A new security measure when creating SSL connection.

by BlackBerry Development Advisor on ‎03-16-2012 10:32 AM (9,392 Views)

A new attack was recently discovered that allows an adversary to decrypt TLS 1.0 and SSL 3.0 traffic using a combination of eavesdropping and chosen plaintext attack when CBC chaining mode is used.

 

To combat this, we implemented a change that was compliant with SSL specifications and was widely

adopted by most browsers such as Mozilla® Firefox® and Google Chrome™.  We have implemented a counter measure where we split TLS records into two records: the first record containing a single byte of the data and the second records containing the rest of the data, which stops an attacker from exploiting this vulnerability.

 

The same change was implemented in Google Chrome browser. Our fix should work fine with any server

compliant with the SSL spec. However, we encountered problems in the past in cases where a server

does not properly implement the spec.  If you encounter any issues which are related to SSL or TLS,

here are two ways that you can fix the issue.  We strongly recommend the first solution.

 

  1. Update your servers to be SSL or TLS compliant and accept records with one byte of data. This is the best  way to fix any server related problems.

 

  1. In an effort to reduce incompatibility issues with older servers, we added the ability for third party  applications to disable this security countermeasure when creating SSL connections. In order to disable any CBC security countermeasures that are currently being utilized in BlackBerry® 7.1, you need to add a parameter to the URL being connected to. The parameter to be added is: 

 "DisableCbcSecurity=true".

 

 Example: 

https://www.server.com/index.html;DisableCbcSecurity=true

 

 

We introduced this work around in BlackBerry 7.1.0.288 so please try it on this version or higher.