Open mimi89999 opened 8 years ago
Here it says it is not vulnerable to the Logjam attack (because it does not load that test site). Instead, Lightning is vulnerable to the POODLE attack because SSLv3 is activated. I would suggest a menu option where the user can check/uncheck the different SSL and TLS versions, with SSLv3 deactivated at first.
Edit: Cyanogenmod 12.1 based on Android 5.1.1
I think it depends on the Android version. I have 6.0.1.
I edited my Android version. To my mind the user should be able to deactivate some SSL versions or maybe ciphers or something like that in the browser directly - if the OS itself does not have any security features like that.
Could you test Lightning against this vulnerability on this website: https://weakdh.org/
I got: "Warning! Your web browser is vulnerable to Logjam and can be tricked into using weak encryption. You should update your browser."
It says: "Good News! Your browser is safe against the Logjam attack." with Lightning version 4.2.3a.
I'm using the same version on CM-13
I'm running 6.0.1_r11, and I'm getting the warning from https://weakdh.org/
Is this a webview issue? I'm running the stock AOSP version of webview (compiled from source), not the proprietary Google version.
If it's a webview issue, it's not related to lightning; users should either upgrade to the latest Google version or -- if their ROM doesn't support it -- a ROM that does.
Now I am using another ROM: PureNexus 6.0.1-20160308 based on Marshmallow.
The test on SSL Labs says that my user agent is not vulnerable to anything. It has a gold protocol support rating, by the way. The test on weakdh.org does not give me a warning either.
For me, everything is fine now. By the way (I don't know whether this makes any difference), I have not installed any gapps package on my phone.
About that menu option. I think it's a bad idea. Unsafe protocols should be disabled by default, without a menu option to enable them. Whenever a site does use a weak protocol, the browser should treat it the same way as a revoked certificate (e.g. https being red instead of green, a warning message etc.)
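The policy the comment above argues for, shown as an added example in Python's standard `ssl` module (this is not Lightning's or Android WebView's code; a browser would enforce the same rules in its TLS stack). The client context never offers SSLv3 or TLS 1.0/1.1 (POODLE) and never offers export-grade or otherwise weak cipher suites (Logjam), and `connection_verdict` classifies negotiated parameters so that a weak version, suite or DH group is treated as a hard failure rather than a menu setting. The 2048-bit DH floor follows weakdh.org's recommendation; the cipher string and the sample parameter values passed to `connection_verdict` are assumptions constructed for the example.

```python
"""Client-side TLS policy: weak versions and suites disabled by default,
and any connection that still negotiated one is rejected outright.

Added example, not the browser's own code. Uses only the standard ssl module.
"""
import ssl

# Floor for protocol versions: SSLv3 (POODLE), TLS 1.0 and 1.1 are never offered.
MIN_VERSION = ssl.TLSVersion.TLSv1_2
# weakdh.org recommends DHE groups of at least 2048 bits; smaller ones are weak.
MIN_DH_BITS = 2048
# Constructed cipher string: forward-secret AEAD suites only; export, NULL,
# anonymous, RC4, (3)DES and MD5 suites are excluded by name.
CIPHERS = ("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM"
           ":!aNULL:!eNULL:!EXPORT:!RC4:!DES:!3DES:!MD5")

# Version strings as returned by SSLSocket.version() that must never be accepted.
REJECTED_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Substrings of OpenSSL cipher names that mark a suite as unacceptable.
WEAK_CIPHER_MARKERS = ("EXP", "NULL", "RC4", "DES", "MD5", "ADH", "AECDH")


def make_client_context() -> ssl.SSLContext:
    """Default-secure client context: certificate and hostname verification on,
    protocol floor at TLS 1.2, restricted cipher list."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_VERSION
    ctx.set_ciphers(CIPHERS)
    return ctx


def protocol_floor(ctx: ssl.SSLContext) -> str:
    """Name of the lowest version the context will negotiate, e.g. 'TLSv1_2'."""
    return ctx.minimum_version.name


def offered_cipher_names(ctx: ssl.SSLContext) -> list:
    """Cipher suite names the context would actually offer in a ClientHello."""
    return [c["name"] for c in ctx.get_ciphers()]


def connection_verdict(version: str, cipher_name: str, dh_bits=None):
    """Classify negotiated parameters after the handshake.

    Returns None when the connection is acceptable, otherwise a short reason.
    A caller should treat any reason like a revoked certificate: block the
    page and show the warning UI, not a green padlock.
    """
    if version in REJECTED_VERSIONS:
        return f"weak protocol version {version}"
    upper = cipher_name.upper()
    for marker in WEAK_CIPHER_MARKERS:
        if marker in upper:
            return f"weak cipher suite {cipher_name}"
    # Ephemeral finite-field DH: the group size decides Logjam exposure.
    if (upper.startswith("DHE-") or upper.startswith("EDH-")) and dh_bits is not None:
        if dh_bits < MIN_DH_BITS:
            return f"weak DH group of {dh_bits} bits (minimum {MIN_DH_BITS})"
    return None


if __name__ == "__main__":
    ctx = make_client_context()
    print("protocol floor:", protocol_floor(ctx))
    print("suites offered:", len(offered_cipher_names(ctx)))
    # Constructed sample negotiations, not captured from a real server.
    for params in (("SSLv3", "AES128-SHA", None),
                   ("TLSv1.2", "EXP-RC4-MD5", None),
                   ("TLSv1.2", "DHE-RSA-AES128-GCM-SHA256", 1024),
                   ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256", None)):
        print(params, "->", connection_verdict(*params) or "ok")
```

The point of splitting the policy into two functions is that the context settings stop the weak parameters from ever being offered, while `connection_verdict` is the defence in depth for the case the thread describes: a platform WebView whose TLS stack the application does not fully control. If the platform still completes a handshake on a rejected version, the application layer can at least refuse to render the page.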
I tested this browser on this website: https://www.ssllabs.com:10445/