HackerTrans
TopNewTrendsCommentsPastAskShowJobs

alexw91

no profile record

comments

alexw91
·4 ปีที่แล้ว·discuss
Just trying to think if there are any other potential immediate recommendations for non-technical friends and family with Android phones from these vendors other than "don't sideload any apps" and "make sure to install any security updates as soon as they're available".
alexw91
·4 ปีที่แล้ว·discuss
Any idea if signing up for Google's Advanced Protection program would mitigate/prevent potential attacks from this security issue?

My understanding is that signing up for this program blocks the usual methods of installing sideloaded apps (you can't install an app's apk file from your phone's local storage), and instead requires you to physically connect your Android phone to an external computer and use the adb CLI tool to sideload apps that are not on the Google Play store.

https://landing.google.com/advancedprotection/
alexw91
·4 ปีที่แล้ว·discuss
That's not how the TLS handshake works. The TLS server must be configured to request a certificate from the client in order for the client to know that it needs to send a client certificate to the server, and that server-side configuration is disabled for ~99%+ of endpoints.

TLS server implementations should be aborting the TLS connection for violating the TLS Handshake state machine if a client attempts to send a client certificate when it wasn't requested.

So while this bug affects both clients and servers, 100% of clients are parsing the server's TLS cert during the TLS handshake, but less than ~1% of servers are parsing a client's certificate during a handshake.
alexw91
·4 ปีที่แล้ว·discuss
https://en.wikipedia.org/wiki/List_of_Google_products