1. Smitty13
    Hey all,

    I just thought I would post this tidbit of information that I came across today. To preface this, this post is not about BlackBerry Link the program, but rather the website where one downloads BlackBerry Link.

    I was in the process of going to download BlackBerry Link again on a new PC when I came across a warning in Firefox. It appears as though the area where one downloads BlackBerry Link is using the outdated SSL 3.0 protocol which has been shown to be vulnerable to the POODLE attack. For more information on this, please visit here.

    Just to be sure this was not a false positive I scanned BlackBerry's SSL certificate for the download site, and sure enough, the SSL 3.0 protocol was still in use: SSL Labs Test Results.

    Websites are being encouraged at the bare minimum to at least mitigate the SSL 3.0 protocol, with a recommendation to totally disable it.

    Now why does this all matter?

    All security explanations aside (and believe me, the implications of this can be major), one of the most damning problems with this is that Firefox and Chrome users will no longer be able to access the website as Mozilla and Google have totally disabled accessing websites that utilize SSL 3.0 still. This affects those using Firefox version 34 and above as well as those using Chrome version 40 and above. Those using the latest IE, version 11, appear to be unaffected (at least in my testing using a completely updated machine).

    One will see a warning similar to this in Firefox:
    [attached image: Insecure Protocol - BB Link Download-ssl30.jpg]

    I do hope BlackBerry looks into renewing their certificates very soon, as this problem could have some potentially large implications.
    Last edited by Smitty13; 12-10-14 at 06:33 PM. Reason: Spelling
    12-10-14 03:41 PM
  2. just_luc
    Updating the certificate was likely an oversight, i'm sure they got it resolved quite quickly.
    01-21-15 11:35 AM
  3. Smitty13
    Unfortunately it looks as though this problem still exists. See here for the SSL Labs scan of the BB Link download site.

    I know one of the prime reasons most website admins were not disabling SSL 3 was due to the fact it would essentially bar those using IE6 from entering the site. IE6 was the mainstay of Windows XP and came in all stock systems.

    With XP now having been phased out, I am left wondering why this shift has not happened yet on a wider scale, BlackBerry included. Disabling it would not require a certificate update really, so again, I am left wondering why a weak protocol is being used.

    That warning I posted in my initial post is received by users who have also disabled the RC4 cipher which, as pointed out in the SSL Labs link, is also a notoriously weak cipher. With no alternative cipher being offered, those who do not wish to connect using those protocols cannot access the download site.

    This would not be a monumental fix, really. BlackBerry will have to update that certificate this year anyhow as SHA-1 hashes are also being phased out. I really wish they would be proactive here.
    01-22-15 12:42 AM
  4. just_luc
    I admit to not being that versed in this, but I'm having no issues accessing the site from the latest version of Firefox.

    Posted via CB10
    01-22-15 02:23 PM
  5. Smitty13
    > I admit to not being that versed in this, but I'm having no issues accessing the site from the latest version of Firefox.
    >
    > Posted via CB10
    Hey, you'd be right in not having issues right now as that particular warning is only delivered to those who have gone into their settings and purposely disabled the RC4 cipher. With that disabled and SSL 3 no longer being supported, you would not be able to access the site. You should be able to if you have not disabled RC4.

    Posted via CB10
    01-22-15 02:42 PM
  6. BCITMike
    Ciphers are set by web server, not the certificate.

    Also, because the cipher is supported doesn't mean it'll be used in your connection. Better ciphers should be picked first, which is what will happen on any modern browser.

    Posted via CB10
    01-22-15 03:23 PM
  7. Smitty13
    > Ciphers are set by web server, not the certificate.
    >
    > Also, because the cipher is supported doesn't mean it'll be used in your connection. Better ciphers should be picked first, which is what will happen on any modern browser.
    >
    > Posted via CB10
    Correct on all fronts. I should have said the cipher used depends on the client and server's SSL handshake; it is not dictated by the certificate itself per se.

    In terms of server preference, in this case for BlackBerry it is:

    TLS_RSA_WITH_RC4_128_MD5 (0x4)
    TLS_RSA_WITH_RC4_128_SHA (0x5)
    Both are considered weak and no alternatives exist.

    Unfortunately if one is using Firefox 34+ or Chrome 40+ and has disabled connecting to RC4, they will not be able to proceed. In some cases (such as some banking websites) the use of RC4 is preferred first but also supports other ciphers which are considered to be stronger (AES, etc.), hence me disabling it so I can utilize the stronger cipher. I have not come across a way to pick and choose what ciphers to use on a site-by-site basis yet or I wouldn't be facing this problem.

    Suffice to say, BlackBerry will need to update these certificates before the expiration, as the SHA-1 hash expires in 2016. A lot of this could be a relatively straightforward fix.
    Last edited by Smitty13; 01-22-15 at 05:41 PM. Reason: Spelling
    01-22-15 05:38 PM
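The negotiation described in the two posts above, as an added example (not code from the thread, from BlackBerry or from SSL Labs). It builds a real wire-format ClientHello, reads the offered suites back out, and applies server-preferred selection. The server preference list is the RC4-only pair quoted in post 7; the "fixed" server list, the client offer lists and the zeroed client random are constructed for the demonstration. It shows why a browser that lists AES first still ends up on RC4 when the server enforces its own order, and why a browser with RC4 removed from its offer gets a fatal handshake_failure alert from an RC4-only server.

```python
"""Cipher-suite negotiation for the case discussed in this thread.

Added example, not code from the thread, from BlackBerry or from SSL Labs.
The RC4-only server preference is the pair of suites quoted in post 7; the
client offer lists and the corrected server list are constructed.
"""
import struct

# IANA cipher-suite identifiers. The two RC4 suites are the ones the thread
# quotes for the download site; the AES suites are included for contrast.
TLS_RSA_WITH_RC4_128_MD5 = 0x0004
TLS_RSA_WITH_RC4_128_SHA = 0x0005
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F

SUITE_NAMES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}

# Server-side ordered preference as reported in the thread: RC4 only.
SERVER_RC4_ONLY = [TLS_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_RC4_128_SHA]
# Constructed corrected preference: strongest first, RC4 last for legacy clients.
SERVER_FIXED = [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                TLS_RSA_WITH_AES_128_CBC_SHA,
                TLS_RSA_WITH_AES_256_CBC_SHA,
                TLS_RSA_WITH_RC4_128_SHA]

# Constructed client offers, strongest first, as a browser would send them.
CLIENT_RC4_ENABLED = [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                      TLS_RSA_WITH_AES_128_CBC_SHA,
                      TLS_RSA_WITH_AES_256_CBC_SHA,
                      TLS_RSA_WITH_RC4_128_MD5,
                      TLS_RSA_WITH_RC4_128_SHA]
CLIENT_RC4_DISABLED = [s for s in CLIENT_RC4_ENABLED if s not in (0x0004, 0x0005)]

HANDSHAKE_FAILURE_ALERT = bytes([2, 40])  # level fatal (2), handshake_failure (40)


def build_client_hello(suites, version=(3, 3)):
    """Serialise a minimal ClientHello handshake message (RFC 5246 7.4.1.2):
    client_version, 32-byte random, empty session id, cipher suites, and a
    single null compression method. No extensions, to keep the layout short."""
    client_random = b"\x00" * 32  # constructed; a real client uses os.urandom(32)
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (bytes(version) + client_random + b"\x00"
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00")
    return b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = client_hello


def offered_suites(client_hello):
    """Read the cipher-suite list back out of a ClientHello on the wire."""
    if client_hello[0] != 1:
        raise ValueError("not a client_hello")
    length = int.from_bytes(client_hello[1:4], "big")
    body = client_hello[4:4 + length]
    pos = 2 + 32                 # skip version and random
    pos += 1 + body[pos]         # skip session id
    n = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + n, 2)]


def select_suite(offered, server_preference):
    """Server-preferred selection: walk the server's ordered list and take the
    first suite the client also offered. The client's ordering is ignored,
    which is why a browser listing AES first can still end up on RC4."""
    offered = set(offered)
    for suite in server_preference:
        if suite in offered:
            return suite
    return None


def server_response(client_hello, server_preference):
    """Return ("server_hello", suite) when a common suite exists, otherwise
    ("alert", <fatal handshake_failure>), which the browser surfaces as an error."""
    suite = select_suite(offered_suites(client_hello), server_preference)
    if suite is None:
        return ("alert", HANDSHAKE_FAILURE_ALERT)
    return ("server_hello", suite)


def outcome(client_suites, server_preference):
    """Human-readable result of one negotiation."""
    kind, value = server_response(build_client_hello(client_suites), server_preference)
    return SUITE_NAMES[value] if kind == "server_hello" else "handshake_failure"


if __name__ == "__main__":
    for client_name, client in (("RC4 enabled", CLIENT_RC4_ENABLED),
                                ("RC4 disabled", CLIENT_RC4_DISABLED)):
        for server_name, server in (("RC4-only server", SERVER_RC4_ONLY),
                                    ("fixed server", SERVER_FIXED)):
            print(f"{client_name:13} vs {server_name:15}: {outcome(client, server)}")
```

Running it prints the four combinations: the RC4-enabled client lands on TLS_RSA_WITH_RC4_128_MD5 against the RC4-only server, the RC4-disabled client gets handshake_failure against it, and both clients get the ECDHE AES-GCM suite once the server's list is fixed. "Disabling RC4" in Firefox at the time meant setting the security.ssl3.rsa_rc4_128_md5 and security.ssl3.rsa_rc4_128_sha preferences to false in about:config, which removes exactly the two suites in SERVER_RC4_ONLY from the ClientHello.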
  8. jimoates014
    Might this explain why I was unable to download from Mega last week via Waterfox, yet Chrome downloaded? Waterfox is my go-to browser and bang up to date, and Chrome less so.

    Passport or Z10, whichever is nearest
    01-22-15 08:00 PM
  9. BCITMike
    It's probably not considered top priority since the downloads will be validated before install anyways.

    Also, the simulation at the bottom shows only IE6 would have selected SSLv3, which is kind of needed to support it in default IE6. Also, it indicates Poodle is mitigated.

    My understanding is that it would have gotten a Grade "C" if it was actually vulnerable. It's just strong warnings.

    That being said, I've updated any ssl sites I manage back in October, but I didn't have to support anything legacy, just current browsers and win 7+.
    01-22-15 08:44 PM
  10. Smitty13
    > It's probably not considered top priority since the downloads will be validated before install anyways.
    >
    > Also, the simulation at the bottom shows only IE6 would have selected SSLv3, which is kind of needed to support it in default IE6. Also, it indicates Poodle is mitigated.
    >
    > My understanding is that it would have gotten a Grade "C" if it was actually vulnerable. It's just strong warnings.
    >
    > That being said, I've updated any ssl sites I manage back in October, but I didn't have to support anything legacy, just current browsers and win 7+.
    I do see they have mitigated POODLE at this point. At the time of my initial posting it was not mitigated. Perhaps someone saw this thread or was tipped off to it? No idea really.

    Keeping SSL 3 ensures proper legacy usage of the site, but as I said above, with XP being phased out, that decision seems kind of odd at this point.

    Again, this post was not to cause alarm with anyone but to shed light on a potential security issue. You sound like you have done some web work as well, so you know the push these days toward security.

    I am very much interested to see where DNS-based Authentication of Named Entities (DANE) will go, as I see a lot of sites starting to adopt it. BlackBerry could really cement their security stance by being ahead of the curve on all aspects of security.
    01-22-15 11:19 PM
  11. BCITMike
    > I do see they have mitigated POODLE at this point. At the time of my initial posting it was not mitigated. Perhaps someone saw this thread or was tipped off to it? No idea really.
    >
    > Keeping SSL 3 ensures proper legacy usage of the site, but as I said above, with XP being phased out, that decision seems kind of odd at this point.
    >
    > Again, this post was not to cause alarm with anyone but to shed light on a potential security issue. You sound like you have done some web work as well, so you know the push these days toward security.
    >
    > I am very much interested to see where DNS-based Authentication of Named Entities (DANE) will go, as I see a lot of sites starting to adopt it. BlackBerry could really cement their security stance by being ahead of the curve on all aspects of security.
    I doubt that, unless you screengrabbed your first result. Did you ever notice it being a grade "C"? I'm sure it was patched back in October like most of the world.

    Windows 2003 still has V3 enabled by default. I'm sure there are some BES servers on 2003. I've logged into a few servers that are like 8 years old, clicked on a hyperlink and found that IE6 was never clicked past that initial screen. Could be from installing Firefox and never using IE6, but it is the OOB browser for 2003, still supported 'til April 2015.
    01-23-15 02:41 AM
  12. Smitty13
    > I doubt that, unless you screengrabbed your first result. Did you ever notice it being a grade "C"? I'm sure it was patched back in October like most of the world.
    >
    > Windows 2003 still has V3 enabled by default. I'm sure there are some BES servers on 2003. I've logged into a few servers that are like 8 years old, clicked on a hyperlink and found that IE6 was never clicked past that initial screen. Could be from installing Firefox and never using IE6, but it is the OOB browser for 2003, still supported 'til April 2015.
    Yes, I made this entire thread based on a lie. Good call.

    Why is the burden of proof on me when I clearly posted the link to said result? This thread was started well over a month ago and you had the opportunity to check that. Why would I have screenshot the results when the link was available to all? That really makes no sense. You are literally getting to this thread over a month and a half late. Surely even you must know that things can change over time?

    Sure, you could argue that when the POODLE attack information was released to the public everyone hopped on patching it. I could also argue that many VPN providers, for instance, did not hop on patching the OpenSSL Heartbleed Bug immediately. Patching ranged from a few days to over a couple of months for some. Not everyone is as quick as others to mitigate security issues.

    Whatever the case is, I am not in this thread to argue. You are free to not believe me and I will not lose any sleep over it. I merely like pointing out potential security issues when I come across them. I can however say, I am not going to come back and argue if you wish to put doubts on something that I posted a long time ago.

    Happy posting!
    01-23-15 11:20 AM
  13. thurask
    Does this apply to all BlackBerry software downloads?

    The version of Link bundled with Blend is newer than what's in question here.

    Posted via CB10
    01-23-15 11:35 AM
  14. BCITMike
    > Yes, I made this entire thread based on a lie. Good call.
    >
    > Why is the burden of proof on me when I clearly posted the link to said result? This thread was started well over a month ago and you had the opportunity to check that. Why would I have screenshot the results when the link was available to all? That really makes no sense. You are literally getting to this thread over a month and a half late. Surely even you must know that things can change over time?
    >
    > Sure, you could argue that when the POODLE attack information was released to the public everyone hopped on patching it. I could also argue that many VPN providers, for instance, did not hop on patching the OpenSSL Heartbleed Bug immediately. Patching ranged from a few days to over a couple of months for some. Not everyone is as quick as others to mitigate security issues.
    >
    > Whatever the case is, I am not in this thread to argue. You are free to not believe me and I will not lose any sleep over it. I merely like pointing out potential security issues when I come across them. I can however say, I am not going to come back and argue if you wish to put doubts on something that I posted a long time ago.
    >
    > Happy posting!
    Chill. People make mistakes, I never said you lied. I've been debugging a problem the last 24 hours, and I just found out I was logged into the wrong server than the one having the issue!

    I would have expected the "Grade C" to be a major point of your OP but that site also changes its grading criteria from time to time as well. But a copy and paste of the major warning would have been helpful in the OP for historical reasons. "the SSL 3.0 protocol was still in use" is still true in December and now, the salient point being when it was vulnerable, not in use.

    But no, when I replied I was operating like you opened the thread in the last week. I only noticed it this week when the thread was bumped on 01/21, I didn't see that this thread was opened 1.5 months ago until you mentioned it in your last reply. When clicking on the link, it doesn't display previous results, it takes a new scan. So there is no way to know without asking if you still had the original results.
    Last edited by BCITMike; 01-23-15 at 08:44 PM. Reason: double pasted
    01-23-15 05:21 PM
  15. Superdupont 2_0
    OT: Here is another "insecure" website that always forces me to switch to another firefox profile.

    https://www.ssllabs.com/ssltest/anal....microsoft.com

    While I am not so much concerned about attacks, it is just annoying, because it interrupts my browser sessions.
    01-23-15 07:17 PM
