[Richard Buckley]

Unfortunately, you got it all wrong
BlackBerry 10 uses OpenSSL 1.0.1e and is vulnerable...

Are you sure about that? BlackBerry 10 provides OpenSSL (I'll take your word for the version), just as they provide many open source libraries to make bringing other open source projects to the platform. That doesn't mean they use OpenSSL as the support for TLS at the OS level. Read your own posts. You started this thread complaining that BB10 doesn't support TLS 1.2. But OpenSSL 1.0.1e supports TLS 1.2. So what song book are you going to sing from?



Edit: And one more thought. 1.0.1 through 1.0.1e are only vulnerable if compiled with heartbeat support on. Since heartbeat is designed to provide better service for DTLS it is entirely reasonable for BlackBerry to have not compiled that feature in.

[anon(2729369)]

Are you sure about that? BlackBerry 10 provides OpenSSL (I'll take your word for the version), just as they provide many open source libraries to make bringing other open source projects to the platform.

You are correct, the library is included so that apps can use it to establish secure connections. That's what makes BlackBerry 10 potentially vulnerable, if it has the heartbeat function enabled. An attacker would be able to access the memory space given to the app which connects to the rogue server.

That doesn't mean they use OpenSSL as the support for TLS at the OS level.

No, but it doesn't matter. Let's say the browser is vulnerable. An attacker could see which sites you're browsing and steal your logins/passwords if you've got other tabs opened. Worse, they might be able to get the client certificate you're using to securely connect to an company server.

Read your own posts. You started this thread complaining that BB10 doesn't support TLS 1.2. But OpenSSL 1.0.1e supports TLS 1.2. So what song book are you going to sing from?

Supporting and enabling are 2 different things...

EDIT: Also, they could be using a different library for some of their own binaries, like webkit. All we can see is what's available when establishing a connection.

Edit: And one more thought. 1.0.1 through 1.0.1e are only vulnerable if compiled with heartbeat support on. Since heartbeat is designed to provide better service for DTLS it is entirely reasonable for BlackBerry to have not compiled that feature in.

You're right and that's something with may mean that BlackBerry 10.2.1 is safe.
I was only able to test the Android side, but someone could release a tool to check the native side.


EDIT: On Android, only 4.1.1 is vulnerable in the 4.x branch, but since apps can include their own libs, some may be vulnerable.

[Richard Buckley]

You are correct, the library is included so that apps can use it to establish secure connections. That's what makes BlackBerry 10 potentially vulnerable, if it has the heartbeat function enabled. An attacker would be able to access the memory space given to the app which connects to the rogue server.

No, but it doesn't matter. Let's say the browser is vulnerable. An attacker could see which sites you're browsing and steal your logins/passwords if you've got other tabs opened. Worse, they might be able to get the client certificate you're using to securely connect to an company server.

Unless the bug allows for leakage of the system memory, or other process memory and not just the process memory of the vulnerable program then that would be correct. If the latter, then an attacker would only be able to access the affected process. Third party browsers should not be used to access the corporate intraweb unless they have been vetted and approved. A proper BES configuration would take care of this for the work side of balance.

You're right and that's something with may mean that BlackBerry 10.2.1 is safe.
I was only able to test the Android side, but someone could release a tool to check the native side.

I have a natural distrust of people who claim IT security cred but shoot first and ask questions later. You don't need to wait until someone writes a native tool. Just browse to ssllabs.com I've attached the results from the BlackBerry Browser on the simulator. If I get time I will post the results from my actual hardware later. To test the OpenSSL you only need to find a third party browser that uses it and perform the test. A little bit of research before making allegations can do wonders to protect your reputation.

[butterbean1983]

I don't understand, is this an attempt to paranoid us into not using our BlackBerry's? I don't really understand much about Internet security protocols, nor am I a business professional so even if someone were to hack my BlackBerry, all they would get would be access to the $5 in my bank account and my facebook password.

[anon(2729369)]

Unless the bug allows for leakage of the system memory, or other process memory and not just the process memory of the vulnerable program then that would be correct. If the latter, then an attacker would only be able to access the affected process. Third party browsers should not be used to access the corporate intraweb unless they have been vetted and approved. A proper BES configuration would take care of this for the work side of balance.

