[anon(2729369)]

UPDATE / 8th of April: There is even a bigger problem with some implementations of TLS. Some of BlackBerry's servers and products were/are vulnerable.
Official BlackBerry statement



TL;DR
BlackBerry's choice of Internet Security Protocols to secure Internet connections made from a BlackBerry 10 device is not the greatest and the competition is doing much better. BlackBerry 10 is using TLS 1.0, the competition TLS 1.2.

I'll let you decide if TLS 1.0 is safe enough to protect your connection to sites and services you use. Cryptographers, the US National Institute of Standards and Technology (NIST), Microsoft all say it isn't.

Users on BES have an extra layer of protection which uses stronger cipher suites.

Long version
BlackBerry 10 is using TLS 1.0
While configuring devices to make sure they can safely connect to secure servers, I had the unpleasant surprise of discovering that BlackBerry 10 was only offering dated, weak Internet Security Protocols:

• SSL 2: Should be banned everywhere
• SSL 3: It's so bad, only XP uses it today
• TLS 1.0: Has been cracked and patched several times

Those protocols only contain cipher suites containing dangerous, treacherous or weak algorithms such as:

• RC4 (game over if your enemy has large resources)
• ECDSA (NIST curves, owned by BlackBerry)
• SHA1 (foundation is cracking, not recommended by BlackBerry, ECRYPT II, deprecated by FIPS)
• 3DES, DES (Forget it)
• DHE_DSS (Don't use DSS)
• AES CBC (bad things happen if TLS 1.0 is not patched)
• MD5 (cracked!)

But not the stronger ones such as

• AES GCM
• Camellia GCM
• SHA2 and
• DHE without DSS.

First I thought it was a general problem with smartphones, but iOS 7.0.6 (without the gotofail.com ), Chrome on Android 4.4 and the latest Firefox on Android all support TLS 1.2 and offer even stronger encryption than what you get on a typical Windows desktop:
DHE+AES256+GCM+SHA384

You can get the full list of cipher suites supported by your BlackBerry browser via :
https://cc.dcsec.uni-hannover.de/

Is TLS 1.0 considered weak cryptography?
To make up your mind regarding how safe those ciphers are to use today, you should do your research. There are plenty of links available on Google, Wikipedia, crypto forums, IRC channels, etc. or ask a cryptographer on what they think of TLS 1.0...

Here are a few links to get you started:

• TLS version 1.1 is required, at a minimum, in order to mitigate various attacks on version 1.0 of the TLS protocol. Support for TLS version 1.2 is strongly recommended. NIST
• RC4 in TLS is Broken: Now What? Qualys
• A roster of TLS cipher suites weaknesses. Google Online Security Blog
• Security Advisory: Recommendation to disable RC4 Microsoft
• Is TLS secure? Bristol Cryptography Blog
• "A double-byte bias attack on RC4 in TLS and SSL [...] was unveiled on 8 July 2013, and it was described as "feasible" [...] on August 15, 2013" Wikipedia
• "In 2005, security flaws were identified in SHA-1, namely that a mathematical weakness might exist, indicating that a stronger hash function would be desirable" Wikipedia
• Cipher security against publicly known feasible attacks Wikipedia

The main problems are that the most secure suites on BB10 are:

• using AES CBC which has had a lot of problems these past years (BEAST, Lucky 13) and while some vulnerabilities have probably been patched on the devices, it's still best to move to AES GCM
• using SHA1 which shows more and more signs of weaknesses and is depcreciated by both ECRYPT II and FIPS.

The good news is that the stronger suites in TLS 1.0 support Perfect Forward Secrecy via DHE and ECDHE (if you don't mind the unexplained magic numbers in NIST approved curves...), which means that an attacker can't record traffic to decrypt it later.

What are the risks?

