Positive: Delphi 10.1 Berlin is out; negative all Embarcadero HTTPS sites still vulnerable to DROWN attack
Posted by jpluimers on 2016/04/19
The good news: Delphi 10.1 Berlin is out and released in Berlin (note: you might want to rename Delphi 10 Seattle into Delphi 10.0 Seattle).
Some links:
- Bug fix list.
- What’s New – RAD Studio.
- From the 10.1 What’s New (thanks David Heffernan):
- To enforce visibility semantics, class and record helpers cannot access private members of the classes or records that they extend.
- Lots of Berlin downloads:
- 30507 RAD Studio 10.1 Berlin Web Install.
- 30522 BDE Installer for RAD Studio, Delphi, C++Builder 10.1 Berlin.
- 30521 RAD Studio 10.1 Berlin FireMonkey Accessibility Pack.
- 30515 GSA accounts: RAD Studio 10.1 Berlin ISO.
- 30514 Delphi and C++Builder 10.1 Berlin ISO:
- 30491 FireMonkey Premium Styles Pack for RAD Studio 10.1 Berlin.
- 30492 VCL Premium Styles Pack for RAD Studio 10.1 Berlin.
- 30510 RAD Studio 10.1 Berlin ISO (incl. Delphi and C++Builder) (same ISOs as above).
- 30509 RAD Studio 10.1 Berlin (incl. Delphi, C++Builder)-30 day trial.
- 30499 IP*Works for C++Builder 10.1 Berlin.
- 30498 IP*Works for Delphi 10.1 Berlin.
- 30500 FastReport VCL 5 for RAD Studio, Delphi, C++Builder 10.1 Berlin.
- 30507 RAD Studio 10.1 Berlin Web Install.
- 30501 FastReport FMX for RAD Studio, Delphi and C++Builder 10.1 Berlin.
The not so good thing: I won’t be using it for a while as now for like 6 weeks or so, all the embarcadero HTTPS sites have been vulnerable to the DROWN man-in-the-middle attack that has been discovered 20160301.
Which means that even without going around the non-HTTPS partner site, I won’t be able to make a secure connection and install it.
Which gives me more time to play with the Xamarin Visual Studio 2015 integration, the cool stuff that MvvmCross offers and some of the other .NET Goodness at BUILD 2016 – .NET ALL THE THINGS! | Beth Massi
| F (DROWN attack) | members.embarcadero.com | the logon site for regular users |
| No HTTPS at all | tp.embarcadero.com | the partner logon site for MVPs and TPs |
| F (DROWN attack) | quality.embarcadero.com | the site where to post bug reports and enhancement requests, replacing qc which had no https as all |
| F (DROWN attack) | community.embarcadero.com | the replacement of the forums server which like the original is down a lot of the time) which for a long time defaulted to http login at http://community.embarcadero.com/login hopefully it doesn’t do that any more). |
| F (DROWN attack) | forums.embarcadero.com | which has been revived after the old forums server was down more often than it was up |
| F (DROWN attack) | edn.embarcadero.com | the developers network server containing articles and information |
| F (DROWN attack) | store.embarcadero.com | buying products |
| F (DROWN attack) | www.embarcadero.com | the main site |
| No TLS on main server; Google Servers have weak cyphers |
embarcadero.com | the mail servers;via ssl-tools.net as SSL labs doesn’t support MX |
–jeroen
Sources:
The Wiert Corner - irregular stream of stuff 
Positive: Delphi 10.1 Berlin Update 2 is out – ISO links « The Wiert Corner – irregular stream of stuff said
[…] Reference: Positive: Delphi 10.1 Berlin is out; negative all Embarcadero HTTPS sites still vulnerable to DROWN … […]
Jeff Dyer said
“Which means that even without going around the non-HTTPS partner site, I won’t be able to make a secure connection and install it.”
Tin foil hat time?
jpluimers said
I wish. After witnessing the aftermath of identity theft and the causes (broken https and plain credentials over http), I’ve become a lot stricter in what I do.
Paul Dunn said
That’s lovely and all, but have they fixed the 64bit codegen issues? Have they added 64bit OSX codegen?
jpluimers said
I’ve no idea. I won’t be running it for a while for the security reasons I mentioned.
zxdunny said
Looks like they’ve fixed our issues (64bit codegen) but still no OSX 64bit support. And besides, none of our sources will build in it so it’s back to D10/Seattle for the time being. Nice one, Emba.