Android Poodlebleed TLS Support

Question

In regards to the POODLE attack, I was wondering if Android or Android Browsers supports TLS protocol or not? And What could be done to prevent this attack

Answer 1

Adam Langley from Google posted a really good explanation of how the attack functions: https://www.imperialviolet.org/2014/10/14/poodle.html

Most browsers support TLS renegotiation for failed handshakes and this includes the HTTP clients within Android. For better or mostly worse, this is intentional functionality for backwards compatibility with incorrectly configured servers and is documented in most of the reference docs in most places or if you dig through the native code source.

Example HTTP Clients:

HttpUrlConnection

TLS Intolerance Support

This class attempts to create secure connections using common TLS extensions and SSL deflate compression. Should that fail, the connection will be retried with SSLv3 only.

OkHttp

OkHttp initiates new connections with modern TLS features (SNI, ALPN), and falls back to SSLv3 if the handshake fails.

That said I think the ability to specify supported protocol versions in Android really makes this somewhat of a non-issue in apps. Browsers are a different story and are being handled by their respective owners. For example Google has supported the TLS_FALLBACK_SCSV fix in Chrome since February 2014 and recently committed a change to drop SSLv3 support entirely from Chrome. Mozilla has stated that the Firefox "fix" will release in November.

Chromium commit: https://chromium.googlesource.com/chromium/src/+/32352ad08ee673a4d43e8593ce988b224f6482d3

Ultimately the solution is to keep your servers SSL implementation patched and if you are an app developer, either Android or iOS, limit the TLS protocol usage to secure protocols.