• If you're the target of a government agency, well, there is not much you can do. Stronger crypto might not even help you as they'll probably target your device directly or the services that you use
• If you use your device for business and you're connecting to company services using a combination of elliptic curves and ephemeral keys, only the US government and spies who have copied their keys will be able to intercept your conversations. Apart from that, you'll know when there is a SHA1 exploit or a new attack on CBC in the wild as banks will probably be the first targets, unless your business is very valuable
• If you're a consumer, your bank, email provider, cloud, etc. will choose the strength of the connection for you and they'll probably pick the one which costs them the least in terms of resources from the list of what BlackBerry 10 has to offer. As long as it's DHE or ECDHE (click on the lock in a secure connection to find out), that's probably good enough to protect you from hackers until TLS 1.0 falls again, but won't stop the US government from collecting data

Conclusions
So BlackBerry 10 is lagging behind the competition when it comes to establishing secure connections on the Internet, but you're the only one who can tell whether it's relevant for what you're using your devices for.
Let's just hope BlackBerry will soon follow Google, Apple, Opera, Microsoft, Firefox, etc. and upgrade BlackBerry 10 to the latest, safest version of TLS

Note 1: What about their FIPS140-2 certification? That's not just about ciphers, but about building a secure environment and BlackBerry still rules that area, but the next revision of FIPS is moving away from some of the weak algos mentioned above.

Note 2: If you're worried about governments casually monitoring your conversations, you can use Android chat apps like TextSecure or Surespot. They use one of the most promising cipher suite DHE+curve25519+xsalsa20+poly1305, which is fast and hasn't been influenced by the NSA or NIST. That's what security conscious sysadmins are migrating to today to manage servers.

Note 3: The screenshot is from howsmyssl.com which gives the BB10 browser a bad rating for its use of TLS 1.0 which is not recommended today. It also contains lots of "good" ratings in a few areas they test, because their list of secure cipher suites is not up to date and they blindly mark any ephemeral key support as good when some are known to be weak or are not trusted any more by the crypto community.

[sk8er_tor]

There's more to it than a website telling you it's "bad." I'll wait for someone who's an expert in this field to provide details.

[anon(2729369)]

The website is there for people to get an idea of how good/bad their browser is. Show the list of ciphers to an expert and he'll tell you that it's just not good enough in the post-Snowden era.

Also, on the desktop, Firefox does not enable TLS 1.2 by default, so many people are not really better off.

And finally, if the servers don't support stronger encryption, then having it in the browser won't offer better protection. It's just much easier for an admin to paste a new cipher suite in the server's config than it is to force BlackBerry to upgrade BB10.

[Mr.Conviviality]

interestingly, if I chose not to question what you're sharing with us... I'd read your post and think my blackberry is in trouble, using dated stuff... vulnerable and behind. Almost like reading a BGR article.

when I go to the website that you've listed, in one breath it mentions that version is "bad" and that it's possibly susceptible to the "BEAST" attack...

however...

if you scroll down the page, the same one that says that everything else is "good",... it says that "your client is not vulnerable to the BEAST attack" as it uses TLS 1.0 in conjuction with blah blah blah....

to me it looks like you're trolling.

[eddy_berry]

I saw the same thing but scrolled down to see this...

[dbmalloy]

Security on any platform is only as secure as its weakest link... you can have the most secure device in the world and if you connect to an unsecure server or service... whatever info you give it is not secure...

[anon(2729369)]

interestingly, if I chose not to question what you're sharing with us... I'd read your post and think my blackberry is in trouble, using dated stuff... vulnerable and behind. Almost like reading a BGR article.

when I go to the website that you've listed, in one breath it mentions that version is "bad" and that it's possibly susceptible to the "BEAST" attack...

however...

if you scroll down the page, the same one that says that everything else is "good",... it says that "your client is not vulnerable to the BEAST attack" as it uses TLS 1.0 in conjuction with blah blah blah....

to me it looks like you're trolling.

That's because it's not your field of expertise and you didn't do your due diligence by doing some simple Google or Wikipedia searches on the algorithms I've mentioned.

You can check this table to see that TLS 1.0 contains ZERO secure Ciphers.
https://en.wikipedia.org/wiki/Transp...ecurity#Cipher

It's clearly a complex matter and it's the combinations and implementation of algos which make a certain stack vulnerable.
The website I've listed is just used to get an overall rating. It's not taking into consideration the latest development in cryptography, but it has the advantage of being readable by novices. Having said that, several people have provided feedback similar to yours, because it's true, all this green make people think things are all right.

[anon(2729369)]

Security on any platform is only as secure as its weakest link... you can have the most secure device in the world and if you connect to an unsecure server or service... whatever info you give it is not secure...

