03-09-15 04:53 PM
27 12
tools
  1. jamesp614's Avatar
    I just ran the FREAK client check URL.

    https://freakattack.com/clienttest.html

    My Z10 is deemed vulnerable. Disappointed.

    Posted via CB10
    03-05-15 05:23 PM
  2. paulwallace1234's Avatar
    Disappointed about something which was only announced a few days ago? BlackBerry might be good at security but they don't have a crystal ball.
    03-05-15 05:24 PM
  3. jpvj's Avatar
    BlackBerry 10 is built on QNX + a lot of OSS and 3. party code.

    BlackBerry is no better than others of writing bug free code and I doubt BlackBerry 10 is much more secure than iOS or WP8 with regards to vulnerabilities in the OS.

    It's just not an interesting target for the majority of hackers with a market share well below 1%.

    Posted via CB10
    03-05-15 05:27 PM
  4. paulwallace1234's Avatar
    BlackBerry 10 is built on QNX + a lot of OSS and 3. party code.

    BlackBerry is no better than others of writing bug free code and I doubt BlackBerry 10 is much more secure than iOS or WP8 with regards to vulnerabilities in the OS.

    It's just not an interesting target for the majority of hackers with a market share well below 1%.

    Posted via CB10
    There's no such thing as bug free code, or even a fully secure OS.
    03-05-15 05:29 PM
  5. jamesp614's Avatar
    Firefox on Android passes. I am disappointed in the BB10 browser. I expected it would be at least on par with Firefox.
    03-05-15 08:13 PM
  6. BCITMike's Avatar
    Disappointed about something which was only announced a few days ago? BlackBerry might be good at security but they don't have a crystal ball.
    They should have been notified in January. Public disclosures are generally done 60 days or something to allow time for vendors to make a fix. Unless someone violates the embargo (it happens) for click bait sensationalism.

    https://web.nvd.nist.gov/view/vuln/d...=CVE-2015-0204
    Original release date: 01/08/2015
    Last revised: 03/05/2015

    But I don't know if that is only for openssl, or if other major vendors were told before March.
    03-05-15 09:13 PM
  7. LazyEvul's Avatar
    They should have been notified in January. Public disclosures are generally done 60 days or something to allow time for vendors to make a fix. Unless someone violates the embargo (it happens) for click bait sensationalism.

    https://web.nvd.nist.gov/view/vuln/d...=CVE-2015-0204
    Original release date: 01/08/2015
    Last revised: 03/05/2015

    But I don't know if that is only for openssl, or if other major vendors were told before March.
    Well Apple is rolling out their patch next week, and Google claims they've distributed theirs to partners already. So it seems that they didn't have quite enough notice to be ready, but they are acting fast - now let's see when BlackBerry gets a fix out.
    03-05-15 09:50 PM
  8. Prem WatsApp's Avatar
    It's patched on 10.3.1, ask Dave Bourque.... ;-)

    .
    FREAK vulnerability with Z10 10.2.1-img_20150304_100206.png

    10.3.0 ^ is still vulnerable. This issue has been out for a decade pretty much, afaik. Forcing your software to transmit using weak encryption. Finally someone's taking notice...

      "Oh Classic, you are the fairest here so true. But Passport is a thousand times more powerful than you..." (no offense, Classic is a great device, when it's charged)  
    03-06-15 02:07 AM
  9. muindor's Avatar
    It's not, Official 10.3.1.2243 on Z30


    FREAK vulnerability with Z10 10.2.1-img_20150306_101811.png

    03-06-15 03:19 AM
  10. LazyEvul's Avatar
    The automatic test isn't working on 10.3.1.2480 on my Passport. However, there's no sign of the export-grade cipher suites that are causing this issue when testing the browser on howsmyssl.com, so from my limited understanding of the issue it seems that 2480 should be unaffected. Can anyone whose BB10 browser is showing as vulnerable get me a list of cipher suites from howsmyssl.com to compare with?
    03-06-15 09:02 AM
  11. anon(8080272)'s Avatar
    The automatic test isn't working on 10.3.1.2480 on my Passport. However, there's no sign of the export-grade cipher suites that are causing this issue when testing the browser on howsmyssl.com, so from my limited understanding of the issue it seems that 2480 should be unaffected. Can anyone whose BB10 browser is showing as vulnerable get me a list of cipher suites from howsmyssl.com to compare with?
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA
    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
    TLS_RSA_WITH_AES_256_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA
    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
    TLS_RSA_WITH_AES_128_CBC_SHA
    TLS_ECDHE_RSA_WITH_RC4_128_SHA
    TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
    TLS_ECDH_RSA_WITH_RC4_128_SHA
    TLS_ECDH_ECDSA_WITH_RC4_128_SHA
    TLS_RSA_WITH_RC4_128_SHA
    TLS_RSA_WITH_RC4_128_MD5
    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
    TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
    TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
    TLS_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_EMPTY_RENEGOTIATION_INFO_SCSV

    Q10 SQN100-1- OS 10.2.1 ... on its 3rd keyboard.
    LazyEvul likes this.
    03-06-15 09:09 AM
  12. LazyEvul's Avatar
    Thanks for that. I'm not seeing any suspect ciphers there either, so if I'm understanding this correctly, it is possible that 2480 is also vulnerable - although my list of ciphers appears to be a lot longer for some reason.

    Edit: Just noticed the test screenshot above from 10.3.0 that mentions the lack of RSA EXPORT ciphers but is still vulnerable. Seems likely at this point that 2480 is much the same, just unable to run the automatic test.
    Last edited by LazyEvul; 03-06-15 at 09:34 AM.
    03-06-15 09:14 AM
  13. jdesignz's Avatar
    10.3.1.52 browser is vulnerable!

