TLS 1.3 - Possible Problem Now or in the Near Future!


whitedavidp

Nov 3, 2023, 2:31:48 PM
to Tasker
I have started noticing that many https calls on my Android 9 apps and even some Windows programs are starting to fail with security exceptions of one sort or another.

I just tried making an HTTP Request call with Tasker (latest version on Play) to this client checker site. And it shows that the client is NOT TLS 1.3 compliant. I have no idea what client is used for this work in Tasker and other apps. But I did find this post talking about OkHttp not working with TLS 1.3 so perhaps that is a red flag? 

I then found this post speaking to how one dev dealt with this. And then this app which can be used, if installed, to provide the needed Conscrypt library in a fairly convenient and centralized way. Otherwise, every app would need to contain this rather massive library.

I am no expert and cannot be sure how big an issue this is for Tasker. But it is already an issue for some of the apps I use on Android 9.
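An added example, not part of the original post and not the checker site's own code: one way a server-side check can tell whether a client offers TLS 1.3 is to read the `supported_versions` extension (RFC 8446) from the ClientHello. The helper `build_client_hello` and both sample hellos are constructed for illustration, and how the linked checker actually decides is an assumption here.

```python
import struct

TLS13 = 0x0304
EXT_SUPPORTED_VERSIONS = 0x002B  # RFC 8446, section 4.2.1

def offered_versions(record):
    """Return the protocol versions offered by a ClientHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    pos = 9  # skip record header (5 bytes) and handshake header (4 bytes)
    legacy = struct.unpack_from("!H", record, pos)[0]
    pos += 2 + 32                                        # legacy_version, random
    pos += 1 + record[pos]                               # session id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]  # cipher suites
    pos += 1 + record[pos]                               # compression methods
    if pos + 2 > len(record):
        return [legacy]  # no extensions block: pre-1.3 client
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        body = record[pos + 4:pos + 4 + ext_len]
        if ext_type == EXT_SUPPORTED_VERSIONS and body:
            count = body[0] // 2
            versions = struct.unpack(f"!{count}H", body[1:1 + 2 * count])
            # GREASE placeholders (0x0A0A, 0x1A1A, ...; RFC 8701) are not versions.
            return [v for v in versions
                    if not ((v >> 8) == (v & 0xFF) and (v & 0x0F) == 0x0A)]
        pos += 4 + ext_len
    return [legacy]  # extension absent: legacy_version is the client's maximum

def supports_tls13(record):
    return TLS13 in offered_versions(record)

def build_client_hello(legacy, versions=None):
    """Constructed sample input (hypothetical helper): a minimal ClientHello."""
    body = (struct.pack("!H", legacy) + bytes(32) + b"\x00"
            + struct.pack("!HH", 2, 0x1301) + b"\x01\x00")
    if versions is not None:
        lst = struct.pack(f"!{len(versions)}H", *versions)
        data = bytes([len(lst)]) + lst
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(data)) + data
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

A hello without the extension, as sent by a client whose TLS stack stops at 1.2, yields only its `legacy_version`, so `supports_tls13` returns `False` for it.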

Chris Bennett

Nov 4, 2023, 5:02:20 PM
to tas...@googlegroups.com
On Fri, Nov 03, 2023 at 11:31:47AM -0700, whitedavidp wrote:
> I have started noticing that many https calls on my Android 9 apps and even
> some Windows programs are starting to fail with security exceptions of one
> sort or another.
>
> I just tried making an HTTP Request call with Tasker (latest version on
> Play) to this client checker site
> <https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html>. And it
> shows that the client is NOT TLS 1.3 compliant. I have no idea what client
> is used for this work in Tasker and other apps. But I did find this post
> <https://stackoverflow.com/questions/55539513/how-to-enable-tlsv1-3-for-okhttp-3-12-x-on-android-8-9>
> talking about OkHttp not working with TLS 1.3 so perhaps that is a red
> flag?

It is a big deal. TLS 1.1 and 1.2 are not considered secure anymore.

I only allow 1.3 on my servers. I would do whatever you can to make sure
that the app and programmers for Android and Windows software are aware of the
problem. You might get a few to update for that.

File issues about it if you find it on GitHub or the software has a
website.

You might not get any changes out of it, but see if you can work out
some good questions that name the programs and apps onto Stack Overflow
and elsewhere. You might push a programmer of new or in-development
software to go ahead and fix the problem.

But ultimately, you can only get someone to do that much reprogramming
if they actually want to or need to.

Good Luck!
--
Chris Bennett

whitedavidp

Nov 4, 2023, 5:48:39 PM
to Tasker
Thanks Chris. This is just a wild conjecture, but would running my network over a TLS1.3-capable VPN/tunnel "solve the problem"? I have no experience or knowledge of them. But I see that, at least on Android, apps exist that claim to do this. Best...

Chris Bennett

Nov 5, 2023, 12:02:36 AM
to tas...@googlegroups.com, whitedavidp
On Sat, Nov 04, 2023 at 02:48:39PM -0700, whitedavidp wrote:
> Thanks Chris. This is just a wild conjecture, but would running my network
> over a TLS1.3-capable VPN/tunnel "solve the problem"? I have no experience
> or knowledge of them. But I see that, at least on Android, apps exist that
> claim to do this. Best...
>

I can't swear that this is correct, but I would assume that they wrap
your packets in TLS 1.3 to ensure security of your information.

But that doesn't solve the problem because that wrapper will get
stripped off, leaving the original packet.

Also, your hardware might not be capable of actually doing 1.3.

--
Chris Bennett

whitedavidp

Nov 5, 2023, 1:40:22 PM
to Tasker
Thanks. I should have known it wouldn't be this easy...