Exactly, but in this case, the limiting factor is the BlackBerry devices. Today's servers have no problem supporting much stronger encryption.
And it's OK for a device to support weak ones, for compatibility reasons, but it should offer the stronger ones, for those who need it.

[Mr.Conviviality]

That's because it's not your field of expertise and you didn't do your due diligence by doing some simple Google or Wikipedia searches on the algorithms I've mentioned.

You can check this table to see that TLS 1.0 contains ZERO secure Ciphers.
https://en.wikipedia.org/wiki/Transp...ecurity#Cipher

It's clearly a complex matter and it's the combinations and implementation of algos which make a certain stack vulnerable.
The website I've listed is just used to get an overall rating. It's not taking into consideration the latest development in cryptography, but it has the advantage of being readable by novices. Having said that, several people have provided feedback similar to yours, because it's true, all this green make people think things are all right.

If your recommended process of DD is to do a "google search" or consult "Wikipedia", I question yours.

I won't pretend to be an expert in cryptography or mobile security, but I don't get the point of your finding.
The website says things are good, and things are bad. It does nothing to shed any light on any problem. You've shared nothing to confirm that there is an issue. You haven't shared a solution. In a way, you've come here to tell us that an M1A1 Abrams doesn't have an airbag, and as such isn't a safe vehicle.

[anon(2729369)]

If your recommended process of DD is to do a "google search" or consult "Wikipedia", I question yours.

That's what's accessible to the layman, this is not the cr.yp.to mailing list...

I won't pretend to be an expert in cryptography or mobile security, but I don't get the point of your finding.
The website says things are good, and things are bad. It does nothing to shed any light on any problem..

Maybe I should remove the website so that people stop focusing on that... The goal was to get the list of ciphers so that people could do their own research.

You've shared nothing to confirm that there is an issue. You haven't shared a solution. In a way, you've come here to tell us that an M1A1 Abrams doesn't have an airbag, and as such isn't a safe vehicle.

I've shared the list of algos which are problematic and mentioned you can do you own research. It doesn't take that long to see that there are problems with what I listed, but here, 2 links to start exploring:

• "A double-byte bias attack on RC4 in TLS and SSL [...] was unveiled on 8 July 2013, and it was described as "feasible" [...] on August 15, 2013" Wikipedia
• "In 2005, security flaws were identified in SHA-1, namely that a mathematical weakness might exist, indicating that a stronger hash function would be desirable" Wikipedia

I did mention in my OP that the competition had upgraded to TLS 1.2 and that I was hoping that BlackBerry 10 would do the same. The only workaround would be to use an Android browser if it uses its own SSL stack.

[anon(2729369)]

I've updated the OP, to give a bit more info on why it's a good idea to upgrade the crypto stack.

[stabstabdie]

imagine if the 'expert' consultant you just hired sat across the table and gave you Wikipedia as the source of their information.......

[anon(2729369)]

Wikipedia isn't the source... it contains an easy to read collection of references for people who care to learn more.

[Richard Buckley]

Of course it is desirable to have the latest version of TLS, However let's take your claim that TLS 1.0 has on trusted ciphers and howsmyssl.com is a good source to find out which ones are offered.

Chrome, which gets a score of "Probably OK" (the highest possible) offers the following as the number 1 and 2 chiphers:
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

My Z10 browser offers these as the number 1 and 2 chiphers (they are offered as number 5 and 6 by Chrome):
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

After BEAST mitigation the following ciphers were recommended to be left in Firefox:
C02B TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
C02F TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
C009 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
C013 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
C00A TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
C014 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
0033 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
0039 TLS_DHE_RSA_WITH_AES_256_CBC_SHA
002F TLS_RSA_WITH_AES_128_CBC_SHA
0035 TLS_RSA_WITH_AES_256_CBC_SHA

I think you didn't read the foot notes on the "depends" state on the Wikipedia TLS article.

As we found out from the GOTO FAIL bug, and many before it doesn't matter how advanced your cryptography is if you screw up the implementation. There are known ways to mitigate the problems with TLS 1.0.

Edit:
This has been brought up before, this is what I had to say then:

The BEAST attack exploits problems discovered in TLS 1.0. While it is desirable for all clients to move to newer versions of TLS in order to be protected from the BEAST attack simply by using a later version of TLS requires that the server also support the later version. Servers are often even slower to upgrade than clients so many browsers have been patch to provide protection from BEAST while still using TLS 1.0. I do not know the status of the BB10 browser with respect to this.

