
WebKitFLTK security update model

Open tukoz opened this issue 9 years ago • 3 comments

Hi clbr

Linux distros aren't updating webkit, making web unsecure (or straight to Michael Catanzaro's blog post, On WebKit Security Updates)

Ryan Castellucci's paper on certs issues for webkit-based Midori and Xombrero

WebKitGTK+ and QtWebKit for most GNU Linux distros have security flaws that come from a buggy update workflow. Being a port of webkit to FLTK,

  • which webkit version does webkitfltk-0.4 rely on?
  • what sort of updates does Webkitfltk receive?

tukoz Feb 21 '16 01:02

https://www.reddit.com/r/linux/comments/46kyjf/linux_distros_arent_updating_webkit_making_web/

https://rya.nc/https-script.html

The https page shows Fifth behaving as intended, i.e. sub-resource certificates are checked, but CAs are ignored.

WebKitGTK+ and QtWebKit for most GNU Linux distros have security flaws that come from a buggy update workflow. Being a port of webkit to FLTK,

  • which webkit version does webkitfltk-0.4 rely on?

Webkit1.

  • what sort of updates does Webkitfltk receive?

I'm the only person working on it in a stable manner, so it receives updates when I have time.

Thus no CVEs or security patches for old releases, and even the latest release is most likely vulnerable to some things upstream webkit is.

Whether this is important for one's use depends. The sec bugs are most of the time crashers, so you may lose a session, not something that would let them impersonate a bank, steal credentials, etc.

clbr Feb 21 '16 09:02

Thanks for clarifying a bit. Appreciated. [Developing your own browser must be fun and also killing sometimes][1]

Do some of the security and privacy pillars around which you're building Fifth influence some of the flaws an outdated WebKit web engine lets us face, and if so how? And even the Javascript and WebGL limitations?

On a side note, I remember the first day I opened a set of 40 tech sites in Fifth, and how the browser politely requested me to love Justin ;) before loading any javascript external to the domain (on ~ten of them); not even talking of Google services who change their (root domain certs? I think) every connection ;))

[1]: Wish some of the minimalist browser developers actively shared some of their resources, though that may be overkill for the proudest samurai amongst them.

tukoz Feb 21 '16 22:02

Yes, not supporting WebGL, WebCL, audio, video, or Web Fonts means there's much less attack surface. WebGL in particular has been used for a lot of the exploits, which obviously become useless when the browser does not execute WebGL.

I did discuss sharing things with Otter, another Opera-like free software browser, but we didn't have much that could be shared. I believe that applies to the others too; technically there isn't much possibility for sharing code.

clbr Feb 22 '16 08:02