1. ohaiguise's Avatar
    BlackBerry is still using weak encryption standards?-2016-07-25_07-12-56.jpg

    Hey ... this isn't good.

    I thought security was Chen's number one? I think they are too busy playing with Android and forgetting the fundamentals ...
    07-25-16 01:14 AM
  2. Dunt Dunt Dunt's Avatar

    Hey ... this isn't good.

    I thought security was Chen's number one? I think they are too busy playing with Android and forgetting the fundamentals ...
    Think it's a matter of BlackBerry being a smaller company, that has to prioritize what they can, and cannot do. Bet that right now BBID login info isn't their focus... But then you would think that as part of their website "update", they would have implemented some of the newer standards...
    07-25-16 08:11 AM
  3. Alain_A's Avatar

    Hey ... this isn't good.

    I thought security was Chen's number one? I think they are too busy playing with Android and forgetting the fundamentals ...
    Cannot have too hard of an encryption, otherwise how will the government spy on you?....Lol
    07-25-16 08:51 AM
  4. ohaiguise's Avatar
    Think it's a matter of BlackBerry being a smaller company, that has to prioritize what they can, and cannot do. Bet that right now BBID login info isn't their focus... But then you would think that as part of their website "update", they would have implemented some of the newer standards...
    It should definitely be at the top of their priority. If someone can eavesdrop on my BBID login details, and take my password, I am screwed.

    Upgrading to SHA-256 certificates is not rocket science. This is embarrassing.
    07-25-16 10:44 AM
  5. Dunt Dunt Dunt's Avatar
    It should definitely be at the top of their priority. If someone can eavesdrop on my BBID login details, and take my password, I am screwed.

    Upgrading to SHA-256 certificates is not rocket science. This is embarrassing.
    How do you pull the batteries on a rocket?
    07-25-16 10:51 AM
  6. app_Developer's Avatar
    It should definitely be at the top of their priority. If someone can eavesdrop on my BBID login details, and take my password, I am screwed.

    Upgrading to SHA-256 certificates is not rocket science. This is embarrassing.
    It's sort of an unlikely attack, though.

    In some countries it *might* be worth the effort if a government wanted to impersonate the login to collect all the BBID's and passwords in the country or something.

    But the appearance is bad for BB. Nobody wants to see that pop up when they are about to login with a company that prides itself on security and privacy. Chen should have their security services team do a full audit on BB itself. It might uncover other loose ends like this one.
    07-25-16 11:31 AM
  7. Prem WatsApp's Avatar
    I always thought of the BlackBerry website(s) as the weak spot in the whole setup...

    Looks like I've been right. :-(

      There's a Crack in the Berry right now...  
    07-25-16 04:26 PM
  8. Alain_A's Avatar
    BB=security=what ever people wants to hear
    07-25-16 05:35 PM
  9. 1khalid's Avatar
    I thought Slackberry was a software company now? Jokers!

    But don't worry Slackberry, all your fanboys that blindly follow you and see you as the most perfect company in the world will surely come to your defense. Just waiting for the responses below...
    07-25-16 06:51 PM
  10. sorinv's Avatar
    Cannot have too hard of an encryption, otherwise how will the government spy on you?....Lol
    Yep and the Russians couldn't leak the democrats' emails...
    07-25-16 08:10 PM
  11. rthonpm's Avatar
    Chrome has been very aggressive in noting SHA-1 certificates since the end of 2014 (https://www.ssl.com/article/google-p...ificates-soon/), in some cases overly aggressive since SHA-1 is still a valid encryption method since there has been no proven collision attack, or breaking of the encryption scheme, outside of the theoretical possibility of it coming soon. SHA-1 on the general internet is set to be retired at the end of this year and certificate authorities will not be issuing replacement certs at the SHA-1 level anymore. Also, if you use any other browser besides Chrome, you won't get a similar warning: Google is just trying to flex their muscles on this more than anything.

    As for the SHA-256 idea: the certificate already has a SHA-256 hash in it, the underlying issue is just the age of the underlying SHA-1 hash that generates the 256 key... https://www.entrust.com/lp/sha-1-sha-2-faq/


    If you look at the *.blackberry.com cert, it's expiring in October anyway and at that time they'll be replaced with SHA-2 certificates. Occam's razor, after all...
    07-26-16 08:58 AM
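Added example (the editor's, not from any poster in this thread): the field a browser's SHA-1 warning keys on is the certificate's outer signatureAlgorithm, i.e. the hash the CA used when it signed the TBSCertificate. The "SHA-256 fingerprint" a certificate viewer displays is something the viewer computes over the whole certificate; it is not a field inside the certificate. The stdlib-only Python below walks the DER encoding to pull out that algorithm and the notAfter date, then applies the staging Google announced for Chrome's SHA-1 sunset (Chrome 41 onward: a SHA-1-signed certificate in the chain expiring between 1 June and 31 December 2016 gets the yellow "secure, but with minor errors" indicator; one valid into 2017 is marked "affirmatively insecure"). The test certificate is constructed inside the code with a dummy key and dummy signature bits, the name `example.test` is made up, and nothing here fetches the real *.blackberry.com certificate; to look at a live host, feed `rate_der` the result of `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443)))`, which returns the leaf certificate only.

```python
import datetime
SIG_ALG_OIDS = {                            # signature algorithms common on TLS certificates
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split SEQUENCE/SET contents into a list of (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(value):
    """OBJECT IDENTIFIER contents -> dotted string (byte 0 = 40*arc1 + arc2, rest base-128)."""
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:                    # a clear high bit ends the arc
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def decode_time(tag, value):
    """UTCTime (0x17, YYMMDDHHMMSSZ; YY >= 50 means 19YY) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    s = value.decode("ascii")
    if tag == 0x17:
        yy = int(s[:2])
        s = str(yy + (1900 if yy >= 50 else 2000)) + s[2:]
    return datetime.datetime.strptime(s, "%Y%m%d%H%M%SZ")

def inspect_certificate(der):
    """Return (signature algorithm name, notAfter) for one DER-encoded X.509 Certificate."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs, sig_alg, _sig_value = children(cert)   # Certificate ::= SEQUENCE { tbs, sigAlg, sigValue }
    alg_oid = decode_oid(children(sig_alg[1])[0][1])   # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    fields = children(tbs[1])
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version precedes serialNumber
        fields = fields[1:]
    _not_before, not_after = children(fields[3][1])   # serial, signature, issuer, validity, ...
    return SIG_ALG_OIDS.get(alg_oid, alg_oid), decode_time(*not_after)

def chrome_2016_rating(sig_alg, not_after):
    """Chrome 41+ SHA-1 sunset (every chain cert except the root): SHA-1 expiring 1 Jun-31 Dec 2016
    -> yellow 'secure, but with minor errors'; SHA-1 valid into 2017 -> 'affirmatively insecure'."""
    if sig_alg[:1].isdigit():               # OID not in our table: say so rather than call it secure
        return "unknown signature algorithm " + sig_alg
    if "sha1" not in sig_alg.lower():
        return "secure"
    if not_after >= datetime.datetime(2017, 1, 1):
        return "affirmatively insecure"
    if not_after >= datetime.datetime(2016, 6, 1):
        return "secure, but with minor errors"
    return "secure"

def rate_der(der):
    """One-line verdict, e.g. for ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443)))."""
    alg, not_after = inspect_certificate(der)
    return f"{alg}, expires {not_after:%Y-%m-%d}: {chrome_2016_rating(alg, not_after)}"

# Minimal DER encoder, used only to build a constructed test certificate (dummy key and signature bits).
def tlv(tag, value):
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    nb = (len(value).bit_length() + 7) // 8
    return bytes([tag, 0x80 | nb]) + len(value).to_bytes(nb, "big") + value

def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        body += bytes(chunk)
    return tlv(0x06, bytes(body))

def make_test_certificate(sig_alg_oid, not_before, not_after):
    """Constructed certificate with the given signatureAlgorithm OID and 'YYYY-MM-DD' validity bounds."""
    utc = lambda s: tlv(0x17, datetime.datetime.fromisoformat(s).strftime("%y%m%d%H%M%SZ").encode())
    alg_id = tlv(0x30, oid(sig_alg_oid) + tlv(0x05, b""))
    name = tlv(0x30, tlv(0x31, tlv(0x30, oid("2.5.4.3") + tlv(0x13, b"example.test"))))
    spki = tlv(0x30, tlv(0x30, oid("1.2.840.113549.1.1.1") + tlv(0x05, b"")) + tlv(0x03, bytes(17)))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg_id + name
              + tlv(0x30, utc(not_before) + utc(not_after)) + name + spki)
    return tlv(0x30, tbs + alg_id + tlv(0x03, bytes(33)))
```

Chrome applied the rule to every certificate in the chain except the self-signed root, so a SHA-1 intermediate triggers the same indicator as a SHA-1 leaf; to check a whole chain, run each PEM block that `openssl s_client -connect host:443 -showcerts` prints through `ssl.PEM_cert_to_DER_cert` and `inspect_certificate`, not just the leaf.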
  12. ohaiguise's Avatar
    Chrome has been very aggressive in noting SHA-1 certificates since the end of 2014 (https://www.ssl.com/article/google-p...ificates-soon/), in some cases overly aggressive since SHA-1 is still a valid encryption method since there has been no proven collision attack, or breaking of the encryption scheme, outside of the theoretical possibility of it coming soon. SHA-1 on the general internet is set to be retired at the end of this year and certificate authorities will not be issuing replacement certs at the SHA-1 level anymore. Also, if you use any other browser besides Chrome, you won't get a similar warning: Google is just trying to flex their muscles on this more than anything.

    As for the SHA-256 idea: the certificate already has a SHA-256 hash in it, the underlying issue is just the age of the underlying SHA-1 hash that generates the 256 key... https://www.entrust.com/lp/sha-1-sha-2-faq/


    If you look at the *.blackberry.com cert, it's expiring in October anyway and at that time they'll be replaced with SHA-2 certificates. Occam's razor, after all...
    Bottom line: in theory, my password could be stolen when I log in to BlackBerry's website because they have not updated their certificate yet.

    If they cared they would have replaced the certificate already.
    07-26-16 10:51 AM
  13. Superfly_FR's Avatar
    Chrome has been very aggressive in noting SHA-1 certificates since the end of 2014 (https://www.ssl.com/article/google-p...ificates-soon/), in some cases overly aggressive since SHA-1 is still a valid encryption method since there has been no proven collision attack, or breaking of the encryption scheme, outside of the theoretical possibility of it coming soon. SHA-1 on the general internet is set to be retired at the end of this year and certificate authorities will not be issuing replacement certs at the SHA-1 level anymore. Also, if you use any other browser besides Chrome, you won't get a similar warning: Google is just trying to flex their muscles on this more than anything.

    As for the SHA-256 idea: the certificate already has a SHA-256 hash in it, the underlying issue is just the age of the underlying SHA-1 hash that generates the 256 key... https://www.entrust.com/lp/sha-1-sha-2-faq/


    If you look at the *.blackberry.com cert, it's expiring in October anyway and at that time they'll be replaced with SHA-2 certificates. Occam's razor, after all...
    Thx.
    BlackBerry is still using weak encryption standards?-capture.png

    If they cared they would have replaced the certificate already.
    Funny thing is ... the threat almost vanished since the SHA-1 EOL forecast. No one is going to try to turn theory into reality knowing that by the day they succeed (if ever) no one will be concerned by their exploit. As fairly mentioned above, certificates are due to expire next October and I'm not even sure you can ask Thawte for SHA-1 anymore. So ...
    rthonpm likes this.
    07-26-16 11:23 AM
  14. rthonpm's Avatar
    Bottom line: in theory, my password could be stolen when I log in to BlackBerry's website because they have not updated their certificate yet.

    If they cared they would have replaced the certificate already.
    In theory, you could also get struck by lightning, win the lottery, or find the lost city of Atlantis and at this point they're all just about as likely as getting your password stolen by visiting the BlackBerry website. In the realm of possibility, this is so ridiculously low of a risk.

    Also, renewal for a new certificate isn't generally done this far in advance. Many providers won't even let you begin the process until you're closer to the deadline for expiration:

    https://www.entrust.com/get-support/...e-renewal-faq/

    https://forums.crackberry.com/e?link...token=I4mFL97-

    https://www.instantssl.com/ssl-certi...-renewals.html
    Last edited by rthonpm; 07-26-16 at 11:51 AM. Reason: More ammunition against FUD
    07-26-16 11:41 AM
  15. ohaiguise's Avatar
    In theory, you could also get struck by lightning, win the lottery, or find the lost city of Atlantis

    Totally irrelevant ... are you making excuses for a supposedly security-focused company not keeping up with industry standards on security and if so, why?
    07-26-16 12:04 PM
  16. rthonpm's Avatar
    Primarily, because SHA-1 is still a perfectly legitimate form of encryption, close to 90% of all websites are still using SHA-1 certificates. That would make it a standard I would presume?

    There's also the fact that these are certificates issued by a third-party, which likely wants to keep as much compatibility with older systems as possible, as there are still devices accessing the internet that do not support SHA-2.

    Further evidence: examine pages 15-25 of this transcript which discusses the move by Google to advance the retirement of SHA-1.
    https://www.grc.com/sn/sn-473.pdf

    I can keep hammering you with facts, but this is the internet so arguing in the face of them has never stopped anyone.
    07-26-16 12:25 PM
  17. LazyEvul's Avatar
    Primarily, because SHA-1 is still a perfectly legitimate form of encryption, close to 90% of all websites are still using SHA-1 certificates. That would make it a standard I would presume?
    Source? Google kick-started the move away from SHA1 over two years ago, with most major companies following suit. Most TLS certificates aren't even valid for much longer than that, and by the end of this year, none of the major browsers will accept it as secure. I have a hard time believing that only 10 per cent of TLS-secured websites are worried about appearing insecure.

    There's also the fact that these are certificates issued by a third-party, which likely wants to keep as much compatibility with older systems as possible, as there are still devices accessing the internet that do not support SHA-2.
    You have to go over 6 years back to find clients that don't support SHA2 - we're talking the likes of iPhone OS 2, Android 1.5, and Windows Mobile 6, devices which were updated and/or never gained enough popularity to still be relevant today. Most desktop browsers have supported it even longer than that. This isn't likely to be a concern. You can find a detailed compatibility list here: https://support.globalsign.com/custo...-compatibility

    Edit: In actual fact, Certificate Authorities aren't even allowed to issue SHA1 certificates as of this year, per Section 1.2.2 of the Baseline Requirements for SSL (PDF warning): https://cabforum.org/wp-content/uplo...m-BR-1.3.6.pdf
    Last edited by LazyEvul; 07-26-16 at 01:49 PM.
    app_Developer likes this.
    07-26-16 01:13 PM
  18. ohaiguise's Avatar
    I can keep hammering you with facts, but this is the internet so arguing in the face of them has never stopped anyone.
    Those 'facts' (in your own eyes) mean nothing when the most popular browser in the world tells me BlackBerry's website is using an insecure security protocol.

    Nice try, but no cigar.
    07-26-16 02:03 PM
  19. ADGrant's Avatar

    Hey ... this isn't good.

    I thought security was Chen's number one? I think they are too busy playing with Android and forgetting the fundamentals ...
    I think you must be confusing him with someone else, Tim Cook perhaps?
    07-26-16 03:58 PM
