Android SSL Downgraded in Late 2010

For some reason, Android's SSL cryptographic preference was downgraded in 2010.

https://android.googlesource.com/platform/libcore/+/9acacc36bafda869c6e9cc63786cdddd995ca96a%5E!
 
I'm certaiN there iS a very good explAnation...
 
They wanted to protect users from BEAST etc. most likely. Until we can use TLS 1.2 without issues this likely makes people slightly better off than before. That article misses some important things. See the Hacker News comments for details.
 
Let's change the cipher order then?
 
Panic! If you care about any of this stuff, don't use the system defaults? Maybe open https://www.ssllabs.com/ssltest/viewMyClient.html with Chrome on Android to see how weak it is?
Also sorted in priority order as specified in JSSE documentation probably means just that, not deliberately weakened because haxor pwn!
 
+Jason Telford I don't use iOS, etc. but you should get the same results for a given version of Chrome. Unless there are some OS-related restrictions, but unlikely.
 
Ah not to worry, the post wasn't even about iOS or anything anyway, it was just me being curious that made me do it
 
BTW, most servers don't really care about client config. Try this: 

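// Open an HTTPS connection using the platform's default TLS settings.
URL url = new URL("https://google.com");
URLConnection conn = url.openConnection();
HttpsURLConnection urlConnection = (HttpsURLConnection) conn;
urlConnection.connect();
// Log the cipher suite that was actually negotiated with the server.
Log.d(TAG, "Cipher suite: " + urlConnection.getCipherSuite());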

> D/MainActivity(14760): Cipher suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
 
+Ryan M. Tillotson That's not the point. The NSA's MO is to knock out a few of the supports on encryption to give them a ledge to stand on to break it in a reasonable, human time frame by throwing iron/math/exploits at it. They need not-so-easy but breakable crypto to allow them to secretly and undetectably influence things in their favor.
 
+Joe Feise Ever heard of advance copies of research? It happens all the time.

What would be really interesting would be to know what that internal bug ticket contained.
 
+Björn Lundén Not months before the research is made public. And yes, I have done security research. You inform the vendor in advance, but don't wait months for the vendor to fix things.
This had nothing to do with BEAST.
 
+Joe Feise Considering the theoretical vulnerability was known in 2002 you can't say that with certainty. This is not like a normal security finding where you are informing a single vendor so I wouldn't compare that to attacks such as BEAST and CRIME that affect most internet users.

Without knowing what the original bug was about, we can't really say anything with certainty other than that Google is using an old cipher priority list (which is bad of course).