03-14-17 04:17 PM
  1. santoshwins's Avatar
    I have been trying to get a native solution (non android) as an alternative to Open Whisper System's Signal Messenger on my BlackBerry.

    I was recommended BBM Protected. But according to EFF.org, the service has a lot of issues. It is not open source and the encryption method is not open to third party audits.

    But my greater concern is BlackBerry's policy when it comes to state surveillance. I am from India and I know that about half a decade ago BlackBerry agreed to share its encryption keys with the Indian Government. That was for BBM PIN messages.

    I wonder if BBM Protected is any different and if BlackBerry would just as happily give away my BBM Protected data to the government should they ask for it. Not that I am up to something sinister. But I take my privacy seriously and don't want either third parties or the state peeping into my conversations.

    Any help or suggestions are welcome! Thanks in advance :-)
    03-06-17 09:25 PM
  2. thurask's Avatar
    If you're on a BES and the BES admin has BAAS enabled then message contents are fair game even with Protected. Thing is, it reportedly doesn't break end to end, rather generating and sending an unencrypted copy to the BES. However, one does not need a BES to use Protected, although from my experience you're better off with some other end to end service. Admittedly, finding something that works with BB10 is a challenge, but such is life in the slow lane.
    03-06-17 09:35 PM
  3. santoshwins's Avatar
    Thanks @thurask. I am not on BES so that's nice. I'm just not sure of BlackBerry's stance on sharing encryption keys. As for life in the slow lane, tell me about it! Other non native apps aren't good enough - so much so that I am willing to shell out money for protect if it can guarantee some sort of protection against state surveillance.

    Hoping for more ideas :-)
    03-07-17 04:09 AM
  4. crackbb10's Avatar
    I don't know if BlackBerry shares encryption keys by default. I do know they comply with lawful requests from governments.

    Posted via CB10
    03-07-17 05:42 AM
  5. santoshwins's Avatar
    That's right. I find the term 'lawful' very suspect since it is the state that decides what is and isn't legal - for example slavery was, a few decades ago, legal. So was the caste system in my country about 60 odd years ago and homosexuality still is.

    But I digress. The point is - there are companies that do protect their users from even lawful requests by intimating the user that such a request has come to them so that the user can react appropriately (lavamail comes to mind). And then there are zero-knowledge companies as well who cannot share anything even if they wanted to.

    So the question is - is there any option like that available for us in the slow lane - read BB10?
    app_Developer likes this.
    03-07-17 06:54 AM
  6. itsyaboy's Avatar
    Keys are saved in your BlackBerry device and nowhere else. So BlackBerry has no way to share your keys with anyone, as they do not have access to it. Or so they say. Have you taken a look at their BBM Protected notes?

    Posted via CB10
    David Tyler likes this.
    03-07-17 07:44 AM
  7. santoshwins's Avatar
    I have taken a cursory look. A sales page sort of. Could you point me to it (I know it is a lame request!).

    On a GitHub discussion I was told that BB has the same key stored on all devices (or so I inferred) which sounds wrong in all sorts of ways. The trouble BBM had, as I mentioned before, in India was with their PIN messages which are end to end encrypted (which the Indian government fantasized were being used by terrorists, whatever that means). And after a bit of a resistance, BlackBerry shared the keys with Indian authorities effectively allowing them to decrypt any PIN message they deemed fit.

    Any help is appreciated and I do want BBM to win! Thanks a bunch, @itsyaboy :-)
    03-07-17 07:49 AM
  8. crackbb10's Avatar
    BlackBerry does make up its own mind as to what they feel is lawful. I believe there was a post on the homepage about this a while ago.

    Posted via CB10
    03-07-17 07:51 AM
  9. itsyaboy's Avatar
    Read this: http://help.blackberry.com/en/bbm-pr...183785242.html

    It should answer your questions sufficiently. Whether you believe BlackBerry is truthful is another matter entirely.

    First things first: BBM is different than BBM Protected (known as BBM Enterprise on Android and iOS).

    BBM messages are NOT encrypted. They are scrambled. There is a global key with which the messages are scrambled. BlackBerry has access to this key (and some others were rumoured to have had access in the past). Therefore, you should not rely on BBM for encrypted communications.

    BBM Protected offers true end-to-end encryption, by generating unique keys on your device. These keys, or probably better said, your private key never leaves your BlackBerry 10 device, so you control your keys.

    The big caveat is whether you trust that BBM Protected works as advertised, because it is closed-source and as far as I am aware, there have been no external security audits. Maybe with the release of the BBM Protected SDK, there might be more enterprise interest for their product and thus an incentive for a security audit.

    Depending on your threat model (commercial surveillance) BBM Protected is good enough.

    Posted via CB10
    santoshwins likes this.
    03-07-17 09:02 AM
  10. santoshwins's Avatar
    Thank you, really, @itsyaboy. This is greatly helpful. I will study the document and properly evaluate the service for my use. Before I get to the document, I do understand that BBM messages are not end to end encrypted. But are the PIN messages the ones that are scrambled? Or were they supposed to be end-to-end encrypted at least - the encryption that BB gave away?

    Thanks!
    03-07-17 09:37 AM
  11. techhatesme's Avatar
    BBM is at its basic level pin to pin messaging with a nice fancy UI. I'm sure it has evolved into something different now, but it started off as pin-pin.

    The only end to end encryption BlackBerry offers is through BBM Enterprise and/or BES12 also known as BB UEM. Both require a subscription.

    -- Give me a keyboard, a 5 star rated Browser and a fulcrum point and I could move the world.
    03-07-17 09:49 AM
  12. techhatesme's Avatar
    If I could contribute by paraphrasing fellow crackberry poster Richard Buckley;12712083

    To start with, let's assume that your device and OS have not and will be compromised, that your data at rest is encrypted using a method that cannot be circumvented.

    In my opinion, BBM Enterprise (also known as BBM Protected on BB10) is the best method of encrypting data in transit that balances security, privacy and convenience.

    The weakest link in BBM Protected, and every other end to end encrypted messenger, is the method you use to share the conversation key between the two participating devices.

    Best if you can begin the chat between two devices standing side by side, thus sharing the key visually.

    Second best is to have both devices in the chat managed by the same BES12 (or BlackBerry UEM as it's now known) server. This is second best because BBM Enterprise autopass exchange of keys is managed through the Enterprise Management Console, which is a trusted method to share codes between known team members, if all the trusted devices are connected through BES12/UEM.

    It's the BES that ensures encrypted communications between the devices within the server's network, hiding the BBM Protected autophrase key. BES encrypts the key sharing, the keys encrypt the entire BBM Protected conversation.

    The caveat here is that you would need to manage your own personal BES server, on your own infrastructure so that you are the admin and thus control the BES encryption key. BES Cloud does not give the admin exclusive control over the key.

    In comparison, the Signal protocol has the ability to authenticate keys if you can come up with a secure side channel, but that is not always possible or convenient. So you end up trusting WhatsApp (Facebook), which has key signal protocol features turned off by default. Trusting Apple is really your only choice with iMessage, or any iProduct really.

    If what you seek is high end security and can't meet everyone you want to chat with in person, BBM Enterprise and a self managed BES is, in techhatesme's opinion, the best solution.

    (BTW, there is a BBM Enterprise subscription option that encrypts BBM voice calls and video calls which is pretty nifty)

    -- Give me a keyboard, a 5 star rated Browser and a fulcrum point and I could move the world.
    santoshwins likes this.
    03-07-17 09:52 AM
  13. santoshwins's Avatar
    I'm not sure I follow - since encryption keys were once actually handed over to the state by Blackberry (and this was pre BB10 era) - something was encrypted and also compromised thereafter. What am I missing here?

    On a side note - I am right now reading the documentation @itsyaboy posted a link to and have shot a request to BB sales regarding the BBM Protected.

    Thanks!
    Last edited by santoshwins; 03-07-17 at 09:54 AM. Reason: typo!
    03-07-17 09:53 AM
  14. santoshwins's Avatar
    Ah my bad, I replied to your previous post before reading your next, much more detailed one. I understand that running a BES and exchanging keys in person are the best possible options for a reasonably secured communication channel.

    But I do not see myself being able to run a BES server and while I do think I can exchange keys with some people I communicate with, I cannot with some others.

    I wonder where the BlackBerry Protected Plus stands in the middle of all this - BlackBerry claims that with this encryption, your chats, calls and video calls are all encrypted end-to-end regardless of whether or not the other person has the same service enabled (aka a regular BBM user). What sort of encryption/protection does this service provide?

    The documentation I was reading talks about BBM Enterprise but that looks and sounds like a BES server and not a subscription that an individual could purchase.

    Help?
    03-07-17 10:01 AM
  15. techhatesme's Avatar
    Standard BBM since the time of BIS on BBOS has been sent between devices using what's best described as a 'scramble' method, a single key that BlackBerry controls and changed at their whim. When BlackBerry received a lawful request or court order to provide law enforcement, notably the Canadian police, with the ability to decrypt intercepted data from wire taps BlackBerry gave out this single key.

    This means that in terms of government access, standard BBM provides the same level of security as SMS (law enforcement can request access to SMS from your telecommunications provider)

    Compromised is not the right word to apply to BBM, simply because BlackBerry must comply with legal court orders. The key hasn't been hacked for example. Yes it has been shared with branches of the Canadian government, US government, UK government, Indian government and others, but given it wasn't end to end encrypted to begin with it is hardly surprising to learn.

    After all that, having standard BBM encrypted with the single key still makes it more secure than standard email.

    -- Give me a keyboard, a 5 star rated Browser and a fulcrum point and I could move the world.
    santoshwins likes this.
    03-07-17 10:12 AM
  16. byex's Avatar
    BBM protected passphrases are shared automatically when you start a chat. There's no passphrase exchange in plaintext or need to communicate it by any other means.

    Posted via CB10
    03-07-17 10:15 AM
  17. santoshwins's Avatar
    Thank you, @techhatesme, I think I understand this perfectly now.
    @byex, what you said about Protected - are you saying that exchanging keys in private would not be required? How would the keys/passphrases be exchanged? And would they be encrypted themselves when they are traveling? How does this compare with the Signal protocol?
    Last edited by santoshwins; 03-07-17 at 10:21 AM. Reason: Saw a post too late! Grrr!
    03-07-17 10:16 AM
  18. byex's Avatar
    You don't need BES to run protected.
    BBM protected does not share your keys. They can't. The keys are stored on your device. Only one end of the conversation needs a protected user to protect the complete chat. Same with voice calls.

    Posted via CB10
    santoshwins likes this.
    03-07-17 10:26 AM
  19. techhatesme's Avatar
    I guess it's time you conducted a threat assessment upon yourself and those whom you are in contact with.

    If no one is watching you currently, then sharing a passphrase using an ephemeral yet unencrypted method is not going to ruin your end to end encryption if you come under scrutiny later.

    I use BBM Protected without a BES to encrypt my messaging data in transit, as I'm honestly not concerned about being under current intensive surveillance so much that the passphrase sharing stage will leak out and ruin the whole encryption.

    Why do I use BBM Protected then? Because I'm well aware of the passive data surveillance program of the 5 eye intelligence services and have no intention of making it easy on them to intrude, yet at the same time knowing full well there is little I can do to protect against intrusion as an active surveillance target without making communication over the internet completely inconvenient.

    -- Give me a keyboard, a 5 star rated Browser and a fulcrum point and I could move the world.
    santoshwins likes this.
    03-07-17 10:28 AM
  20. techhatesme's Avatar
    BBM Protected 'Plus', an optional feature, allows for the automatic key exchange if you choose to. However, if both devices are not connected to the same BES12 server then this key exchange is the weak link in the encryption chain, as it is performed using, from my memory, TLS. The same encryption as used for your bank passwords when logging in online. Also known as SSL.

    Without this feature enabled, the device which begins the BBM Protected chat produces a random set of letters, sometimes distinct words sometimes gibberish. It's up to the person using the first device to share that passphrase with the second user, and the method of doing so can introduce risk if shared for example by email.

    -- Give me a keyboard, a 5 star rated Browser and a fulcrum point and I could move the world.
    santoshwins likes this.
    03-07-17 10:34 AM
  21. techhatesme's Avatar
    Correct, once the random passphrase has been generated (which I assume you can alter yourself or create your own), and shared between two devices, BlackBerry cannot decrypt the conversation for anyone.

    Even if law enforcement had captured the data exchanged between two devices in the BBM Protected conversation, without one of the owners giving them access to their device there is no feasible method of decrypting the conversation. I say feasible because if they wanted to governments could task a supercomputer to the challenge and check back on its progress after 100 years.

    -- Give me a keyboard, a 5 star rated Browser and a fulcrum point and I could move the world.
    santoshwins likes this.
    03-07-17 10:39 AM
  22. byex's Avatar
    No you do not need to exchange the passphrase in private or through email or messaging.
    If you are a protected user and you start a chat with a non protected user, you will see a notification in the chat stating something like starting BBM protected chat. BBM is exchanging the passphrase automatically through the chat in protected mode. Once it's done it then states this chat is now BBM protected and will allow you to communicate.
    WhatsApp, which uses the Signal protocol, was found to have a serious vulnerability last year which still hasn't been resolved. This vulnerability is not part of the Signal app but only WhatsApp. They have the ability to change the keys without sender and receiver knowing. If this happens in Signal app the sender and receiver are notified. This is bad because WhatsApp can change keys and get access to messages.
    Without scrutinising or auditing BBM protected encryption we won't know for sure of the vulnerabilities.

    Posted via CB10
    santoshwins likes this.
    03-07-17 10:40 AM
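The key-change behaviour described in the post above, together with the side-by-side key comparison mentioned earlier in the thread, modelled as an added example (not from the thread, and not BBM, Signal or WhatsApp code). It is a trust-on-first-use key store run once with sending blocked on a key change and once with silent re-pinning; `KeyStore`, `Pin`, `run_scenario` and the random 32-byte keys are hypothetical names and constructed sample values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    FIRST_USE = "first use: key pinned, not yet verified"
    MATCH = "key matches the pinned one"
    CHANGED = "key differs from the pinned one"


def fingerprint(identity_key: bytes) -> str:
    """SHA-256 of a public identity key, grouped so two people can compare it by eye."""
    digest = hashlib.sha256(identity_key).hexdigest()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))


@dataclass
class Pin:
    key: bytes
    verified: bool = False  # True only after an out-of-band fingerprint comparison


class KeyStore:
    """Hypothetical client-side store of contacts' identity keys (trust on first use)."""

    def __init__(self, block_on_change: bool):
        self.block_on_change = block_on_change
        self.pins = {}      # contact -> Pin
        self.pending = {}   # contact -> changed key awaiting re-verification
        self.warnings = []  # what the user would be shown

    def observe(self, contact: str, key: bytes) -> Verdict:
        """Record the key the server presented for `contact`."""
        pin = self.pins.get(contact)
        if pin is None:
            self.pins[contact] = Pin(key)
            return Verdict.FIRST_USE
        if hmac.compare_digest(pin.key, key):
            self.pending.pop(contact, None)
            return Verdict.MATCH
        if self.block_on_change:
            # Keep the old pin, park the new key, tell the user.
            self.pending[contact] = key
            self.warnings.append(f"{contact}: identity key changed to {fingerprint(key)}")
        else:
            # Silent re-pin: messages now go to the new key and any earlier
            # verification no longer applies, but nobody is told.
            self.pins[contact] = Pin(key)
        return Verdict.CHANGED

    def verify(self, contact: str, fingerprint_seen: str) -> bool:
        """Compare with the fingerprint read from the contact's own screen."""
        pin = self.pins.get(contact)
        if pin is None:
            return False
        candidate = self.pending.get(contact, pin.key)
        if not hmac.compare_digest(fingerprint(candidate), fingerprint_seen):
            return False
        self.pins[contact] = Pin(candidate, verified=True)
        self.pending.pop(contact, None)
        return True

    def may_send(self, contact: str) -> bool:
        return contact in self.pins and contact not in self.pending


def run_scenario(block_on_change: bool) -> dict:
    bob_key = secrets.token_bytes(32)      # constructed stand-in for Bob's public key
    swapped_key = secrets.token_bytes(32)  # constructed: key later presented in Bob's name
    store = KeyStore(block_on_change)
    first = store.observe("bob", bob_key)
    verified = store.verify("bob", fingerprint(bob_key))  # devices side by side
    second = store.observe("bob", swapped_key)            # the key changes in transit
    return {
        "first": first,
        "verified": verified,
        "second": second,
        "may_send": store.may_send("bob"),
        "still_verified": store.pins["bob"].verified,
        "pinned_is_original": store.pins["bob"].key == bob_key,
        "warnings": len(store.warnings),
        # Bob's real fingerprint does not approve the swapped key.
        "swapped_key_accepted": store.verify("bob", fingerprint(bob_key)),
    }


if __name__ == "__main__":
    for mode in (True, False):
        print("block_on_change =", mode)
        for name, value in run_scenario(mode).items():
            print(f"  {name}: {value}")
```

With blocking enabled the original verified pin survives and nothing is sent until the new fingerprint has been compared in person; with silent re-pinning the client keeps sending and only the lost `verified` flag shows that anything happened.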
  23. techhatesme's Avatar
    I just realised I made an error above.

    Enabling the option of BBM Protected Plus is different from enabling the option of auto passphrase [exchange].

    BBM Protected Plus is a feature that enables every chat initiated by the subscription associated device to be encrypted. Aka, all your BBM chats get Protected.
    If it's not enabled then only your chats between other BBM Protected subscribers are encrypted.

    My above answer relates to the option of auto passphrase

    -- Give me a keyboard, a 5 star rated Browser and a fulcrum point and I could move the world.
    03-07-17 10:43 AM
  24. santoshwins's Avatar
    Thank you, both @techhatesme and @byex for these extremely valuable inputs. I do not want to use Android and so Signal is ruled out for now. Besides, I am told Android in itself is a buggy (threat prone) platform hence I want to steer clear from it.

    BB10 being almost obsolete actually works in our favour since it makes us a smaller target and hence less resources, hopefully, would be allocated to say penetrating BB10 devices. So I think BB Protect would work in my case.
    @techhatesme, I do not believe I am under active surveillance right now. I agree, if a person is under active surveillance, they would not risk communicating via smartphone. Or at least should not. I do agree, again, that I do not want to make it easy for anyone to look inside my phone.
    @byex, I also agree that without an independent audit, we just have to take Blackberry's word for everything. But we pretty much have been doing that, including major corporate and government agencies, with Blackberry for a long time and I do not think a company that prides itself in being ahead of the security game would compromise what is left of their brand value in any way. Hope - being the operative word here.
    @techhatesme, I am now confused what the 'plus' part is. Do I need to sign up for that? I must mention here that I do believe that I can easily share the passphrase with my contacts outside of BBM (say using a one time Signal chat) and be done with it. Which brings me to my other question - do we need to exchange a passphrase every time we start a chat or is that a one time thing before starting a conversation that stays active? And now that I have seen your post regarding 'plus' I reckon, plus needs to be active for me to be able to have encrypted chats with BBM users who do NOT have Protected. Correct? Are you on plus as well? Does it cost extra?

    Again - thanks a bunch guys!
    03-07-17 11:08 AM
  25. techhatesme's Avatar
    Sorry for the confusion, it's past 4am here and I stuffed up.
    BBM protected subscription comes with a few options you can toggle on and off within the management online console. They don't cost any extra, all included in the price.
    Two of these are
    Protected Plus, and
    Auto passphrase

    Protected Plus when enabled allows for encrypted chats with any BBM user regardless of whether they have a Protected subscription of their own. Anyone who starts a chat with you, or anyone you start a chat with will be prompted to input the encryption key or one will be generated for them to share. Once shared the chat stays protected. End the chat and a new passphrase will be needed to start again. I recommend enabling this option.

    Auto passphrase when enabled facilitates the exchange of the encryption key between the two devices without needing them to manually input the key. It is a highly convenient method of sharing the keys to the chat using TLS encryption, same as https websites. It is however the weakest link in the chain in my opinion unless both devices are connected to the same BES12 server. Honestly it's better to share the key using a one time Signal chat than to use TLS.

    If you consider the threat against you to be high (but not high enough to stop using a smartphone) then I do not recommend enabling this feature. Better to see the key, better to be involved in the sharing, better to exchange in person.

    If you're simply wanting to make life harder for the 'security' intelligence agencies then Autopassphrase is acceptable.

    -- Give me a keyboard, a 5 star rated Browser and a fulcrum point and I could move the world.
    santoshwins likes this.
    03-07-17 11:28 AM