Ever heard of shared memory?
And my example was about attacking the standard browser's process, which contains plenty of private information, depending on what you're using it for, not some 3rd party solution. There is enough material on the web right now to understand what's possible.
People on BES would probably be safer since the work browser runs in a separate process, but I don't think BB10 supports memory partitioning yet.

I have a natural distrust of people who claim IT security cred but shoot first and ask questions later. You don't need to wait until someone writes a native tool. Just browse to ssllabs.com I've attached the results from the BlackBerry Browser on the simulator. If I get time I will post the results from my actual hardware later. To test the OpenSSL you only need to find a third party browser that uses it and perform the test. A little bit of research before making allegations can do wonders to protect your reputation.

IT security cred has nothing to do with raising awareness about a very serious bug which may affect BB10 users browsing the web, just like any affected company took responsibility and contacted their customers to let them know of what is going on, even if they were not affected.
I didn't have the time to write an app and BlackBerry offers a limited set of binaries that we can use, so I'll let someone else write a tool. I scanned services locally and couldn't find one which was vulnerable.

I have no idea what you're trying to say with that ssllabs test/screenshot

[anon(2729369)]

I don't understand, is this an attempt to paranoid us into not using our BlackBerry's? I don't really understand much about Internet security protocols, nor am I a business professional so even if someone were to hack my BlackBerry, all they would get would be access to the $5 in my bank account and my facebook password.

You should just generally be careful about the sites you visit from your mobile browser and the apps you install and not expect any privacy.
Now, BlackBerry should update their crypto libraries to better protect content encrypted in transit, but it's not like criminal organisations are actively exploiting the weaknesses described in the OP today, unlike what's happening this week with hackers busy scanning the Internet to collect as many passwords as they can.
Best not to do anything "important" on the Internet this week, using any browser, unless you've heard from the service you want to connect to.

[butterbean1983]

There will always be weaknesses to expose, and there will always be people trying to exploit them. The Internet is a leaky boat. Patch one hole, another one eventually pops up.

[Richard Buckley]

Ever heard of shared memory?
And my example was about attacking the standard browser's process, which contains plenty of private information, depending on what you're using it for, not some 3rd party solution. There is enough material on the web right now to understand what's possible.
People on BES would probably be safer since the work browser runs in a separate process, but I don't think BB10 supports memory partitioning yet.

Yes, I've heard of shared memory. A process has to offer it first, then another has to connect. Permissions have to be correct, and are not under app developer control. All applications on BB10 run as separatate processes.

IT security cred has nothing to do with raising awareness about a very serious bug which may affect BB10 users browsing the web, just like any affected company took responsibility and contacted their customers to let them know of what is going on, even if they were not affected.
I didn't have the time to write an app and BlackBerry offers a limited set of binaries that we can use, so I'll let someone else write a tool. I scanned services locally and couldn't find one which was vulnerable.

I have no idea what you're trying to say with that ssllabs test/screenshot

BlackBerry 10 uses OpenSSL 1.0.1e and is vulnerable...

Doesn't sound like raising awareness as much as fomenting alarm. Unless you have some proof to back up your claim that OpenSSL on BB10 is vulnerable.

SSLLabs is a very credible professionally run SSL suite test site, among other things. The screen shot I posted shows that the SSL used by the BB10 browser is not vulnerable because it supports only up to TLS 1.0 and therefore not the handshake extention.

What you are doing is no different than the press who claim that 66% of the web is vulnerable simply because a browser that uses OpenSSL has that market share. The truth is the handshake protocol is of little value to a webserver, or a smart phone. The Android runtime you tested seems to not have handshake compiled in. The majority of webservers that were initially reported as vulnerable were reported as such based only on the version of OpenSSL they were running, not whether they had handshake enabled. None of my servers have been vulnerable because while I use OpenSSL, I was not running vulnerable versions. The actual count of vulnerable sites is closer to 25%. Still not good, but not the end of the word.

If you want to rais awarness try speaking from facts rather than assumptions.

