Project

General

Profile

Actions

Feature #210

open

Specify Privacy WebView's SSL settings

Added by bill bunter about 7 years ago. Updated about 7 years ago.

Status:
New
Priority:
4.x
Start date:
09/28/2017
Due date:
% Done:

0%

Estimated time:

Description

If you included open SSL in privacy browser would that allow to for user to disable weak TLS ciphers that are still in the Android open SSL on older phones? And even to specify cipher suite to be used in Domain pinning?

Actions #1

Updated by Soren Stoutner about 7 years ago

  • Subject changed from ssl library to Specify Privacy WebView's SSL settings
  • Assignee changed from bill bunter to Soren Stoutner
  • Priority changed from 2 to 3.x

Shipping an SSL library with Privacy Browser would probably require too much time to implement correctly and opens up the possibility of introducing more bugs than it fixes. Plus it has all the downsides listed below.

It is possible to manually specify what settings are used with the SSL library already included in Android using `HttpsURLConnection`, `SSLEngine`, `SSLSocketFactory`, and `SSLParameters`. However, to integrate this with `WebView` would require making all data requests manually, processing them myself, and feeding them into `WebView`, a process that is likely to introduce a massive number of bugs.

https://developer.android.com/reference/javax/net/ssl/HttpsURLConnection.html

https://developer.android.com/reference/javax/net/ssl/SSLEngine.html

https://developer.android.com/reference/javax/net/SocketFactory.html

https://developer.android.com/reference/javax/net/ssl/SSLParameters.html

With the introduction of Privacy WebView, it should be possibly to modify the SSL settings in WebView without having to re-implement all the these other aspects. However, it will likely be a couple of years before the 4.x series is released.

https://www.stoutner.com/category/roadmap/

Actions #2

Updated by Soren Stoutner about 7 years ago

  • Priority changed from 3.x to 4.x
Actions

Also available in: Atom PDF