Java Spec Compatibility Weakened Android's TLS Encryption

sfcrazy writes "It has been discovered that Google downgraded the SSL encryption of Android after version 2.3.4 and defaulted to RC4 and MD5 ciphers. It may appear that NSA is at play here as both are broken and can be easily compromised. But after digging the code Georg Lukas concluded that the blame goes to Oracle. 'The cipher order on the vast majority of Android devices was defined by Sun in 2002 and taken over into the Android project in 2010 as an attempt to improve compatibility.'" The Java spec from 2002 specified RC4 and MD5 as the first two ciphers for TLS; Android, however, used DHE-RSA-AES256-SHA by default. The default cipher list for Java 7 was updated, but Android is stuck using JDK 6 and a default cipher list over a decade old.

Re:

[Galactic Dominator]

You know all of the 6 Android users who will dump their platform due to this? Your uber vigilante security circle didn't check this before? It seems your circle has bigger problems than just using potentially compromisable settings.

Re:

[dos1]

Thank god for Openmoko and still living community it has spawned. I can think of OpenPhoenux platforms as proper alternative when dumping Android for some security reasons like that.

Re:

[davetv]

I own a GTA02 and it was hardly useful as a full time phone. Sometimes it would fail to come out of suspend when called, sometimes lock up and need rebooting and other faults. It's power management wasn't that good either - 24 hours per charge if that. It lives in a drawer now, I bought a Galaxy S3 to replace it.

The GTA04 OpenPhoenix replacement board is a joke. 666 Euros ($AU 1000). It does not have a fully working kernel yet, there are various kernel versions with varying degrees of functionality. Even

Re:

[dos1]

I'm using my Neo Freerunner as my daily phone. Sure, it had those problems you mentioned, but those are fixable. My GTA02 lasts few days on battery now (which is quite weared off after those 5 years) and works pretty stable. The only thing that annoys me is really poor GPRS speed and graphics performance, which is better than it was at the launch, but is still quite unacceptable. Luckily, those issues aren't really important in light of freedom gains one gets from such device. I can live with them and I wou

Some things are not worth being compatible with

[Qzukk]

Shitty security protocols are one of them, if your obsolete software can't cope with modern encryption, it is crap and should be replaced.

Re:

[Billly Gates]

Shitty security protocols are one of them, if your obsolete software can't cope with modern encryption, it is crap and should be replaced.

Yeah try telling that to a boss who gets a bonus by keeping IE 6 and keeping you putting out fires all day instead of adaquite resources to do anything but putting out fires with viruses from IE 6 and java 5 infections. After all upgrading would take away his bonus and would not raise the share price next quarter. ... end rant.

Stuff that breaks IE 6/8 is considered broken, and broken is considered working with this same crowd too. If you talk about open standards he says, Tim why does this not work anymore.

Re:

[Rosyna]

I don't see what this has to do with Oracle/Java politics.

Google had/has absolutely no idea what the "correct" list of cipher order was/is. Google copied the order from OpenSSL. Google removed dependency on OpenSSL. Google copied from another source, which happened to be Java.

The ultimate choice may have been done for compatibility with websites not supporting TLS 1.2 but it was not done for compatibility with Java.

Re:

[cheater512]

Erm most Android apps are written in Java in their own JVM.
To improve JVM compatibility they had to copy what Oracle's JVM does.

100% to do with Java and 0% to do with websites.

Re:

[ChunderDownunder]

Well the issue is Android targetted Java 6 at inception, which is no excuse for not updating Android to match whatever security Oracle now supports in Java 7 and the forthcoming Java 8.

Re:

[Rosyna]

Confused. What does SSL handshaking with a remote server relate to what an app does internally to itself in a virtual machine?

Even more confused

[WaywardGeek]

RC4 (aka ARC4) is not "broken". Unknown Lamer is confused. WEP is broken because it had a flawed implementation of ARC4. Just hash the key, drop the first 1K bytes of output, and no known program can even differentiate ARC4 output from truly random numbers with less than a megabyte of data. If the NSA can crack ARC4, then they've beaten a huge collective effort of the world's cryptography community.

But... md5? Surely that's just for non-secure CRC, right? Android wouldn't do anything as dumb a signing document MD5 hashes, would they?

