WebKit [LSARC/2008/782 FastTrack timeout 26/12/2008]
Alfred Peng
Alfred.Peng at sun.com
Sun Jan 4 23:32:28 PST 2009
Hi Hugh,
On 01/02/09 15:59, Hugh McIntyre wrote:
> Shi-Ying Irene Huang wrote:
>> 4.11. Security Impact:
>> In the future, the WebKit community plans that WebKit/GTK+ will use cURL
>> and then OpenSSL library to verify the peer's certificates for HTTPS
>> connections. However, this feature is not implemented yet.
>
> So does this mean that:
>
> - HTTPS is not supported right now?
> - HTTPS is supported, but does no verification of the server
>   certificate, thus defeating half of the point of HTTPS?
> - HTTPS is supported and checks the certificates properly, just not
>   via CURL/OpenSSL?
> - or that WebKit does not do the network accesses itself?
The current status for HTTPS support is between options 1 and 2.
Normally, WebKit doesn't support HTTPS. But if the environment variable
"WEBKIT_IGNORE_SSL_ERRORS" is set, WebKit will call a libcURL function to
skip the certificate verification and deal with HTTPS requests. OpenSSL
isn't involved in this right now. But enabling SSL verification is in
the plan.
> As a second security-related question, what's the support plan every
> time in future that Apple announces a Mac OS security fix that
> includes an update to its WebKit? Will OpenSolaris be able to keep
> up promptly with this?
>
> Hugh. (not a LSARC member and thus no vote).
WebKit/GTK+ is part of the WebKit open source efforts in which the GNOME
community takes the initiative. Currently, several GNOME applications
are migrating to depend on this web browser engine, devhelp/epiphany for
example. As for the security fix, we'll work with the GNOME community to
provide support.
Thanks,
-Alfred
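
A defender-side check for the setting described in the message above, as an added example that is not part of the original thread or of WebKit: it looks for WEBKIT_IGNORE_SSL_ERRORS in process environments. It assumes a Linux-style /proc/<pid>/environ layout and, following the message's wording "is set", treats any value (including 0 or empty) as set; the function names are hypothetical.

```python
import os

VAR = "WEBKIT_IGNORE_SSL_ERRORS"  # variable named in the message above

# Constructed sample: an environment block in /proc/<pid>/environ layout.
CONSTRUCTED_ENVIRON = b"HOME=/home/u\0WEBKIT_IGNORE_SSL_ERRORS=0\0PATH=/usr/bin\0"


def parse_environ(blob):
    """Parse a NUL-separated KEY=VALUE block into a dict."""
    env = {}
    for entry in blob.split(b"\0"):
        key, sep, value = entry.partition(b"=")
        if sep and key:  # skip empty or malformed entries
            env[key.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env


def verification_disabled(env):
    """Assumption: presence alone counts as "set", so "0" or "" still match."""
    return VAR in env


def scan_processes(proc_root="/proc"):
    """Return sorted [(pid, value)] for readable processes that set VAR."""
    hits = []
    if not os.path.isdir(proc_root):
        return hits  # no Linux-style procfs on this host
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, name, "environ"), "rb") as fh:
                env = parse_environ(fh.read())
        except OSError:
            continue  # process exited, or we lack permission to read it
        if verification_disabled(env):
            hits.append((int(name), env[VAR]))
    return sorted(hits)


if __name__ == "__main__":
    print("constructed sample flagged:",
          verification_disabled(parse_environ(CONSTRUCTED_ENVIRON)))
    for pid, value in scan_processes():
        print(f"pid {pid}: {VAR}={value!r} (HTTPS certificate checks skipped)")
```

/proc/<pid>/environ reflects the environment at process start, so a variable the process sets on itself later will not show up in this scan.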