[tbb-bugs] #26982 [Applications/Tor Browser]: TBA - httpclientandroidlib leaks information about Android version

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Jul 30 14:32:39 UTC 2018


#26982: TBA - httpclientandroidlib leaks information about Android version
-------------------------------------+-------------------------------------
     Reporter:  sysrqb               |      Owner:  tbb-team
         Type:  defect               |     Status:  new
     Priority:  High                 |  Milestone:
    Component:  Applications/Tor     |    Version:
  Browser                            |   Keywords:  tbb-mobile,
     Severity:  Normal               |  TorBrowserTeam201807
Actual Points:                       |  Parent ID:  #25703
       Points:                       |   Reviewer:
      Sponsor:                       |
-------------------------------------+-------------------------------------
 While reviewing #22170, I noticed Fennec decides which TLS ciphers it
 supports[0] based on a lower-bound of the Android SDK version, and it
 chooses a TLS cipher within that list. This is another example of why we
 should use Necko (via GeckoView) instead of the Android SDK for
 networking.

 This is used by the Java networking in the Sync code[1].

 In the short term, we can always return the `else` clause:
 {{{
     } else {
       DEFAULT_CIPHER_SUITES = new String[]
           {
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",        // 11+
            "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",      // 11+
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",        // 11+

            // For Sync 1.1.
            "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",  // 9+
            "TLS_RSA_WITH_AES_128_CBC_SHA",      // 9+
           };
     }
 }}}

 But that sure is sad. We need ciphers for 16+.

 [0] https://gitweb.torproject.org/tor-browser.git/tree/mobile/android/services/src/main/java/org/mozilla/gecko/background/common/GlobalConstants.java?h=tor-browser-60.1.0esr-8.0-1#n47
 [1] https://gitweb.torproject.org/tor-browser.git/tree/mobile/android/services/src/main/java/org/mozilla/gecko/sync/net/BaseResource.java?h=tor-browser-60.1.0esr-8.0-1#n261

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26982>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
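
Added example, not part of the ticket or of the Tor Browser code base: a Java check that counts how many distinct cipher-suite lists a selector offers across SDK levels, comparing the version-gated pattern the ticket describes with its short-term mitigation. `NEWER_ONLY`, `HYPOTHETICAL_THRESHOLD` and the 16 to 28 SDK range are constructed stand-ins, since the ticket shows only the `else` branch.

```java
import java.util.*;
import java.util.function.IntFunction;

public final class CipherSuiteLeakCheck {
    // The else-branch list quoted in the ticket.
    static final List<String> FIXED = List.of(
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA");

    // Constructed stand-ins (assumptions): the ticket does not show the
    // version-gated branch or the SDK level at which it applies.
    static final List<String> NEWER_ONLY = List.of("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");
    static final int HYPOTHETICAL_THRESHOLD = 20;

    // Pattern described in the ticket: the offered list depends on the SDK level.
    static List<String> versionGated(int sdk) {
        if (sdk < HYPOTHETICAL_THRESHOLD) {
            return FIXED;
        }
        List<String> suites = new ArrayList<>(NEWER_ONLY);
        suites.addAll(FIXED);
        return suites;
    }

    // Short-term mitigation from the ticket: the same list on every SDK level.
    static List<String> versionIndependent(int sdk) {
        return FIXED;
    }

    // Counts the distinct ordered lists a selector produces across an SDK range.
    // Each list is sent in the clear in the TLS ClientHello, so a result above 1
    // means the handshake separates clients by platform version.
    static int distinctLists(IntFunction<List<String>> selector, int minSdk, int maxSdk) {
        Set<List<String>> seen = new HashSet<>();
        for (int sdk = minSdk; sdk <= maxSdk; sdk++) {
            seen.add(selector.apply(sdk));
        }
        return seen.size();
    }

    public static void main(String[] args) {
        System.out.println("version-gated:       " + distinctLists(CipherSuiteLeakCheck::versionGated, 16, 28));
        System.out.println("version-independent: " + distinctLists(CipherSuiteLeakCheck::versionIndependent, 16, 28));
    }
}
```

A unit test asserting that `distinctLists` returns 1 for the selector actually shipped would catch a reintroduced version branch.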