Re:

[devman]

Unfortunately, it does appear that RC4 is broken at this point (see other commenters). The upside is that this will hopefully speed the adoption of TLS1.2 and people can start using AES in GCM mode (basically turns AES in to stream cipher with authenticated encryption as well).

Re:

[WaywardGeek]

Cripes... I take a few years and don't read about the latest RC4 attacks, and someone finally figures out an attack [isecpartners.com] that can make use of the super-low long-term biases found in RC4. I guess I'll have to switch to something else. I've been using message authentication MACs in P2P protocols when messages are not encrypted. The combination seems like a good idea for stream ciphers.

Re:

[Benhida Salma]

The Android platform did not upgrade. How is that Oracle's fault? http://www.youtube.com/watch?v=JRomAmUbcv0 [youtube.com]

Almost!

[mythosaz]

Well, we almost worked the NSA into every article headline today. ...there's always tomorrow.

Re:

[Anonymous Coward]

Don't sound so bitter. Nice to see some competition to Fukushima articles, even if they cater to the same crowd.

Re:

[Joining Yet Again]

Ah yes, that universally hated crowd OL and IRL: "The set of people who disagree with me on anything."

Re:

[VortexCortex]

Don't sound so bitter. Nice to see some competition to Fukushima articles, even if they cater to the same crowd.

Fukushima was an outside job!

The IT Crowd was an inside job!

The NSA was a Snow-job!

How is this Java's fault

[Anonymous Coward]

> The default cipher list for Java 7 was updated, but Android is stuck using JDK 6 and a default cipher list over a decade old.

The Android platform did not upgrade. How is that Oracle's fault? Next we will be blaming vendors for vulnerabilities that were patched years ago.

Re:

[Meditato]

How is that Oracle's fault? Next we will be blaming vendors for vulnerabilities that were patched years ago.

Exactly. As much as I love hating on Oracle, the blame lies on the Android Java team for not merging in those updates.

Speaking of that, has anyone presented a solution? I'm an app developer among other things, and I don't want my apps using old ciphers over important network infrastructure.

Re:How is this Java's fault

[matfud]

There has always been a solution. This is just the ordering that will be obtained if you do not specify a particular algorithm. If you don't specify the algorithm you get the first implemented in the list.

Not good if you are not sure which algorithms are implemented on your platform as you will have to sort them your self but not dire unless you just ask and hope.

Re:

[matfud]

A man in the middle attack generally does not care either way as they have spoofed the client and pretended to be them to the server That means they have clear text. The strength of encryption is not generally an issue in this situation. The trust chain is the issue.

But I do agree that the list is incorrect as it selects known weak algorithms first. Even if it was reordered (java 1.7 and later) it would, as you said, result in fall back mechanism to algorithms with known problems.

Your best bet is to remove

Re:

[VortexCortex]

Speaking of that, has anyone presented a solution?

Uh, remove the weak ciphers from the server's supported list of ciphers. Done. Users will negotiate to a better cipher.

Re:

[Billly Gates]

Because Java 7 is a buggy piece of crap. Java 6 has less bugs patched and works better. I do not want to upgrade and will stay with Java 6 because it works just fine for my needs thank you very much. I have disabled Java in my browsers I may add.

But if Oracle rushed Java 7 and craeted many bugs and a new rushed verison from a diferent set of developers than java 6. It really shows.

Re:

[smash]

Err.... Java 6 is unsupported now, which is probably why it has less bugs patched. They're both buggy piles of crap, but lets compare apples with apples here. One is still being updated.

Re:

[tlhIngan]

Err.... Java 6 is unsupported now, which is probably why it has less bugs patched. They're both buggy piles of crap, but lets compare apples with apples here. One is still being updated.

And apparently Oracle is so fed up with Android that they've put the JDK6 behind a registraiion-wall, something I found out when trying to set up a machine to build Android. Used to be easy to get, now that Oracle's completely deprecated it, they're making ti hard to get the last version available.

It's something to note when

Re:

[sproketboy]

It's because Oracle is "Evil" and Google is "Good". Dude get your facts straight.

I fully understand your position.

[tlambert]

> The default cipher list for Java 7 was updated, but Android is stuck using JDK 6 and a default cipher list over a decade old.

The Android platform did not upgrade. How is that Oracle's fault? Next we will be blaming vendors for vulnerabilities that were patched years ago.

I fully understand your position. You're from the universe where Spock has a beard, right?

