Ask / Submit
20

Sailfish FREAKed out?

asked 2015-03-04 23:10:21 +0300

Fuzzillogic gravatar image

updated 2015-03-04 23:11:22 +0300

Recently an old vulnerability called FREAKre-emerged. While Jolla's default browser, based on Firefox seems to be immune, other browsers like Webcat are vulnerable. Tested it at https://freakattack.com/. I guess it's not limited to those browsers, but to Qt in general, so things like e-mail, syncML, *DAV might be affected too. Could someone shed some light on the actual status of this vulnerability on Jolla?

edit retag flag offensive close delete

Comments

I also tested webcat yesterday it was listed immune. So RSA_EXPORT isn't offered. But there might be still a way to trick it to using one. Though I never saw an example in doing so. As it then would popup and ask for accepting an unknown certificate. If you don't accept that certificate (it needs user interverntion otherwise it won't accept) everything should be fine. So assume it is safe for now.

leszek ( 2015-03-05 14:37:59 +0300 )edit

1 Answer

Sort by » oldest newest most voted
10

answered 2015-03-05 14:17:02 +0300

tigeli gravatar image

We are still looking into it, but yes.. I think we need to disable some protocols/ciphers on the platform level as it's clear that not all applications are setting up allowed ciphers/protocols which can be used for the communications.

edit flag offensive delete publish link more

Comments

4

Disable poodle sslv3 support in QtWebkit please.

PS: And when your at it patching QtWebkit anyways please remember the feature request of enabling customized devicePixelRatio so we developers using it won't need to hack around just to display websites at the correct size

leszek ( 2015-03-05 14:34:43 +0300 )edit
2

If I see it correctly updating openssl-libs-1.0.1j-1.5.1.armv7hl to at least version k should fix the issue completely for QtWebkit; See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204

Nevertheless disabling poodle attack vector is important too.

leszek ( 2015-03-05 15:13:32 +0300 )edit
Login/Signup to Answer

Question tools

Follow
4 followers

Stats

Asked: 2015-03-04 23:10:21 +0300

Seen: 719 times

Last updated: Mar 05 '15