1. jamesp614's Avatar
    I just ran the FREAK client check URL.

    https://freakattack.com/clienttest.html

    My Z10 is deemed vulnerable. Disappointed.

    Posted via CB10
    03-05-15 05:23 PM
  2. paulwallace1234's Avatar
    Disappointed about something which was only announced a few days ago? BlackBerry might be good at security but they don't have a crystal ball.
    03-05-15 05:24 PM
  3. jpvj's Avatar
    BlackBerry 10 is built on QNX + a lot of OSS and 3rd-party code.

    BlackBerry is no better than others at writing bug-free code, and I doubt BlackBerry 10 is much more secure than iOS or WP8 with regards to vulnerabilities in the OS.

    It's just not an interesting target for the majority of hackers with a market share well below 1%.

    Posted via CB10
    03-05-15 05:27 PM
  4. paulwallace1234's Avatar
    > BlackBerry 10 is built on QNX + a lot of OSS and 3rd-party code.
    >
    > BlackBerry is no better than others at writing bug-free code, and I doubt BlackBerry 10 is much more secure than iOS or WP8 with regards to vulnerabilities in the OS.
    >
    > It's just not an interesting target for the majority of hackers with a market share well below 1%.
    >
    > Posted via CB10
    There's no such thing as bug free code, or even a fully secure OS.
    03-05-15 05:29 PM
  5. jamesp614's Avatar
    Firefox on Android passes. I am disappointed in the BB10 browser. I expected it would be at least on par with Firefox.
    03-05-15 08:13 PM
  6. BCITMike's Avatar
    > Disappointed about something which was only announced a few days ago? BlackBerry might be good at security but they don't have a crystal ball.
    They should have been notified in January. Public disclosures are generally done 60 days or something to allow time for vendors to make a fix. Unless someone violates the embargo (it happens) for click bait sensationalism.

    https://web.nvd.nist.gov/view/vuln/d...=CVE-2015-0204
    Original release date: 01/08/2015
    Last revised: 03/05/2015

    But I don't know if that is only for openssl, or if other major vendors were told before March.
    03-05-15 09:13 PM
  7. LazyEvul's Avatar
    > They should have been notified in January. Public disclosures are generally done 60 days or something to allow time for vendors to make a fix. Unless someone violates the embargo (it happens) for click bait sensationalism.
    >
    > https://web.nvd.nist.gov/view/vuln/d...=CVE-2015-0204
    > Original release date: 01/08/2015
    > Last revised: 03/05/2015
    >
    > But I don't know if that is only for openssl, or if other major vendors were told before March.
    Well Apple is rolling out their patch next week, and Google claims they've distributed theirs to partners already. So it seems that they didn't have quite enough notice to be ready, but they are acting fast - now let's see when BlackBerry gets a fix out.
    03-05-15 09:50 PM
  8. Prem WatsApp's Avatar
    It's patched on 10.3.1, ask Dave Bourque.... ;-)

    FREAK vulnerability with Z10 10.2.1-img_20150304_100206.png

    10.3.0 ^ is still vulnerable. This issue has been out for a decade pretty much, afaik. Forcing your software to transmit using weak encryption. Finally someone's taking notice...

    "Oh Classic, you are the fairest here so true. But Passport is a thousand times more powerful than you..." (no offense, Classic is a great device, when it's charged)
    03-06-15 02:07 AM
  9. muindor's Avatar
    It's not, Official 10.3.1.2243 on Z30
    FREAK vulnerability with Z10 10.2.1-img_20150306_101811.png

    03-06-15 03:19 AM
  10. LazyEvul's Avatar
    The automatic test isn't working on 10.3.1.2480 on my Passport. However, there's no sign of the export-grade cipher suites that are causing this issue when testing the browser on howsmyssl.com, so from my limited understanding of the issue it seems that 2480 should be unaffected. Can anyone whose BB10 browser is showing as vulnerable get me a list of cipher suites from howsmyssl.com to compare with?
    03-06-15 09:02 AM
  11. anon(8080272)'s Avatar
    > The automatic test isn't working on 10.3.1.2480 on my Passport. However, there's no sign of the export-grade cipher suites that are causing this issue when testing the browser on howsmyssl.com, so from my limited understanding of the issue it seems that 2480 should be unaffected. Can anyone whose BB10 browser is showing as vulnerable get me a list of cipher suites from howsmyssl.com to compare with?
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA
    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
    TLS_RSA_WITH_AES_256_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA
    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
    TLS_RSA_WITH_AES_128_CBC_SHA
    TLS_ECDHE_RSA_WITH_RC4_128_SHA
    TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
    TLS_ECDH_RSA_WITH_RC4_128_SHA
    TLS_ECDH_ECDSA_WITH_RC4_128_SHA
    TLS_RSA_WITH_RC4_128_SHA
    TLS_RSA_WITH_RC4_128_MD5
    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
    TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
    TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
    TLS_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_EMPTY_RENEGOTIATION_INFO_SCSV

    Q10 SQN100-1- OS 10.2.1 ... on its 3rd keyboard.
    LazyEvul likes this.
    03-06-15 09:09 AM
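Added example, not part of the thread: a small Python audit that classifies an offered cipher-suite list of the kind howsmyssl.com shows, flagging export-grade, RC4, DES/3DES and MD5 suites. The sample list mixes a few suites from the post above with two constructed RSA_EXPORT entries so there is something to flag; as the thread itself observes, a client that advertises no export suites can still be FREAK-vulnerable (the CVE-2015-0204 client bug is accepting an export-grade RSA key in a non-export handshake), so this check only tells you what the client offers.

```python
"""Classify a TLS cipher-suite offer list by IANA suite name."""

# Constructed sample: a few suites from the list posted in the thread
# (BB10 10.2.1 browser) plus two export-grade suites added for illustration.
SAMPLE_OFFER = [
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",     # constructed: export-grade (FREAK)
    "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",  # constructed: export-grade (FREAK)
    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
]


def classify_suite(name):
    """Return a list of weakness findings for one cipher-suite name."""
    findings = []
    if name.endswith("_SCSV"):
        return findings  # signalling value, not a real cipher suite
    if "_EXPORT" in name:
        findings.append("export-grade key exchange (FREAK-relevant)")
    if "_RC4_" in name:
        findings.append("RC4 stream cipher (broken)")
    if "_3DES_" in name or "_DES40_" in name or "_DES_" in name:
        findings.append("DES/3DES block cipher (weak)")
    if name.endswith("_MD5"):
        findings.append("MD5-based MAC")
    if "_NULL_" in name or "_anon_" in name:
        findings.append("no encryption or no authentication")
    return findings


def audit_offer(suites):
    """Map every suite with at least one finding to its findings."""
    return {s: classify_suite(s) for s in suites if classify_suite(s)}


def advertises_export(suites):
    """True if the client offers any RSA_EXPORT suite (what howsmyssl shows)."""
    return any("RSA_EXPORT" in s for s in suites)


if __name__ == "__main__":
    for suite, why in audit_offer(SAMPLE_OFFER).items():
        print(f"{suite}: {'; '.join(why)}")
    print("offers RSA_EXPORT suites:", advertises_export(SAMPLE_OFFER))
```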
  12. LazyEvul's Avatar
    Thanks for that. I'm not seeing any suspect ciphers there either, so if I'm understanding this correctly, it is possible that 2480 is also vulnerable - although my list of ciphers appears to be a lot longer for some reason.

    Edit: Just noticed the test screenshot above from 10.3.0 that mentions the lack of RSA EXPORT ciphers but is still vulnerable. Seems likely at this point that 2480 is much the same, just unable to run the automatic test.
    Last edited by LazyEvul; 03-06-15 at 09:34 AM.
    03-06-15 09:14 AM
  13. jdesignz's Avatar
    10.3.1.52 browser is vulnerable!

    Pasaporte Pilipinas | SQW100-1/10.3.1.2480
    03-06-15 09:34 AM
  14. kumarsanjeev82's Avatar
    Browser 10.3.1.46 is vulnerable
    Fix needed at the earliest...

    with refreshed Z10 10.3.1.1565
    03-06-15 10:23 AM
  15. anon(8080272)'s Avatar
    > Thanks for that. I'm not seeing any suspect ciphers there either, so if I'm understanding this correctly, it is possible that 2480 is also vulnerable - although my list of ciphers appears to be a lot longer for some reason.
    >
    > Edit: Just noticed the test screenshot above from 10.3.0 that mentions the lack of RSA EXPORT ciphers but is still vulnerable. Seems likely at this point that 2480 is much the same, just unable to run the automatic test.
    There is mention that the browsers employ v 1.0 of TLS, which is considered old.

    Q10 SQN100-1- OS 10.2.1 ... on its 3rd keyboard.
    03-06-15 10:25 AM
  16. LazyEvul's Avatar
    > There is mention that the browsers employ v 1.0 of TLS, which is considered old.
    >
    > Q10 SQN100-1- OS 10.2.1 ... on its 3rd keyboard.
    That particular issue appears to be fixed in 10.3.1, according to howsmyssl.com.
    03-06-15 10:32 AM
  17. tmichaelchurch's Avatar
    Note Evolution Browser not vulnerable to Freakattack under 10.2, just tested.

    Posted via CB10
    03-06-15 11:03 AM
  18. DickDorf's Avatar
    I just tried all browsers I have installed on my Passport, Evolution was listed as vulnerable! As was Alpha browser and the Blackberry browser. The only one I have that is safe is Firefox, but I didn't try other Android browsers.

    Rockin a Passport and Z30! Two devices are better than 1!
    03-06-15 11:35 AM
  19. DickDorf's Avatar
    I went to https://freakattack.com and the test worked on 10.3.1.2267 on my PP.

    Rockin a Passport and Z30! Two devices are better than 1!
    03-06-15 11:35 AM
  20. LazyEvul's Avatar
    Finally got the test to work on 2480. Most definitely vulnerable, as I suspected:

    FREAK vulnerability with Z10 10.2.1-img_20150306_135202.png

    Posted via CB10
    anon(8080272) likes this.
    03-06-15 12:52 PM
  21. anon(8080272)'s Avatar
    > Finally got the test to work on 2480. Most definitely vulnerable, as I suspected:
    >
    > [attachment: IMG_20150306_135202.png]
    >
    > Posted via CB10
    What are the real-world implications? Could this affect, for example, online banking?
    03-06-15 02:17 PM
  22. LazyEvul's Avatar
    > What are the real-world implications? Could this affect, for example, online banking?
    It depends on the exact security measures taken by the website you're visiting, but in theory yes, online banking could be affected if both the device and the website have this vulnerability. FREAK allows a man-in-the-middle attack that can grant a hacker access to any data you're sending to or receiving from the affected website - usernames, passwords, credit card numbers, etc.
    anon(8080272) likes this.
    03-06-15 02:53 PM
  23. TheScionicMan's Avatar
    > What are the real-world implications? Could this affect, for example, online banking?
    They would first need to find a bank whose website is using weakened encryption, crack the weakened encryption key and then wait for a person whose device/browser is also using the weakened encryption to connect to it. Then they could attempt to use MitM attacks to try and intercept your credentials. It's not a trivial exploit, but is exploitable given the right conditions.
    anon(8080272) likes this.
    03-06-15 04:45 PM
  24. anon(8080272)'s Avatar
    > They would first need to find a bank whose website is using weakened encryption, crack the weakened encryption key and then wait for a person whose device/browser is also using the weakened encryption to connect to it. Then they could attempt to use MitM attacks to try and intercept your credentials. It's not a trivial exploit, but is exploitable given the right conditions.
    > It depends on the exact security measures taken by the website you're visiting, but in theory yes, online banking could be affected if both the device and the website have this vulnerability. FREAK allows a man-in-the-middle attack that can grant a hacker access to any data you're sending to or receiving from the affected website - usernames, passwords, credit card numbers, etc.
    Thanks very much for the insight, gents. Real world, end-user, impact makes it much easier to relate.
    03-06-15 05:36 PM
  25. Prem WatsApp's Avatar
    > It's not, Official 10.3.1.2243 on Z30
    >
    > [attachment: IMG_20150306_101811.png]

    Dave's device showed it was secured. I believe it is running a version of 10.3.1.

    Looks like my standard 10.3.0.908 is more secure than your recent official 10.3.1. What's happening?

    :-)

    "Oh Classic, you are the fairest here so true. But Passport is a thousand times more powerful than you..." (no offense, Classic is a great device, when it's charged)
    03-08-15 07:38 PM