BBM one of the least secure messaging platforms, based on this EFF report
Why shouldn't BlackBerry be a choice for someone in the "persecuted minority"? BlackBerry's reputation in these areas is one of a highly secure, trustworthy company (whether or not it's totally deserved - that's what we all are debating now). If anything, it's a naive view on their part and one that has led to some bad consequences. After all it was called the "BlackBerry Revolution".
One of the reasons I'm so passionate about coming clean with just how secure BlackBerry is and what others offer is the fact that misinformation can lead to imprisonment or worse if someone in a less than democratic, lawful country is mistaken in just what is really secure and what is not.
I'm not sure if everyone understands just what using a globally shared crypto key in BBM means. It means that if your messages are redirected to another BlackBerry device they can be read as if it was the original phone. This is a big deal. This capability is not difficult for those who understand this stuff. Am I a likely target? Probably not. But others are.
Sent from my awesome BlackBerry Z3 running BlackBerry 10 - 2BBEAACF
11-06-14 10:56 PM
Why isn't PGP the de facto standard everyone loves and uses? The problem is in key management. If a middleman is involved in storing and providing keys, you're vulnerable to them. Otherwise, you have to handle passwords and keys off channel, and that is just a pain in the ***.
Everyone is, "trust me, we won't do harm". Out of BB, Google and Apple, my personal trust is in BlackBerry. It's been shown time and time again, Apple TRIES really, really, hard, but epic fails over and over.
There are better write-ups, including the one by the initial researcher who counters Apple's response. This isn't it, this is just the first Google hit. Unbreakable Apple's iMessage encryption is vulnerable to eavesdropping attack
BlackBerry should give us S/MIME and PGP capabilities!
11-07-14 03:06 AM
Please take a look at page 15 of this paper and read under point 5.5
"However, the BBM app used certificate pinning for communication with the SIP server, meaning it has its own built-in list of trusted certificates. Because the signing certificate was not in there, and could not be imported in there without modifying the APK file, the app would not accept the wrong certificates."
Certificate pinning in combination with a robust TLS protocol and cipher suite is bulletproof.
I am convinced, if any LEA wants to read BBM traffic in 2014, they need the help from BBRY.
Only exception is BBOS devices when connected to a mobile network, that's the only scenario when TLS isn't used (and only the 3DES encryption key is used).
So you should either upgrade to BB 10 or buy an Android/Apple phone.
Finally:
iMessage and WhatsApp are lacking certificate pinning.
iMessage Privacy
Crypto weaknesses in WhatsApp "the kind of stuff the NSA would love" | Ars Technica
Last edited by Superdupont 2_0; 11-07-14 at 04:00 AM.
11-07-14 03:17 AM
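The pinning behaviour the quoted paper describes, as an added example (not BBM's code and not from the paper): the client carries its own list of acceptable certificates and refuses anything else, even a certificate that chains to a CA the device trusts. The DER bytes below are constructed stand-ins, the whole-certificate SHA-256 is an assumed pin format, and `connect_pinned` is only shown to place the check where it belongs in real code; the offline part is `decide`.

```python
"""Certificate pinning check. Added example; the certificate bytes are constructed."""
import hashlib
import socket
import ssl

# Constructed stand-in for the DER encoding of the legitimate server certificate.
# A real pin set is built from the actual certificate(s) at build time.
LEGIT_SERVER_DER = b"constructed DER stand-in: legitimate SIP server certificate"

# Compiled into the app. Nothing the user (or an interceptor) installs into the
# device's trust store can add an entry here; only a modified app package could.
PINNED_SHA256 = frozenset({hashlib.sha256(LEGIT_SERVER_DER).hexdigest()})


def cert_pin(der_bytes: bytes) -> str:
    """SHA-256 over the whole DER certificate (the assumed pin format)."""
    return hashlib.sha256(der_bytes).hexdigest()


def pin_matches(der_bytes: bytes, pins=PINNED_SHA256) -> bool:
    return cert_pin(der_bytes) in pins


def decide(chain_valid: bool, leaf_der: bytes, pins=PINNED_SHA256) -> str:
    """Policy the client applies after the TLS handshake.

    chain_valid is the outcome of ordinary path validation against the device
    trust store. An interception proxy whose CA was imported into that store
    passes that step but still fails the pin, which is what the paper observed.
    """
    if not chain_valid:
        return "reject: chain does not validate"
    if not pin_matches(leaf_der, pins):
        return "reject: certificate not in pin set"
    return "accept"


def connect_pinned(host: str, port: int = 443, pins=PINNED_SHA256,
                   timeout: float = 5.0) -> ssl.SSLSocket:
    """Connect with the system trust store, then enforce the pin on the leaf cert.

    Needs a network; shown only for where the check sits in real code.
    """
    ctx = ssl.create_default_context()          # hostname and chain validation on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    leaf_der = tls.getpeercert(binary_form=True)
    if not pin_matches(leaf_der, pins):
        tls.close()
        raise ssl.SSLError(f"pin mismatch for {host}: leaf sha256={cert_pin(leaf_der)}")
    return tls
```

Two caveats a practitioner would add: pinning the whole leaf certificate means a routine renewal locks out clients unless the next certificate is shipped in advance, which is why pins are often taken over the public key (SPKI) or an intermediate instead; and pinning only protects the client-to-server leg, so whoever runs the server still sees the plaintext, a point raised later in this thread.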
From their email:
"TorGuard has recently engineered new "Stealth" VPN connections that are guaranteed to bypass Deep Packet Inspection (DPI) firewalls or VPN blocks and provide invisible VPN access anywhere in the world. Stealth VPN options are provided to all clients at no additional charge and can be accessed by selecting a Stealth enabled server option on the TorGuard VPN app.
Unlike normal VPN traffic which can be filtered or blocked by an Internet Service Provider, TorGuard Stealth VPN service will appear as regular HTTP traffic making it virtually impossible to block or detect. This is accomplished with OpenVPN by wrapping the tunnel in a layer of obfuscation, which then transforms all data back into normal looking traffic. In this way, strict network admins or draconian ISP's won't be able to detect or even block VPN usage."
I don't have a preference either way who people choose, just sharing.
Cheers
Sent from my awesome BlackBerry Z3 running BlackBerry 10 - 2BBEAACF
11-07-14 05:38 AM
Actually it is not a big deal.
Thanks!
Sent from my awesome BlackBerry Z3 running BlackBerry 10 - 2BBEAACF
11-07-14 05:40 AM
I don't think, honestly, any of us would have any clue about what Apple, Google or anyone else discuss with governments in this capacity. It would be pretty high ranking discussions on both sides.
11-07-14 06:19 AM
What you want is NAT-Firewall and here is why:
https://www.bestvpn.com/blog/4246/wh...-nat-firewall/
11-07-14 06:24 AM
Thanks! I was unaware of this.
I did some checking on Torguard's website and found that they support pfsense. I am not an expert but it seems their config guide allows you to set up a NAT firewall using pfsense.
How to Setup pfsense with TorGuard OpenVPN | TorGuard Anonymous VPN & Proxy.
Is this what you mean?
11-07-14 06:58 AM
I think you should contact TorGuard.
If they aren't able to say straight: "Yes, a NAT Firewall is enabled"... then you know that all ports on their server are open and will forward all requests unfiltered to your Berry.
If you want to check your own router at home:
https://pentest-tools.com/discovery-...r-online-nmap#
https://www.grc.com/x/ne.dll?rh1dkyd2
... you hopefully find that all ports of your router are closed, but that doesn't help you if your computer/smartphone/tablet is connected to a VPN server, because your router cannot check the encrypted VPN traffic.
11-07-14 07:20 AM
This set-up guide for devices with OpenVPN won't help you.
Thanks!
Sent from my awesome BlackBerry Z3 running BlackBerry 10 - 2BBEAACF
11-07-14 07:25 AM
By the way, one of the reasons (besides the fact they offer IKEv2) that I selected TorGuard is the fact that they don't keep logs and take privacy seriously. Of course anyone can say that, but Torrentfreak was pretty favorable to them, as well as PureVPN.
Sent from my awesome BlackBerry Z3 running BlackBerry 10 - 2BBEAACF
11-07-14 07:29 AM
This stuff is off-topic, please keep this thread on track.
BlackBerry should give us S/MIME and PGP capabilities!
11-07-14 07:50 AM
I like the EFF and the issues they raise should be important to one degree or another to everyone.
It's interesting that they rate Facetime and iMessage the most secure of the big corporate messaging services, Google the worst and Berry in between. But a few of the areas that the Apple products do well in (Is the code open to independent review? Is security design properly documented? Has the code been audited?) are pretty subjective.
11-07-14 08:38 AM
EFF is OK, but they are black and white and the world isn't. EFF is against laws that punish people for actions like revenge porn. They want privacy to be absolute, even if it protects criminals and terrorists. That is black and white.
11-07-14 08:46 AM
"Blablabla....As such, the results in the scorecard below should not be read as endorsements of individual tools or guarantees of their security; they are merely indications that the projects are on the right track."
BBM Protected is definitely on the right track, and I hope EFF will revise their rating.
BBM for consumers is perhaps not on the right track ( I don't know if Forward Secrecy is used, perhaps EFF doesn't know either), though such points could be easily improved by BlackBerry.
However, it will be interesting to watch phases 2, 3... of this project.
11-07-14 09:21 AM
The lack of responses in this thread shows how much the new BlackBerry user base cares about security...
11-07-14 02:29 PM
I think that is actually referring to providing an out of band method of verifying the key fingerprints to know that you aren't being man-in-the-middled. With Threema, for example, a QR code representation of the fingerprint can be displayed which is then scanned by your contact's phone when you are in physical proximity to the contact. So identity verification really means "verify that the key that I am encrypting to really belongs to the contact I am sending to" in this context, I think.
11-07-14 02:34 PM
To me it appears that when a BBM is sent, the message is sent via TLS to a server where it passes in unencrypted form (and perhaps waits in unencrypted form to be relayed to the target device), where it is then once again sent from server to target device via TLS.
I think the goal of the EFF scorecard is to inform where the weaknesses are - BlackBerry Messenger does do an adequate job (based on your link) of providing assurance that the BlackBerry Messenger device is talking to the server it's intending to talk to, and that is reflected in the scorecard that messages are encrypted in transit.
Also, thanks for posting that analysis of BlackBerry Messenger (on Android), interesting reading.
11-07-14 02:52 PM
Please read page 13 of the whitepaper
[...]
"2. The initiator chooses or autogenerates a secret password and sends this out-of-band to the recipient using an SMS text
message, email, phone call, or in person"
[...]
"4. The recipient responds to the invitation and provides the highest version of BBM Protected that the recipient supports, proof that they know the secret password, and the recipient's long-lived public encryption and signing keys."
I think your understanding of the EFF criterion is correct.
Nevertheless, I don't understand why BBM Protected should fail here.
11-07-14 03:58 PM
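The invitation steps quoted above, run through as an added example that is not BlackBerry's code and not taken from the whitepaper. It assumes one concrete way to build "proof that they know the secret password": a keyed hash, under a key stretched from the out-of-band password, over both parties' public keys and the invitation nonce. Long-lived key pairs are replaced by random stand-in bytes, since the point is the binding, not the cipher. The same block also covers the fingerprint comparison (QR code scan) mentioned earlier in the thread, and it shows both the honest run and the run with a man-in-the-middle swapping keys.

```python
"""Out-of-band password binding for a key-exchange invitation.
Added example, not BlackBerry's implementation; keys are random stand-ins."""
import hashlib
import hmac
import os


def derive_pw_key(password: str, nonce: bytes) -> bytes:
    """Stretch the short human-chosen password with the invitation nonce."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), nonce, 100_000)


def fingerprint(pubkey: bytes) -> str:
    """Short hash of a public key for out-of-band comparison (e.g. a QR code)."""
    return hashlib.sha256(pubkey).hexdigest()[:16]


def fingerprints_agree(own_pub: bytes, pub_as_seen_by_peer: bytes) -> bool:
    """The QR-code check: the peer scans what I display and compares it to
    the key they actually received for me."""
    return hmac.compare_digest(fingerprint(own_pub), fingerprint(pub_as_seen_by_peer))


def transcript(initiator_pub: bytes, recipient_pub: bytes, nonce: bytes) -> bytes:
    return b"invite|" + initiator_pub + b"|" + recipient_pub + b"|" + nonce


def recipient_proof(password: str, initiator_pub_seen: bytes,
                    recipient_pub: bytes, nonce: bytes) -> bytes:
    """Step 4: recipient proves password knowledge over the keys *they* saw."""
    k = derive_pw_key(password, nonce)
    return hmac.new(k, transcript(initiator_pub_seen, recipient_pub, nonce), "sha256").digest()


def initiator_verify(password: str, initiator_pub_sent: bytes,
                     recipient_pub_seen: bytes, nonce: bytes, proof: bytes) -> bool:
    """Initiator recomputes the proof over the key it sent and the key it received."""
    k = derive_pw_key(password, nonce)
    expected = hmac.new(k, transcript(initiator_pub_sent, recipient_pub_seen, nonce),
                        "sha256").digest()
    return hmac.compare_digest(expected, proof)


def run_exchange(attacker_in_path: bool):
    """Simulate the invitation. Returns (proof_accepted, fingerprint_check_passed)."""
    password = "correct horse 4711"     # step 2: sent out of band (SMS, call, in person)
    nonce = os.urandom(16)
    alice_pub = os.urandom(32)           # stand-in for Alice's long-lived public key
    bob_pub = os.urandom(32)             # stand-in for Bob's long-lived public key
    if attacker_in_path:
        # Mallory substitutes her own keys in both directions.
        to_bob, to_alice = os.urandom(32), os.urandom(32)
    else:
        to_bob, to_alice = alice_pub, bob_pub
    proof = recipient_proof(password, to_bob, bob_pub, nonce)
    # Mallory can only forward Bob's proof; without the password she cannot make one.
    accepted = initiator_verify(password, alice_pub, to_alice, nonce, proof)
    # Independent check: Bob scans Alice's displayed fingerprint in person.
    fp_ok = fingerprints_agree(alice_pub, to_bob)
    return accepted, fp_ok
```

In the attacker run the proof Bob computed covers Mallory's key, while Alice checks it against her own key, so the proof fails even though Mallory relayed it untouched; the fingerprint scan catches the same substitution from the other side. The caveat is the password itself: Mallory sees the proof and can attack it offline, and PBKDF2 only slows that down, so an SMS-delivered password needs real entropy, and the bare password should never be the only secret for more than one invitation.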
Reading material for the clan.
BlackBerry Ltd (BBRY): BBM is Security that Can be Trusted
11-07-14 04:51 PM
Last time I switched my BB 10 device all my BBM messages were lost (I didn't back up on my PC).
Afaik, BBM messages are never stored on the server.
The server is just forwarding traffic between the two clients.
Of course, we all know that BlackBerry has the perfect MITM position and could read this traffic, however, nobody else can read this traffic!
That's the point. So it all comes down to the question:
Do you think that BBRY will respect your privacy and defend your human rights against shameless requests from all these spying agencies all over the globe?
I am afraid that the Security Note on consumer grade BBM wasn't detailed enough, so BBRY lost the categories "Forward Secrecy" and "Proper Documentation"... if they just would have added a few more words on the applied crypto.
11-07-14 04:52 PM