1. brightberry's Avatar
    Importing the cert below (settings > security&privacy > certificates) fixes the problem:
    https://www.amazontrust.com/repository/SFSRootCAG2.pem

    Posted via CB10
    How does one import this certificate? Has anyone else tried this? If this is the fix? Yes? Comments? Did we just roll over his fix?



    Posted via CB10
    07-26-16 08:52 AM
  2. ridmaur's Avatar
    I imported the certificate but it didn't solve the problem for the synology site. To import, save the certificate to a .pem file and import it in the Security > Certificate part of Settings.

    Posted via CB10
    07-26-16 03:53 PM
  3. Chuck Finley69's Avatar
    This is the kind of stuff that started happening on my six month old Passport so I bought a PRIV. I don't think enough support is there for BB10 anymore hence the delays in 10.3.3. Seriously doubt whether 10.3.4 will ever happen. I feel they're just buying time until Android 7 Nougat. They've already made claim that it can be secured like BB10. Either way, I'm forced to move to Android or IOS. At least BerryDroid gives me some BB10 features.

    Posted via the CrackBerry App for Android
    RPM_KW likes this.
    07-28-16 09:53 AM
  4. Richard Buckley's Avatar
    ... They've already made claim that it can be secured like BB10...
    Actually they have not made that claim yet. That is their goal, and one could argue it is more secure than stock Android, but that really depends on how you assess security.

    LeapSTR100-2/10.3.2.2876
    elfabio80 and Vistaus like this.
    07-28-16 02:35 PM
  5. WP7Nettwerk's Avatar
    Take a look at when the certificate expires. I believe this is the problem.
    07-28-16 04:21 PM
  6. Chuck Finley69's Avatar
    Actually they have not made that claim yet. That is their goal, and one could argue it is more secure than stock Android, but that really depends on how you assess security.

    LeapSTR100-2/10.3.2.2876
    Sorry, my statement was supposed to read that BlackBerry thinks it will achieve BB10 level of security with Android 7.0 Nougat.

    Posted via the CrackBerry App for Android
    07-28-16 04:42 PM
  7. brightberry's Avatar
    CrackBerry is this not one of the very issues that could be forwarded to BlackBerry by you? Would it not be possible to get some feedback on numbers to validate its significance as a browser issue that requires a fix? This is something that used to be done as one of the special facets of the CrackBerry/BlackBerry relationship. Is that door no longer open? It is in BlackBerry's interest to demonstrate commitment to continue to support BB10 users...

    Posted via CB10
    07-28-16 10:25 PM
  8. Chuck Finley69's Avatar
    CrackBerry is this not one of the very issues that could be forwarded to BlackBerry by you? Would it not be possible to get some feedback on numbers to validate its significance as a browser issue that requires a fix? This is something that used to be done as one of the special facets of the CrackBerry/BlackBerry relationship. Is that door no longer open? It is in BlackBerry's interest to demonstrate commitment to continue to support BB10 users...

    Posted via CB10
    I think Blackberry's true commitment is to Android going forward. Any commitment to BB10 is only to large enterprise clients and they are supporting those clients by moving to software based solutions for Android, IOS with BB10 conspicuously absent.

    Posted via the CrackBerry App for Android
    Troy Tiscareno likes this.
    07-29-16 11:48 AM
  9. moyah8's Avatar
    I think Blackberry's true commitment is to Android going forward. Any commitment to BB10 is only to large enterprise clients and they are supporting those clients by moving to software based solutions for Android, IOS with BB10 conspicuously absent.

    Posted via the CrackBerry App for Android
    Spot on.

    Took me awhile to accept that. I do now.

    Posted via CB10 on my ClassicSQC100-1/10.3.2.2876
    07-30-16 05:25 AM
  10. TheAmazingHarold's Avatar
    [Attached image: IMG_20160821_081930.png]
    Spoke to BlackBerry on Twitter about this and their response seems like a cop out to me. Any web developers out there that might be able to explain why a misconfigured web site might break a certificate chain? Makes zero sense to me.

    Posted via CB10
    08-20-16 05:25 PM
  11. Richard Buckley's Avatar
    Spoke to BlackBerry on Twitter about this and their response seems like a cop out to me. Any web developers out there that might be able to explain why a misconfigured web site might break a certificate chain? Makes zero sense to me.

    Posted via CB10
    Actually when I was transitioning one of my web servers from Apache to Nginx I initially set up Nginx using the Apache certificate bundle. This caused a configuration error that only my BlackBerry detected. None of the other browsers responded badly. When I reformatted the certificate bundle to the form expected by Nginx the BlackBerry was happy. For the sake of clarity this bundle was using the exact same certificates signed by the same CA, the same chain, same serial number same signature, same hash; same everything.

    So if your browser is paying attention to everything in the TLS handshaking, and does not accept the certificate because something is misconfigured then it is relatively easy to cause problems for such a browser. The question is, do you want your browser to indicate that there is an irregularity and, if it is serious enough, not accept the connection, or do you want it to shrug (figuratively) and carry on? After all, what could go wrong? You do have to remember that BlackBerry cryptography software comes from Certicom. Most other browsers use cryptography derived from OpenSSL, the people who brought you HeartBleed.

    Update:
    The full URLs you are talking about with BlackBerry help are not fully readable. However I have browsed to https://reddit/r/blackberry/ without problems, and there are no certificate irregularities. Based on how HTTPS works I don't think any pages under /r/blackberry would have certificate based issues.
    Last edited by Richard Buckley; 08-21-16 at 10:12 AM.
    08-20-16 06:23 PM
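
An added example, not part of the post above and not BlackBerry or Nginx code: the post does not say what was wrong with the bundle, so this assumes the problem was certificate order (Nginx expects the server certificate first in the combined file, followed by the intermediates). Function names and sample certificate names are hypothetical.

```python
# Added example (not from the thread). Input is the text printed by:
#   openssl crl2pkcs7 -nocrl -certfile bundle.pem | openssl pkcs7 -print_certs -noout
# Names are compared as text, which is enough to check ordering; it is not
# signature verification.

def parse_certs(text):
    """Return [(subject, issuer), ...] in the order the bundle lists them."""
    certs, subject = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("subject="):
            subject = line[len("subject="):].strip()
        elif line.startswith("issuer=") and subject is not None:
            certs.append((subject, line[len("issuer="):].strip()))
            subject = None
    return certs

def check_bundle(text):
    """Return a list of ordering problems; an empty list means leaf-first and unbroken."""
    certs = parse_certs(text)
    if not certs:
        return ["no certificates found"]
    problems = []
    # The server (leaf) certificate is the one no other certificate names as issuer.
    used_as_issuer = {issuer for subj, issuer in certs if subj != issuer}
    leaves = [subj for subj, _ in certs if subj not in used_as_issuer]
    if len(leaves) != 1:
        problems.append(f"expected one server certificate, found {len(leaves)}")
    elif certs[0][0] != leaves[0]:
        problems.append(f"server certificate {leaves[0]!r} is not first")
    # Every certificate must be followed directly by the certificate of its issuer.
    for pos, ((_, issuer), (next_subj, _)) in enumerate(zip(certs, certs[1:])):
        if issuer != next_subj:
            problems.append(
                f"certificate {pos} is followed by {next_subj!r}, not its issuer {issuer!r}")
    return problems

# Constructed sample listings (hypothetical names).
LEAF_FIRST = """
subject=CN = www.example.test
issuer=CN = Example Intermediate CA

subject=CN = Example Intermediate CA
issuer=CN = Example Root CA
"""
CA_FIRST = """
subject=CN = Example Intermediate CA
issuer=CN = Example Root CA

subject=CN = www.example.test
issuer=CN = Example Intermediate CA
"""

if __name__ == "__main__":
    for name, listing in (("leaf first", LEAF_FIRST), ("CA first", CA_FIRST)):
        print(name, "->", check_bundle(listing) or "ok")
```

Both sample bundles contain the same two certificates; only the order differs, which matches the situation the post describes where a lenient client accepts the bundle and a strict one does not.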
  12. Supa_Fly1's Avatar
    I'm seeing a lot of this lately on my Passport. Not sure if this is good or bad.
    BlackBerry certificates are outdated in BB10; it's been a VERY long time since our browser was updated actually.

     P A S S P O R T ;=> Yeah it gets me excited
    08-20-16 11:28 PM
  13. Supa_Fly1's Avatar
    Spoke to BlackBerry on Twitter about this and their response seems like a cop out to me. Any web developers out there that might be able to explain why a misconfigured web site might break a certificate chain? Makes zero sense to me.

    Posted via CB10
    Passport. At least twitter over Web still works.

     P A S S P O R T ;=> Yeah it gets me excited
    08-20-16 11:32 PM
  14. Vistaus's Avatar
    Passport. At least twitter over Web still works.

     P A S S P O R T ;=> Yeah it gets me excited
    The Twitter app works great on my Passport still.

    Posted via CB10 using BlackBerry Passport (OG Red)
    08-20-16 11:54 PM
  15. Vistaus's Avatar
    BlackBerry certificates are outdated in BB10; it's been a VERY long time since our browser was updated actually.

     P A S S P O R T ;=> Yeah it gets me excited
    Dude, have you even read Richard Buckley's post above yours? 'Cause it may not have anything to do with outdated certificates, as he explains.

    Posted via CB10 using BlackBerry Passport (OG Red)
    Supa_Fly1 likes this.
    08-20-16 11:55 PM
  16. Richard Buckley's Avatar
    BlackBerry certificates are outdated in BB10; it's been a VERY long time since our browser was updated actually.

     P A S S P O R T ;=> Yeah it gets me excited
    The only way certificates on a system can be outdated is if there is a big change in the cryptographic basis of the certificate standards, or if a new CA becomes popular.

    One instance of the first example is the deprecation of the SHA1 signature algorithm in certificates. The official deadline for this is January 1 2017, although some companies are trying to push this up. However when the community agrees on an implementation date for deprecating something and a few individuals decide to go early, those individuals are the bad guys.

    The key store in BB10 does still have many CA certificates that are signed using SHA1-RSA. It also has many that are signed with SHA2 hashes. This is probably a reflection of who had their Root CA Certificates updated prior to the last BB10 update. If 10.3.3 doesn't have any CA updates, or it comes after January 1, 2017 BB10 will be out of date. I just checked my Firefox certificate store, it still has CA certificates signed with SHA1 as well.

    An instance of the second example would be the EFF's CA for Let's Encrypt. Acceptance of new CAs takes a lot of time and work. Firefox has just agreed to add the Let's Encrypt CA. As far as I know they are the only ones so far. The BlackBerry browser won't load Let's Encrypt secured sites without intervention. This is not just because BB10 doesn't have their new CA, but also because BB10 doesn't trust the existing CA the EFF chose to cross sign with. Each browser provider has to choose which Root CAs to include. This is a balance of security (since not all CAs are equally trustworthy) and convenience (users not having to take special action). BlackBerry, at least with BBOS and BB10, has set the security bar higher. This is one of the reasons I prefer BB10 over other mobile devices. I'm willing to accept that I will have to occasionally decide if I want to override the browser to see a site. I consider this a security feature. If you don't, then that is a reason to consider one of the other OSs or browsers available.

    LeapSTR100-2/10.3.2.2876
    Supa_Fly1 likes this.
    08-21-16 09:04 AM
  17. Delil's Avatar
    I understand your explanation. The thing here is that we can't override the browser. We don't get the option "we understand the risks".
    08-21-16 12:00 PM
  18. Richard Buckley's Avatar
    I understand your explanation. The thing here is that we can't override the browser. We don't get the option "we understand the risks".
    Well as other browser providers start to recognise misconfigured TLS as a security problem they are starting to follow suit. On our development network I'm starting to see later versions of Firefox and Chrome refuse to allow connections during regression testing of some sites.

    LeapSTR100-2/10.3.2.2876
    08-21-16 12:57 PM
  19. Vistaus's Avatar
    I understand your explanation. The thing here is that we can't override the browser. We don't get the option "we understand the risks".
    On my laptop in Chromium and Web (formerly Epiphany) I also don't get the option to override. My dad doesn't get the option on Pale Moon either. We're using the default security settings of said browsers.

    So BlackBerry's not to blame here.

    Posted via CB10 using my amazing BlackBerry Passport (OG Red)
    08-21-16 04:42 PM
  20. RAZiHaD's Avatar
    Use http:// instead of https://

    Posted via CB10
    08-22-16 08:09 PM
  21. Supa_Fly1's Avatar
    The only way certificates on a system can be outdated is if there is a big change in the cryptographic basis of the certificate standards, or if a new CA becomes popular.

    One instance of the first example is the deprecation of the SHA1 signature algorithm in certificates. The official deadline for this is January 1 2017, although some companies are trying to push this up. However when the community agrees on an implementation date for deprecating something and a few individuals decide to go early, those individuals are the bad guys.

    The key store in BB10 does still have many CA certificates that are signed using SHA1-RSA. It also has many that are signed with SHA2 hashes. This is probably a reflection of who had their Root CA Certificates updated prior to the last BB10 update. If 10.3.3 doesn't have any CA updates, or it comes after January 1, 2017 BB10 will be out of date. I just checked my Firefox certificate store, it still has CA certificates signed with SHA1 as well.

    An instance of the second example would be the EFF's CA for Let's Encrypt. Acceptance of new CAs takes a lot of time and work. Firefox has just agreed to add the Let's Encrypt CA. As far as I know they are the only ones so far. The BlackBerry browser won't load Let's Encrypt secured sites without intervention. This is not just because BB10 doesn't have their new CA, but also because BB10 doesn't trust the existing CA the EFF chose to cross sign with. Each browser provider has to choose which Root CAs to include. This is a balance of security (since not all CAs are equally trustworthy) and convenience (users not having to take special action). BlackBerry, at least with BBOS and BB10, has set the security bar higher. This is one of the reasons I prefer BB10 over other mobile devices. I'm willing to accept that I will have to occasionally decide if I want to override the browser to see a site. I consider this a security feature. If you don't, then that is a reason to consider one of the other OSs or browsers available.

    LeapSTR100-2/10.3.2.2876

    Thank you greatly for this explanation!

    I'm curious, then why this ONLY occurs on the Passport, Classic, and Z30, not the Z10 ... and I see this jumping on the same exact WiFi AP and SSID. which I'm confused about.
    08-23-16 06:24 PM
  22. Richard Buckley's Avatar
    Thank you greatly for this explanation!

    I'm curious, then why this ONLY occurs on the Passport, Classic, and Z30, not the Z10 ... and I see this jumping on the same exact WiFi AP and SSID. which I'm confused about.
    Well that is hardly enough information to start diagnosing the issue. Does the access point do deep packet inspection?
    08-23-16 08:15 PM
  23. mmhmm's Avatar
    Yeah have seen this problem. If u have an administrator such as for BES management of browser, get them to add the website into their system.
    08-24-16 08:51 AM
  24. anon(4295315)'s Avatar
    I've been getting these too -- for legit websites.

    Easiest workaround was to install firefox mobile, use the website, and then uninstall.
    08-24-16 11:30 AM
  25. Farzeen25's Avatar
    The only way certificates on a system can be outdated is if there is a big change in the cryptographic basis of the certificate standards, or if a new CA becomes popular.

    One instance of the first example is the deprecation of the SHA1 signature algorithm in certificates. The official deadline for this is January 1 2017, although some companies are trying to push this up. However when the community agrees on an implementation date for deprecating something and a few individuals decide to go early, those individuals are the bad guys.

    The key store in BB10 does still have many CA certificates that are signed using SHA1-RSA. It also has many that are signed with SHA2 hashes. This is probably a reflection of who had their Root CA Certificates updated prior to the last BB10 update. If 10.3.3 doesn't have any CA updates, or it comes after January 1, 2017 BB10 will be out of date. I just checked my Firefox certificate store, it still has CA certificates signed with SHA1 as well.

    An instance of the second example would be the EFF's CA for Let's Encrypt. Acceptance of new CAs takes a lot of time and work. Firefox has just agreed to add the Let's Encrypt CA. As far as I know they are the only ones so far. The BlackBerry browser won't load Let's Encrypt secured sites without intervention. This is not just because BB10 doesn't have their new CA, but also because BB10 doesn't trust the existing CA the EFF chose to cross sign with. Each browser provider has to choose which Root CAs to include. This is a balance of security (since not all CAs are equally trustworthy) and convenience (users not having to take special action). BlackBerry, at least with BBOS and BB10, has set the security bar higher. This is one of the reasons I prefer BB10 over other mobile devices. I'm willing to accept that I will have to occasionally decide if I want to override the browser to see a site. I consider this a security feature. If you don't, then that is a reason to consider one of the other OSs or browsers available.

    LeapSTR100-2/10.3.2.2876
    Brilliant. Thanks for this explanation and instilling confidence about blackberry's security. That was to the point.

    Posted via CB10
    08-24-16 12:52 PM