Importantly this site is not a test for vulnerability to BEAST, it only looks at the version of TLS supported.

It would certainly be better for BlackBerry to move cryptographic support to TLS 1.2, but the servers of the sites you visit must also upgrade to this support. Test sites like this one perform a useful function of bringing the issue to the masses and act as a prod to bring about the upgrades, but should not be used as a reason to be over concerned.

[IgotsThis]

If your recommended process of DD is to do a "google search" or consult "Wikipedia", I question yours.

I won't pretend to be an expert in cryptography or mobile security, but I don't get the point of your finding.
The website says things are good, and things are bad. It does nothing to shed any light on any problem. You've shared nothing to confirm that there is an issue. You haven't shared a solution. In a way, you've come here to tell us that an M1A1 Abrams doesn't have an airbag, and as such isn't a safe vehicle.

Lolol alright alright I'll give you the Abrams example good one.

Posted via CB10

[higherdestiny]

ofutur.

You're absolutely correct. BlackBerry 10 OS is not secure. You've proved it with absolute certainty with your wikipedia skills.

I'm calling NATO to ask them why they certified BlackBerry 10 to receive NATO RESTRICTED status.
I'm also going to demand the government to explain why they issued FIPS140-2 validation for BlackBerry 10 OS.
I'm going to call the UK National security authority and blast them for issuing RESTRICTED IL3 classification for BlackBerry 10 Cryptographic API.
I'm also going to email the Department of Defense and ask them for a reason they approved BlackBerry 10 for use in highly secure environments.

CLEARLY these organizations haven't read wikipedia.

[ArmedHitman]

Exactly, but in this case, the limiting factor is the BlackBerry devices. Today's servers have no problem supporting much stronger encryption.
And it's OK for a device to support weak ones, for compatibility reasons, but it should offer the stronger ones, for those who need it.

It's a limiting factor because server hosting companies don't want to waste CPU utilisation encrypting and decrypting data on the fly to and from clients. This wastes power plus a lot of heat :/ just makes everything more tedious for them. People like bigger profit margins.

Only offering a device with the strongest of encrypting techniques would leave it out in the cold and be left alone out in the world.

Like for example the switch the USB 3.0 is there but it's too slow and legacy devices are still available and most PC's are still on 2.0.

After Snowden I thought the world would get their act together. So they're actually pushing for better cryptographic methods in devices we use daily and rely on, but hey that hasn't happened.

Posted via CB10

[higherdestiny]

P.S.

On my desktop, I'm running the very latest beta release of firefox - and according to that site, it's "bad".

I'm taking this site with a grain of salt.

Not to mention, there's a LOT more to the security of a platform than the SSL version in the browser.

[ArmedHitman]

P.S.

On my desktop, I'm running the very latest beta release of firefox - and according to that site, it's "bad".

I'm taking this site with a grain of salt.

Not to mention, there's a LOT more to the security of a platform than the SSL version in the browser.

Kind of quoting someone up above, 'Firefox doesn't have everything enabled out of the box, the more advanced encryptions ain't actually activated out of the box'.

Posted via CB10

[ArmedHitman]

ofutur.

You're absolutely correct. BlackBerry 10 OS is not secure. You've proved it with absolute certainty with your wikipedia skills.

I'm calling NATO to ask them why they certified BlackBerry 10 to receive NATO RESTRICTED status.
I'm also going to demand the government to explain why they issued FIPS140-2 validation for BlackBerry 10 OS.
I'm going to call the UK National security authority and blast them for issuing RESTRICTED IL3 classification for BlackBerry 10 Cryptographic API.
I'm also going to email the Department of Defense and ask them for a reason they approved BlackBerry 10 for use in highly secure environments.

CLEARLY these organizations haven't read wikipedia.

Has someone ever told you 'The one thing you think is the most powerful part of something is normally the chink in its armour'. I agree as a sandboxed environment, BlackBerry 10 is near perfect. But as time passes encryptions are cracked and flaws are found. This is one of them flaws which is probably there because of website compatibility because most websites do not support it, simple.

