thunderbird-android icon indicating copy to clipboard operation
thunderbird-android copied to clipboard
verified publisher icon thunderbird

Improve SSL connection handling

Open wmontwe opened this issue 1 year ago • 0 comments

While working on #7655 I noticed that we use a quite dated implementation to establish SSL connections. As we would like to raise the bar in terms of security (level needs to be decided). This is a good starting point for improvements.

The classes to look at:

  • DefaultTrustedSocketFactory implementation of TrustedSocketFactory for all mail backends
    • creates it's own SSLcontext and injects TrustManagerFactory and KeyChainKeyManager
  • TrustManagerFactory - internally uses a custom SecureX509TrustManager which is error prone and not advised
  • KeyChainKeyManager - Android 4.0 KeyChain API

These need to be evaluated and updated to latest security best practises or replaced by a solid and secure 3rd party solution. Also they are lacking any tests, it would be advised to add them to protect against accidential behavior changes and verify that it works as intended. Also there is no documentation describing the intended behavior.

wmontwe avatar Feb 23 '24 09:02 wmontwe