Android icon indicating copy to clipboard operation
Android copied to clipboard
verified publisher icon duckduckgo

The pertinence of the grade cannot be evaluated by the user

Open Ricky-Tigg opened this issue 3 years ago • 0 comments

Describe the bug

Hello. In order to be deserve the S of the protocol name HTTPS, –where S stands for Secure–, which is involved in an encrypted connection on internet, the NIST when needed has to re-evaluate the pertinence and validity of its cryptographic algorithms as part of standards it publishes and eventually adopt new mathematical functions either to insert to an existing version of TLS protocol or as part of a new version of TLS, so that it can cope with the mathematical advances –somehow modest– of cryptanalysis combined with the advances of computing statistical capabilities, which are consequent.

I yet remember that Calomel, an organisation, had poorly developed an add-on for browser whose goal was to grade the TLS cipher strength of the current HTTPS connection. Despite its obvious lack of reliability not to speak its lack of accuracy to define a proper grade, it was worth adopting, thus as experimental tool. Thanks to a change in the code of the program it was designed to operate in, its ability to function as intended eventually became inhibited hence its use non-relevant. Now what about this organisation in this respect? As we learn upon the use, at least bad.

How to Reproduce

  1. Display the view covering privacy grade for a site.

Duckduckgo_android_privacy_grade_view_element_encrypted_connection

  1. Click expression Encrypted connection.
  2. Observe the resulting effect.

Expected behavior

step 3. | Expression Encrypted connection not part of an element that supports clicking while it is dully expected to be. Hence the certificate tied to the connection cannot be exhibited, hence an investigation in this respect, aiming to ensure the pertinence of the evaluation made by this application cannot be achieved while it should be. Access to critical information, such as the name of the cipher suite and other pertinent details are not provided while it is of the highest importance that they can be accessed.

Worth noting when developing programs | None of the critical elements composing a scheme of privacy can be excluded without compromising the whole validity of the scheme. Adopting a product of an organisation with such a practise would not be even an option. Then this report, which is the first here posted, could also be the last if it appears it is so,

Environment

- This application version: 5.136.0
- Device: Samsung Galaxy Tab S7 FE
- OS: Android 12

Ricky-Tigg avatar Sep 22 '22 09:09 Ricky-Tigg