Re: [TLS] J2ME and TLS

To: home_pw at msn.com
Subject: Re: [TLS] J2ME and TLS
From: Vipul Gupta <Vipul.Gupta at sun.com>
Date: Fri, 19 Jan 2007 11:38:04 -0800
Cc: Vipul Gupta <Vipul.Gupta at sun.com>, tls mailing list <tls at ietf.org>
In-reply-to: <BAY126-DAV9C8247C181C283F1F9D1292A90@phx.gbl>
List-archive: <http://www1.ietf.org/pipermail/tls>
List-help: <mailto:tls-request@lists.ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-post: <mailto:tls@lists.ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
References: <001c01c73b7c$9c6d9800$bea65e41@pbo8f8e10aowa> <ABC028C8-6858-4599-8440-8CCFF88740C6@sun.com> <BAY126-DAV9C8247C181C283F1F9D1292A90@phx.gbl>

I wish I knew but this is a hard number to obtain. While I've seen numbers that say there are nearly a billion cellphones with Java ME worldwide, that doesn't directly translate into SSLv3 installs for at least a couple of reasons:

-- HTTPS support only became a requirement for Java ME devices starting with version 2.0 of MIDP (MIDP 1.0 compliance only required HTTP support) -- From what I've heard, many phone set manufacturers treat the reference implementation as just that -- few use it as is, often times their underlying OS has a native SSL/TLS implementation that they reuse under a Java API.

I feel reasonably comfortable saying that many phones that support HTTP(S) do not use TCP as the underlying bearer. They just need TCP- like semantics -- in order, loss less delivery.

If you are interested in estimating SSLv3 v/s TLSv1 usage, here's an interesting data point. SSL 3.0 ends up being used more often than it should because many deployed servers are "TLS intolerant" due to a bug -- the spec says that the encrypted premaster should carry the highest version proposed by the client but servers with this bug expect the negotiated version instead causing handshake failures. When Mozilla/Firefox encounter such servers they abandon the failed TLS handshake and reconnect using SSL 3.0. I believe this bug was recently fixed by the MS team -- one of the nice outcomes of having engineering teams from various vendors being able to communicate directly with each other as part of the ECC interop forum (http:// dev.experimentalstuff.com:8082). There's also some relevant data at: http://www.securityspace.com/s_survey/sdata/200612/protciph.html

vipul

On Jan 19, 2007, at 9:53 AM, home_pw at msn.com wrote:

Vipul:
Given parts of J2ME are in the handsets of many phones, could you give a best estimate of just HOW many installs of SSLv3 your think there might be, globally, in mobile terminals?
This would be a fascinating number to approximate.
Do these terminals use TCP as the bearer for SSL messages, in general, or otherwise?
----- Original Message -----
From: "Vipul Gupta" <Vipul.Gupta at sun.com>
To: "Omirjan Batyrbaev" <batyr at sympatico.ca>
Cc: <TLS at lists.ietf.org>
Sent: Thursday, January 18, 2007 9:47 PM
Subject: Re: [TLS] J2ME and TLS
As part of Sun's open sourcing of Java, the ssl client code in MIDP is now available at:

_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls

References:
- [TLS] J2ME and TLS
  - From: Omirjan Batyrbaev
- Re: [TLS] J2ME and TLS
  - From: Vipul Gupta
- Re: [TLS] J2ME and TLS
  - From: home_pw

Prev by Date: Re: [TLS] J2ME and TLS
Next by Date: [TLS] TLS extension
Previous by thread: Re: [TLS] J2ME and TLS
Next by thread: [TLS] TLS/SRP WGLC
Index(es):
- Date
- Thread

Re: [TLS] J2ME and TLS

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.