Edit: here is the SSLLabs results for a Z10 running 10.2.1. Also not vulnerable to heartbleed.
Attachment 262122

[Richard Buckley]

There will always be weaknesses to expose, and there will always be people trying to exploit them. The Internet is a leaky boat. Patch one hole, another one eventually pops up.

This may look like it is true, but many of the vulnerabilities can be avoided by (as SunMicrosystems always advised) don't upgrade gratuitously and don't install features you don't need and are't going to use. Following this last rule means that my servers, BlackBerry's BB10 browser and most of the internet that is using OpenSSL isn't vulnerable.

[anon(2729369)]

Yes, I've heard of shared memory. A process has to offer it first, then another has to connect. Permissions have to be correct, and are not under app developer control. All applications on BB10 run as separatate processes

It doesn't matter if apps use separate processes, if they share some of the memory, especially for caching.

Doesn't sound like raising awareness as much as fomenting alarm. Unless you have some proof to back up your claim that OpenSSL on BB10 is vulnerable.

I'm saying that it could be. You're not bringing proof that it isn't... Neither is BlackBerry. We'll have to wait for their full assessment to know for sure. I'm just glad that they've patched some servers and revoked/replaced their certificates.

SSLLabs is a very credible professionally run SSL suite test site, among other things. The screen shot I posted shows that the SSL used by the BB10 browser is not vulnerable because it supports only up to TLS 1.0 and therefore not the handshake extention.

Ssllabs was mentoned in the OP..., but now I finally understand what you were trying to say... and that's correct, the browser is not vulnerable. We only need to find out about the libraries and apps now.

The actual count of vulnerable sites is closer to 25%. Still not good, but not the end of the word.

If you want to rais awarness try speaking from facts rather than assumptions.

It's actually more like 17% just for websites, but that doesn't take into consideration all the appliances, such as routers which are affected. It's not the end of the world as it seems only governments and large criminal organisations have the resources to harvest useful information on a large scale, but still bad enough to warrant changing as many passwords as possible.
With something that big, I'd rather raise awareness before having all the facts than feeling sorry later on. BlackBerry does security differently. It's possible they've turned on the heartbeat feature in order to try and increase the level of protection against timing attacks.

[gariac]

No, shared memory is something you specifically enable. It is a scheme to share data between specific processes.

I think it would be best to leave shared memory out of the arguments.

I haven't dug into the guts of the BlackBerry browser, so I will stay out of that argument. But I can tell you I've updated openSSL on my desktop linux PC twice since Saturday.

Posted via CB10

[Richard Buckley]

It doesn't matter if apps use separate processes, if they share some of the memory, especially for caching.

But both apps have to participate in the sharing. QNX supports this, but I haven't seen anything about support in BB10 especially between applications from separate vendors.

You said the browser might be safer because it is a separate process, but all apps are separate process so why is the browser different?

I'm saying that it could be. You're not bringing proof that it isn't... Neither is BlackBerry. We'll have to wait for their full assessment to know for sure. I'm just glad that they've patched some servers and revoked/replaced their certificates.

Ssllabs was mentoned in the OP..., but now I finally understand what you were trying to say... and that's correct, the browser is not vulnerable. We only need to find out about the libraries and apps now.

The results from SSLLabs is proof.

We don't need to find that out. If you read my post with the reply from BBSIRT you know that they are looking into it and will take action if required. That would probably be responsible disclosure to vendors who are using it, if it is vulnerable.

If you want to test OpenSSL there must be a third party browser in BlackBerry World that uses the OpenSSL library. Find it, install it and go to SSLLABS.

BlackBerry does security differently. It's possible they've turned on the heartbeat feature in order to try and increase the level of protection against timing attacks.

More speculation.

Posted via CB10

[gariac]

The main news section of Crackberry has a message from BlackBerry that bb10 is not effected.

http://crackberry.com/blackberry-add...-vulnerability

Posted via CB10

[Richard Buckley]

The main news section of Crackberry has a message from BlackBerry that bb10 is not effected.

