[Superdupont 2_0]

Firefox on desktop, Android and 10.3 blocks the site. It's mainly Chrome which traded security for speed.

Ups, Firefox on Android 4.2.2 does indeed pass the test on https://revoked.grc.com/

Could you post a screenshot of the 10.3 blocking the test site?

[anon(2729369)]

Could you post a screenshot of the 10.3 blocking the test site?

You get the exact same page as on the desktop version "Secure Connection Failed"

[Superdupont 2_0]

Only a handful. Most support OpenVPN which BlackBerry hasn't managed to get running yet. A lot of universities use OpenVPN.

If you do a quick google search, then yep, you find probably only 10-15 VPN providers and only 3-4 of them support BlackBerry.

I just have checked randomly a few more (AirVPN, Coccon, Okayfreedom, NordVPN, WorldVPN, YourFreedom)...and ups, indeed no BlackBerry support.

I've read somewhere that 10.3 will support OpenVPN.

Hope the university admins are aware of this one:
https://community.openvpn.net/openvpn/wiki/heartbleed

[Richard Buckley]

There are actually several like Witopia, 12vpn, purevpn etc. etc. ...
I just signed up, limits the risks of MITM considerably to a level that I can handle.

Only a handful. Most support OpenVPN which BlackBerry hasn't managed to get running yet. A lot of universities use OpenVPN.

If you get tired of waiting for native OpenVPN support you can follow the instructions in this thread to set up an IPSEC server on Amason EC2, then add OpenVPN tunnelling to the server of your choice. I can now tunnel from my BB10 devices, via IPSEC then OpenVPN to home.

[anon(2729369)]

I've read somewhere that 10.3 will support OpenVPN.

Would be cool if you could find the source of that rumour

If you get tired of waiting for native OpenVPN support you can follow the instructions in this thread to set up an IPSEC server on Amason EC2, then add OpenVPN tunnelling to the server of your choice. I can now tunnel from my BB10 devices, via IPSEC then OpenVPN to home.

It's the most secure option, but the costs are high (Instance + traffic + admin fees) ocmpared to an out of the box solution.

[Omnitech]

You get the exact same page as on the desktop version "Secure Connection Failed"

BB10 10.3? Not on mine. Loads the page.

10.3.0.296.

Or do you mean the Android browser or Firefox?

[anon(2729369)]

BB10 10.3? Not on mine. Loads the page.

10.3.0.296.

Or do you mean the Android browser or Firefox?

Firefox on 10.3

[anon(2729369)]

If you do a quick google search, then yep, you find probably only 10-15 VPN providers and only 3-4 of them support BlackBerry.

And out of these 3-4, you should check which of their servers support connections from BlackBerry. Witopia seems OK, but PureVPN would not be a good option.
And for some people, there is the problem of where the company is located. Witopia is US based.

[Superdupont 2_0]

And out of these 3-4, you should check which of their servers support connections from BlackBerry. Witopia seems OK, but PureVPN would not be a good option.
And for some people, there is the problem of where the company is located. Witopia is US based.

It's funny that you say that, because I chose Purevpn.

Purevpn supports Blackberry (over IKEv2) with servers in the USA, Canada and Romania.
If you comment is aiming at the problem with the 5-Eyes (NSA, CSEC...), Witopia is a no-no, because of this problem:

U.S. VPN provider shuts consumer service in response to Lavabit case | PCWorld

But to be honest, I chose Purevpn over Witopia for other reasons (service packages, prices, etc etc....)
My first concerns are criminals and insecure hotspots, while Purevpn appears to be neither criminal nor insecure.
Actually, Playbook and Q5 are running smoothly over Purevpn and instead of dozens of localsysAdmins, I have to keep an eye only on Purevpn.

If one really wants to hide information from agencies, you have to run your own servers (BES, VPN) and vote for other politicians.
Or even better: Don't use smartphones. Really.


Did some very, very unobstrusive tiny ping probes yesterday to check the (server side) firewall for my assigned IP (it's filtered).
And while connected to Purevpn, I can still see the green lock on sites like this https://www.grc.com/fingerprints.htm

Tried to find some stuff about hacking "IKEv2" "EAP-MS CHAPv2", but didn't find anything significant.

[Ragbert]

Great thread. I've been a fan of Steve Gibson since I first dialed up to the internet on a Windows 3.1 machine.

Running 10.2.1, the Evolution Browser passes the test and blocks the revoked page. But the built-in BlackBerry browser fails and gets the red warning on that page.

