back to article BB10's 'dated' crypto lets snoops squeeze the juice from your BlackBerry – researcher

BlackBerry BB10 OS uses dated protocols that leave users at risk of cryptographic attacks, according to a security researcher. The latest version of the smartphone maker's operating system, BlackBerry 10, uses TLS 1.0, while competitors use TLS 1.2. The post on the CrackBerry forum contains a screenshot from the howsmyssl.com …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    Copy / Paste

    They forgot:

    Our customers data is the most important thing, blah,, blah, blah.....

  2. Anonymous Coward
    Anonymous Coward

    Surprise!

    Why is it that when we see the word "exploit" or the phrase "security problems/issues", the article is always about Microsoft.

    People need to give themselves a shake and stop using MS products!

    1. A Non e-mouse Silver badge
      WTF?

      Re: Surprise!

      Er, where in the article did it mention Microsoft?

    2. Anonymous Coward
      Anonymous Coward

      Re: Surprise!

      What has this article got to do with Microsoft? Was the spring so coiled and ready to launch a rabid attack upon them that you just couldn't hold back?

    3. Anonymous Coward
      Anonymous Coward

      Re: Surprise!

      Nice one! it's like watching lemmings run off a cliff ;-)

  3. Anonymous Coward
    Anonymous Coward

    And that ..

    kills off one of the main arguments why people still bought Blackberry. Disappointing - they started so well with QNX, but it was a sign on the wall they were not all THAT bothered about their perceived edge in security when they announced they would support Android apps on the platform.

    What's left is the keyboard, I think.

    1. Big_Ted
      Mushroom

      Re: And that ..

      And this is why Blackberry are getting such negative press.

      Idiots posting as facts total rubbish. If you had half a brain you would check what you are going to post and find that the "Android" apps are "sandboxed" and so are no problem to run unless you enter data directly.

      And don't forget that BB10 also seperates work from peronal so Android can be restricted to the personal side only leaving a safe phone for work purposes.

      Now go away and read data to correct your "opinion" so you can start to post facts instead.

      1. sabroni Silver badge
        Meh

        Re: the "Android" apps are "sandboxed"

        Oh well that's absolutely fine then! While they may have fucked up their encryption software I'm sure they can build a bug free sandbox.

        1. Anonymous Coward
          Anonymous Coward

          Re: the "Android" apps are "sandboxed"

          I mean, isn't Java supposed to run in a sandbox, too? Thing is, sandboxes have proven notoriously difficult to harden against escape attacks.

    2. Captain Scarlet Silver badge
      Happy

      Re: And that ..

      I would still get another Blackberry, last update added a torch which was the only app I required so I'm all set.

  4. Anonymous Coward
    Anonymous Coward

    Client says "Your client is not vulnerable to the BEAST attack. While it's using TLS 1.0 in conjunction with Cipher-Block Chaining cipher suites, it has implememted the 1/n-1 record splitting mitigation" - https://howsmyssl.com

    1. This post has been deleted by its author

    2. RAMChYLD

      Mixed result

      From my Q5:

      Version: Bad blah blah blah susecptible to the BEAST attack blah blah blah

      BEAST Vulnerability: Good blah blah blah Cipher-Block Chaining blah blah blah

      Seriously, please make up your bloody mind! Is it good or bad?!?

  5. Anonymous Coward
    Anonymous Coward

    FreeBSD 10 (released 2014-01-20) has no better scoring than BB10 OS, unless one was to install OpenSSL from ports.

    1. ofutur

      True, but it's not like we can install our own libraries on non-rooted phones ;)

  6. Ribblethrop

    Great! Someone who knows what they are talking about who can explain security to us.

    So, we all know the 'BEAST' attack leverages client side web-browser right( correct me whenever you can)?

    And BB10 uses webkit based browser similar to Apple, OS X, Google, and Nokia, which was presumably patched 3 years ago by client side browser update.

    So, how is it vulnerable to the attack? Just tested my browser and it seemed ok.

  7. Binnacle

    conservative

    One must remember that RIM takes an extremely conservative approach to crypto--by design. Their primary customers are now governments that require this. For example FIPS is dated and some of the ciphers compromised, but the overall FIPS approach and framework is highly secure and that's what the customer demands.

    BEAST is for the most-part mitigated on the server side by all significant web sites. The case against RC4 is far from convincing, as the very-pointy-headed folks at Google have discerned--Google continues to prefer it.

    http://googleonlinesecurity.blogspot.com/2013/11/a-roster-of-tls-cipher-suites-weaknesses.html

    "Better the devil you know than the one you don't" as the saying goes. No doubt the latest EC crypto is great stuff, but it's still relatively young and not enough rocks have been thrown yet for utter confidence.

    1. ofutur

      Re: conservative

      Thanks for the link! Very informative :)

  8. Anonymous Coward
    Anonymous Coward

    BlackBerry

    They still around?

  9. c:\boot.ini
    Boffin

    Great, let's see if the 10.3 update comes with new encryption protocols, really looking forward to it.

    As for the rest here, I know why I use a blackberry z30 and most of you do not, as I have written repeatedly in the past. Look up my comments before you down vote, might learn something.

This topic is closed for new posts.