livechat / chat-window-android

LiveChat mobile chat window for Android
https://developers.livechatinc.com/mobile/android/
MIT License
23 stars, 28 forks

Security Issue #26

Closed Jerrychengjun closed 5 years ago

Jerrychengjun commented 5 years ago

When the LiveChat SDK connects to the LiveChat server, there is a TLS_RSA_WITH_3DES_EDE_CBC_SHA method that needs to be removed from the server. It's not safe.

[screenshot] [screenshot]

ZiggyKraus commented 5 years ago

Hello @Jerrychengjun ,

Thank you for reaching out to us with this case!

We have spoken with one of our administrators responsible for server security, and we can confirm that we do not support the 3DES Cipher Suite. Because of that, we'd like to ask if you could provide us with a broader context of how you have performed such tests. Additionally, we believe that the 3DES may be visible due to the configuration of the web browser on which you have performed the tests – we would truly appreciate it if you could check that out and provide us with some additional details. Also, we have run a test of our cdn.livechatinc.com server in order to see which Cipher Suites are being used, and we can confirm that 3DES is not among them – here's the link to the test result, which is not dependent on LiveChat: https://www.ssllabs.com/ssltest/analyze.html?d=cdn.livechatinc.com

Please feel free to let us know once you have additional questions or details, as we treat the matter of security seriously at LiveChat. We will truly appreciate it!

ZiggyKraus commented 5 years ago

@Jerrychengjun ,

We have run some additional tests on our side, and we were able to recreate the same scenario as the one that you presented in the screenshot sent in your initial message. The 3DES Cipher Suite visible in the screenshot is part of the regular connectivity negotiation (SSL handshake) that takes place when you are trying to reach our servers (like cdn.livechatinc.com) – in that case, your web browser sends us the various Cipher Suites that are available on your side (configured on your system):

[screenshot: client_to_cdn]

Once you send such a configuration to our server, cdn.livechatinc.com decides which Cipher Suite to use. However, you should not worry, as we do not support 3DES. Because of that, the server will ignore this type of SSL handshake and will not allow the connection to be established via 3DES, choosing a different available Cipher:

[screenshot: cdn_to_client]

@Jerrychengjun , I hope that this description will provide your team with the necessary information on how LiveChat establishes the connectivity between the client and the server and will confirm that we do not support 3DES. However, if you have any other questions or concerns, please don't hesitate to ask, as we will do our best to help!
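As an added example (not code from this repository or from LiveChat), the negotiation ZiggyKraus describes, modelled offline with constructed suite lists, plus a live probe that offers a server only the 3DES suite over TLS 1.2. The probe is how to test what the server actually accepts, as opposed to reading the client's offer out of a capture; the host name and suite lists are assumptions.

```python
import socket
import ssl

# Constructed lists for the offline model below; not LiveChat's real configuration.
CLIENT_OFFER = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",  # the suite seen in the screenshot
]
SERVER_SUPPORTED = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]


def negotiate(client_offer, server_supported):
    """TLS 1.2 suite selection as described in the thread: the client lists what it
    can do in ClientHello, the server picks the first suite from ITS preference list
    that the client also offered. A suite absent from the server's list (3DES here)
    can never be chosen, however the client orders its offer."""
    offered = set(client_offer)
    for suite in server_supported:  # server preference order wins
        if suite in offered:
            return suite
    raise ValueError("handshake failure: no common cipher suite")


def server_accepts_cipher(host, openssl_cipher="DES-CBC3-SHA", port=443, timeout=5.0):
    """Live probe. DES-CBC3-SHA is OpenSSL's name for TLS_RSA_WITH_3DES_EDE_CBC_SHA.
    Offer only that suite over TLS 1.2 (TLS 1.3 suites negotiate separately and would
    mask the result) and report True/False on whether the handshake completes, or
    None when the local OpenSSL refuses to enable the suite at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # cipher probe only; no application data is sent
    try:
        ctx.set_ciphers(openssl_cipher)
    except ssl.SSLError:
        return None  # OpenSSL built without weak ciphers (default since 1.1.0)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0] == openssl_cipher
    except ssl.SSLError:
        return False  # server rejected the only suite offered: not supported
```

`server_accepts_cipher("cdn.livechatinc.com")` returning False (or None) is the server-side confirmation the thread asks for; a client capture showing 3DES in ClientHello says nothing about the server.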

Jerrychengjun commented 5 years ago

Thank you for your reply. We have confirmed that this is not a problem.