Slashdot Mirror


Java Spec Compatibility Weakened Android's TLS Encryption

sfcrazy writes "It has been discovered that Google downgraded the SSL encryption of Android after version 2.3.4 and defaulted to RC4 and MD5 ciphers. It may appear that the NSA is at play here, as both are broken and can be easily compromised. But after digging into the code, Georg Lukas concluded that the blame goes to Oracle. 'The cipher order on the vast majority of Android devices was defined by Sun in 2002 and taken over into the Android project in 2010 as an attempt to improve compatibility.'" The Java spec from 2002 specified RC4 and MD5 as the first two ciphers for TLS; Android, however, used DHE-RSA-AES256-SHA by default. The default cipher list for Java 7 was updated, but Android is stuck using JDK 6 and a default cipher list over a decade old.

3 of 82 comments

  1. Almost! by mythosaz · Score: 5, Insightful

    Well, we almost worked the NSA into every article headline today. ...there's always tomorrow.

  2. How is this Java's fault by Anonymous Coward · Score: 5, Insightful

    > The default cipher list for Java 7 was updated, but Android is stuck using JDK 6 and a default cipher list over a decade old.

    The Android platform did not upgrade. How is that Oracle's fault? Next we will be blaming vendors for vulnerabilities that were patched years ago.

    1. Re:How is this Java's fault by matfud · Score: 5, Informative

      There has always been a solution. This is just the ordering that will be obtained if you do not specify a particular algorithm. If you don't specify the algorithm you get the first implemented in the list.

      Not good if you are not sure which algorithms are implemented on your platform, as you will have to sort them yourself, but not dire unless you just ask and hope.
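
What the comment above describes, choosing the suites explicitly instead of taking the platform's default order, as an added example that is not from the thread or from Android's code. The class name `CipherOrder`, the reject and preference rules, and the sample list are assumptions of this example; the same `harden()` result can be passed to `SSLSocket.setEnabledCipherSuites`.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class CipherOrder {
    // Name fragments of suites to drop. RC4 and MD5 are the two the story names;
    // the others are an assumption of this example.
    static final String[] REJECT = {"RC4", "MD5", "NULL", "EXPORT", "anon", "DES"};

    // Higher score sorts first: forward-secret key exchange, then AES-256.
    // This ranking is an assumption of this example, not a list from the page.
    static int score(String suite) {
        int s = 0;
        if (suite.contains("_ECDHE_") || suite.contains("_DHE_")) s += 2;
        if (suite.contains("AES_256")) s += 1;
        return s;
    }

    // Filter the platform's supported suites and sort them ourselves,
    // so the result does not depend on the platform's default order.
    static String[] harden(String[] supported) {
        List<String> keep = new ArrayList<String>();
        for (String suite : supported) {
            boolean rejected = false;
            for (String bad : REJECT) {
                if (suite.contains(bad)) { rejected = true; break; }
            }
            if (!rejected) keep.add(suite);
        }
        if (keep.isEmpty()) throw new IllegalStateException("no acceptable cipher suite");
        keep.sort((a, b) -> score(b) - score(a)); // stable sort, best first
        return keep.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample in the 2002-style order: RC4 and MD5 first.
        String[] legacy = {"SSL_RSA_WITH_RC4_128_MD5", "SSL_RSA_WITH_RC4_128_SHA",
                           "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"};
        System.out.println("legacy   -> " + Arrays.toString(harden(legacy)));

        // Apply the same rule to what this JVM actually implements.
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setEnabledCipherSuites(harden(engine.getSupportedCipherSuites()));
        System.out.println("platform -> " + Arrays.toString(engine.getEnabledCipherSuites()));
    }
}
```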