BlackBerry addresses OpenSSL Heartbleed vulnerability | CrackBerry.com

Posted via CB10

Yup, just saw it when I got home.

So I hope now it is settled.

They do have issues with some products, but BB10 isn't among them.

[BruvvaPete]

Anyone who trusts Wikipedia (where anyone can post anything about anything) for factual information may want to conduct research that doesn't include Wikipedia. Just my opinion.

@BruvvaPete :Channel: C0012176F. Live well

[gariac]

Running a linux box is like a news service on exploits. I see the updates roll out and then the press gets them about two days later. This is the first one I recall where the press knew about the bug before the linux patch rolled out.

I presume the person or organization that finds the exploit give the linux maintainers some head notice.



Posted via CB10

[aboldcurve]

Now if somebody competent in the matter has something to add or discuss to arrive at a consensus, let's hear it. Personal attacks do not bring anything worthwhile to the table.

Posted via CB10 on my Z30

Honestly, one of the major reasons I've stuck with this company is for their security and if you truly care about that you'd take this in a more serious way. I don't think this is something people should be personalized for it's something to be talked about, this guy brought up a good point and explained it thoroughly enough. This is not something that can't be fixed and instead of being pissed at the OP maybe you should contact BlackBerry instead with the keyboard rage. Everyone using a BB10 phone/browser should have the best security for it's a huge selling point and obviously important to the people who own it. I'm just saying this anger should be aimed at the company.

Posted via CB10

[jhirizarry]

Perhaps with the newer SSL versions bug, and BlackBerry using "dated" protocols we were not as exposed as others are. Just a thought!

Life is simple, we are the ones that complicate it !!! Z10STL100-3/10.2.1.2947/2235 on AT&T

[Richard Buckley]

Honestly, one of the major reasons I've stuck with this company is for their security and if you truly care about that you'd take this in a more serious way. I don't think this is something people should be personalized for it's something to be talked about, this guy brought up a good point and explained it thoroughly enough. This is not something that can't be fixed and instead of being pissed at the OP maybe you should contact BlackBerry instead with the keyboard rage. Everyone using a BB10 phone/browser should have the best security for it's a huge selling point and obviously important to the people who own it. I'm just saying this anger should be aimed at the company.

Posted via CB10

Why should any anger be directed at the company? All the vulnerabilities the OP brought up on this thread turned out to be wrong.

You are right that security is important. It is also important not to assert vulnerability in the absence of the facts. That you believe that there is a reason to direct anger at BlackBerry over this is an indication of how damaging that can be. For one thing it can focus attention away from where it really needs to be.

Posted via CB10

[anon(2729369)]

But both apps have to participate in the sharing. QNX supports this, but I haven't seen anything about support in BB10 especially between applications from separate vendors

I've looked it up and while BB10 supports it, you're right, it's not used for inter apps communication. I guess shared memory is more of a problem with apps such as a browser because it's so open and allows so many different tasks to be performed.

You said the browser might be safer because it is a separate process, but all apps are separate process so why is the browser different?

Because within the browser, different tabs might not be in different processes and even if they were, they would probably use shared memory to cache some elements. So, using the work browser, through BES, to connect to work servers, is a good way to protect work data, even without memory partitioning (since apps don't share memory anyway). Small businesses are not that lucky.
But that was all hypothetical, in case the browser was vulnerable, but since it's stuck at TLS 1.0, there is no problem there.

The results from SSLLabs is proof.

We don't need to find that out. If you read my post with the reply from BBSIRT you know that they are looking into it and will take action if required. That would probably be responsible disclosure to vendors who are using it, if it is vulnerable.

If you want to test OpenSSL there must be a third party browser in BlackBerry World that uses the OpenSSL library. Find it, install it and go to SSLLABS.

Proof about the browser only. Different parts/apps of the OS use different libraries. The libssl they ship is: "OpenSSL 1.0.1e 11 Feb 2013", which comes with TLS 1.2 support. Apparently, just like on Android, heartbeat wasn't turned on, so we have nothing to worry about, as far as the OS is concerned.

