Is there information on when BlackBerry is going to address the FREAK vulnerability? Attachment 338684
Posted via CB10
Printable View
Is there information on when BlackBerry is going to address the FREAK vulnerability? Attachment 338684
Posted via CB10
Well maybe someone should tell them before asking about their plans?
It hasn't even been 24hrs since it was announced on a mass scale
Let's see how long it will take them to fix this compared to other affected manufacturers. Then we'll see whether this "security" thing is just marketing or not ;)
They issued a statement:https://n4bb.com/blackberry-10-vulne...ppling-attack/
A crackberry member called Ofutur, once raised the issue of outdated SSL/TLS components of BlackBerry 10, which could render BB10 devices vulnerable to attacks, but some people were too quick to criticize and dismiss his claims. now i know he was right all along. here is the thread The "secure" BB10 OS is not great at establishing secure connections because it uses dated protocols
LOL the other give a date. Blackberry is just investigating.
The best move would be listing BBs browser as an installed app in BB world so that they could update it without having to issue a new OS that has to be tested by carriers.
Though it seems TLS components have long been updated to the most modern version on OS10.3.1. See
Attachment 338778
Posted via CB10 using my Gorgeous Z30
You're an ***** companies offer a bounty when you give them an opportunity to respond to a security bug and fix. Facebook recently paid �8000 to a developer who discovered a piece of code could delete photos forever.
Posted via CB10
I like your idea wholeheartedly.. :)) We can hopefully then get a leaked earlier bar for browser with flash.. however it would definitely keep you vulnerable to this attack they speak of..
Posted via CB10
Attachment 338802
My results the other day. And then I don't get a passing result the next day
Posted via CB10
But yes 10.3.1 is using the latest TLS1.2
Posted via CB10
The problem is that the browser bar file is not much more than a UI. Most functions lie in the OS itself. I'm not sure about this particular feature though.
Z30STA100-5/10.3.1.2267
Guess the Z30 owners who the update was pulled are still vulnerable until they find a fix for the reason it was pulled.
I wonder if that freak detector website does more than sniff the browser user agent. Most websites think the bb10 browser is the Apple Brower since both are based on webkit.
Posted via CB10
This is a misleading title
Posted via CB10
I'm still on 10.2.1
Should I go off the grid? /s
Posted via CB10
Yes, definitely.
Websites can query a browser for the security certificates it will accept. Likely the site is looking to see if a browser will accept an affected certificate, and if it doesn't gives you a positive result.
Posted via CB10
SSL/TLS negotiation requires server send to the client the list of encryption ciphers that it supports. The client then goes down the list of ciphers that it supports, in the order from first to last and compares them. When it finds one that both support, it informs the server of which cipher wait is going to use, and once the server agrees, the client generates a symmetric encryption key, and encrypts it, using the public key of the servers SSL certificate.
All the site mentioned has to do, is to pass the cipher algorithms that are vulnerable and see what the client returns.
Passing one time and not another could happen if the site mentioned earlier changes the sequence of ciphers it sends to the client, from one test to another.
Posted via CB10
http://www.theregister.co.uk/2015/03...ks_out_tlsssl/
Posted via CB10
Try Evolution Browser, tests not vulnerable under 10.2.1....
Posted via CB10
I just tried all browsers I have installed on my Passport, Evolution was listed as vulnerable! As was Alpha browser and the Blackberry browser. The only one I have that is safe is Firefox, but I didn't try other Android browsers.
Tested on my Passport with 10.2.1.2267 using https://freakattack.com/
I posted this on another thread before I saw this one.
Rockin a Passport and Z30! Two devices are better than 1!
This is not really a browser vulnerability, since the browser doesn't propose the cipher suite list. The site you connect to does.
If the server you are connecting to allows downgrades to export-grade (in other words, WEAK!) encryption, then there's a potential problem. But the fault does not lie with the browser, it lies with the server that allowed that to take place.
Disabling those ciphers in the BB10 browser would "fix" that risk, but at the cost of not allowing connections to servers that only support weak ciphers at all. I am not at all sure this is the right choice, given that BlackBerry sells into international markets, including some with repressive regimes that might mandate the use ONLY of "breakable" ciphers.
It is in fact a browser problem, and the browser does specify to the server what ciphers it is willing to accept. This article has more information but the hello message from the browser specifies the ciphers it is willing to accept, the server responds with the subset of that list that it supports and the browser chooses one. This attack works because some browsers will accept a list of ciphers that do not contain suits that they originally specified. Those are the browsers that need to be patched.
It isn't that the server allows the downgrade, but that the server has an export grade key that it is willing to use if asked for. A man in the middle attack is needed to intercept the browser request and replace it with one asking for a connection using a weak key. The server isn't downgraded because it never sees a request for a strong key. This is why browsers should not accept suites they didn't request.If the server you are connecting to allows downgrades to export-grade (in other words, WEAK!) encryption, then there's a potential problem. But the fault does not lie with the browser, it lies with the server that allowed that to take place.
This is true, but it is an argument for the ability to configure cipher suites in the browser.Disabling those ciphers in the BB10 browser would "fix" that risk, but at the cost of not allowing connections to servers that only support weak ciphers at all. I am not at all sure this is the right choice, given that BlackBerry sells into international markets, including some with repressive regimes that might mandate the use ONLY of "breakable" ciphers.
This vulnerability is, for now, mitigated by the fact that the attacker has to factor the key, which still takes about $100 worth of computer time (for each key), and some level of sophistication. Then go somewhere that they can launch a MiM attack (an open Wi-Fi hotspot) and wait for someone to visit a site for which they have factored the key. Certainly possible, but maybe not practical, or the most profitable use of their time and money. When keys start to appear pre-factored in attack toolkits it will be much more practical.