View Single Post
Old 07-17-2015, 07:55 AM   #3572
knc1
Going Viral
knc1 ought to be getting tired of karma fortunes by now.knc1 ought to be getting tired of karma fortunes by now.knc1 ought to be getting tired of karma fortunes by now.knc1 ought to be getting tired of karma fortunes by now.knc1 ought to be getting tired of karma fortunes by now.knc1 ought to be getting tired of karma fortunes by now.knc1 ought to be getting tired of karma fortunes by now.knc1 ought to be getting tired of karma fortunes by now.knc1 ought to be getting tired of karma fortunes by now.knc1 ought to be getting tired of karma fortunes by now.knc1 ought to be getting tired of karma fortunes by now.
 
knc1's Avatar
 
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
Updated speculation and added spoiler'd "human" readable cert to post:
https://www.mobileread.com/forums/sho...postcount=3568

The originally posted problem (wikipedia) uses ec-prime256v1 public key, which may not be supported by name in the (old) DX web-kit browser.

It is also maked "TLS only".

Also note that the two translated samples date from **BEFORE** "Poodle" was announced (the attack against TLS/SSLv3 that caused sites to stop supporting fallback or other use of SSLv3).
See: http://googleonlinesecurity.blogspot...ng-ssl-30.html

- - - -

Well, we (I) certainly have dragged this thread Off-Topic, but ....

The two samples show that the sites will not even admit to supporting secure connections if TLS with fallback to SSLv3 support is sent by the client.
It must be TLS **ONLY**.

That probably would require a patch to web-kit in the 2.5.8 build.

Wikipedia might be another case, would have to check if the web-kit build in 2.5.8 was new enough to support elliptical curve cryptography (it might not be new enough).

- - - - -

Since we don't have the Experimental Browser code (that is Amazon proprietary), only the source to the web-kit library it is built on (we need both to patch 2.5.8) . . . .

I think the answer here is similar to Amazon's "won't fix" :
"Can't fix"
Sorry about that, but at least we gave some solid speculation as to why.

Last edited by knc1; 07-18-2015 at 11:43 AM.
knc1 is offline   Reply With Quote