Why Android SSL was downgraded from AES256-SHA to RC4-MD5 in late 2010
Nasty: http://op-co.de/blog/posts/android_ssl_downgrade/
Looks like ignorance rather than malice, but that's a pretty fucking bone-headed maneuver. Normally the Android guys are quite sharp, so a mistake like this actually strikes me as a little bit fishy.
Here's the guy responsible for the commit: http://carlstrom.com/ http://www.linkedin.com/in/carlstrom
Worth a follow-up?
R
On 15.10.2013, at 0:26, Rich Jones <rich@openwatch.net> wrote:
Nasty: http://op-co.de/blog/posts/android_ssl_downgrade/
Looks like ignorance rather than malice, but that's a pretty fucking bone-headed maneuver. Normally the Android guys are quite sharp, so a mistake like this actually strikes me as a little bit fishy.
Here's the guy responsible for the commit: http://carlstrom.com/ http://www.linkedin.com/in/carlstrom
Well, good news is, that:
1. browser (chrome) keeps its own better set of ciphers.
2. a lot of servers ignore client's preferences of ciphers these days
still stupid, though.
--
Alexey Zakhlestin
CTO at Grids.by/you
https://github.com/indeyets
PGP key: http://indeyets.ru/alexey.zakhlestin.pgp.asc
participants (2)
- Alexey Zakhlestin
- Rich Jones