08-18-15 10:10 AM
132 123 ...
tools
  1. farvardinzad's Avatar
    Is there information on when BlackBerry is going to address the FREAK vulnerability? BB10 vulnerable to FREAK-img_20150304_122734.png

    Posted via CB10
    rhitdoph likes this.
    03-04-15 05:39 AM
  2. paulwallace1234's Avatar
    Well maybe someone should tell them before asking about their plans?
    It hasn't even been 24hrs since it was announced on a mass scale
    Last edited by paulwallace1234; 03-04-15 at 07:15 AM.
    Rustybronco likes this.
    03-04-15 06:51 AM
  3. Maxxxpower's Avatar
    Let's see how long it will take them to fix this compared to other affected manufacturers. Then we'll see whether this "security" thing is just marketing or not
    Magnetox, kbz1960 and techvisor like this.
    03-04-15 08:31 AM
  4. Maxxxpower's Avatar
    03-04-15 10:28 AM
  5. dustmalik's Avatar
    A crackberry member called Ofutur, once raised the issue of outdated SSL/TLS components of BlackBerry 10, which could render BB10 devices vulnerable to attacks, but some people were too quick to criticize and dismiss his claims. now i know he was right all along. here is the thread The "secure" BB10 OS is not great at establishing secure connections because it uses dated protocols
    03-04-15 10:59 AM
  6. kbz1960's Avatar
    LOL the other give a date. Blackberry is just investigating.
    techvisor likes this.
    03-04-15 11:02 AM
  7. Maxxxpower's Avatar
    The best move would be listing BBs browser as an installed app in BB world so that they could update it without having to issue a new OS that has to be tested by carriers.
    03-04-15 11:08 AM
  8. dustmalik's Avatar
    Though it seems TLS components have long been updated to the most modern version on OS10.3.1. See
    BB10 vulnerable to FREAK-img_20150304_184012.png

    Posted via CB10 using my Gorgeous Z30
    03-04-15 11:43 AM
  9. Acvdm's Avatar
    You're an ***** companies offer a bounty when you give them an opportunity to respond to a security bug and fix. Facebook recently paid 8000 to a developer who discovered a piece of code could delete photos forever.

    Posted via CB10
    rhitdoph likes this.
    03-04-15 12:10 PM
  10. annon91221's Avatar
    The best move would be listing BBs browser as an installed app in BB world so that they could update it without having to issue a new OS that has to be tested by carriers.
    I like your idea wholeheartedly.. ) We can hopefully then get a leaked earlier bar for browser with flash.. however it would definitely keep you vulnerable to this attack they speak of..

    Posted via CB10
    tipplex likes this.
    03-04-15 12:15 PM
  11. Dave Bourque's Avatar
    BB10 vulnerable to FREAK-img_20150303_184026.png
    My results the other day. And then I don't get a passing result the next day

    Posted via CB10
    03-04-15 12:43 PM
  12. Dave Bourque's Avatar
    But yes 10.3.1 is using the latest TLS1.2

    Posted via CB10
    03-04-15 12:43 PM
  13. conite's Avatar
    The best move would be listing BBs browser as an installed app in BB world so that they could update it without having to issue a new OS that has to be tested by carriers.
    The problem is that the browser bar file is not much more than a UI. Most functions lie in the OS itself. I'm not sure about this particular feature though.

    Z30STA100-5/10.3.1.2267
    03-04-15 12:50 PM
  14. kbz1960's Avatar
    But yes 10.3.1 is using the latest TLS1.2

    Posted via CB10
    Guess the Z30 owners who the update was pulled are still vulnerable until they find a fix for the reason it was pulled.
    03-04-15 01:01 PM
  15. gariac's Avatar
    I wonder if that freak detector website does more than sniff the browser user agent. Most websites think the bb10 browser is the Apple Brower since both are based on webkit.


    Posted via CB10
    03-05-15 02:24 AM
  16. Pluto is a planet's Avatar
    This is a misleading title

    Posted via CB10
    03-05-15 02:29 AM
  17. mvpcrossxover's Avatar
    Guess the Z30 owners who the update was pulled are still vulnerable until they find a fix for the reason it was pulled.
    I'm still on 10.2.1

    Should I go off the grid? /s

    Posted via CB10
    kbz1960 likes this.
    03-05-15 02:31 AM
  18. dcbo89's Avatar
    I'm still on 10.2.1

    Should I go off the grid? /s

    Posted via CB10
    Yes, definitely.
    kbz1960 likes this.
    03-05-15 03:38 AM
  19. rthonpm's Avatar
    I wonder if that freak detector website does more than sniff the browser user agent. Most websites think the bb10 browser is the Apple Brower since both are based on webkit.


