On Thu, Aug 15, 2013 at 7:14 AM, Nathan of Guardian <[email protected]> wrote:
> The only silver lining from their post was that HTTP/SSL connections
> were not affected, so this only really affects apps that are
> generating keys at the Java layer, which include apps like Android
> Privacy Guard (APG) and our own Gibberbot.

I have a hard time trying to figure out from Alex Klyubin's blog post [1] just what the problem in affected Android class libraries was. Did they forget to include a urandom-backed SecureRandom provider? Or set it as one with highest priority? Or did they include it, but it wasn't registered as SHA1PRNG that people used? Did Google implement its Java standard library subset from scratch (i.e., not based on GNU Classpath or similar)?

[1] http://android-developers.blogspot.com/2013/08/some-securerandom-thoughts.html

--
Maxim Kammerer
Liberté Linux: http://dee.su/liberte