Re:

[samkass]

> The default cipher list for Java 7 was updated, but Android is stuck using JDK 6 and a default cipher list over a decade old.

The Android platform did not upgrade. How is that Oracle's fault? Next we will be blaming vendors for vulnerabilities that were patched years ago.

It can't possibly be Google's fault; this is Slashdot. It must be Oracle's fault that Google copied badly from Java.

Law droid

[tepples]

But when you're up against the lawyers of Lucasfilm's parent Disney, how easy will it be to convince the judge that these aren't the Droids he's looking for?

I think this explains

[maroberts]

How the Rebel Alliance were able to get the plans for the Death Star so easily - they hacked into Darth Vaders mobile phone

The blame is Google's, not Oracle's

[DavidinAla]

Nobody forced Google to use Java. Google made its own decision what to use and how to use it. Quit trying to give most geeks' favorite company a pass when it makes lousy decisions that come back to hurt users.

Re:

[jazzis]

mod up insightful.

Re:

[Parker Lewis]

Nobody forced Google to use Oracle old Java implementation compatibility

Instead of a blog note how about some info?

[Virtucon]

Qualys published a list in August of this year for Java 6 Update 45 that lists the default Cipher Suites in order of preference. [ssllabs.com] On that list there are 4 that are insecure but there 7 that are weak. What needs to start happening to fix this is
1) App vendors need to become aware of the situation.
2) Disable use of the weak and vulnerable ciphers. This can be done on the web server for example as a start.

Remember it takes two to tango in an SSL/TLS handshake and if one side says No to a weak or vulnerable Cipher then one of the stronger Ciphers (if available) can be used. If you're using weak or vulnerable ciphers at all, fix your app. We also have to push to get rid of any of the older than TLS 1.1 and keep pushing on the Browsers to support TLS 1.2 which oddly enough only MSFT has supported since IE8 and Opera since version 10. http://en.wikipedia.org/wiki/Transport_Layer_Security [wikipedia.org]

Re:

[Indy1]

The current stable version of Chrome supports TLS 1.2 out of the box.

Firefox 24 has support for TLS 1.2, but you have to explicitly enable it.

Re:

[Virtucon]

The current stable version of Chrome supports TLS 1.2 out of the box.

Chrome is a fun beast..

The current version for Android has TLS 1.2 Support.
You'll need at least the following versions for Windows, OSX:
Windows - 31.0.1625.2
OSX 10.8 - 31.0.1625.0

For Linux, you'll need 1625.2 and NSS 3.15.1

AFAIK Latest stable is 30 for OSX and Windows but I'll check.

Firefox 24 has support for TLS 1.2, but you have to explicitly enable it.

I hadn't seen the update on that. I'll have to test it.

Re:

[kthreadd]

And both Safari and Internet Explorer has supported TLS 1.2 for a long time.

Re:

[Virtucon]

I already said that about IE. I can't find any official statement on Safari, mind pointing a link?

Georg Lukas didn't blame Oracle

[Diamonddavej]

No, Georg Lukas didn't blame Oracle, in his own words...

"The change from the strong OpenSSL cipher list to a hardcoded one starting with weak ciphers is either a sign of horrible ignorance, security incompetence or a clever disguise for an NSA-influenced manipulation - you decide!

Java 1.4 uses RFC 2246, which came out in 1999 and uses weak older ciphers that were approved for export during a time when the US restricted the export of strong encryption. It is about the weakest standard that anyone at Oracle or Google could find.

Eric Schmidt chimes in

[Swampash]

"Android is more secure than iPhone."

The proclamation was made during a question-and-answer session at the Gartner Symposium/ITxpo, where it drew laughter from the attending audience.

http://tech2.in.com/news/smartphones/eric-schmidt-calls-android-more-secure-than-iphone/917208 [in.com]

Re:

[Chrisq]

Didn't Eric Schmidt tell us Android was more secure than a straight mans buttox??!

I'm not sure that the Apple users will understand that analogy

NSA?

[Darinbob]

Why does everyone blame NSA here? NSA does not want ciphers that everyone can decrypt more easily. They'd be much happier with ciphers that only the NSA could decrypt but which stumped the Chinese and Russians and mafia and terrorists and foreign hackers, etc.

