10-24-16 04:33 PM
31 12
tools
  1. ValdikSS's Avatar
    As you may know, there are now two certificate authorities who issue X.509 certificates for free, which many HTTPS websites use. They work in all major browsers and operating systems, but unfortunately not on Blackberry.
    By installing attached certificates you'll get rid of "Site Blocked" message on some websites.
    Attached Files
    02-16-16 11:54 PM
  2. Richard Buckley's Avatar
    Thank you very the tip, and I'm sure you are well meaning. But it is a very bad security practice to accept any Certificate Authority certificate from an unknown source such as an anonymous poster on a forum site. People should really go to the source. If you want to help, you should describe how they can get the certificate for themselves from the original source.

    LeapSTR100-2/10.3.2.2876
    polytan02 likes this.
    02-17-16 06:39 AM
  3. ValdikSS's Avatar
    Yes, I perfectly understand you and had a thought if I should upload it or give a links.
    The problem is that you can't download IdenTrust (which is used by Let's Encrypt) certificate in PEM format on their website (that one that's in the archive had been extracted from browser while accessing helloworld.letsencrypt.org) and WoSign certificates are in PEM format but with .crt extension, which won't be imported by BlackBerry.

    WoSign certificates are the same as on the page
    wosign dot com/english/root.htm
    (can't post links yet)
    02-17-16 07:22 AM
  4. gariac's Avatar
    I'm lost here. Isn't Let's Encrypt for servers?



    Posted via CB10
    02-18-16 08:25 PM
  5. Richard Buckley's Avatar
    Yes.

    But just as a passport has security features so that border guards can authenticate them, a client needs some way to authenticate the server certificate. If your device doesn't have the certificate that matches the identity of the organisation that signed the server certificate, it can not authenticate the server.

    LeapSTR100-2/10.3.2.2876
    02-19-16 04:29 AM
  6. gariac's Avatar
    Yes.

    But just as a passport has security features so that border guards can authenticate them, a client needs some way to authenticate the server certificate. If your device doesn't have the certificate that matches the identity of the organisation that signed the server certificate, it can not authenticate the server.

    LeapSTR100-2/10.3.2.2876
    Eh, that is like dealing with the military websites without having the DoD root store. For most of the stuff on Let's Encrypt, you can just trust the cert when you first encounter the website, right?

    Given that virus peddlers are using Let's Encrypt certs, I'm not so keen to upload their root store.

    I run a few websites and have no plans on using Let's Encrypt. I have a self signed cert for email and that is all I need.



    Posted via CB10
    02-19-16 09:22 AM
  7. Richard Buckley's Avatar
    Eh, that is like dealing with the military websites without having the DoD root store. For most of the stuff on Let's Encrypt, you can just trust the cert when you first encounter the website, right?
    You can, but how do you know that you are accepting the certificate that is actually from the site? The answer is you don't. Just like if you download the certificate from the link in the OP. How do you know if it is legitimate? You don't.

    Given that virus peddlers are using Let's Encrypt certs, I'm not so keen to upload their root store.

    I run a few websites and have no plans on using Let's Encrypt. I have a self signed cert for email and that is all I need.


    Posted via CB10
    Indeed, if you make the certificate, then you can validate it. But you would have a more difficult time validating a self signed certificate I made. That is the issue let's encrypt was set up to solve. Unfortunately the EFF has to some degree let their zeal for ubiquitous encryption blind them to the problem that automatically generated certificates would suffer from similar problems to automatically generated email accounts that have all but disappeared.

    Using self signed certificates for personal sights and keeping your list of Root CAs small are both wise choices.


    LeapSTR100-2/10.3.2.2876
    02-19-16 04:33 PM
  8. gariac's Avatar
    When you have CAs like the Hong Kong Post Office, the whole system is a little shady.

    But aren't we mixing information assurance and encryption? Even a self signed cert provides encryption. But you don't know for sure who you are talking to.

    I set up DKIM for email. That seems like a great way to authenticate yourself. I suppose DNSSEC is the same thing for websites, though I haven't used it.

    Posted via CB10
    02-19-16 10:58 PM
  9. Richard Buckley's Avatar
    When you have CAs like the Hong Kong Post Office, the whole system is a little shady.

    But aren't we mixing information assurance and encryption? Even a self signed cert provides encryption. But you don't know for sure who you are talking to.

    I set up DKIM for email. That seems like a great way to authenticate yourself. I suppose DNSSEC is the same thing for websites, though I haven't used it.

    Posted via CB10
    I'm not. The reason I raised the issue is that by downloading the CA certificate from an unauthenticated source breaks site validation.

