Kindle browser security issues

dhdurgee · 08-11-2015, 11:53 AM

I have been following a thread on updating the firmware on older model kindles to 3.4.2 to improve security. As my K3 is already at that level I decided to check security with the howsmyssl.com web site mentioned there.

I was somewhat surprised by the output, which declared my SSL client BAD.
Further details were:

Version is improvable, as TLS 1.1 is being used instead of 1.2

Session Ticket Support is not supported and thus could be improved

The reason for the BAD call is that there are included Cipher Suites known to be insecure, specifically RC4 in three of them.

Is there anything we can do to remove the insecure cipher suites? I have not been using the K3 browser for anything critical, but it would be better to have it as secure as possible if a time came when I needed to use it due to lack of other equipment.

Dave

knc1 · 08-11-2015, 11:55 AM

Make your report to Amazon, they are fairly quick to act on security matters.
The 3.4.2 version release is still new enough that they should be supporting it.

dhdurgee · 08-11-2015, 12:20 PM

Quote:

Originally Posted by knc1

Make your report to Amazon, they are fairly quick to act on security matters.
The 3.4.2 version release is still new enough that they should be supporting it.

They have a bigger problem than I originally thought. I just thought to check this on my KT2 with 5.6.2.1 firmware and get the same report! I will submit a report to them immediately.

Dave

knc1 · 08-11-2015, 12:34 PM

Quote:

Originally Posted by dhdurgee

They have a bigger problem than I originally thought. I just thought to check this on my KT2 with 5.6.2.1 firmware and get the same report! I will submit a report to them immediately.

Dave

Better check 5.6.5 - they may have fixed it.

dhdurgee · 08-11-2015, 12:42 PM

Quote:

Originally Posted by knc1

Better check 5.6.5 - they may have fixed it.

How can I initiate the update? The "Update Your Kindle" menu entry on the Settings page is greyed out. I tried a "Sync and Check for Items" with no change. Does this need to be initiated from the Amazon website as opposed to the device?

Dave

PS: manually downloaded and installed 5.6.5 here. Nope, problem still present.

PPS: perhaps this thread should be retitled "kindle browser security issues" as it impacts all versions of the browser.

eschwartz · 08-11-2015, 02:25 PM

Quote:

Originally Posted by dhdurgee

PPS: perhaps this thread should be retitled "kindle browser security issues" as it impacts all versions of the browser.

Done.

dhdurgee · 08-11-2015, 04:30 PM

Quote:

Originally Posted by eschwartz

Done.

Thanks for making the thread title more appropriate. I just checked a few other browsers I have on my systems and found that the Gnome epiphany browser, whch is also based on webkit, shares the same problems as the kindle browsers. If any of the developers is active with gnome.org then perhaps they could open a bugzilla report on this issue.

Dave

08-11-2015, 11:53 AM	#1
dhdurgee Guru Posts: 878 Karma: 2580688 Join Date: Jun 2010 Device: K3W, PW4	Kindle browser security issues I have been following a thread on updating the firmware on older model kindles to 3.4.2 to improve security. As my K3 is already at that level I decided to check security with the howsmyssl.com web site mentioned there. I was somewhat surprised by the output, which declared my SSL client BAD. Further details were: Version is improvable, as TLS 1.1 is being used instead of 1.2 Session Ticket Support is not supported and thus could be improved The reason for the BAD call is that there are included Cipher Suites known to be insecure, specifically RC4 in three of them. Is there anything we can do to remove the insecure cipher suites? I have not been using the K3 browser for anything critical, but it would be better to have it as secure as possible if a time came when I needed to use it due to lack of other equipment. Dave Last edited by dhdurgee; 08-11-2015 at 11:53 AM. Reason: fix typo

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Heartbleed and security issues	Geco	Kobo Reader	3	04-11-2014 02:25 PM
Android Android security issues	sarah11918	enTourage eDGe	7	07-21-2011 01:16 AM
EE browser issues	North19	enTourage eDGe	12	06-03-2011 01:46 PM
Android some issues with dolphin browser	teelu	enTourage Archive	22	04-22-2010 03:35 PM
Browser issues	manchuia	Amazon Kindle	5	11-11-2008 06:38 PM

08-11-2015, 11:55 AM	#2
knc1 Going Viral Posts: 17,212 Karma: 18210809 Join Date: Feb 2012 Location: Central Texas Device: No K1, PW2, KV, KOA	Make your report to Amazon, they are fairly quick to act on security matters. The 3.4.2 version release is still new enough that they should be supporting it.