Ask / Submit

Sailfish FREAKed out?

asked 2015-03-04 23:10:21 +0300

Fuzzillogic gravatar image

updated 2015-03-04 23:11:22 +0300

Recently an old vulnerability called FREAKre-emerged. While Jolla's default browser, based on Firefox seems to be immune, other browsers like Webcat are vulnerable. Tested it at I guess it's not limited to those browsers, but to Qt in general, so things like e-mail, syncML, *DAV might be affected too. Could someone shed some light on the actual status of this vulnerability on Jolla?

edit retag flag offensive close delete


I also tested webcat yesterday it was listed immune. So RSA_EXPORT isn't offered. But there might be still a way to trick it to using one. Though I never saw an example in doing so. As it then would popup and ask for accepting an unknown certificate. If you don't accept that certificate (it needs user interverntion otherwise it won't accept) everything should be fine. So assume it is safe for now.

leszek ( 2015-03-05 14:37:59 +0300 )edit

1 Answer

Sort by » oldest newest most voted

answered 2015-03-05 14:17:02 +0300

tigeli gravatar image

We are still looking into it, but yes.. I think we need to disable some protocols/ciphers on the platform level as it's clear that not all applications are setting up allowed ciphers/protocols which can be used for the communications.

edit flag offensive delete publish link more



Disable poodle sslv3 support in QtWebkit please.

PS: And when your at it patching QtWebkit anyways please remember the feature request of enabling customized devicePixelRatio so we developers using it won't need to hack around just to display websites at the correct size

leszek ( 2015-03-05 14:34:43 +0300 )edit

If I see it correctly updating openssl-libs-1.0.1j-1.5.1.armv7hl to at least version k should fix the issue completely for QtWebkit; See

Nevertheless disabling poodle attack vector is important too.

leszek ( 2015-03-05 15:13:32 +0300 )edit
Login/Signup to Answer

Question tools



Asked: 2015-03-04 23:10:21 +0300

Seen: 713 times

Last updated: Mar 05 '15