Opened 17 months ago

Last modified 12 months ago

#26982 new defect

TBA - httpclientandroidlib leaks information about Android version

Reported by: sysrqb Owned by: tbb-team
Priority: High Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-mobile, tbb-fingerprinting
Cc: sysrqb, igt0 Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

While reviewing #22170, I noticed Fennec decides which TLS ciphers it supports[0] based on a lower-bound of the Android SDK version, and it chooses a TLS cipher within that list. This is another example of why we should use Necko (via GeckoView) instead of the Android SDK for networking.

This is used by the Java networking in the Sync code[1].

In the short term, we can always return the else clause:

    } else {
      DEFAULT_CIPHER_SUITES = new String[]
          {
           "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",        // 11+
           "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",      // 11+
           "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",        // 11+

           // For Sync 1.1.
           "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",  // 9+
           "TLS_RSA_WITH_AES_128_CBC_SHA",      // 9+
          };
    }

But that sure is sad. We need ciphers for 16+.

[0] https://gitweb.torproject.org/tor-browser.git/tree/mobile/android/services/src/main/java/org/mozilla/gecko/background/common/GlobalConstants.java?h=tor-browser-60.1.0esr-8.0-1#n47
[1] https://gitweb.torproject.org/tor-browser.git/tree/mobile/android/services/src/main/java/org/mozilla/gecko/sync/net/BaseResource.java?h=tor-browser-60.1.0esr-8.0-1#n261
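Added example (not code from the ticket or from the tor-browser/Fennec tree): a small Python model of why an SDK-version-dependent cipher list is a fingerprinting problem, and of the short-term fix the description proposes. Only the else-clause suites are taken from the ticket; the `>= 20` and `>= 16` tiers, the `sdk_int` parameter standing in for `Build.VERSION.SDK_INT`, and the hash-of-offered-suites fingerprint are constructed assumptions for illustration.

```python
"""Model of SDK-version-dependent TLS cipher-suite selection and the
Android-version information it leaks to a passive observer.

Added example; not the project's code. Tiers above the else clause are
hypothetical stand-ins for branches the ticket does not quote.
"""
import hashlib

# Suites quoted in the ticket's else clause (the branch the reporter
# proposes always returning in the short term).
ELSE_CLAUSE_SUITES = (
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",      # 11+
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",    # 11+
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",      # 11+
    # For Sync 1.1.
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",        # 9+
    "TLS_RSA_WITH_AES_128_CBC_SHA",            # 9+
)

# Constructed higher tiers (hypothetical; not from the ticket).
HYPOTHETICAL_20_PLUS = (
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
) + ELSE_CLAUSE_SUITES
HYPOTHETICAL_16_PLUS = (
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
) + ELSE_CLAUSE_SUITES


def version_dependent_suites(sdk_int: int) -> tuple:
    """The pattern the ticket objects to: the offered suite list is a
    function of the Android SDK level (sdk_int models Build.VERSION.SDK_INT)."""
    if sdk_int >= 20:
        return HYPOTHETICAL_20_PLUS
    if sdk_int >= 16:
        return HYPOTHETICAL_16_PLUS
    return ELSE_CLAUSE_SUITES


def fixed_suites(sdk_int: int) -> tuple:
    """The short-term fix from the ticket: always return the else clause,
    so the list no longer depends on the SDK level."""
    return ELSE_CLAUSE_SUITES


def client_hello_fingerprint(suites) -> str:
    """Constructed simplification of what a passive observer hashes: the
    ordered cipher-suite list in the ClientHello. Real fingerprints (JA3
    and similar) also cover extensions, curves and point formats."""
    return hashlib.sha256(",".join(suites).encode()).hexdigest()[:16]


def distinguishable_groups(selector, sdk_levels) -> dict:
    """Group SDK levels by the fingerprint their ClientHello would carry.
    Each distinct group is an Android-version bucket the observer learns."""
    groups = {}
    for sdk in sdk_levels:
        groups.setdefault(client_hello_fingerprint(selector(sdk)), []).append(sdk)
    return groups


def leaked_buckets(selector, sdk_levels=range(9, 29)) -> int:
    """Number of version buckets a passive observer can tell apart."""
    return len(distinguishable_groups(selector, sdk_levels))


if __name__ == "__main__":
    for name, sel in (("version-dependent", version_dependent_suites),
                      ("fixed", fixed_suites)):
        print(name, distinguishable_groups(sel, range(9, 29)))
```

With the version-dependent selector the observer partitions clients into three SDK buckets; with the fixed list every client produces the same fingerprint, which is the property the reporter wants, at the cost of the weaker suites the ticket calls "sad".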

Child Tickets

Change History (14)

comment:1 Changed 17 months ago by gk

Keywords: TorBrowserTeam201808 added; TorBrowserTeam201807 removed

Move our tickets to August.

comment:2 Changed 15 months ago by gk

Parent ID: #25703

comment:3 Changed 15 months ago by gk

Keywords: TorBrowserTeam201809 added; TorBrowserTeam201808 removed

Moving our tickets to September 2018

comment:4 Changed 15 months ago by gk

Keywords: TorBrowserTeam201810 added; TorBrowserTeam201809 removed

Moving tickets to October

comment:5 Changed 13 months ago by gk

Keywords: TorBrowserTeam201811 added; TorBrowserTeam201810 removed

Moving our tickets to November.

comment:6 Changed 12 months ago by gk

Keywords: tbb-fingerprinting added

comment:7 Changed 12 months ago by gk

Keywords: TorBrowserTeam201812 added; TorBrowserTeam201811 removed

Moving our tickets to December.

comment:8 Changed 12 months ago by gk

Keywords: TBA-a3 added
Status: new → needs_information

Marking this for TBA-a3. sysrqb, is that only used in the Sync case? If so, I think we can postpone working on that one given that we don't support Sync.

comment:9 Changed 12 months ago by gk

Sponsor: Sponsor8

Adding Sponsor8 tag.

comment:10 in reply to: 8 Changed 12 months ago by sysrqb

Replying to gk:

    Marking this for TBA-a3. sysrqb, is that only used in the Sync case? If so, I think we can postpone working on that one given that we don't support Sync.

I believe only Sync and FxA, looking at #22170. I agree we can postpone this ticket.

comment:11 Changed 12 months ago by gk

Keywords: TorBrowserTeam201812 TBA-a3 removed

comment:12 Changed 12 months ago by gk

Status: needs_information → new

comment:13 Changed 12 months ago by gk

Sponsor: Sponsor8

comment:14 Changed 12 months ago by gk

Actually, let's leave this tagged with Sponsor8. However, this is a "can" ticket "only" for that sponsor and thus not a high prio.