    Posted via CB10
    Websites can query a browser for the security certificates it will accept. Likely the site is looking to see if a browser will accept an affected certificate, and if it doesn't gives you a positive result.


    Posted via CB10
    03-05-15 04:49 AM
  20. IanWood62's Avatar
    SSL/TLS negotiation requires server send to the client the list of encryption ciphers that it supports. The client then goes down the list of ciphers that it supports, in the order from first to last and compares them. When it finds one that both support, it informs the server of which cipher wait is going to use, and once the server agrees, the client generates a symmetric encryption key, and encrypts it, using the public key of the servers SSL certificate.

    All the site mentioned has to do, is to pass the cipher algorithms that are vulnerable and see what the client returns.

    Passing one time and not another could happen if the site mentioned earlier changes the sequence of ciphers it sends to the client, from one test to another.

    Posted via CB10
    03-05-15 07:17 AM
  21. The Big Picture's Avatar
    03-05-15 10:52 AM
  22. tmichaelchurch's Avatar
    Try Evolution Browser, tests not vulnerable under 10.2.1....

    Posted via CB10
    03-06-15 11:06 AM
  23. DickDorf's Avatar
    I just tried all browsers I have installed on my Passport, Evolution was listed as vulnerable! As was Alpha browser and the Blackberry browser. The only one I have that is safe is Firefox, but I didn't try other Android browsers.

    Tested on my Passport with 10.2.1.2267 using https://freakattack.com/

    I posted this on another thread before I saw this one.



    Rockin a Passport and Z30! Two devices are better than 1!
    03-06-15 11:37 AM
  24. tickerguy's Avatar
    This is not really a browser vulnerability, since the browser doesn't propose the cipher suite list. The site you connect to does.

    If the server you are connecting to allows downgrades to export-grade (in other words, WEAK!) encryption, then there's a potential problem. But the fault does not lie with the browser, it lies with the server that allowed that to take place.

    Disabling those ciphers in the BB10 browser would "fix" that risk, but at the cost of not allowing connections to servers that only support weak ciphers at all. I am not at all sure this is the right choice, given that BlackBerry sells into international markets, including some with repressive regimes that might mandate the use ONLY of "breakable" ciphers.
    Joshu42 likes this.
    03-06-15 05:01 PM
  25. Richard Buckley's Avatar
    This is not really a browser vulnerability, since the browser doesn't propose the cipher suite list. The site you connect to does.
    It is in fact a browser problem, and the browser does specify to the server what ciphers it is willing to accept. This article has more information but the hello message from the browser specifies the ciphers it is willing to accept, the server responds with the subset of that list that it supports and the browser chooses one. This attack works because some browsers will accept a list of ciphers that do not contain suits that they originally specified. Those are the browsers that need to be patched.

    If the server you are connecting to allows downgrades to export-grade (in other words, WEAK!) encryption, then there's a potential problem. But the fault does not lie with the browser, it lies with the server that allowed that to take place.
    It isn't that the server allows the downgrade, but that the server has an export grade key that it is willing to use if asked for. A man in the middle attack is needed to intercept the browser request and replace it with one asking for a connection using a weak key. The server isn't downgraded because it never sees a request for a strong key. This is why browsers should not accept suites they didn't request.

    Disabling those ciphers in the BB10 browser would "fix" that risk, but at the cost of not allowing connections to servers that only support weak ciphers at all. I am not at all sure this is the right choice, given that BlackBerry sells into international markets, including some with repressive regimes that might mandate the use ONLY of "breakable" ciphers.
    This is true, but it is an argument for the ability to configure cipher suites in the browser.

    This vulnerability is, for now, mitigated by the fact that the attacker has to factor the key, which still takes about $100 worth of computer time (for each key), and some level of sophistication. Then go somewhere that they can launch a MiM attack (an open Wi-Fi hotspot) and wait for someone to visit a site for which they have factored the key. Certainly possible, but maybe not practical, or the most profitable use of their time and money. When keys start to appear pre-factored in attack toolkits it will be much more practical.
    techvisor likes this.
    03-06-15 05:23 PM
132 123 ...

Similar Threads

  1. Replies: 2
    Last Post: 04-03-15, 11:01 PM
  2. Replies: 14
    Last Post: 03-04-15, 12:10 PM
  3. Replies: 1
    Last Post: 03-04-15, 05:27 AM
  4. Passport to Knowledge
    By paxtonbt in forum BlackBerry Passport
    Replies: 0
    Last Post: 03-04-15, 03:09 AM
  5. How to do group texting for Blackberry 9900?
    By CrackBerry Question in forum Ask a Question
    Replies: 0
    Last Post: 03-04-15, 02:44 AM
LINK TO POST COPIED TO CLIPBOARD