    Pasaporte Pilipinas | SQW100-1/10.3.1.2480
    03-06-15 09:34 AM
  14. kumarsanjeev82's Avatar
    Browser 10.3.1.46 is vulnerable
    Fix needed at the earliest...

    with refreshed Z10 10.3.1.1565
    03-06-15 10:23 AM
  15. anon(8080272)'s Avatar
    Thanks for that. I'm not seeing any suspect ciphers there either, so if I'm understanding this correctly, it is possible that 2480 is also vulnerable - although my list of ciphers appears to be a lot longer for some reason.

    Edit: Just noticed the test screenshot above from 10.3.0 that mentions the lack of RSA EXPORT ciphers but is still vulnerable. Seems likely at this point that 2480 is much the same, just unable to run the automatic test.
    There is mention that the browsers employ v 1.0 of TLS, which is considered old.

    Q10 SQN100-1- OS 10.2.1 ... on its 3rd keyboard.
    03-06-15 10:25 AM
  16. LazyEvul's Avatar
    There is mention that the browsers employ v 1.0 of TLS, which is considered old.

    Q10 SQN100-1- OS 10.2.1 ... on its 3rd keyboard.
    That particular issue appears to be fixed in 10.3.1, according to howsmyssl.com.
    03-06-15 10:32 AM
  17. tmichaelchurch's Avatar
    Note Evolution Browser not vulnerable to Freakattack under 10.2, just tested.

    Posted via CB10
    03-06-15 11:03 AM
  18. DickDorf's Avatar
    I just tried all browsers I have installed on my Passport, Evolution was listed as vulnerable! As was Alpha browser and the Blackberry browser. The only one I have that is safe is Firefox, but I didn't try other Android browsers.

    Rockin a Passport and Z30! Two devices are better than 1!
    03-06-15 11:35 AM
  19. DickDorf's Avatar
    I went to https://freakattack.com and the test worked on 10.3.1.2267 on my PP.

    Rockin a Passport and Z30! Two devices are better than 1!
    03-06-15 11:35 AM
  20. LazyEvul's Avatar
    Finally got the test to work on 2480. Most definitely vulnerable, as I suspected:

    FREAK vulnerability with Z10 10.2.1-img_20150306_135202.png

    Posted via CB10
    anon(8080272) likes this.
    03-06-15 12:52 PM
  21. anon(8080272)'s Avatar
    Finally got the test to work on 2480. Most definitely vulnerable, as I suspected:

    Click image for larger version. 

Name:	IMG_20150306_135202.png 
Views:	217 
Size:	269.8 KB 
ID:	339316

    Posted via CB10
    What are the real-world implications? Could this affect, for example, online banking?
    03-06-15 02:17 PM
  22. LazyEvul's Avatar
    What are the real-world implications? Could this affect, for example, online banking?
    It depends on the exact security measures taken by the website you're visiting, but in theory yes, online banking could be affected if both the device and the website have this vulnerability. FREAK allows a man-in-the-middle attack that can grant a hacker access to any data you're sending to or receiving from the affected website - usernames, passwords, credit card numbers, etc.
    anon(8080272) likes this.
    03-06-15 02:53 PM
  23. TheScionicMan's Avatar
    What are the real-world implications? Could this affect, for example, online banking?
    They would first need to find a bank whose website is using weakened encryption, crack the weakened encryption key and and then wait for a person whose device/browser is also using the weakened encryption to connect to it. Then they could attempt to use MitM attacks to try and intercept your credentials. It's not a trivial exploit, but is exploitable given the right conditions.
    anon(8080272) likes this.
    03-06-15 04:45 PM
  24. anon(8080272)'s Avatar
    They would first need to find a bank whose website is using weakened encryption, crack the weakened encryption key and and then wait for a person whose device/browser is also using the weakened encryption to connect to it. Then they could attempt to use MitM attacks to try and intercept your credentials. It's not a trivial exploit, but is exploitable given the right conditions.
    It depends on the exact security measures taken by the website you're visiting, but in theory yes, online banking could be affected if both the device and the website have this vulnerability. FREAK allows a man-in-the-middle attack that can grant a hacker access to any data you're sending to or receiving from the affected website - usernames, passwords, credit card numbers, etc.
    Thanks very much for the insight, gents. Real world, end-user, impact makes it much easier to relate.
    03-06-15 05:36 PM
  25. Prem WatsApp's Avatar
    It's not, Official 10.3.1.2243 on Z30


    Click image for larger version. 

Name:	IMG_20150306_101811.png 
Views:	714 
Size:	202.0 KB 
ID:	339258

    Dave's device showed it was secured. I believe it is running a version of 10.3.1

    Looks like my standard 10.3.0.908 is more secure than your recent official 10.3.1. What's happening?

    :-)

      "Oh Classic, you are the fairest here so true. But Passport is a thousand times more powerful than you..." (no offense, Classic is a great device, when it's charged)  
    03-08-15 07:38 PM
27 12

Similar Threads

  1. Replies: 27
    Last Post: 04-10-15, 12:01 PM
  2. My z10 battery is gone after update
    By AUSTINGAD in forum BlackBerry Z10
    Replies: 12
    Last Post: 04-09-15, 09:29 PM
  3. Drop Android and Merge with Apple
    By Tatwi in forum Armchair CEO
    Replies: 32
    Last Post: 03-22-15, 02:21 PM
  4. Need help with 10.3.1 update
    By blaykurda in forum Ask a Question
    Replies: 5
    Last Post: 03-06-15, 02:31 PM
  5. Replies: 3
    Last Post: 03-05-15, 07:47 PM
LINK TO POST COPIED TO CLIPBOARD