Evolution screenshot: Attachment 271934

Ups, Firefox on Android 4.2.2 does indeed pass the test on https://revoked.grc.com/

Posted with my Q10, SQN100-2, 10.2.1.2947/2274 Radio

[anon(2729369)]

It's funny that you say that, because I chose Purevpn.

Purevpn supports Blackberry (over IKEv2) with servers in the USA, UK and Canada.
If you comment is aiming at the problem with the 5-Eyes (NSA, GCHQ, CSEC...), Witopia is a no-no, because of this problem:

U.S. VPN provider shuts consumer service in response to Lavabit case | PCWorld

But to be honest, I chose Purevpn over Witopia for other reasons (service packages, prices, etc etc....)
My first concerns are criminals and insecure hotspots, while Purevpn appears to be neither criminal nor insecure.
Actually, Playbook and Q5 are running smoothly over Purevpn and instead of dozens of localsysAdmins, I have to keep an eye only on Purevpn.

If one really wants to hide information from agencies, you have to run your own servers (BES, VPN) and vote for other politicians.
Or even better: Don't use smartphones. Really.


Did some very, very unobstrusive tiny ping probes yesterday to check the (server side) firewall for my assigned IP (it's filtered).
And while connected to Purevpn, I can still see the green lock on sites like this https://www.grc.com/fingerprints.htm

Tried to find some stuff about hacking "IKEv2" "EAP-MS CHAPv2", but didn't find anything significant.

Do you have access to UK servers over IKE2? Their list is unclear on that. Still it's only a handful of countries and not the ones with stronger data privacy rules such as Switzerland, but you're absolutely right about the fact that the use of a VPN on a smartphone is mainly to prevent local thugs to steal too much info. We're pretty powerless against a large government agency, even with BES and VPNs don't prevent the heavy tracking and profiling going on at the other end of the tunnel, but there is Tor for that (10.3 only).

[Superdupont 2_0]

Great thread. I've been a fan of Steve Gibson since I first dialed up to the internet on a Windows 3.1 machine.

Running 10.2.1, the Evolution Browser passes the test and blocks the revoked page. But the built-in BlackBerry browser fails and gets the red warning on that page.

Evolution screenshot: Attachment 271934

Yeah, his website could become my new startpage!
I have problems to view your screenshot.

Actually, when I visit https://revoked.grc.com/ with Evolution Browser (OS 10.2.1) it doesn't pass the test.

[Superdupont 2_0]

Do you have access to UK servers over IKE2? Their list is unclear on that. Still it's only a handful of countries and not the ones with stronger data privacy rules such as Switzerland, ...

Sorry, I checked it again and actually I don't have access to UK servers over IKEv2.
The third server location is Romania!

Will correct my post on this.

[Ragbert]

That's strange - I can't see the screenshot in your original post either, but it shows up in the quote now; silly CB10. *sigh*

I wonder if the settings in the Evolution browser affect how it reacts to that page.

Yeah, his website could become my new startpage!
I have problems to view your screenshot.

Actually, when I visit https://revoked.grc.com/ with Evolution Browser (OS 10.2.1) it doesn't pass the test.

Posted with my Q10, SQN100-2, 10.2.1.2947/2274 Radio

[whatever-berry]

use the ssh to company server, forward ports what you need (tunnels) to localhost from remote network, and enjoy da secure whatever ;-)

[Omnitech]

I wonder if the settings in the Evolution browser affect how it reacts to that page.

I can't see any obviously relevant settings, the only things that seem remotely possible are "Ad Blocker", "Lightning browsing", "Enable Javascript" or perhaps "Private browsing".

[Ragbert]

Same here, Omni. I have all of those enabled, except "Lightning Browsing" because frankly, I don't know what it is, lol.
The rest of the settings are cosmetic only, as far as I can tell.

I can't see any obviously relevant settings, the only things that seem remotely possible are "Ad Blocker", "Lightning browsing", "Enable Javascript" or perhaps "Private browsing".

Posted with my Q10, SQN100-2, 10.2.1.2947/2274 Radio

[Omnitech]

Same here, Omni. I have all of those enabled, except "Lightning Browsing" because frankly, I don't know what it is, lol.

IIRC it has to do with replacing some of the current page's script code with pre-compiled things to make it load faster. (With the tradeoff that sometimes it may not exactly mimic the raw code.)

[Ragbert]

That's about what I was guessing, too. I think I'll leave it off. I prefer to see the results of actual code on a web page, esp. if testing my own code.