As for apps, the test you suggest won't give any meaningful results since what most 3rd party browsers do is change the shell only, just like the native browser, which used to be an HTML5 app.
It's not trivial to attack apps though, unless they act as local servers, as they have to be fooled into connecting to a rogue server. That's probably why BlackBerry is not too worried about BBM being vulnerable on other platforms.

Perhaps with the newer SSL versions bug, and BlackBerry using "dated" protocols we were not as exposed as others are. Just a thought!

Yeah, let's stick with Windows XP, just in case nasty bugs crawl in Windows 8

[anon(2729369)]

All the vulnerabilities the OP brought up on this thread turned out to be wrong.

The OP is about TLS1.0. Nothing has changed there, BlackBerry needs to upgrade. I then raised my concerned about a newly discovered flaw in the library used, which luckily didn't affect BlackBerry 10, but did affect some of their products.

[Richard Buckley]

The OP is about TLS1.0. Nothing has changed there, BlackBerry needs to upgrade. I then raised my concerned about a newly discovered flaw in the library used, which luckily didn't affect BlackBerry 10, but did affect some of their products.

They only need to upgrade to TLS 1.2 if there is something provided by that protocol that is necessary. Closing the door to the known problems with TLS 1.0 does not require upgrading to TLS 1.2, nor is upgrading to TLS 1.2 sufficient since if you communicate with a peer that only supports TLS 1.0 and you haven't fixed the problems then you are subject to the vulnerability anyway.

Heartbleed on the other hand is an example of why one should not rush to adopt new features unless they are needed. I wonder how many systems that are vulnerable to heartbleed actually need the heartbeat extension. One of the reasons my users and I don't have to be concerned about the systems I manage is that for the past two years we have been using OpenSSL 0.9.8 of various sub-versions that track the bug fixes of 1.0.1 but lack the addition features we don't need, like heatbeat.

BlackBerry is not perfect. It will be interesting to see, as time moves on, what the specifics behind the vulnerable products are. But if it comes down to believing that BlackBerry needs to do something because you say they do, or looking at BlackBerry's track record and concluding that they in fact know what they are doing, I'm going to have to side with BlackBerry on this one. There are choices in the market. If having TLS 1.2 on their smartphone is important enough to someone, they can exercise their freedom of choice. At the end of the day BB10 is not vulnerable to any of the things you sought to raise awareness of. People should not loose sight of that.

[NinjaB]

The OP is about TLS1.0. Nothing has changed there, BlackBerry needs to upgrade. I then raised my concerned about a newly discovered flaw in the library used, which luckily didn't affect BlackBerry 10, but did affect some of their products.

you did more than "raise concern"; you also mentioned multiple times BB10 was vulnerable and needed to be patched, before having all the facts and/or a statement from BlackBerry...

i respect you and have learned a lot from several of your posts, so while your other observations on TLS1.0 may be true, that was an assumption that should not have been made.

[NinjaB]

I don't understand, is this an attempt to paranoid us into not using our BlackBerry's? I don't really understand much about Internet security protocols, nor am I a business professional so even if someone were to hack my BlackBerry, all they would get would be access to the $5 in my bank account and my facebook password.

mashable has a pretty nice list of what's been patched and a general explanation video at the bottom...
The Heartbleed Hit List: The Passwords You Need to Change Right Now

no bank sites were affected directly.. but I'd take a moment to at least change the shopping/commerce sites or any site pw where u put your bank info in... cuz it may be only $5 now but you've got to pay for that phone ur browsing CB with somehow right? wouldn't want them to steal your next phone bill payment or we wouldn't be seeing you for a while! heh jk ...

[anon(2729369)]

you did more than "raise concern"; you also mentioned multiple times BB10 was vulnerable and needed to be patched, before having all the facts and/or a statement from BlackBerry...

i respect you and have learned a lot from several of your posts, so while your other observations on TLS1.0 may be true, that was an assumption that should not have been made.

I agree. I revisited my earlier posts about Heartbleed and assumed that because version 1.0.1e was in the OS, that the OS was vulnerable. That was before doing any research on the matter and I should have said "may be vulnerable".
Nobody has independently verified that BB10 is safe though. We're just taking BlackBerry's word for it.