19

Jolla browser suffers from poodle vulnerability [answered]

asked 2014-10-15 11:36:34 +0300

meneer

updated 2014-10-15 14:01:23 +0300

The Jolla stock browser has the #poodle vulnerability - SSLv3. It should be fixed. Firefox 33 is not vulnerable.

https://www.openssl.org/~bodo/ssl-poodle.pdf

Here's the result of http://poodletest.com:

[image: screenshot of the poodletest.com result]


The question has been closed for the following reason "the question is answered, an answer was accepted" by dsilveira
close date 2014-10-16 16:58:03.662078

Comments

2

On my phone, SailfishOS 1.0.8.21 (Tahkalampi), http://poodletest.com/ no SSLv3 so not vulnerable. Also on the stock browser, so what's the difference here?

filipb92 (2014-10-15 12:06:03 +0300)

At least snowshoe browser on Jolla is not vulnerable ;) (and no, I don't change the browser settings reflecting this in my builds)

Nieldk (2014-10-15 21:38:41 +0300)

no vulnerability here but for webcat browser

NuklearFart (2014-10-16 01:00:19 +0300)

1.0.8.21 is not vulnerable, how old a SFOS release are you running?

juiceme (2014-10-16 12:41:53 +0300)

Strange things seem to happen to the browser. My 1.0.8.21 version was vulnerable, others with the same version were not vulnerable. There may well be a relation to apps that use internet services and that somehow impact the security level of SailfishOS - not by vulnerabilities of the app itself, but by introducing vulnerabilities in the sailfishos platform. This is, of course, a risk in any system that is jailbroken or rooted, it's by no means a weakness of sailfishos or Jolla. But this security issue should be documented and some advice to devs should be given.

meneer (2014-10-17 10:32:03 +0300)

3 Answers

16

answered 2014-10-15 14:20:01 +0300

staticint

updated 2014-10-15 14:35:43 +0300

Workaround:

Add the following line in /home/nemo/.mozilla/mozembed/user.js and restart the browser:

user_pref("security.tls.version.min", 1);

This will set the minimum version to use to TLS1.0 as seen here: Mozilla KB

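One way to script the workaround above so that it is safe to re-run, as an added example that is not part of the original answer or of Jolla's code. The function names are hypothetical, the value mapping (0 = SSL 3.0, 1 = TLS 1.0, and so on) is Gecko's meaning for this preference, and the demo runs against a constructed profile in a temporary directory rather than the device path.

```shell
#!/bin/sh
# Added example: audit and pin Gecko's minimum TLS version in a user.js file.
# Pref values: 0 = SSL 3.0, 1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2.
PREF='security.tls.version.min'
PREF_RE='^[[:space:]]*user_pref("security\.tls\.version\.min",[[:space:]]*'

# Print the last value assigned to the pref in file $1 (nothing if unset).
tls_min_of() {
    [ -f "$1" ] || return 0
    sed -n 's/'"$PREF_RE"'\([0-9][0-9]*\));.*/\1/p' "$1" | tail -n 1
}

# Classify file $1: "unset", "sslv3-allowed" (value 0) or "tls-only" (>= 1).
tls_min_status() {
    v=$(tls_min_of "$1")
    if [ -z "$v" ]; then echo unset
    elif [ "$v" -eq 0 ]; then echo sslv3-allowed
    else echo tls-only; fi
}

# Make file $1 set the pref to at least $2 (default 1, as in the answer).
# Creates the file if missing and never lowers a stricter existing value.
ensure_tls_min() {
    file=$1; want=${2:-1}
    have=$(tls_min_of "$file")
    if [ -n "$have" ] && [ "$have" -ge "$want" ]; then return 0; fi
    mkdir -p "$(dirname "$file")"
    tmp="$file.tmp.$$"
    # Keep every other line, drop weaker assignments of this pref, append ours.
    if [ -f "$file" ]; then grep -v "$PREF_RE" "$file" > "$tmp" || true
    else : > "$tmp"; fi
    printf 'user_pref("%s", %s);\n' "$PREF" "$want" >> "$tmp"
    mv "$tmp" "$file"
}

# Demo on a constructed profile in a temp directory (not a real device path).
demo() {
    d=$(mktemp -d)
    printf 'user_pref("a.b", true);\nuser_pref("%s", 0);\n' "$PREF" > "$d/user.js"
    before=$(tls_min_status "$d/user.js")
    ensure_tls_min "$d/user.js"
    echo "$before -> $(tls_min_status "$d/user.js")"
    rm -rf "$d"
}
demo
```

On a device, the equivalent call would be `ensure_tls_min /home/nemo/.mozilla/mozembed/user.js`, followed by a browser restart as the answer says.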

Comments

I can't seem to find that file. And I lost the root password, so I'll have to reset that as well... Later...

meneer (2014-10-15 14:34:56 +0300)
3

If the file does not exist, just create it. It is used to add about:config entries to firefox.

staticint (2014-10-15 14:36:31 +0300)

cool, that works for me. Now it says not vulnerable. Thanks a lot.

lpr (2014-10-15 14:40:57 +0300)

Same here. Patch works :)

Will this fix be installed in update9?

meneer (2014-10-15 15:19:26 +0300)
2

@meneer: See my modified answer below. It should not be vulnerable by default (we went back to 1.0.0.5 even and that one was ok). Since we do not know what might have modified it for some people we will fix this for sure, but it might be that it does not make u9.

Philippe De Swert (2014-10-15 15:28:28 +0300)
12

answered 2014-10-15 12:58:25 +0300

Philippe De Swert

updated 2014-10-20 16:05:08 +0300

In 1.0.8.21 the browser should not be vulnerable, although due to circumstances it could be. Please update your device with the latest hotfixes (https://together.jolla.com/question/57874/release-notes-security-hotfix-for-tahkalampi-10821/). Please check if this worries you as browser preferences might have been adjusted on your device.

In case something modified your browser preferences, check the work-around with user.js posted in this question. In one of the coming updates we will resolve the issue by explicitly disabling the ssl3 so it should also be fixed for people where it does not seem to be correct now.

And to make it absolutely clear. A sure fix for all will be coming. It can even be seen in the browser repository: https://github.com/sailfishos/sailfish-browser/commit/33850562c8e0fa7a85e7b7730fd69f6b51e93898


Comments

3

Mine with last update is vulnerable

kaulian (2014-10-15 13:18:55 +0300)

@kaulian: Please check you have the hotfix (not update) installed

Philippe De Swert (2014-10-15 13:19:58 +0300)
1

I've 1.0.8.21 installed and poodletest.com says the sailfish-browser is vulnerable. Android-Firefox 32.0.1 is not.

lpr (2014-10-15 13:27:44 +0300)
3

I installed the update the day it came out, I'm running 1.0.8.21 too, but the vulnerability shows, as is obvious from the screendump. Are there any system settings that have impact on this situation?

meneer (2014-10-15 13:29:56 +0300)
2

Do you have anything from openrepos or so installed, as the poodletest passes (non-vulnerable) on a stock 1.0.8.21 (and also on my update9 testing device)?

Philippe De Swert (2014-10-15 13:43:55 +0300)
2

answered 2014-10-17 13:20:07 +0300

inte

updated 2014-10-17 13:20:45 +0300

For those who receive a "not vulnerable" test result even without the workaround - there might be a certificate error with the poodle image (https://sslv3.dshield.org/vulnpoodle.png). You might try to invoke the image directly and check for errors. Due to this problem (https://www.ssllabs.com/ssltest/analyze.html?d=sslv3.dshield.org) this image might be blocked and your browser shows the terrier despite being vulnerable to poodle. Take care and apply the workaround in any case!


Comments

I have no user.js but opening the image shows the poodle and my browser says there is no vulnerability, so my thoughts say it's ok

NuklearFart (2014-10-20 17:07:05 +0300)

Hej,

A bit off-topic... Funny as it may seem, but N9 stock browser seems not to be vulnerable. It displays a certificate error and if you decline it, terrier comes. You accept it, poodle is displayed.

LVPVS (2014-10-20 17:09:55 +0300)

Hey LVPVS, that is exactly what I've meant. The certificate error is due to the poor configuration of the test site. If you'd applied the workaround as described above, you'd see the poodle in neither case. Unfortunately, the test site can be misleading due to this certificate error. Or in short: Not seeing the poodle does not guarantee being safe from the poodle attack, since a potential attacker may simply use a properly configured server to undertake the attack.

inte (2014-10-20 18:56:57 +0300)
