Closed angrytec closed 3 months ago
anamarin09041995
commented
7 months ago Wondering the same since LogListDataSourceFactory class is marked by Veracode as insecure due to the use of the SSL protocol. The recommendation to remove this warning is to replace the protocol with TLS (TLS 1.2 preferred). Is there a reason to maintain SSL?
mattmook
commented
3 months ago This is a very good question. I'm also not entirely sure why this hadn't been raised in any of the security scans the library has been in that I'd seen. 🤷
While it may say SSL, SSLv3 support was dropped since Java SE 7u75 so it will usually be using TLS as a minimum anyway. Also the default connection spec used by OkHttp only allows TLSv1.2 and TLSv1.3 anyway so really the value specified shouldn't matter as far as I can tell. For support of modern TLS on older Android platforms, Google Play services can help - see https://developer.android.com/privacy-and-security/security-gms-provider
It's worth noting that the log list data is signed with a public/private key pair so any risk comes down to man in the middle attack pushing stale data which the library additionally protects itself against given that log-list.json the file contains a timestamp.
Given the library makes as few assertions of what platform it is running on I cannot easily enforce a precise protocol (or cipher suite), but will expose OkHttp's ConnectionSpec to allow this to be configured through LogListDataSourceFactory.createLogListService. The default is MODERN_TLS.
In LogListDataSourceFactory, is there a reason why SSL is specifically used here and not TLS ?
sslContext = SSLContext.getInstance("SSL")