Closed RoestVrijStaal closed 8 years ago
llelectronics
commented
8 years ago Freak Attack shouldn't be a problem. See: https://freakattack.com/clienttest.html The same goes for Poodle Attack: https://www.poodletest.com/
All those tests were performed on SailfishOS 2.0.0.10 with Webcat 2.0.8
RoestVrijStaal
commented
8 years ago Yeah, but WebCat still supports old protocols and cyphers like SSL 3.0.
llelectronics
commented
8 years ago This needs to be adressed upstream then. On my tests I think I had my router (firewall) blocking sslv3 which lead to not vulnerable messages in the various testing suites. I will reopen it and mark it as an upstream (qtwebkit) bug that needs fixing there. (basically by updating to a newer qt version)
llelectronics
commented
8 years ago Fixed
comminux
commented
8 years ago Was it fixed by you or by SFOS updates?
llelectronics
commented
8 years ago I have a fixed version available in the ll-webkit github repo. https://github.com/llelectronics/lls-qtwebkit Jolla should have fixed it also
comminux
commented
8 years ago Sorry, what is hash of this commit?
llelectronics
commented
8 years ago Sorry my bad. The fork from me fixes some image loading issues and memory leaks. The actual fix should have landed in the various different libs qtwebkit depends on like openssl. SSLv3 disabling is also possible during compile time. I think it is disabled by default now in a openssl update Jolla did for its latest version 2.0.1.11 I rechecked the different security tests today before releasing the new version and was not able to see any security issues thus I closed this here.
comminux
commented
8 years ago Thank you for responding!
Like Web Pirate, WebCat is still suffering of the FREAK, POODLE and other numerous attacks. https://github.com/Dax89/harbour-webpirate/issues/30
I've checked it with https://www.ssllabs.com/ssltest/viewMyClient.html
Please release a bugfix version which at least work around to fix those problems.