Furthermore to invalidate your point and emphasis on a government actually supporting a device. The United States of America Air Force last time I looked going to use iPhones. Last week 5 vulnerabilities were released and shown to work on iOS devices. So yes you should be doing something about that! Plus android and iOS have been cleared to be used on these networks.

Link : http://m.crackberry.com/us-air-force...evices-iphones

Facepalm time!

Posted via CB10

[p_r_a_g_m_a]

I know nothing about encryption but I remember urgent flash player update recently and I do know blackberries didn't get it.

Posted.

[anon(2729369)]

Chrome, which gets a score of "Probably OK" (the highest possible) offers the following as the number 1 and 2 chiphers:
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

Which are good enough today, even if not as good as what you get on iOS and Android.

My Z10 browser offers these as the number 1 and 2 chiphers (they are offered as number 5 and 6 by Chrome):
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

Which are not good enough, especially for a vendor touting the security card.

After BEAST mitigation the following ciphers were recommended to be left in Firefox:
C02B TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
C02F TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
C009 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
C013 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
C00A TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
C014 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
0033 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
0039 TLS_DHE_RSA_WITH_AES_256_CBC_SHA
002F TLS_RSA_WITH_AES_128_CBC_SHA
0035 TLS_RSA_WITH_AES_256_CBC_SHA

Yep, (c0, 2f) is OK and stronger than what a BlackBerry supports. The rest is just there for compatibility reasons

I think you didn't read the foot notes on the "depends" state on the Wikipedia TLS article.

I did and wrote in my OP than BEAST can be mitigated by patching the clients, but the protocol has evolved to better protect against this family of exploits and other vendors have moved on to a more secure stack, not BlackBerry.

As we found out from the GOTO FAIL bug, and many before it doesn't matter how advanced your cryptography is if you screw up the implementation.

I completely agree, but many SSL attacks take place outside of the client and BlackBerry devices are missing the stronger cipher suites which would offer better protection for businesses in 2014.
10.2.1 was just launched and they've missed an opportunity to level up with the competition.

[anon(2729369)]

ofutur.

You're absolutely correct. BlackBerry 10 OS is not secure. You've proved it with absolute certainty with your wikipedia skills.

You can keep your head in the sand and twist my words all you want, at the end of the day it's the security of your transactions which are at stake... Ask any cryptographer what they think of TLS 1.0 and take decisions based on their answer.

For reference, I said: "is not great at establishing secure connections" and Wikipedia is there so that people like you can get a grasp on what's going on.

I'm calling NATO to ask them why they certified BlackBerry 10 to receive NATO RESTRICTED status.

Funny you mention NATO since we all know how secure their communications were...

I'm also going to demand the government to explain why they issued FIPS140-2 validation for BlackBerry 10 OS.
I'm going to call the UK National security authority and blast them for issuing RESTRICTED IL3 classification for BlackBerry 10 Cryptographic API.
I'm also going to email the Department of Defense and ask them for a reason they approved BlackBerry 10 for use in highly secure environments.

CLEARLY these organizations haven't read wikipedia.

You CLEARLY didn't read my paragraph about FIPS and you CLEARLY mix up completely different concepts...

Connecting to a secure site and decrypting documents on device are 2 separate things.... on top of that BES may create a more secure tunnel than what TLS offers for the browser and apps on device.

P.S.


On my desktop, I'm running the very latest beta release of firefox - and according to that site, it's "bad".


I'm taking this site with a grain of salt.


Not to mention, there's a LOT more to the security of a platform than the SSL version in the browser.

It's bad because Firefox is trailing. You need to manually enable TLS 1.2, but at least it's there.
Chrome and Opera support (c0, 2f) and Safari on Mac is ahead.

And yes, howsmyssl is to take with a grain of salt, it's mainly useful to get the list of cipher suites, but I've listed a better site for that, which should be less confusing.

And yes, security is about more than the version of TLS available on a device, that's what FIPS140-2 is for, but you can be FIPS compliant and still establish weak (by 2014's definition) connections with external websites.

[oystersourced]

You're overlooking the biggest flaw in the security model and that is the imbecile pushing the buttons.

Posted via CB10

[kbz1960]

You're overlooking the biggest flaw in the security model and that is the imbecile pushing the buttons.

Posted via CB10

That's why the imbeciles need someone else to look out for them.

Edit: BTW win 8.1 modern side browser is probably OK