WoSign and Let's Encrypt CA certificates for Blackberry

As you may know, there are now two certificate authorities who issue X.509 certificates for free, which many HTTPS websites use. They work in all major browsers and operating systems, but unfortunately not on Blackberry.
By installing the attached certificates you'll get rid of the "Site Blocked" message on some websites.
Attached file: certs.zip (5.3 KB)
02-16-16 11:54 PM

Thank you very much for the tip, and I'm sure you are well meaning. But it is a very bad security practice to accept any Certificate Authority certificate from an unknown source such as an anonymous poster on a forum site. People should really go to the source. If you want to help, you should describe how they can get the certificate for themselves from the original source.
LeapSTR100-2/10.3.2.2876, 02-17-16 06:39 AM

Yes, I perfectly understand you and had a thought about whether I should upload it or give links.
The problem is that you can't download the IdenTrust certificate (which is used by Let's Encrypt) in PEM format from their website (the one in the archive was extracted from a browser while accessing helloworld.letsencrypt.org), and the WoSign certificates are in PEM format but with a .crt extension, which BlackBerry won't import.
The WoSign certificates are the same as on the page wosign dot com/english/root.htm (can't post links yet).
02-17-16 07:22 AM

Yes.
But just as a passport has security features so that border guards can authenticate them, a client needs some way to authenticate the server certificate. If your device doesn't have the certificate that matches the identity of the organisation that signed the server certificate, it cannot authenticate the server.
LeapSTR100-2/10.3.2.2876, 02-19-16 04:29 AM

Given that virus peddlers are using Let's Encrypt certs, I'm not so keen to upload their root store.
I run a few websites and have no plans on using Let's Encrypt. I have a self signed cert for email and that is all I need.
Posted via CB10, 02-19-16 09:22 AM

Using self signed certificates for personal sites and keeping your list of Root CAs small are both wise choices.
LeapSTR100-2/10.3.2.2876, 02-19-16 04:33 PM

When you have CAs like the Hong Kong Post Office, the whole system is a little shady.
But aren't we mixing information assurance and encryption? Even a self signed cert provides encryption. But you don't know for sure who you are talking to.
I set up DKIM for email. That seems like a great way to authenticate yourself. I suppose DNSSEC is the same thing for websites, though I haven't used it.
Posted via CB10, 02-19-16 10:58 PM

The point of having a domain validation certificate is two fold, site authenticity and encryption. If you only want encryption you don't even need self signed certificates. The browser generates a random key pair each time it connects to a server. A server could do the same thing, generate a new key pair for each connection. Browsers would complain, but there are ways around that, and they complain about self signed certificates if you don't take appropriate steps. The net result is that having secure encryption to the wrong entity isn't much use.
DNSSEC can ensure you get the right IP address for a domain name, but it can't ensure you are actually connected to that IP address. In situations where DNSSEC is necessary, site authentication is also necessary to prevent a number of attacks. Domain validation is assurance that the service you are talking to is the one associated with the domain name, not a MiM.
DKIM is only to provide assurance that an email message found in the wild is from where it says it is from. It doesn't validate the server you are talking to to get the email.
You are entitled to do whatever you want, but setting up encryption systems is very difficult. The smallest mistake can allow an attacker to completely nullify your work.
LeapSTR100-2/10.3.2.2876, 02-20-16 06:16 AM

I'm not. The reason I raised the issue is that downloading the CA certificate from an unauthenticated source breaks site validation.
I'm really not sure why you repeated what I said about certs, but uh thanks I guess.
Posted via CB10, 02-20-16 10:40 AM

Might I ask you where and who would give you a certificate for free?
Do you trust and sleep peacefully at night?
Posted via CB10, 02-20-16 11:11 AM

DKIM is on my DNS server, but my mail server also has the key. Sure looks locked to me. I have run my mail server through a number of verification services. Other than DANE, I'm running as much security as possible, plus I have no port 80 means to access my mail. Trust me, any email with port 80 access is not secure.
But remember that this started with you replying:
LeapSTR100-2/10.3.2.2876, 02-20-16 04:23 PM

I know the proper way of doing things. Let's Encrypt is anything but standard. You would have to be an ***** to use it since they have some daemon you need to run to automatically get the cert updated. I call that a back door into my server. I use no 3rd party services. I minimize vectors.
So yeah, I know what I'm doing. Have a nice day.
Posted via CB10, 02-20-16 07:43 PM

You also seem to be less than impressed by the system, so why then do you suggest trusting a certificate from a site provisioned by Let's Encrypt without even using the CA, since, as you suggest, that could lead to trusting a certificate from a site that has been "back doored"?
LeapSTR100-2/10.3.2.2876, 02-21-16 08:27 AM

You should not have to extract the certificate from a browser. You just need to know which Certificate Authority is signing them. The CA will have a way to get their certificate in all standard formats in a secure way, probably by downloading them from an HTTPS server.
For all the popularity and hype surrounding Let's Encrypt I have yet to come across a site using it so I'm not sure which CA they are using.
LeapSTR100-2/10.3.2.2876, 06-08-16 03:58 AM

Hi,
One of the bigger rollouts is related to wordpress.com; they have started to use Let's Encrypt certificates for the hosted domains (https://en.blog.wordpress.com/2016/0...ess-com-sites/) in an automatic way.
Let's Encrypt's intermediate is currently being cross signed with the one from IdenTrust (CN=DST Root CA X3, O=Digital Signature Trust Co.) until their own will be incorporated into the major trust stores (ms, apple, nss,...). There were some critical acclaims in advance concerning the compliance audit and report but this has been resolved. In addition they submit all issued certificates to CT logs and anyone can take a look at it via https://crt.sh/
Whichever way you look at it, Let's Encrypt does provide certificates in an easy way for people who are either not that familiar with certificate administration or are in need of automated processing, or for whatever other reason. Not for nothing have they issued almost 3m certificates since their official launch in April 2016.
Edit: wrong wording. 4.4m overall including the beta phase since nov/dec 2015 (https://plot.ly/~letsencrypt/9/daily-activity/)
Last edited by jd smithers; 06-08-16 at 01:32 PM.
06-08-16 12:47 PM

Hi,
Back to topic: can someone explain how to export the LE CA (e.g. from a common browser), convert, and import into BBQ10?
- Copy the content of the text box into a new text file
- Insert at the beginning "-----BEGIN CERTIFICATE-----" (without the quotes)
- Insert at the end "-----END CERTIFICATE-----" (without the quotes)
- Should look like
- Save it as identrust-root.pem (or whatever name you like, but with a .pem ending)
- Copy it over to the mobile phone
- Open it in the File Manager and click Import in the top right corner
- Open the Browser on the phone and go to helloworld.letsencrypt.org; it should open and show a lock icon; you may verify in the site information that the correct certificate chain is being used.
That should cover the necessary steps.
06-08-16 01:27 PM

JD Smithers did some excellent work there. Most of it should be unnecessary though. Since Let's Encrypt created their own Root and Intermediate certificates, which are available in PEM format, it should be sufficient to download one, or all of them, open with the file manager and install.
The cross signing is only used until the Let's Encrypt certificates are accepted. If you accept them directly, then you are done.
Edit:
The first certificate on the page is the Let's Encrypt Root, also called ISRG. Importing that should be all you need to do.
LeapSTR100-2/10.3.2.2876, 06-08-16 05:29 PM

Hi,
just browse to the linked info page from IdenTrust https://www.identrust.com/certificat...wnload-x3.html (mentioned on the Let's Encrypt page https://letsencrypt.org/certificates/)
That should cover the necessary steps.
Sent from my $smartphone with tapatalk, 06-09-16 01:14 AM

"they have some daemon"... yeah... you really have no idea how Let's Encrypt certificate renewal works, do you? And yet you claim you know what you are doing. For one thing you aren't forced to use their renewal tool at all; feel free to write your own, I did.
Secondly, the automated certificate issuance uses a very secure technique (ACME) to ensure you actually own the site you are requesting a certificate for. The method used would only allow someone else to obtain a cert in your name if your site was already compromised anyway. The ACME protocol is open source and anybody can write a client. If you ACTUALLY knew what you were talking about you would know that.
https://letsencrypt.org/how-it-works/
Finally, Let's Encrypt is EXPLODING in popularity among small, medium, and large sites and services. If it is so dodgy why do the latest versions of ALL popular browsers include ISRG (Let's Encrypt) certificate trust?
So yeah, you only THINK you know what you are doing. Have a nice day.
Posted via CB10, 10-08-16 01:39 PM

Until BlackBerry 10.3.3 rolls out, which will have Let's Encrypt trust built in, to get full support of all possible ways a site might be signed with an LE certificate you actually need to import seven certs from Let's Encrypt and one from IdenTrust. You can get away with less for 90% of sites but several of them provide redundancy in case some of the trust chain goes down.
If you are running BlackBerry 10.3 - 10.3.2 you can import all eight certs with just two clicks using my totally free multiCERT app from BlackBerry World. https://appworld.blackberry.com/webs...tent/59999147/
Cheers
10-08-16 01:47 PM
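The import procedure in the thread (copy the base64 body from the IdenTrust page, add the BEGIN/END lines, save as .pem, import) and LeapSTR100-2's point that a CA certificate from an unauthenticated source breaks site validation come down to one check: make sure the bytes you are about to trust are exactly the certificate the CA publishes. The following Python is an added example, not code from the thread, from BlackBerry, or from IdenTrust or Let's Encrypt. It wraps a pasted base64 body into a well-formed PEM file, checks that the decoded DER is a single complete SEQUENCE (so a truncated or over-long paste is caught before import), and refuses the import unless the SHA-256 fingerprint matches a value obtained separately, for a root CA from the CA's own page over HTTPS or from a browser's certificate viewer. The certificate bytes and the "published" fingerprint below are constructed for the demo, not a real certificate.

```python
import base64
import hashlib
import hmac
import re

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def wrap_pem(base64_body: str) -> str:
    """Turn the base64 text copied from a CA's download page into a PEM file.
    Copy/paste whitespace and line breaks are dropped, the base64 is re-wrapped
    at 64 columns (RFC 7468), and the BEGIN/END lines are added."""
    compact = re.sub(r"\s+", "", base64_body)
    lines = [compact[i:i + 64] for i in range(0, len(compact), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and decode the DER. Raises ValueError on bad base64
    or a missing BEGIN/END line (the symptom of a half-finished paste)."""
    body = pem.strip()
    if not (body.startswith(PEM_HEADER) and body.endswith(PEM_FOOTER)):
        raise ValueError("not a PEM CERTIFICATE block")
    inner = body[len(PEM_HEADER):-len(PEM_FOOTER)]
    return base64.b64decode(re.sub(r"\s+", "", inner), validate=True)


def der_outer_length(der: bytes):
    """Parse the outer DER header (SEQUENCE tag 0x30, then a short- or long-form
    length) and return (content length, header length)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("DER does not start with a SEQUENCE tag")
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        return first, 2
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("indefinite or oversized DER length")
    length = int.from_bytes(der[2:2 + n], "big")
    if length < 0x80:
        raise ValueError("non-minimal DER length encoding")
    return length, 2 + n


def der_is_complete(der: bytes) -> bool:
    """An X.509 certificate is exactly one SEQUENCE, so the length in the header
    must fill the buffer: shorter means truncated, longer means junk appended.
    Both happen when a certificate is copied out of a web page by hand."""
    try:
        length, header = der_outer_length(der)
    except ValueError:
        return False
    return header + length == len(der)


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, the form CA pages and browser
    certificate viewers display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def safe_to_import(pem: str, expected_fingerprint: str) -> bool:
    """Gate the device import on an out-of-band fingerprint, never on the file
    alone: a root CA cannot be validated by the trust store it is about to join."""
    try:
        der = pem_to_der(pem)
    except ValueError:
        return False
    if not der_is_complete(der):
        return False
    got = sha256_fingerprint(der).replace(":", "").lower()
    want = expected_fingerprint.replace(":", "").lower()
    return hmac.compare_digest(got, want)


# Constructed demo "certificate": a well-formed outer DER SEQUENCE holding 300 bytes
# of filler, not a real X.509 certificate. Real input is the base64 from the CA page.
DEMO_DER = bytes([0x30, 0x82, 0x01, 0x2C]) + bytes(range(256)) + bytes(44)
_b64 = base64.b64encode(DEMO_DER).decode("ascii")
# What a copy/paste from a web page tends to look like: indented, 76-column lines.
DEMO_PASTE = "  " + "\n".join(_b64[i:i + 76] for i in range(0, len(_b64), 76)) + "\n"
DEMO_FINGERPRINT = sha256_fingerprint(DEMO_DER)   # stands in for the CA-published value

if __name__ == "__main__":
    pem = wrap_pem(DEMO_PASTE)
    print(pem, end="")
    print("fingerprint:", DEMO_FINGERPRINT)
    print("import ok:", safe_to_import(pem, DEMO_FINGERPRINT))
    truncated = wrap_pem(base64.b64encode(DEMO_DER[:-1]).decode("ascii"))
    print("truncated paste ok:", safe_to_import(truncated, DEMO_FINGERPRINT))
```

The fingerprint comparison is the step the thread's warning is about: the .pem on the phone says nothing about who produced it, so the expected value has to come from a channel you already trust (the CA's HTTPS page, or the certificate viewer of a desktop browser that already ships the root), and it is compared in constant time out of habit rather than need.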
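On the ACME point raised above ("ensure you actually own the site you are requesting a certificate for"): ownership is proven with a challenge bound to the ACME account key, not by any renewal daemon having access to the server. The following Python is an added example, not the thread's, Let's Encrypt's or any ACME client's own code, of the HTTP-01 challenge arithmetic from RFC 8555: the client computes the key authorization (the CA's token, a dot, and the RFC 7638 thumbprint of its account key) and serves it at /.well-known/acme-challenge/<token>; the CA fetches that URL and compares. The token and the P-256 public-key coordinates below are constructed values, not a real key or a real challenge.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE and ACME encode binary values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# RFC 7638: only these members, in this (lexicographic) order, feed the thumbprint.
REQUIRED_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the compact JSON of the required public members only.
    Optional members (kid, alg, use, ...) are ignored, so every serialisation
    of the same key yields the same thumbprint."""
    members = {name: jwk[name] for name in REQUIRED_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || thumbprint(account key). The token
    comes from the CA; only the holder of the account key that opened the order
    can produce the matching string, so a stray file on a web root proves nothing."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def challenge_path(token: str) -> str:
    """Where the client must serve the key authorization (RFC 8555 section 8.3)."""
    return f"/.well-known/acme-challenge/{token}"


def validate_http01(served_body: str, token: str, account_jwk: dict) -> bool:
    """The CA side: after fetching http://<domain><challenge_path> over plain HTTP,
    compare the body with the key authorization recomputed from the account key
    on file. RFC 8555 lets the server ignore trailing whitespace, nothing else."""
    return served_body.rstrip() == key_authorization(token, account_jwk)


# Constructed demo values: not a real ACME token and not a real P-256 key.
DEMO_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
ACCOUNT_KEY = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(bytes(range(1, 33))),
    "y": b64url(bytes(range(33, 65))),
}
OTHER_KEY = dict(ACCOUNT_KEY, y=b64url(bytes(range(65, 97))))   # someone else's key

if __name__ == "__main__":
    body = key_authorization(DEMO_TOKEN, ACCOUNT_KEY)
    print("serve at :", challenge_path(DEMO_TOKEN))
    print("body     :", body)
    print("CA accepts own key   :", validate_http01(body + "\n", DEMO_TOKEN, ACCOUNT_KEY))
    print("CA accepts other key :", validate_http01(body, DEMO_TOKEN, OTHER_KEY))
```

The thumbprint is why the key authorization cannot be forged by a third party who merely sees the token: the CA ties the challenge to the account that asked for it, and the account key never leaves the client. An attacker who can already write to your web root could pass this check for their own account, which is the "only if your site was already compromised" caveat the post makes.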