[berry1977]

Despite installing the latest update, this certificate shows that it expired in 2016!

Settings --> Security and Privacy --> Certificates --> thawte Extended Validation SSL CA
This certificate can:
-authenticate a client
-authenticate a server
-sign code
-protect email
-sign a time stamp message
-sign an OSCP message

Not Valid After
Nov 17, 2016 11:00:00 AM

Anyone else have this problem?

[Richard Buckley]

Not sure why you think this is a problem. My FireFox browser has the same certificate:



This is why certificates have expiration dates, so they won't be used after they expire and can then be removed from the pack at leisure without causing problems.

[to boldly go]

It seems there is a problem with expired certificates. Are we supposed to go find them ourselves, or will they update later? Specifically I can't go to the Startmail website from my phone no matter how I try, and I do get Startmail fine on the phone itself. This is a relatively new problem, it used to work. Completely blocked.

[Richard Buckley]

It seems there is a problem with expired certificates. Are we supposed to go find them ourselves, or will they update later? Specifically I can't go to the Startmail website from my phone no matter how I try, and I do get Startmail fine on the phone itself. This is a relatively new problem, it used to work. Completely blocked.

Your problem is probably not due to expired certificates. The startmail certificate is signed by Buypass which is not a trusted CA in the default BlackBerry CA pack. You can either just accept the startmail certificate or import and trust the Buypass certificate chain. The first option is the easiest, click Expand to Continue, check I understand the risk, and click add exception.




LeapSTR100-2/10.3.3.2205

[to boldly go]

You can either just accept the startmail certificate or import and trust the Buypass certificate chain. The first option is the easiest, click Expand to Continue, check I understand the risk, and click add exception.

I would have to learn how to import, the option to expand and accept, which I frequently do when I know where I am going, is not given here. Just plain BLOCKED. Awhile back I talked to atnt bout it thinking it was them, and they tried to send me to BlackBerry which i declined.

For now I have to go to a laptop or desktop just to get to my account if I need to change anything or check my spam folder.

[Richard Buckley]

I would have to learn how to import, the option to expand and accept, which I frequently do when I know where I am going, is not given here. Just plain BLOCKED. Awhile back I talked to atnt bout it thinking it was them, and they tried to send me to BlackBerry which i declined.

For now I have to go to a laptop or desktop just to get to my account if I need to change anything or check my spam folder.

That's interesting, because I have no problem connecting to their site following the procedure I outlined.




However because the site uses strict transport security if you do follow that procedure and the revoke trust you will be blocked.

Importing the Buypass certificate chain is quite easy, go to their download site.
https://www.buypass.com/support/download-center

Select Root Certificates SSL



Download Certificate Chain SSL, save the file the open the file when the download is complete. Trust the certificates, don't limit them. You should be set.

[Emaderton3]

I believe there is an app in BlackBerry World that contains updated certificates.

Posted via CB10

[Richard Buckley]

If you've come here from this other thread: http://forums.crackberry.com/blackbe.../#post12816094 and don't see any assistance for your problem, don't worry they are different issues. I've asked moderator who locked that thread to unlock it so we can discuss that issue separately from this one.

[Emaderton3]

Did you download the certificates from BBW?

Posted via CB10

[nhatanh181]

If you've come here from this other thread: http://forums.crackberry.com/blackbe.../#post12816094 and don't see any assistance for your problem, don't worry they are different issues. I've asked moderator who locked that thread to unlock it so we can discuss that issue separately from this one.

Yes, thanks. The site is blocked because the way Google redirect search result, even a legit site like blackberry.com

Posted from BlackBerry Passport.

[Richard Buckley]

Did you download the certificates from BBW?

Posted via CB10

Do you refer to this app? https://appworld.blackberry.com/webs...countrycode=CA

If so, that is only for Let's Encrypt, it is not needed for 10.3.3 which includes the Let's Encrypt CA certificates. Finally it is a really bad idea to get certificates from a third party. You are opening yourself to all kinds of trouble if the source has malicious intent.

[Richard Buckley]

Yes, thanks. The site is blocked because the way Google redirect search result, even a legit site like blackberry.com

Posted from BlackBerry Passport.

I don't want to get too deep into the issue here because it could confuse people, but it has to do with a badly configure content delivery network, and may also be related to an old HSTS configuration that may no longer be valid for us.blackberry.com.

[Emaderton3]

Do you refer to this app? https://appworld.blackberry.com/webs...countrycode=CA

If so, that is only for Let's Encrypt, it is not needed for 10.3.3 which includes the Let's Encrypt CA certificates. Finally it is a really bad idea to get certificates from a third party. You are opening yourself to all kinds of trouble if the source has malicious intent.