    The point of having a domain validation certificate is two fold, site authenticity and encryption. If you only want encryption you don't even need self signed certificates. The browser generates a random key pair each time it connects to a server. A server could do the same thing, generate a new key pair for each connection. Browsers would complain, but there are ways around that, and they complain about self signed certificates if you don't take appropriate steps. The net result is that having secure encryption to the wrong entity isn't much use.

    DNSSEC can ensure you get the right IP address for a domain name, but it can't ensure you are actually connected to that IP address. In situations where DNSSEC is necessary, site authentication is also necessary to prevent a number of attacks. Domain validation is assurance that the service you are talking to is the one associated with the domain name, not a MiM.

    DKIM is only to provide assurance that an email message found in the wild is from where it says it is from. It doesn't validate the server you are talking to to get the email.

    You are entitled to do what ever you want, but setting up encryption systems is very difficult. The smallest mistake can allow an attacker the completely nullify your work.

    LeapSTR100-2/10.3.2.2876
    02-20-16 06:16 AM
  10. gariac's Avatar
    I'm not. The reason I raised the issue is that by downloading the CA certificate from an unauthenticated source breaks site validation.

    The point of having a domain validation certificate is two fold, site authenticity and encryption. If you only want encryption you don't even need self signed certificates. The browser generates a random key pair each time it connects to a server. A server could do the same thing, generate a new key pair for each connection. Browsers would complain, but there are ways around that, and they complain about self signed certificates if you don't take appropriate steps. The net result is that having secure encryption to the wrong entity isn't much use.

    DNSSEC can ensure you get the right IP address for a domain name, but it can't ensure you are actually connected to that IP address. In situations where DNSSEC is necessary, site authentication is also necessary to prevent a number of attacks. Domain validation is assurance that the service you are talking to is the one associated with the domain name, not a MiM.

    DKIM is only to provide assurance that an email message found in the wild is from where it says it is from. It doesn't validate the server you are talking to to get the email.

    You are entitled to do what ever you want, but setting up encryption systems is very difficult. The smallest mistake can allow an attacker the completely nullify your work.

    LeapSTR100-2/10.3.2.2876
    DKIM is on my DNS server, but my mail server also has the key. Sure looks locked to me. I have run my mail server through a number of verification services. Other than DANE, I'm running as much security ad possible, plus I have no port 80 means to access my mail. Trust me, any email with port 80 access is not secure.

    I'm really not sure why you repeated what I said about certs, but uh thanks I guess.


    Posted via CB10
    02-20-16 10:40 AM
  11. albertinik's Avatar
    Might I ask you where and who would give you a certificate for free.

    Do you trust and sleep peacefully at night?


    As you may know, there are now two certificate authorities who issue X.509 certificates for free, which many HTTPS websites use. They work in all major browsers and operating systems, but unfortunately not on Blackberry.
    By installing attached certificates you'll get rid of "Site Blocked" message on some websites.


    Posted via CB10
    02-20-16 11:11 AM
  12. Richard Buckley's Avatar
    Might I ask you where and who would give you a certificate for free.

    Do you trust and sleep peacefully at night?






    Posted via CB10
    https://www.startssl.com/

    LeapSTR100-2/10.3.2.2876
    02-20-16 04:12 PM
  13. Richard Buckley's Avatar
    DKIM is on my DNS server, but my mail server also has the key. Sure looks locked to me. I have run my mail server through a number of verification services. Other than DANE, I'm running as much security ad possible, plus I have no port 80 means to access my mail. Trust me, any email with port 80 access is not secure.

    I'm really not sure why you repeated what I said about certs, but uh thanks I guess.


    Posted via CB10
    Well then don't let me stop you, you seem to be an expert.

    But remember that this started with you replying:

    I'm lost here. Isn't Let's Encrypt for servers?

    And you brought up DKIM and the rest. I just don't want people thinking that downloading a CA certificate from an unauthenticated source is a good idea.


    Posted via CB10
    LeapSTR100-2/10.3.2.2876
    02-20-16 04:23 PM
  14. gariac's Avatar
    Well then don't let me stop you, you seem to be an expert.

    But remember that this started with you replying:



    LeapSTR100-2/10.3.2.2876
    I know the proper way of doing things. Let's Encrypt is anything but standard. You would have to be an ***** to use it since they have some daemon you need to run to automatically get the cert updated. I call that a back door into my server. I use no 3rd party services. I minimize vectors.

    So yeah, I know what I'm doing. Have a nice day.


    Posted via CB10
    02-20-16 07:43 PM
  15. Richard Buckley's Avatar
    I know the proper way of doing things. Let's Encrypt is anything but standard. You would have to be an ***** to use it since they have some daemon you need to run to automatically get the cert updated. I call that a back door into my server. I use no 3rd party services. I minimize vectors.

