Why Android SSL was downgraded from AES256-SHA to RC4-MD5 in late 2010
Alexey Zakhlestin
indeyets at gmail.com
Wed Oct 16 03:49:23 PDT 2013
On 15.10.2013, at 0:26, Rich Jones <rich at openwatch.net> wrote:
> Nasty: http://op-co.de/blog/posts/android_ssl_downgrade/
>
> Looks like ignorance rather than malice, but that's a pretty fucking bone-headed maneuver. Normally the Android guys are quite sharp, so a mistake like this actually strikes me as a little bit fishy.
>
> Here's the guy responsible for the commit: http://carlstrom.com/ http://www.linkedin.com/in/carlstrom
Well, the good news is that:
1. The browser (Chrome) keeps its own, better set of ciphers.
2. A lot of servers ignore the client's cipher preferences these days.
Still stupid, though.
--
Alexey Zakhlestin
CTO at Grids.by/you
https://github.com/indeyets
PGP key: http://indeyets.ru/alexey.zakhlestin.pgp.asc