
A new security measure when creating SSL connection.

by Retired on ‎03-16-2012 10:32 AM (10,043 Views)

A new attack was recently discovered that allows an adversary to decrypt TLS 1.0 and SSL 3.0 traffic using a combination of eavesdropping and a chosen-plaintext attack when CBC chaining mode is used.

 

To combat this, we implemented a change that was compliant with SSL specifications and was widely adopted by most browsers such as Mozilla® Firefox® and Google Chrome™. We have implemented a countermeasure where we split TLS records into two records: the first record containing a single byte of the data and the second record containing the rest of the data, which stops an attacker from exploiting this vulnerability.

 

The same change was implemented in the Google Chrome browser. Our fix should work fine with any server compliant with the SSL spec. However, we encountered problems in the past in cases where a server does not properly implement the spec. If you encounter any issues which are related to SSL or TLS, here are two ways that you can fix the issue. We strongly recommend the first solution.

 

  1. Update your servers to be SSL or TLS compliant and accept records with one byte of data. This is the best way to fix any server-related problems.

 

  2. In an effort to reduce incompatibility issues with older servers, we added the ability for third-party applications to disable this security countermeasure when creating SSL connections. In order to disable any CBC security countermeasures that are currently being utilized in BlackBerry® 7.1, you need to add a parameter to the URL being connected to. The parameter to be added is:

 "DisableCbcSecurity=true".

 

 Example: 

https://www.server.com/index.html;DisableCbcSecurity=true

 

 

We introduced this workaround in BlackBerry 7.1.0.288, so please try it on this version or higher.
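
One way to keep the second option narrow, shown as an added example that is not code from this article or from BlackBerry: append the parameter only for hosts on an explicit allow-list and only on OS builds at or above 7.1.0.288, so the record-splitting countermeasure stays enabled everywhere else. The class name, the host `legacy.example.com`, and the caller passing in the OS version string (for instance from `DeviceInfo.getSoftwareVersion()`) are assumptions.

```java
// Added example, not BlackBerry code: scopes the opt-out to named legacy hosts.
public final class CbcWorkaround {
    private static final String MIN_VERSION = "7.1.0.288"; // first build with the parameter, per the article
    private static final String PARAM = ";DisableCbcSecurity=true";
    // Hypothetical allow-list: servers known to reject one-byte records.
    private static final String[] LEGACY_HOSTS = { "legacy.example.com" };

    /** Returns url unchanged unless the host is allow-listed and the OS supports the parameter. */
    public static String urlFor(String url, String osVersion) {
        if (url == null || !url.startsWith("https://") || !atLeast(osVersion, MIN_VERSION)) return url;
        String host = hostOf(url);
        for (int i = 0; i < LEGACY_HOSTS.length; i++) {
            if (LEGACY_HOSTS[i].equals(host)) return url.indexOf(PARAM) >= 0 ? url : url + PARAM;
        }
        return url; // countermeasure stays on for every other host
    }

    /** Host part of an https URL, lower-cased, without port, path or parameters. */
    static String hostOf(String url) {
        int start = "https://".length(), end = url.length();
        char[] stops = { '/', ':', ';', '?' };
        for (int i = 0; i < stops.length; i++) {
            int p = url.indexOf(stops[i], start);
            if (p >= 0 && p < end) end = p;
        }
        return url.substring(start, end).toLowerCase();
    }

    /** True when dotted version a >= b; a missing or non-numeric version counts as "no". */
    static boolean atLeast(String a, String b) {
        if (a == null) return false;
        try {
            int i = 0, j = 0;
            while (i < a.length() || j < b.length()) {
                int ni = next(a, i), nj = next(b, j);
                int x = i < a.length() ? Integer.parseInt(a.substring(i, ni)) : 0;
                int y = j < b.length() ? Integer.parseInt(b.substring(j, nj)) : 0;
                if (x != y) return x > y;
                i = ni + 1; j = nj + 1;
            }
            return true;
        } catch (NumberFormatException e) { return false; }
    }

    /** Index of the next '.' at or after from, or the string length if there is none. */
    private static int next(String s, int from) {
        int p = s.indexOf('.', from);
        return p < 0 ? s.length() : p;
    }
}
```

The returned string is what the application would pass to its connection call; a host is removed from the allow-list once its server accepts one-byte records.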

Comments
by Developer
on ‎04-18-2012 06:38 PM

Which was the first device OS, or platform, with this security countermeasure in it?

by BlackBerry Development Advisor
on ‎04-19-2012 09:48 AM

Refer to the last line of the article for that answer.

by Developer
on ‎04-19-2012 11:28 AM

Oh sorry, I thought you had introduced the "DisableCbcSecurity=true" parameter in 7.1.0.288