    So yeah, I know what I'm doing. Have a nice day.


    Posted via CB10
    You seem to be laboring under the impression that I am a fan of let's encrypt, I'm not.

    You also seem to be less than impressed by the system, why then do you suggest trusting a certificate from a site provisioned by let's encrypt without even using the CA, since as you suggest that could lead to trusting a certificate from a site that has been "back doored".

    LeapSTR100-2/10.3.2.2876
    02-21-16 08:27 AM
  16. WiredMatt's Avatar
    Back to topic: can someone explain how to export the LE CA (e.g. from a common browser), convert, and import into BBQ10?

    gesendet von meinem $smartphone mit tapatalk
    06-08-16 01:16 AM
  17. polytan02's Avatar
    I just hope that BlackBerry will do its job and add the let's encrypt certificates with the 10.3.3 update.

    There are quite a few sites using them and these are completely rejected by my phone.

    Posted via CB10
    06-08-16 03:32 AM
  18. Richard Buckley's Avatar
    You should not have to extract the certificate from a browser. You just need to know which Certificate Authority is signing them. The CA will have a way to get their certificate in all standard formats in a secure way, probably by downloading them from an HTTPS server.

    For all the popularity and hype surrounding Let's Encrypt I have yet to come across a site using it so I'm not sure which CA they are using.

    LeapSTR100-2/10.3.2.2876
    06-08-16 03:58 AM
  19. jd smithers's Avatar
    Hi,

    One of the bigger rollouts is related to wordpress.com; they have started to use Let's Encrypt certificates for the hosted domains (https://en.blog.wordpress.com/2016/0...ess-com-sites/) in an automatic way.

    Let's Encrypt's intermediate is currently being cross signed with the one from IdenTrust (CN=DST Root CA X3, O=Digital Signature Trust Co.) until their own will be incorporated into the major trust stores (ms, apple, nss,...). There were some critical acclaims in advance concerning the compliance audit and report but this has been resolved. In addition they submit all issued certificates to CT logs and anyone can take a look at it via https://crt.sh/

    Whichever way you look at it, Let's Encrypt does provide certificates in an easy way for people who are either not that familiar with certificate administration or are in need for automated processing or for whatever other reason. Not for nothing they have issued almost 3m certificates since their official launch in April 2016.

    Edit: wrong wording. 4.4m overall including beta phase since nov/dec 2015 (https://plot.ly/~letsencrypt/9/daily-activity/)
    Last edited by jd smithers; 06-08-16 at 01:32 PM.
    06-08-16 12:47 PM
  20. jd smithers's Avatar
    Hi,

    Back to topic: can someone explain how to export the LE CA (e.g. from a common browser), convert, and import into BBQ10?
    just browse to the linked info page from IdenTrust https://www.identrust.com/certificat...wnload-x3.html ( mentioned on the Let's Encrypt page https://letsencrypt.org/certificates/)

    1. Copy the content of the text box into a new textfile
    2. Insert at the beginning "-----BEGIN CERTIFICATE-----" (without the quotes)
    3. Insert at the ending "-----END CERTIFICATE-----" (without the quotes)
    4. Shoud look like WoSign and Let's Encrypt CA certificates for Blackberry-identrust_root.png
    5. Save it as identrust-root.pem (or whatever name you like - but with .pem ending)
    6. Copy over to the mobile phone
    7. Open it in the File Manager and click Import on the top right corner
    8. Open Browser on the phone and got to helloworld.letsencrypt.org; should open and provide a lock-icon; you may verify with the site information, that the correct certificate chain is being used.


    That should cover the necessary steps.
    WiredMatt likes this.
    06-08-16 01:27 PM
  21. Richard Buckley's Avatar
    JD Smithers did some excellent work there. Most of it should be unnecessary though. Since Let's Encrypt created their own Root and Intermediate certificates, which are available in PEM format, it should be sufficient to download one, or all of them, open with the file manager and install.

    The cross signing is only used until the Let's Encrypt certificates are accepted. If you accept them directly, then you are done.

    Edit:

    The first certificate on the page is the Let's Encrypt Root, also called ISRG. Importing that should be all you need to do.


    LeapSTR100-2/10.3.2.2876
    Attachment 401754
    06-08-16 05:29 PM
  22. jd smithers's Avatar
    JD Smithers did some excellent work there. Most of it should be unnecessary though. Since Let's Encrypt created their own Root and Intermediate certificates, which are available in PEM format, it should be sufficient to download one, or all of them, open with the file manager and install.

    The cross signing is only used until the Let's Encrypt certificates are accepted. If you accept them directly, then you are done.

