1. tickerguy's Avatar
    Ok, this is interesting.

    While playing around with an HTTPS test server this morning I shut off SSLv3 -- and as soon as I did so my Z10 refused to talk to the machine any more with an error indicating that there were no compatible ciphers!

    Now what it DID come up with when left alone was SSLv3:ECDHE-RSA-RC4-SHA, which is not terrible. But I'd much rather it be TLS1 (whether 1, 1.1 or 1.2) and AES as I'd like to disable RC4 entirely. Ideally it would be TLS 1.1 or better.

    Killing RC4 however means XP clients can't connect at present; for some services this is ok with me, but not for all since I still do have clients on XP.

    But SSLv3, while ok, is far from ideal. And modern browsers tend to support at least TLS 1.1, which doesn't have any of the known attack vectors.

    Interestingly enough a check at SSLLabs shows it DOES support TLS.

    Hmmmm..... now to see what's going on with the server end -- this is extremely odd.
    Attached Thumbnails BB10 SSL problem-img_00000484.jpg  
    10-03-13 02:55 PM
  2. pkcable's Avatar
    You are talking Greek to me!
    10-04-13 08:51 AM
  3. tickerguy's Avatar
    SSLv3 is considered obsolete, but it appears that the BB10 browser demands it.

    Web servers are increasingly turning this off (and with good reason) which means there's a forward problem here that is unlikely to bite you today, but will bite you tomorrow. The problem with shutting it off right now is that doing so precludes Windows XP running older IE versions from connecting using https: at all. It therefore is not typically shut off on commercial sites right now, but it will be in the future as there are traffic-prediction attacks that can be potentially used against it, particularly with site cookies if the cookie in question is known (e.g. an active attack .vs. a passive monitoring one.)

    In short the browser should be preferring TLS, preferably TLS 1.2 although 1.1 is acceptable (there is poor uptake on 1.2 thus far, but decent uptake on 1.1)
    Last edited by tickerguy; 10-04-13 at 09:20 AM.
    10-04-13 09:04 AM
  4. tickerguy's Avatar
    I suspect, although I'm not yet able to prove, that the screen displaying the protocol is wrong.

    This shouldn't be possible given how I have things configured right now and in fact ssllabs says that SSLv3 is in fact off. But the browser's display window says that's what it negotiated (impossible.)

    Therefore this looks like a "the browser is lying about the protocol it used" problem rather than "the browser actually forces a potentially-insecure protocol down the web site's throat."

    BTW the rest of what's in that string below is very secure. In fact, equal or better than pretty-much anything else in the market right now. AES256 is excellent as a cipher and ECDHE as a key exchange means that you have perfect forward secrecy, so even if the web site's private key is divulged later on retrospective decryption of previously-stored sessions is not helped.

    Assuming the actual protocol is TLS v1.1 or better (and not SSLv3 as claimed) the potential traffic-analysis attacks won't work either.
    Attached Thumbnails BB10 SSL problem-img_00000485.jpg  
    10-04-13 09:15 AM

Similar Threads

  1. Replies: 29
    Last Post: 10-04-13, 03:01 PM
  2. Lock video orientation at landscape
    By ibimmer in forum BlackBerry 10 OS
    Replies: 1
    Last Post: 10-03-13, 03:12 PM
  3. No Z30 announcement for Rogers/Fido time to complain
    By R Field in forum BlackBerry Z30
    Replies: 5
    Last Post: 10-03-13, 01:59 PM
  4. Loaded 1767 - Now SMS Text Messages no longer work at all!
    By Tim Smith2 in forum BlackBerry 10 OS
    Replies: 3
    Last Post: 10-03-13, 08:41 AM