IIRC it has to do with replacing some of the current page's script code with pre-compiled things to make it load faster. (With the tradeoff that sometimes it may not exactly mimic the raw code.)

Posted with my Q10, SQN100-2, 10.2.1.2947/2274 Radio

[Superdupont 2_0]

...even with BES and VPNs don't prevent the heavy tracking and profiling going on at the other end of the tunnel, but there is Tor for that (10.3 only).

Never gets old: What's your score on https://panopticlick.eff.org/ with Tor on 10.3?

My Q5 (10.2.) native browser's fingerprint is unique among the 4,152,566 tested so far!
Get the same result with Evolution Browser (js and cookies disabled).

[anon(2729369)]

Never gets old: What's your score on https://panopticlick.eff.org/ with Tor on 10.3?

My Q5 (10.2.) native browser's fingerprint is unique among the 4,152,566 tested so far!
Get the same result with Evolution Browser (js and cookies disabled).

Yeah, that site is scary, but I can't load it on 10.3 as it uses an invalid certificate

"Snap" is the best stop-gap solution for Android apps while we wait for BlackBerry to get its act together...

[Richard Buckley]

Yeah, that site is scary, but I can't load it on 10.3 as it uses an invalid certificate

"Snap" is the best stop-gap solution for Android apps while we wait for BlackBerry to get its act together...

The certificate is not invalid. it is signed by StartCom Ltd, but their CA certificate is not in the BB10 trusted list. Firefox and Chrome on Windows 7 accept it.

One thing that is scary is that it has a Java plug in. When you try to load that on Chrome/Win7 it does say that the certificate is invalid, but under more information the reason is that the Root CA is not trusted.

This is one of the beg problems with the current system, who decides which CAs should be trusted?

Posted via CB10

[Superdupont 2_0]

The certificate is not invalid. it is signed by StartCom Ltd, but their CA certificate is not in the BB10 trusted list. Firefox and Chrome on Windows 7 accept it.

One thing that is scary is that it has a Java plug in. When you try to load that on Chrome/Win7 it does say that the certificate is invalid, but under more information the reason is that the Root CA is not trusted.

This is one of the beg problems with the current system, who decides which CAs should be trusted?

Posted via CB10

May I suggest...

Option 1: One starts with the man in the mirror and untrusts certificates in the settings.

Option 2: Approach the industry with suggestions, e.g. these people here https://cabforum.org/ca-practices/


By the way, in the BB 10 browser one can click "site Info" > "More Info" > "Learn more"�where icons are explained. It seems that BlackBerry is not totally unaware of the problem.




However, when I visit https://test-sspev.verisign.com:2443...-verisign.html I get that green lock in my browser???






Uhm, they are still working on 10.3, so �no pressure.

I will probably move to Firefox on 10.3, although I speculate this move won't be necessarily the best solution, when I compare the number of CVE records �Firefox alone� vs. �BlackBerry Ecosystem�.

[Richard Buckley]

May I suggest...

Option 1: One starts with the man in the mirror and untrusts certificates in the settings.

Option 2: Approach the industry with suggestions, e.g. these people here https://cabforum.org/ca-practices/


By the way, in the BB 10 browser one can click "site Info" > "More Info" > "Learn more"…where icons are explained. It seems that BlackBerry is not totally unaware of the problem.




However, when I visit https://test-sspev.verisign.com:2443...-verisign.html I get that green lock in my browser???






Uhm, they are still working on 10.3, so …no pressure.

I will probably move to Firefox on 10.3, although I speculate this move won't be necessarily the best solution, when I compare the number of CVE records “Firefox alone” vs. “BlackBerry Ecosystem”.

My question was rhetorical, but good points.

Revocation checking by mobile browsers is not widespread, primarily it seems because the certificate revocation lists are very large. There are tens of thousands of certificates revoked on a daily basis. What we really need is OCSP Stapling. For now Firefox really is the leading browser in the mobile space for this issue.

[Superdupont 2_0]

While bbm is using only TLS1.0, it�s actually not as bad as I thought.

Interesting read here: https://os3.nl/_media/2013-2014/cour...bbm_report.pdf

One of the reasons their MITM attack failed was "(Un)fortunately, the client forces the use of TLS 1.0, which makes downgrading of the cipher suite impossible by including a hash over the handshake and key-material".


Which seems to be in good match with the whitepaper from BlackBerry.


For non-bes users who desperately want end-to-end encryption for bbm there is an app (that I have not tested yet): PGpgp - BlackBerry World