List: ietf-tls
Subject: Re: [TLS] J2ME and TLS
From: Vipul Gupta <Vipul.Gupta () sun ! com>
Date: 2007-01-19 19:38:04
Message-ID: 85B04BB4-35A1-4232-A40F-FEE84EDFF6D8 () sun ! com
I wish I knew but this is a hard number to obtain. While I've seen
numbers that say there are nearly a billion cellphones with Java ME
worldwide, that doesn't directly translate into SSLv3 installs for at
least a couple of reasons:

-- HTTPS support only became a requirement for Java ME devices
starting with version 2.0 of MIDP (MIDP 1.0 compliance only required
HTTP support)

-- From what I've heard, many phone set manufacturers treat the
reference implementation as just that -- few use it as is, often
times their underlying OS has a native SSL/TLS implementation that
they reuse under a Java API.

I feel reasonably comfortable saying that many phones that support
HTTP(S) do not use TCP as the underlying bearer. They just need
TCP-like semantics -- in-order, lossless delivery.

If you are interested in estimating SSLv3 vs. TLSv1 usage, here's an
interesting data point. SSL 3.0 ends up being used more often than it
should because many deployed servers are "TLS intolerant" due to a
bug -- the spec says that the encrypted premaster should carry the
highest version proposed by the client but servers with this bug
expect the negotiated version instead, causing handshake failures.
When Mozilla/Firefox encounter such servers they abandon the failed
TLS handshake and reconnect using SSL 3.0. I believe this bug was
recently fixed by the MS team -- one of the nice outcomes of having
engineering teams from various vendors being able to communicate
directly with each other as part of the ECC interop forum
(http://dev.experimentalstuff.com:8082). There's also some relevant data at:
http://www.securityspace.com/s_survey/sdata/200612/protciph.html

vipul

On Jan 19, 2007, at 9:53 AM, home_pw@msn.com wrote:
> Vipul:
>
> Given parts of J2ME are in the handsets of many phones, could you
> give a best estimate of just HOW many installs of SSLv3 you think
> there might be, globally, in mobile terminals?
>
> This would be a fascinating number to approximate.
>
> Do these terminals use TCP as the bearer for SSL messages, in
> general, or otherwise?
>
> ----- Original Message -----
> From: "Vipul Gupta" <Vipul.Gupta@sun.com>
> To: "Omirjan Batyrbaev" <batyr@sympatico.ca>
> Cc: <TLS@lists.ietf.org>
> Sent: Thursday, January 18, 2007 9:47 PM
> Subject: Re: [TLS] J2ME and TLS
>
>>
>> As part of Sun's open sourcing of Java, the ssl client code in
>> MIDP is now available at:
>
_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls
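
Added example (not part of the original message or of any vendor's code): a small Python model of the pre-master version check the message describes, showing a conforming server beside a "TLS intolerant" one and the client's reconnect with SSL 3.0. The function names and the TLS 1.1 client / TLS 1.0 server scenario are assumptions constructed for illustration; only the 2-byte version field is modelled, with no real cryptography or network I/O.

```python
# Added illustration, not code from the thread. Models only the version field
# of the RSA-encrypted pre-master secret; no real crypto or network I/O.
import os

SSL3, TLS10, TLS11 = (3, 0), (3, 1), (3, 2)   # (major, minor) wire values

def make_premaster(client_hello_version):
    """48-byte pre-master: highest version the client proposed + 46 random bytes."""
    return bytes(client_hello_version) + os.urandom(46)

def check_per_spec(pms, offered, negotiated):
    """Conforming server: compare against the version sent in the ClientHello."""
    return len(pms) == 48 and tuple(pms[:2]) == offered

def check_intolerant(pms, offered, negotiated):
    """Server with the bug from the message: expects the negotiated version."""
    return len(pms) == 48 and tuple(pms[:2]) == negotiated

def handshake(offered, server_max, server_check):
    """Return the negotiated version, or None if the server rejects the pre-master."""
    negotiated = min(offered, server_max)
    pms = make_premaster(offered)
    return negotiated if server_check(pms, offered, negotiated) else None

def connect_with_fallback(client_max, server_max, server_check):
    """Client behaviour described in the message: after a failed handshake,
    reconnect offering SSL 3.0. Returns (attempts, version finally used)."""
    attempts = []
    for offered in (client_max, SSL3):
        result = handshake(offered, server_max, server_check)
        attempts.append((offered, result))
        if result is not None:
            return attempts, result
    return attempts, None

if __name__ == "__main__":
    # Constructed scenario: client offers TLS 1.1, server tops out at TLS 1.0.
    for name, check in (("per spec", check_per_spec),
                        ("intolerant", check_intolerant)):
        attempts, used = connect_with_fallback(TLS11, TLS10, check)
        print(f"{name:10s} attempts={attempts} final={used}")
```

Against the conforming check the first handshake succeeds at TLS 1.0; against the intolerant check it fails and the reconnect lands on SSL 3.0, even though both ends support TLS 1.0.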