    Yeah I did this with mine about a month ago, set to "Strong." I still get an occasional pop up on certain sites that "site may not be secure, proceed "yes" "no?" but that's a different animal, and not that the device isn't secure.

    With an older device we need every edge we can take.

    Sent from my BlackBerry 9900 using Tapatalk
    idssteve and AllanQuatermain like this.
    05-20-16 09:59 AM
  3. anon(6038817)
    Excellent tip! Thanks!

    Newfangled | C003C2D50
    05-21-16 11:02 PM
  4. terminatorx
    I recently wiped my 9900 and upgraded the OS from 7.1.0.1033 to 1098 (O2). When I went into the TLS options, it was already configured for strong only encryption, so maybe this was an improvement in 1098.

    To set the security even higher, you could uncheck SSL v3 support, which should force TLS 1.0 only. TLS 1.0 is very similar, but newer and considered v3.1 of SSL. A lot of newer browsers now have SSL 3.0 support disabled by default due to the exploits over the last year or so.

    http://www.jscape.com/blog/ssl-vs-tl...the-difference
    anon(8063781) and idssteve like this.
    05-22-16 01:18 AM
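
Added example (not part of any post in this thread, and not BlackBerry code): FREAK depends on export-grade RSA cipher suites, and both the highest protocol version and the cipher suites a client is willing to use are visible in the ClientHello it sends. The Python below audits a ClientHello record for those two things; the sample hellos are constructed, and which suites a 9900 actually sends under each "Encryption Strength" setting is an assumption, not something measured here.

```python
import struct

# Export-grade RSA suites (40-bit bulk ciphers) and their registry names.
EXPORT_RSA = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

def build_client_hello(version, suites):
    """Constructed sample input: minimal ClientHello record without extensions."""
    body = bytes(version) + bytes(32) + b"\x00"      # client_version, random, empty session id
    body += struct.pack(">H", 2 * len(suites))
    body += b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"                               # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x00" + struct.pack(">H", len(handshake)) + handshake

def audit_client_hello(record):
    """Report the highest protocol version offered and any export RSA suites."""
    if len(record) < 46 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    version = (record[9], record[10])                 # after 5-byte record + 4-byte handshake header
    pos = 9 + 2 + 32                                  # skip client_version and random
    pos += 1 + record[pos]                            # skip session id
    if pos + 2 > len(record):
        raise ValueError("truncated before cipher suite list")
    (n,) = struct.unpack(">H", record[pos:pos + 2])
    if n % 2 or pos + 2 + n > len(record):
        raise ValueError("bad cipher suite list length")
    suites = struct.unpack(">%dH" % (n // 2), record[pos + 2:pos + 2 + n])
    return {
        "max_version": VERSIONS.get(version, "unknown"),
        "offers_only_ssl3": version == (3, 0),
        "export_suites": [EXPORT_RSA[s] for s in suites if s in EXPORT_RSA],
    }

# Constructed suite lists, not captures from a real Bold 9900.
PERMISSIVE = build_client_hello((3, 1), [0x0005, 0x0004, 0x000A, 0x0003, 0x0006, 0x0008])
STRONG_ONLY = build_client_hello((3, 1), [0x002F, 0x0035, 0x000A, 0x0005])

if __name__ == "__main__":
    for name, hello in (("permissive", PERMISSIVE), ("strong only", STRONG_ONLY)):
        print(name, audit_client_hello(hello))
```

A client that no longer advertises export suites can still be affected if it accepts an export-grade key it did not ask for, so a clean result here is one check rather than proof.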
  5. anon(9721108)
    I recently wiped my 9900 and upgraded the OS from 7.1.0.1033 to 1098 (O2). When I went into the TLS options, it was already configured for strong only encryption, so maybe this was an improvement in 1098.
    So basically you have to always have a passcode on the lock screen?

    When I was setting up my encryption I read that for stronger encryption they just make you enter a longer passcode. Not sure if more is involved.

    Sent from my BlackBerry 9900 using Tapatalk
    05-22-16 01:35 AM
  6. terminatorx
    This is slightly different, as what you are referring to is encrypting the device file system. On this newer version of bbos, I didn't set up device encryption and it doesn't force me to use a password either. Mine just boots straight to the home screen.
    05-22-16 01:46 AM
  7. anon(9721108)
    This is slightly different, as what you are referring to is encrypting the device file system. On this newer version of bbos, I didn't set up device encryption and it doesn't force me to use a password either. Mine just boots straight to the home screen.
    Ok. On the old software when you set up encryption, we have to use a PW, as I'm sure you know. But beyond that I have a lot to learn.

    Sent from my BlackBerry 9900 using Tapatalk
    05-22-16 01:58 AM
  8. terminatorx
    That makes sense. If I enable device encryption, it will still force me to set up a password.

    The ssl/tls encryption which OP is talking about in this thread generally deals with your internet connections.
    05-22-16 02:07 AM
  9. anon(8063781)
    I recently wiped my 9900 and upgraded the OS from 7.1.0.1033 to 1098 (O2). When I went into the TLS options, it was already configured for strong only encryption, so maybe this was an improvement in 1098.

    To set the security even higher, you could uncheck SSL v3 support, which should force TLS 1.0 only. TLS 1.0 is very similar, but newer and considered v3.1 of SSL. A lot of newer browsers now have SSL 3.0 support disabled by default due to the exploits over the last year or so.

    SSL vs TLS - Know The Difference
    Thanks for the link! I think I'll try unchecking SSL v3 to test whether the device is still usable.
    05-22-16 08:56 AM
  10. anon(8063781)
    Thanks for the link! I think I'll try unchecking SSL v3 to test whether the device is still usable.
    Having this and the allow renegotiation box next to it unchecked will prevent you from signing into the Kindle app.
    06-06-16 07:24 AM
  11. idssteve
    Having this and the allow renegotiation box next to it unchecked will prevent you from signing into the Kindle app.
    Hmm, SSL3 setting, either way, seems ineffectual to Kindle on mine but unchecking "allow renegotiation" breaks my Kindle sync. Any way to "white list" Kindle?
    06-06-16 09:02 AM
  12. anon(8063781)
    Hmm, SSL3 setting, either way, seems ineffectual to Kindle on mine but unchecking "allow renegotiation" breaks my Kindle sync. Any way to "white list" Kindle?
    I don't know about the white list, but it looks like you've isolated the real culprit -- it must be the renegotiation setting.
    06-06-16 09:04 AM
  13. mushroom_daddy
    So I've now unchecked 'Permit SSL 3.0' and have left 'Permit Insecure Renegotiation' checked. Is that a good thing to do?!

    While looking for this setting on my 9900 I've stumbled across 'Key Stores' - what's that all about?

    When using the BB Browser I regularly get plagued (often repeatedly on the same page) with a dialogue box
    'The security of this connection cannot be verified <Continue> <Stop> <Details>'
    which when pressing <Details> usually comes up with 'Server Certificate Warning Details | Expired certificate The server certificate expired on ...' It would be great if somebody knew how to stop that happening.
    06-06-16 09:52 AM
  14. anon(9721108)
    So I've now unchecked 'Permit SSL 3.0' and have left 'Permit Insecure Renegotiation' checked. Is that a good thing to do?!

    While looking for this setting on my 9900 I've stumbled across 'Key Stores' - what's that all about?

    When using the BB Browser I regularly get plagued (often repeatedly on the same page) with a dialogue box
    'The security of this connection cannot be verified <Continue> <Stop> <Details>'
    which when pressing <Details> usually comes up with 'Server Certificate Warning Details | Expired certificate The server certificate expired on ...' It would be great if somebody knew how to stop that happening.
    If I recall Key Stores is when you set a password for something on your device. I had to deal with this even after wiping my 9900 clean and I could not get rid of a key or Password the previous owner had set for MP3 songs on this device. It was under "Private Certificates" if I recall. There are Private and Public Certificates. The permit Insecure Renegotiation just keeps a "10 attempt" limit off of your device for this or it would be fully wiped clean, if I recall.

    I remember when my Youtube refused to upload while I was in my hometown for Christmas and I tried adding Youtube.com to "Default Client Certificates" but this didn't help, it was a wifi setting under permissions that was the reason.

    Sent from my BlackBerry 9900 using Tapatalk
    06-06-16 10:34 AM
  15. anon(9721108)
    The server certificate expired on ...' It would be great if somebody knew how to stop that happening.
    My Permit 3.0 and Allow Renegotiation are checked off. I am trying to remember how I was able to open the locked certificate and then finally delete it. I remember options on each certificate when you press the BB button.

    Sent from my BlackBerry 9900 using Tapatalk
    06-06-16 10:43 AM
  16. anon(8063781)
    This is my little bit of knowledge, and as we know, a little bit of knowledge is a dangerous thing

    The Key Store stores certificates and encryption keys: Key Store; About The Key Store; Change The Key Store Password - Blackberry Bold 9900 User Manual [Page 258]

    Permit insecure renegotiation, if I understand it correctly, allows your device to contact a server via an insecure plain text connection, and then negotiate an upgrade to an encrypted SSL or TLS connection.

    TLS is supposed to be an upgrade over SSL 3.0, which is the last version of SSL, but I have no idea whether using SSL 3.0 increases your vulnerability to attacks or not. I do know that SSL is still used by a lot of servers, so you may find functionality broken if you disable it. I don't know.
    mushroom_daddy likes this.
    06-06-16 06:00 PM
  17. anon(9721108)
    This is my little bit of knowledge, and as we know, a little bit of knowledge is a dangerous thing
    This is why if I make a mistake, I want you to correct me, or anyone. After all it has been 6 months since I went through all this, and hopefully I never have to go through it again.

    Still much to learn.

    Sent from my BlackBerry 9900 using Tapatalk
    06-06-16 07:26 PM
  18. anon(8063781)
    This is why if I make a mistake, I want you to correct me, or anyone. After all it has been 6 months since I went through all this, and hopefully I never have to go through it again.

    Still much to learn.

    Sent from my BlackBerry 9900 using Tapatalk
    That wasn't directed at you, Ralph! It was my own disclaimer. I don't know much about this at all. What I do know I learned over at webOS Nation (since webOS is open source, they've fixed their certificate issues), and when I was (unsuccessfully) trying to get LogicMail to work with SSL.
    06-06-16 07:32 PM
  19. anon(9721108)
    Cool. Just clarifying

    Sent from my BlackBerry 9900 using Tapatalk
    06-06-16 07:34 PM
