Feature #210
openSpecify Privacy WebView's SSL settings
0%
Description
If you included open SSL in privacy browser would that allow to for user to disable weak TLS ciphers that are still in the Android open SSL on older phones? And even to specify cipher suite to be used in Domain pinning?
Updated by Soren Stoutner about 7 years ago
- Subject changed from ssl library to Specify Privacy WebView's SSL settings
- Assignee changed from bill bunter to Soren Stoutner
- Priority changed from 2 to 3.x
Shipping an SSL library with Privacy Browser would probably require too much time to implement correctly and opens up the possibility of introducing more bugs than it fixes. Plus it has all the downsides listed below.
It is possible to manually specify what settings are used with the SSL library already included in Android using `HttpsURLConnection`, `SSLEngine`, `SSLSocketFactory`, and `SSLParameters`. However, to integrate this with `WebView` would require making all data requests manually, processing them myself, and feeding them into `WebView`, a process that is likely to introduce a massive number of bugs.
https://developer.android.com/reference/javax/net/ssl/HttpsURLConnection.html
https://developer.android.com/reference/javax/net/ssl/SSLEngine.html
https://developer.android.com/reference/javax/net/SocketFactory.html
https://developer.android.com/reference/javax/net/ssl/SSLParameters.html
With the introduction of Privacy WebView, it should be possibly to modify the SSL settings in WebView without having to re-implement all the these other aspects. However, it will likely be a couple of years before the 4.x series is released.