Link doesn't work for me. I know others had solved some problems downloading a package of new certificates from BBW. I was merely suggesting a potential solution.

Posted via CB10

[dbq10]

I get the same Site Identity Not Verifiable screen occasionally and accept it for sites I know are OK, but I don't know if there's something in settings for 10.3.2 that I'm supposed to change. The above posts just reminded me of the issue but I'm in the dark about a solution.

[1122334455667788]

I get the same Site Identity Not Verifiable screen occasionally and accept it for sites I know are OK, but I don't know if there's something in settings for 10.3.2 that I'm supposed to change. The above posts just reminded me of the issue but I'm in the dark about a solution.

Accepting isn't necessarily a good idea.
It isn't a question of the site being "OK".
One of the main reasons for using security certificates is to attempt to confirm that you have actually connected to the site you think you are on. Unless you put in a lot of effort and manually research the security certificate, you have no way of knowing whether you are actually on the correct site.

Of course, you probably don't need to worry to much for some site (chances are no one is bothering to interfere with a weather site), but you should be careful with sites that matter (a bank for example).

[Richard Buckley]

Where the problem is that the CA certificates are out of date, which should only affect those still on 10.3.2, the solution is to install the certificates for the Certificate Authority (CA) . Usually the CA will have a PKCS12 file on their site and you just need to download it to the BlackBerry, open and trust it. I have described this above.

The other problem from the other thread is different. Now that the thread is unlocked again I will talk about it over there when I have some time later today.

LeapSTR100-2/10.3.3.2205

[dbq10]

Richard, I tried the buypass link from your post and it wouldn't open, and typing it in the address bar also didn't work. When I typed www.buypass.com/support I got the Site Identity Not Verifiable screen.

[Richard Buckley]

Richard, I tried the buypass link from your post and it wouldn't open, and typing it in the address bar also didn't work. When I typed www.buypass.com/support I got the Site Identity Not Verifiable screen.

This is because they signed the site certificate with their own CA. Which indicates that they aren't really thinking very clearly about being a CA. If you can access the page without special steps then you don't need to access the site. If you need to get their certificates, they have made it difficult to do in a secure way. Chicken and egg. People who don't think of these issues shouldn't really be running CAs. But there is money to be made,

The easiest way is to manually trust the site where you get the untrusted dialogue. But that isn't secure. The secure way is to download the certificates on a machine with a browser that already trusts their CA then transfer the file to the BlackBerry and open it. Firefox seems to trust them, Chrome probably does too.

LeapSTR100-2/10.3.3.2205

[dbq10]

Thank you for that explanation, it's very helpful.

[dbq10]

The buypass download Center has changed the appearance of their site. I went to the site using Firefox on my laptop and they've added more choices to select. I followed the instructions for "Buypass Root Certificates on mobile" and sent an SMS to +47 417 16 009 with the message 'SSL'. Their return text asked me to choose between Class 2 and Class 3 (PEM) so I went with 3 and installed it. The new certificates are good thread thru October 2040.

[Richard Buckley]

The buypass download Center has changed the appearance of their site. I went to the site using Firefox on my laptop and they've added more choices to select. I followed the instructions for "Buypass Root Certificates on mobile" and sent an SMS to +47 417 16 009 with the message 'SSL'. Their return text asked me to choose between Class 2 and Class 3 (PEM) so I went with 3 and installed it. The new certificates are good thread thru October 2040.

First and foremost i'm glad you got that sorted out.

On the other hand my IT security persona is cringing right now. It seems we must make a fetish out of end to end encryption and companies that fight law enforcement but we will use something as insecure as SMS to enable two factor authentication and boots strap a chain of trust. Security, like a chain is only as strong as the weakest link. It is easy to see each hop from end-to-end as a link. But the delivery of critical parts of the communication system are also links in the chain. I'm not saying you did anything wrong, the CA should know better. Sadly they don't, as we are finding out as Semantic is schooled by Google. Unfortunately Google, or I guess Alphabet, has their own problems as we are seeing with Nest. Not a great week for security news.

https://www.engadget.com/2017/03/28/...rnet-security/

http://gizmodo.com/this-nest-securit...umb-1793524264

LeapSTR100-2/10.3.3.2205

[dbq10]

Buypass also had a web link for mobile users but nothing happened when I clicked on it so I went the SMS route. I don't trust any of the IoT gadget makers; I cringe when watching This Old House on PBS because they're installing every kind of software controlled gimmick on vital systems in people's homes.