
[tor-bugs] #26982 [Applications/Tor Browser]: TBA - httpclientandroidlib leaks information about Android version



#26982: TBA - httpclientandroidlib leaks information about Android version
------------------------------------------+----------------------------------------------
     Reporter:  sysrqb                    |      Owner:  tbb-team
         Type:  defect                    |     Status:  new
     Priority:  High                      |  Milestone:
    Component:  Applications/Tor Browser  |    Version:
     Severity:  Normal                    |   Keywords:  tbb-mobile, TorBrowserTeam201807
Actual Points:                            |  Parent ID:  #25703
       Points:                            |   Reviewer:
      Sponsor:                            |
------------------------------------------+----------------------------------------------
 While reviewing #22170, I noticed Fennec decides which TLS ciphers it
 supports[0] based on a lower-bound of the Android SDK version, and it
 chooses a TLS cipher within that list. This is another example of why we
 should use Necko (via GeckoView) instead of the Android SDK for
 networking.

 This is used by the Java networking in the Sync code[1].

 In the short term, we can always return the `else` clause:
 {{{
     } else {
       DEFAULT_CIPHER_SUITES = new String[]
           {
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",        // 11+
            "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",      // 11+
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",        // 11+

            // For Sync 1.1.
            "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",  // 9+
            "TLS_RSA_WITH_AES_128_CBC_SHA",      // 9+
           };
     }
 }}}

 But that sure is sad. We need ciphers for 16+.

 [0] https://gitweb.torproject.org/tor-browser.git/tree/mobile/android/services/src/main/java/org/mozilla/gecko/background/common/GlobalConstants.java?h=tor-browser-60.1.0esr-8.0-1#n47
 [1] https://gitweb.torproject.org/tor-browser.git/tree/mobile/android/services/src/main/java/org/mozilla/gecko/sync/net/BaseResource.java?h=tor-browser-60.1.0esr-8.0-1#n261

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26982>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
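
The leak described in the ticket, as an added illustration that is not part of the ticket and is not Fennec or Tor Browser code: it groups Android SDK levels by the ordered cipher list each would offer in its TLS ClientHello, first with a version-dependent selector and then with the single list from the ticket's `else` clause. The SDK thresholds (20, 26), the two GCM suites and the sample SDK levels are constructed for the example; only the `UNIFORM` list comes from the ticket.

```java
import java.util.*;
import java.util.function.IntFunction;

public class CipherListLeak {
    // The list quoted in the ticket's `else` clause, offered regardless of SDK level.
    static final String[] UNIFORM = {
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
    };

    // Hypothetical version-dependent selector. The thresholds and the extra
    // suites are assumptions made for this example, not the project's values.
    static String[] versionDependent(int sdk) {
        List<String> suites = new ArrayList<>();
        if (sdk >= 26) suites.add("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384");
        if (sdk >= 20) suites.add("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");
        suites.addAll(Arrays.asList(UNIFORM));
        return suites.toArray(new String[0]);
    }

    // Short-term fix from the ticket: every SDK level offers the same list.
    static String[] uniform(int sdk) {
        return UNIFORM.clone();
    }

    // Group SDK levels by the exact ordered list they would offer. Each group
    // is one value a network observer can tell apart; one group means no leak.
    static Collection<List<Integer>> buckets(IntFunction<String[]> selector, int[] sdks) {
        Map<List<String>, List<Integer>> byList = new LinkedHashMap<>();
        for (int sdk : sdks) {
            byList.computeIfAbsent(Arrays.asList(selector.apply(sdk)),
                                   k -> new ArrayList<>()).add(sdk);
        }
        return byList.values();
    }

    public static void main(String[] args) {
        int[] sdks = {16, 19, 21, 23, 26, 28}; // constructed sample of SDK levels
        System.out.println("version-dependent: "
                + buckets(CipherListLeak::versionDependent, sdks));
        System.out.println("uniform:           "
                + buckets(CipherListLeak::uniform, sdks));
    }
}
```

A check like `buckets(...).size() == 1` can serve as a regression test that the offered list no longer varies with the SDK level.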