asked 2015-03-04 23:10:21 +0200
Recently an old vulnerability called FREAKre-emerged. While Jolla's default browser, based on Firefox seems to be immune, other browsers like Webcat are vulnerable. Tested it at https://freakattack.com/. I guess it's not limited to those browsers, but to Qt in general, so things like e-mail, syncML, *DAV might be affected too. Could someone shed some light on the actual status of this vulnerability on Jolla?
answered 2015-03-05 14:17:02 +0200
We are still looking into it, but yes.. I think we need to disable some protocols/ciphers on the platform level as it's clear that not all applications are setting up allowed ciphers/protocols which can be used for the communications.
Disable poodle sslv3 support in QtWebkit please.
PS: And when your at it patching QtWebkit anyways please remember the feature request of enabling customized devicePixelRatio so we developers using it won't need to hack around just to display websites at the correct size
leszek ( 2015-03-05 14:34:43 +0200 )editIf I see it correctly updating openssl-libs-1.0.1j-1.5.1.armv7hl to at least version k should fix the issue completely for QtWebkit; See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204
Nevertheless disabling poodle attack vector is important too.
leszek ( 2015-03-05 15:13:32 +0200 )editAsked: 2015-03-04 23:10:21 +0200
Seen: 810 times
Last updated: Mar 05 '15
I also tested webcat yesterday it was listed immune. So RSA_EXPORT isn't offered. But there might be still a way to trick it to using one. Though I never saw an example in doing so. As it then would popup and ask for accepting an unknown certificate. If you don't accept that certificate (it needs user interverntion otherwise it won't accept) everything should be fine. So assume it is safe for now.
leszek ( 2015-03-05 14:37:59 +0200 )edit