WebKit [LSARC/2008/782 FastTrack timeout 26/12/2008]
Hugh McIntyre
lists at mcintyreweb.com
Tue Jan 6 09:21:51 PST 2009
Alfred Peng wrote:
>
> On 01/02/09 15:59, Hugh McIntyre wrote:
>> Shi-Ying Irene Huang wrote:
>> So does this mean that:
>>
>> - HTTPS is not supported right now?
>> - HTTPS is supported, but does no verification of the server
>> certificate, thus defeating half of the point of HTTPS?
>> - HTTPS is supported and checks the certificates properly, just not
>> via CURL/OpenSSL?
>> - or that WebKit does not do the network accesses itself?
> The current status for HTTPS support is between option 1 and 2.
> Normally, WebKit doesn't support HTTPS. But if the environment variable
> "WEBKIT_IGNORE_SSL_ERRORS" is set, WebKit will call a libcURL function to
> skip the certificate verification and deal with the HTTPS request. OpenSSL
> isn't involved in this right now. But enabling SSL verification is on
> the plan.
Sounds OK, since the out-of-the-box default won't load HTTPS in an
unsafe way. Presumably any documentation on "WEBKIT_IGNORE_SSL_ERRORS"
will point out that this defeats the security of HTTPS?
>> As a second security-related question, what's the support plan every
>> time in future that Apple announces a Mac OS security fix that
>> includes an update to its WebKit? Will OpenSolaris be able to keep
>> up promptly with this?
>>
>> Hugh. (not a LSARC member and thus no vote).
> WebKit/GTK+ is part of the WebKit open source efforts in which the GNOME
> community takes the initiative. Currently, several GNOME applications
> are migrating to depend on this web browser engine, devhelp/epiphany for
> example. As for the security fix, we'll work with the GNOME community to
> provide support.
OK. My point in mentioning this was mainly that, because of the common
usage with Safari et al, any time Apple releases a security fix that
includes fixes to WebKit it will be very obvious if Solaris has a fix
ready at the same time or not. This will make any lag in security fixes
more obvious than non-shared software. Hopefully the GNOME community
will not be trailing Apple here.
Hugh.
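The opt-out mechanism discussed above, as an added illustration that is not part of the thread or of WebKit's own code: the environment variable name comes from the page, but the gating is written against Python's ssl module instead of WebKit's libcURL call (which the page does not show), and the `environ` dictionaries are constructed so it runs offline.

```python
import os
import ssl

# Opt-out variable named in the thread. The gating below mirrors its
# effect in Python's ssl module; WebKit's actual libcURL code is not shown
# on the page, so treat this as an illustration of the policy, not of WebKit.
OPT_OUT_VAR = "WEBKIT_IGNORE_SSL_ERRORS"


def tls_context(environ=None):
    """Return the TLS client context a WebKit-style client should use.

    The out-of-the-box default verifies the server certificate chain and
    the hostname. Only an explicitly set opt-out variable in `environ`
    (a constructed dict in the tests; the real process environment when
    None) turns verification off.
    """
    env = os.environ if environ is None else environ
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    if env.get(OPT_OUT_VAR) is not None:
        # Equivalent of telling libcURL not to verify peer or host: the
        # connection is still encrypted, but any certificate is accepted,
        # so a man-in-the-middle can impersonate the server unnoticed.
        ctx.check_hostname = False          # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifies_server(ctx):
    """True only when both chain validation and hostname checking are on."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def audit_environment(environ=None):
    """Defender's check: report whether the opt-out is active for a process
    (e.g. given an environment read from /proc/<pid>/environ)."""
    env = os.environ if environ is None else environ
    if OPT_OUT_VAR in env:
        return f"{OPT_OUT_VAR} is set: HTTPS certificate errors will be ignored"
    return f"{OPT_OUT_VAR} unset: HTTPS server certificates are verified"
```

Note that an empty value still counts as "set", matching the thread's description of the variable being present rather than having a particular value.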