Your D-Link router may have a backdoor

Another example of how, if you don’t own the source code to your software, you can’t be fully sure what it does.

A curious computer security professional published findings Saturday that deconstructed the firmware code for some D-Link router devices and discovered a backdoor built directly into the code. By changing the user-agent in a web browser to “xmlset_roodkcableoj28840ybtide,” a user could bypass the security on the device and get online or control the higher functions of the router.

via Your D-Link router may have a backdoor | The Raw Story.
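A defender's first question about a backdoor like the one described above is whether anyone has already tried it against a device on the network. The script below is an added example (not code from the linked article or from D-Link) that scans web-server or reverse-proxy access logs in the common Apache/nginx "combined" format and flags any request whose User-Agent carries the reported string. The log lines are constructed for the demonstration; the only page-specific value is the user-agent string itself.

```python
import re
from typing import Dict, Iterable, List, Optional

# The backdoor user-agent string reported in the article (the only page-specific value here).
DLINK_BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"

# Apache/nginx "combined" log format:
#   client ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format access log line; return None if it does not match."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def is_backdoor_ua(user_agent: str) -> bool:
    """Case-insensitive substring check: the string is distinctive enough that
    a plain substring match will not false-positive on normal browser UAs."""
    return DLINK_BACKDOOR_UA in user_agent.lower()


def find_backdoor_attempts(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one record per request that carried the backdoor user-agent."""
    hits = []
    for raw in lines:
        rec = parse_combined(raw)
        if rec is None:
            continue  # unparseable line (rotation banner, truncated write, other format)
        if is_backdoor_ua(rec["ua"]):
            hits.append({
                "client": rec["client"],
                "time": rec["time"],
                "request": rec["request"],
                "status": rec["status"],
            })
    return hits


# Constructed sample log lines (not real traffic); addresses are from documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Oct/2013:14:01:02 +0000] "GET / HTTP/1.1" 200 1532 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/24.0"
192.0.2.77 - - [12/Oct/2013:14:01:09 +0000] "GET /status.htm HTTP/1.1" 200 811 "-" "xmlset_roodkcableoj28840ybtide"
198.51.100.5 - - [12/Oct/2013:14:02:30 +0000] "GET /login.htm HTTP/1.1" 401 301 "-" "curl/7.30.0"
192.0.2.77 - - [12/Oct/2013:14:02:45 +0000] "POST /config.htm HTTP/1.1" 200 0 "-" "XMLSET_roodkcableoj28840ybtide"
"""

if __name__ == "__main__":
    for hit in find_backdoor_attempts(SAMPLE_LOG.splitlines()):
        print(f"ALERT backdoor user-agent from {hit['client']} at {hit['time']}: "
              f"{hit['request']} -> {hit['status']}")
```

A 200 status on a hit is the line worth escalating: it means the device answered the request rather than rejecting it, which is exactly the bypass the article describes. The same substring check translates directly into a proxy or IDS rule on the User-Agent header.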

Why Android SSL was downgraded from AES256-SHA to RC4-MD5 in late 2010

An Android developer has uncovered convincing evidence that Google inexplicably and deliberately dumbed-down Android’s SSL security.

“The change from the strong OpenSSL cipher list to a hardcoded one starting with weak ciphers is either a sign of horrible ignorance, security incompetence or a clever disguise for an NSA-influenced manipulation – you decide!”

Android is using the combination of horribly broken RC4 and MD5 as the first default cipher on all SSL connections. This impacts all apps that did not care enough to change the list of enabled ciphers (i.e. almost all existing apps). This post investigates why RC4-MD5 is the default cipher, and why it replaced better ciphers which were in use prior to the Android 2.3 release in December 2010.

via Why Android SSL was downgraded from AES256-SHA to RC4-MD5 in late 2010.
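The practical lesson of the post above is that an app which never inspects its platform's cipher list inherits whatever order the platform hardcoded, weak suites first. The script below is an added example (not code from the linked post, from Android, or from OpenSSL) that audits a client cipher-suite preference list written in the Java/IANA naming style Android exposes, rejects suites built on RC4, MD5, DES/3DES, NULL, export or anonymous primitives, and reorders what remains so forward-secret AEAD suites come first. The input list is constructed to resemble the situation described (weak suites at the head) and is not the actual Android list.

```python
from typing import List, Tuple

# Tokens that mark a suite as unacceptable, as they appear in Java/IANA-style suite names.
WEAK_TOKENS = ("RC4", "MD5", "DES", "NULL", "EXPORT", "anon", "RC2")


def is_weak(suite: str) -> bool:
    """True if the suite name contains any broken or deprecated primitive."""
    return any(tok in suite for tok in WEAK_TOKENS)


def weak_reasons(suite: str) -> List[str]:
    """List every weak token found, for audit reporting."""
    return [tok for tok in WEAK_TOKENS if tok in suite]


def score(suite: str) -> Tuple[int, int, int]:
    """Ranking key: forward-secret key exchange, then AEAD mode, then key size.
    Higher tuples sort first when sorted in reverse."""
    kx = 2 if "ECDHE" in suite else 1 if "DHE" in suite else 0
    aead = 1 if ("GCM" in suite or "CHACHA20" in suite) else 0
    key = 2 if "AES_256" in suite else 1 if "AES_128" in suite else 0
    return (kx, aead, key)


def harden(suites: List[str]) -> List[str]:
    """Drop weak suites and order the rest strongest-first (stable for ties)."""
    kept = [s for s in suites if not is_weak(s)]
    return sorted(kept, key=score, reverse=True)


def audit(suites: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (suite, reasons) for each weak suite, in original preference order."""
    return [(s, weak_reasons(s)) for s in suites if is_weak(s)]


# Constructed preference list: weak suites first, as the post describes, then stronger ones.
SAMPLE_CLIENT_PREFERENCE = [
    "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
]

if __name__ == "__main__":
    print("First suite offered as configured:", SAMPLE_CLIENT_PREFERENCE[0])
    for suite, reasons in audit(SAMPLE_CLIENT_PREFERENCE):
        print(f"REJECT {suite}: {', '.join(reasons)}")
    print("Hardened order:")
    for suite in harden(SAMPLE_CLIENT_PREFERENCE):
        print("  ", suite)
```

The check is on suite names only; it says nothing about whether the underlying TLS stack actually honours the order an app sets, which is the part of the story the post above investigates. Used on a real list, `harden()` gives the value an app should pass to its socket's enabled-cipher-suites setter instead of accepting the platform default.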