    LeapSTR100-2/10.3.2.2876
    Thanks for the vote of confidence. It seems I missed the possibility on my device to import it by opening the website. As soon as I open the helloworld page it is being blocked. It's stated that it is not possible to verify against a trusted source; Is there any (other) way to import a certificate or certificate chain on the device itself? Besides that, this dodges - imho - the intrinsic meaning of a PKI where I should be able to trust something/someone trustworthy beforehand as you wrote earlier concerning information (domain) assurance & encryption.
    06-08-16 05:59 PM
  23. WiredMatt's Avatar
    Hi,


    just browse to the linked info page from IdenTrust https://www.identrust.com/certificat...wnload-x3.html ( mentioned on the Let's Encrypt page https://letsencrypt.org/certificates/)

    1. Copy the content of the text box into a new textfile
    2. Insert at the beginning "-----BEGIN CERTIFICATE-----" (without the quotes)
    3. Insert at the ending "-----END CERTIFICATE-----" (without the quotes)
    4. Shoud look like Click image for larger version. 

Name:	identrust_root.png 
Views:	632 
Size:	86.0 KB 
ID:	401745
    5. Save it as identrust-root.pem (or whatever name you like - but with .pem ending)
    6. Copy over to the mobile phone
    7. Open it in the File Manager and click Import on the top right corner
    8. Open Browser on the phone and got to helloworld.letsencrypt.org; should open and provide a lock-icon; you may verify with the site information, that the correct certificate chain is being used.


    That should cover the necessary steps.
    That's it, thanks! :-)

    gesendet von meinem $smartphone mit tapatalk
    06-09-16 01:14 AM
  24. Martin Green's Avatar
    "they have some daemon"... yeah... you really have no idea how Let's Encrypt certificate renewal works, do you? And yet you claim you know what you are doing. For one thing you aren't forced to use their renewal tool at all, feel free to write your own, I did.

    Secondly, the automated certificate issuance uses a very secure technique (ACME) to ensure you actually own the site you are requesting a certificate for. The method used would only allow someone else to obtain a cert in your name if your site was already compromised anyway. The ACME protocol is open source and anybody can write a client. If you ACTUALLY knew what you were talking about you would know that.

    https://letsencrypt.org/how-it-works/

    Finally, Let's Encrypt is EXPLODING in popularity among small, medium, and large sites and services. If it is so dodgy why do the latest versions of ALL popular browsers include ISRG (Let's Encrypt) certificate trust?

    So yeah, you only THINK you know what you are doing. Have a nice day.

    I know the proper way of doing things. Let's Encrypt is anything but standard. You would have to be an ***** to use it since they have some daemon you need to run to automatically get the cert updated. I call that a back door into my server. I use no 3rd party services. I minimize vectors.

    So yeah, I know what I'm doing. Have a nice day.


    Posted via CB10
    10-08-16 01:39 PM
  25. Martin Green's Avatar
    Until BlackBerry 10.3.3 rolls out which will have Let's Encrypt trust built in, to get full support of all possible ways a site might be signed with a LE certificate you actually need to import seven certs from Let's Encrypt and one from IdenTrust. You can get away with less for 90% of sites but several of them provide redundancy in case some of the trust chain goes down.

    If you are running BlackBerry 10.3 - 10.3.2 you can import all eight certs with just two clicks using my totally free multiCERT app from BlackBerry World. https://appworld.blackberry.com/webs...tent/59999147/

    Cheers

    JD Smithers did some excellent work there. Most of it should be unnecessary though. Since Let's Encrypt created their own Root and Intermediate certificates, which are available in PEM format, it should be sufficient to download one, or all of them, open with the file manager and install.

    The cross signing is only used until the Let's Encrypt certificates are accepted. If you accept them directly, then you are done.

    Edit:

    The first certificate on the page is the Let's Encrypt Root, also called ISRG. Importing that should be all you need to do.


    LeapSTR100-2/10.3.2.2876
    Attachment 401754
    Rustybronco and melander like this.
    10-08-16 01:47 PM
31 12

Similar Threads

  1. It's a good battery day for me!
    By blackbirdy in forum BlackBerry Priv
    Replies: 37
    Last Post: 05-09-16, 08:20 AM
  2. BlackBerry v Jolla or: How Can a Company Fail?
    By ominaxe in forum Armchair CEO
    Replies: 12
    Last Post: 03-01-16, 04:24 PM
  3. What is the best Bluetooth device for the Classic?
    By CrackBerry Question in forum Ask a Question
    Replies: 2
    Last Post: 02-19-16, 01:51 AM
  4. WTB: Red BlackBerry Passport
    By krugbot in forum Buy, Sell, Trade - Sold / Archived
    Replies: 2
    Last Post: 02-17-16, 07:16 AM
LINK TO POST COPIED TO CLIPBOARD