03-12-15 06:33 PM
  1. Superdupont 2_0's Avatar
    Firefox on desktop, Android and 10.3 blocks the site. It's mainly Chrome which traded security for speed.
    Oops, Firefox on Android 4.2.2 does indeed pass the test on https://revoked.grc.com/

    Could you post a screenshot of the 10.3 blocking the test site?
    05-19-14 07:19 AM
  2. ofutur's Avatar
    Could you post a screenshot of the 10.3 blocking the test site?
    You get the exact same page as on the desktop version "Secure Connection Failed"
    05-19-14 07:27 AM
  3. Superdupont 2_0's Avatar
    Only a handful. Most support OpenVPN which BlackBerry hasn't managed to get running yet. A lot of universities use OpenVPN.
    If you do a quick google search, then yep, you find probably only 10-15 VPN providers and only 3-4 of them support BlackBerry.

    I've just randomly checked a few more (AirVPN, Coccon, Okayfreedom, NordVPN, WorldVPN, YourFreedom)...and oops, indeed no BlackBerry support.

    I've read somewhere that 10.3 will support OpenVPN.

    Hope the university admins are aware of this one:
    https://community.openvpn.net/openvpn/wiki/heartbleed
    05-19-14 07:42 AM
  4. Richard Buckley's Avatar
    There are actually several like Witopia, 12vpn, purevpn etc. etc. ...
    I just signed up, limits the risks of MITM considerably to a level that I can handle.
    Only a handful. Most support OpenVPN which BlackBerry hasn't managed to get running yet. A lot of universities use OpenVPN.
    If you get tired of waiting for native OpenVPN support you can follow the instructions in this thread to set up an IPSEC server on Amazon EC2, then add OpenVPN tunnelling to the server of your choice. I can now tunnel from my BB10 devices, via IPSEC then OpenVPN, to home.
    southlander likes this.
    05-19-14 07:52 AM
  5. ofutur's Avatar
    I've read somewhere that 10.3 will support OpenVPN.
    Would be cool if you could find the source of that rumour

    If you get tired of waiting for native OpenVPN support you can follow the instructions in this thread to set up an IPSEC server on Amazon EC2, then add OpenVPN tunnelling to the server of your choice. I can now tunnel from my BB10 devices, via IPSEC then OpenVPN, to home.
    It's the most secure option, but the costs are high (instance + traffic + admin fees) compared to an out-of-the-box solution.
    05-19-14 08:09 AM
  6. Omnitech's Avatar
    You get the exact same page as on the desktop version "Secure Connection Failed"
    BB10 10.3? Not on mine. Loads the page.

    10.3.0.296.

    Or do you mean the Android browser or Firefox?
    05-19-14 08:19 AM
  7. ofutur's Avatar
    BB10 10.3? Not on mine. Loads the page.

    10.3.0.296.

    Or do you mean the Android browser or Firefox?
    Firefox on 10.3
    05-19-14 08:28 AM
  8. ofutur's Avatar
    If you do a quick google search, then yep, you find probably only 10-15 VPN providers and only 3-4 of them support BlackBerry.
    And out of these 3-4, you should check which of their servers support connections from BlackBerry. Witopia seems OK, but PureVPN would not be a good option.
    And for some people, there is the problem of where the company is located. Witopia is US based.
    05-19-14 09:26 AM
  9. Superdupont 2_0's Avatar
    And out of these 3-4, you should check which of their servers support connections from BlackBerry. Witopia seems OK, but PureVPN would not be a good option.
    And for some people, there is the problem of where the company is located. Witopia is US based.
    It's funny that you say that, because I chose Purevpn.

    Purevpn supports Blackberry (over IKEv2) with servers in the USA, Canada and Romania.
    If your comment is aiming at the problem with the 5-Eyes (NSA, CSEC...), Witopia is a no-no, because of this problem:

    U.S. VPN provider shuts consumer service in response to Lavabit case | PCWorld

    But to be honest, I chose Purevpn over Witopia for other reasons (service packages, prices, etc etc....)
    My first concerns are criminals and insecure hotspots, while Purevpn appears to be neither criminal nor insecure.
    Actually, Playbook and Q5 are running smoothly over Purevpn and instead of dozens of local sysadmins, I have to keep an eye only on Purevpn.

    If one really wants to hide information from agencies, you have to run your own servers (BES, VPN) and vote for other politicians.
    Or even better: Don't use smartphones. Really.


    Did some very, very unobtrusive tiny ping probes yesterday to check the (server side) firewall for my assigned IP (it's filtered).
    And while connected to Purevpn, I can still see the green lock on sites like this https://www.grc.com/fingerprints.htm

    Tried to find some stuff about hacking "IKEv2" "EAP-MS CHAPv2", but didn't find anything significant.
    Last edited by Superdupont 2_0; 05-19-14 at 11:47 AM. Reason: Corrected server location of Purevpn
    ofutur likes this.
    05-19-14 10:19 AM
  10. Ragbert's Avatar
    Great thread. I've been a fan of Steve Gibson since I first dialed up to the internet on a Windows 3.1 machine.

    Running 10.2.1, the Evolution Browser passes the test and blocks the revoked page. But the built-in BlackBerry browser fails and gets the red warning on that page.

    Evolution screenshot: Attachment 271934

    Oops, Firefox on Android 4.2.2 does indeed pass the test on https://revoked.grc.com/
    Posted with my Q10, SQN100-2, 10.2.1.2947/2274 Radio
    05-19-14 10:28 AM
  11. ofutur's Avatar
    It's funny that you say that, because I chose Purevpn.

    Purevpn supports Blackberry (over IKEv2) with servers in the USA, UK and Canada.
    If your comment is aiming at the problem with the 5-Eyes (NSA, GCHQ, CSEC...), Witopia is a no-no, because of this problem:

    U.S. VPN provider shuts consumer service in response to Lavabit case | PCWorld

    But to be honest, I chose Purevpn over Witopia for other reasons (service packages, prices, etc etc....)
    My first concerns are criminals and insecure hotspots, while Purevpn appears to be neither criminal nor insecure.
    Actually, Playbook and Q5 are running smoothly over Purevpn and instead of dozens of local sysadmins, I have to keep an eye only on Purevpn.

    If one really wants to hide information from agencies, you have to run your own servers (BES, VPN) and vote for other politicians.
    Or even better: Don't use smartphones. Really.


    Did some very, very unobtrusive tiny ping probes yesterday to check the (server side) firewall for my assigned IP (it's filtered).
    And while connected to Purevpn, I can still see the green lock on sites like this https://www.grc.com/fingerprints.htm

    Tried to find some stuff about hacking "IKEv2" "EAP-MS CHAPv2", but didn't find anything significant.
    Do you have access to UK servers over IKE2? Their list is unclear on that. Still it's only a handful of countries and not the ones with stronger data privacy rules such as Switzerland, but you're absolutely right about the fact that the use of a VPN on a smartphone is mainly to prevent local thugs to steal too much info. We're pretty powerless against a large government agency, even with BES and VPNs don't prevent the heavy tracking and profiling going on at the other end of the tunnel, but there is Tor for that (10.3 only).
    Superdupont 2_0 likes this.
    05-19-14 10:44 AM
  12. Superdupont 2_0's Avatar
    Great thread. I've been a fan of Steve Gibson since I first dialed up to the internet on a Windows 3.1 machine.

    Running 10.2.1, the Evolution Browser passes the test and blocks the revoked page. But the built-in BlackBerry browser fails and gets the red warning on that page.

    Evolution screenshot: Attachment 271934
    Yeah, his website could become my new startpage!
    I have problems viewing your screenshot.

    Actually, when I visit https://revoked.grc.com/ with Evolution Browser (OS 10.2.1) it doesn't pass the test.


    Attachment: grc_-evolution-browser.png
    05-19-14 11:42 AM
  13. Superdupont 2_0's Avatar
    Do you have access to UK servers over IKE2? Their list is unclear on that. Still it's only a handful of countries and not the ones with stronger data privacy rules such as Switzerland, ...
    Sorry, I checked it again and actually I don't have access to UK servers over IKEv2.
    The third server location is Romania!

    Will correct my post on this.
    05-19-14 11:45 AM
  14. Ragbert's Avatar
    That's strange - I can't see the screenshot in your original post either, but it shows up in the quote now; silly CB10. *sigh*

    I wonder if the settings in the Evolution browser affect how it reacts to that page.
    Yeah, his website could become my new startpage!
    I have problems viewing your screenshot.

    Actually, when I visit https://revoked.grc.com/ with Evolution Browser (OS 10.2.1) it doesn't pass the test.

    Attachment 271947: GRC_ Evolution Browser.png
    Posted with my Q10, SQN100-2, 10.2.1.2947/2274 Radio
    05-19-14 02:05 PM
  15. whatever-berry's Avatar
    Use SSH to the company server, forward the ports you need (tunnels) to localhost from the remote network, and enjoy da secure whatever ;-)
    05-19-14 04:17 PM
  16. Omnitech's Avatar
    I wonder if the settings in the Evolution browser affect how it reacts to that page.

    I can't see any obviously relevant settings, the only things that seem remotely possible are "Ad Blocker", "Lightning browsing", "Enable Javascript" or perhaps "Private browsing".
    05-19-14 06:44 PM
  17. Ragbert's Avatar
    Same here, Omni. I have all of those enabled, except "Lightning Browsing" because frankly, I don't know what it is, lol.
    The rest of the settings are cosmetic only, as far as I can tell.

    I can't see any obviously relevant settings, the only things that seem remotely possible are "Ad Blocker", "Lightning browsing", "Enable Javascript" or perhaps "Private browsing".


    Posted with my Q10, SQN100-2, 10.2.1.2947/2274 Radio
    05-19-14 07:12 PM
  18. Omnitech's Avatar
    Same here, Omni. I have all of those enabled, except "Lightning Browsing" because frankly, I don't know what it is, lol.

    IIRC it has to do with replacing some of the current page's script code with pre-compiled things to make it load faster. (With the tradeoff that sometimes it may not exactly mimic the raw code.)
    05-19-14 09:59 PM
  19. Ragbert's Avatar
    That's about what I was guessing, too. I think I'll leave it off. I prefer to see the results of actual code on a web page, esp. if testing my own code.

    IIRC it has to do with replacing some of the current page's script code with pre-compiled things to make it load faster. (With the tradeoff that sometimes it may not exactly mimic the raw code.)
    Posted with my Q10, SQN100-2, 10.2.1.2947/2274 Radio
    05-20-14 01:26 PM
  20. Superdupont 2_0's Avatar
    ...even with BES and VPNs don't prevent the heavy tracking and profiling going on at the other end of the tunnel, but there is Tor for that (10.3 only).

    Never gets old: What's your score on https://panopticlick.eff.org/ with Tor on 10.3?

    My Q5 (10.2) native browser's fingerprint is unique among the 4,152,566 tested so far!
    Get the same result with Evolution Browser (js and cookies disabled).
    05-25-14 02:08 PM
  21. ofutur's Avatar
    Never gets old: What's your score on https://panopticlick.eff.org/ with Tor on 10.3?

    My Q5 (10.2) native browser's fingerprint is unique among the 4,152,566 tested so far!
    Get the same result with Evolution Browser (js and cookies disabled).
    Yeah, that site is scary, but I can't load it on 10.3 as it uses an invalid certificate

    "Snap" is the best stop-gap solution for Android apps while we wait for BlackBerry to get its act together...
    05-25-14 06:25 PM
  22. Richard Buckley's Avatar
    Yeah, that site is scary, but I can't load it on 10.3 as it uses an invalid certificate

    "Snap" is the best stop-gap solution for Android apps while we wait for BlackBerry to get its act together...
    The certificate is not invalid. It is signed by StartCom Ltd, but their CA certificate is not in the BB10 trusted list. Firefox and Chrome on Windows 7 accept it.

    One thing that is scary is that it has a Java plug-in. When you try to load that on Chrome/Win7 it does say that the certificate is invalid, but under more information the reason is that the Root CA is not trusted.

    This is one of the big problems with the current system: who decides which CAs should be trusted?

    Posted via CB10
    05-25-14 07:26 PM
  23. Superdupont 2_0's Avatar
    The certificate is not invalid. It is signed by StartCom Ltd, but their CA certificate is not in the BB10 trusted list. Firefox and Chrome on Windows 7 accept it.

    One thing that is scary is that it has a Java plug-in. When you try to load that on Chrome/Win7 it does say that the certificate is invalid, but under more information the reason is that the Root CA is not trusted.

    This is one of the big problems with the current system: who decides which CAs should be trusted?

    Posted via CB10
    May I suggest...

    Option 1: One starts with the man in the mirror and untrusts certificates in the settings.

    Option 2: Approach the industry with suggestions, e.g. these people here https://cabforum.org/ca-practices/


    By the way, in the BB 10 browser one can click "site Info" > "More Info" > "Learn more", where icons are explained. It seems that BlackBerry is not totally unaware of the problem.

    Attachment: bb-10_site-info_more-info_learn-more.png


    However, when I visit https://test-sspev.verisign.com:2443...-verisign.html I get that green lock in my browser???


    Attachment: another-revoked-cert-test.png



    Uhm, they are still working on 10.3, so no pressure.

    I will probably move to Firefox on 10.3, although I speculate this move won't be necessarily the best solution, when I compare the number of CVE records Firefox alone vs. BlackBerry Ecosystem.
    05-27-14 10:57 AM
  24. Richard Buckley's Avatar
    May I suggest...

    Option 1: One starts with the man in the mirror and untrusts certificates in the settings.

    Option 2: Approach the industry with suggestions, e.g. these people here https://cabforum.org/ca-practices/


    By the way, in the BB 10 browser one can click "site Info" > "More Info" > "Learn more"…where icons are explained. It seems that BlackBerry is not totally unaware of the problem.

    Attachment 274143: BB 10_site Info_More Info_Learn more.png


    However, when I visit https://test-sspev.verisign.com:2443...-verisign.html I get that green lock in my browser???


    Attachment 274144: Another revoked cert test.png



    Uhm, they are still working on 10.3, so …no pressure.

    I will probably move to Firefox on 10.3, although I speculate this move won't be necessarily the best solution, when I compare the number of CVE records “Firefox alone” vs. “BlackBerry Ecosystem”.
    My question was rhetorical, but good points.

    Revocation checking by mobile browsers is not widespread, primarily it seems because the certificate revocation lists are very large. There are tens of thousands of certificates revoked on a daily basis. What we really need is OCSP Stapling. For now Firefox really is the leading browser in the mobile space for this issue.
    Last edited by Richard Buckley; 05-27-14 at 11:48 AM. Reason: s
    05-27-14 11:47 AM
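    The two questions raised in this thread, the trust-store one from Richard Buckley's earlier post (is the issuing CA in the device's trusted list at all?) and the revocation one from the post above (is the certificate on the issuer's CRL?), as an added Go example. This is not code from the thread, from BlackBerry or from GRC: it mints a constructed toy root CA, a leaf for the made-up name revoked.example and a CRL that revokes that leaf, all in memory with the standard library, and then shows that chain validation and revocation checking are separate steps. A chain can verify perfectly against a trust store while the certificate is revoked, which is exactly how a browser that never consults the CRL ends up showing a green lock on revoked.grc.com.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ToyPKI is a constructed hierarchy, not a real CA: one root, one leaf, one CRL revoking the leaf.
type ToyPKI struct {
	Root   *x509.Certificate
	Leaf   *x509.Certificate
	CRLDER []byte
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func BuildToyPKI() *ToyPKI {
	now := time.Now()
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Toy Root CA (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	check(err)
	root, err := x509.ParseCertificate(rootDER) // parsed copy carries the generated SubjectKeyId
	check(err)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242),
		Subject:      pkix.Name{CommonName: "revoked.example"},
		DNSNames:     []string{"revoked.example"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey)
	check(err)
	leaf, err := x509.ParseCertificate(leafDER)
	check(err)
	// The CA revokes the leaf: its serial number goes onto a signed, dated CRL.
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          now,
		NextUpdate:          now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}},
	}, root, rootKey)
	check(err)
	return &ToyPKI{Root: root, Leaf: leaf, CRLDER: crlDER}
}

// ChainTrusted asks question one: can a path be built from the leaf to a root in
// this trust store? An empty pool models a device whose store lacks the issuing CA.
func ChainTrusted(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// IsRevoked asks question two, the one a browser without revocation checking
// skips: authenticate the CRL, refuse a stale one, then look up the leaf's serial.
func IsRevoked(leaf, issuer *x509.Certificate, crlDER []byte) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil || time.Now().After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL unusable (signature error: %v, NextUpdate: %s)", err, crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	p, store := BuildToyPKI(), x509.NewCertPool()
	store.AddCert(p.Root)
	fmt.Println("CA in store:   ", ChainTrusted(p.Leaf, store, "revoked.example"))
	fmt.Println("CA not in store:", ChainTrusted(p.Leaf, x509.NewCertPool(), "revoked.example"))
	fmt.Println(IsRevoked(p.Leaf, p.Root, p.CRLDER))
}
```

    With the root in the pool, ChainTrusted returns nil even though the leaf is on the CRL; with an empty pool it fails with an UnknownAuthorityError, the StartCom situation from earlier in the thread. Only IsRevoked turns the CRL into a verdict, and it refuses a CRL that is not signed by the issuer or is past its NextUpdate rather than treating an unverifiable list as "not revoked".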
  25. Superdupont 2_0's Avatar
    While BBM is using only TLS 1.0, it's actually not as bad as I thought.

    Interesting read here: https://os3.nl/_media/2013-2014/cour...bbm_report.pdf

    One of the reasons their MITM attack failed was "(Un)fortunately, the client forces the use of TLS 1.0, which makes downgrading of the cipher suite impossible by including a hash over the handshake and key-material".


    Which seems to match the whitepaper from BlackBerry well.


    For non-BES users who desperately want end-to-end encryption for BBM there is an app (that I have not tested yet): PGpgp - BlackBerry World
    06-02-14 06:03 AM