There's the attitude I see that seems to be getting more popular, which implies that the NSA wishes that no one used encryption at all. But that's patently false. They absolutely want encryption within the government (so that we can't spy on the government), they want encryption in the business sector (secure communications is good business), and the absolutely don't want the US to be painfully backwards with respect to cryptography compared to every other country in the world.

Re:

[Bite The Pillow]

Reading too much into it. The snarky and cynical have to constantly bring everything back to the story that confirms their pessimism.
Why let it be Oracles fault and blame incompetence when you can say Oracle was forced, and have malice to rail against?
Every news story suffers from confirmation bias as the unknown details filled in now point to the suspected source.
Fluoride fingerprints your teeth so the fluoroscope at the airport knows what city you visited, because NSA. Contrails disrupt communication so y

Re:

[AmiMoJo]

The NSA are fools if they think that the Russian and Chinese and French and Israeli intelligence agencies are not at least as good as they are. If the NSA has found a weakness in something it's fairly safe to assume that at least one other agency has, and then maybe shared it with their partners in the same way that the NSA shares stuff with the British.

When they put weaknesses and backdoors in they are taking a calculated risk. Someone will find it, it's just a question of how long and how much benefit the

Re:

[jbolden]

The NSA spends a great deal more than the Russians, Chinese, French and Israelis. The NSA hires a huge number of number theorists those other agencies few. Yes they are better. Money matters and the USA spends.

Who trusts him?

[OhANameWhatName]

Georg Lukas concluded that the blame goes to Oracle

No matter what, you have to take responsibility. You've destroyed the hopes of leagues of loyal fans.

Not Everything is a conspiracy

[Anonymous Coward]

RC4 was the preferred cipher of choice and recommended by multiple security firms until recently with their guidelines for ssl/tls security. Most recently Qualys in their 1.3 revision called for disabling rc4 (updated in September of this year) it was the recommended cipher over AES-CBC in the 1.2 guide. The reason for this is that many in the security community believed that at the time CRIME and BEAST attacks were more serious and exploitable. That was until really BlackHat 2013 when BEAST was shown to

They copied the behaviour of old software

[peppepz]

Oracle provide a state-of-the-art, GPL-licensed, 3 years old Java implementation that works and is secure. Google prefer to roll their own (inferior) virtual machine because they do not like GPL, and while doing so they copied in 2010 [googlesource.com] the behaviour of a 2006 implementation to be included into a 2011 product — and the fault is Oracle's?

(By the way, so much for “Android does not use Java and does not care about Java compatibility”.)

Re:

[smash]

Pretty much. But this is slashdot, where google can do no evil, and Oracle are the bad guys. No matter what.

Re:

[peppepz]

Really? and there was me thinking it was precisely so they could win a case brought against them by Oracle which they did.

You're not informed about that case, which was precisely about Oracle thinking that Google didn't have permission to make their own implementation of the Java APIs without giving them money.

The reason they went their own way has nothing to do with the GPL (only OpenJDK is GPL'd and at risk of patent suits because Oracle refuse to grant it protection) and everything to do with ensure their project couldn't have terms dictated by Oracle.

A GPL project enjoys patent protection and can have no field of use restrictions by virtue of the GPL itself. As for the fact that Google dislike the GPL, hear it from themselves [android.com].

Android doesn't use the JVM, it uses the Java language however. They've also never said they don't care about Java compatibility. You just made that bit up, because you're trolling, or stupid.

It's not them who said that. Google have always said clearly that Android development is based on the Java language. When the Oracle vs Google

Why?

[luis_a_espinal]

But after digging the code Georg Lukas concluded that the blame goes to Oracle.

Why is it Oracle's fault? I'm not a fan of Oracle, but I fail to see why blame of this situation goes to it? It would seem that Google, given the plenty of implementation latitude it already has on Android, that it could have side-stepped compatibility to provide stronger cyphers.

So why is this Oracle's fault and why no mention of Google's fault exist in this one-sided article? As Colbert once said "I can't prove it, but I can say it.". That seems to be what governs the writing of this particular submissi

Implementation issue

[multimediavt]

Ok, I read the articles and most of the comments above. This seems more like an implementation issue on Google's part than a licensing or compatibility issue with Java. Compatibility with older TLS implementations may have been the reason for the use of RC4 and MD5, but that certainly falls back to a Google decision, not having anything to do with Oracle. I think everyone is a little overly paranoid given the current security--or lack thereof--climate, but I don't see this as any kind of capitulation to a t