WebCat vulnerable to various known attacks. (FREAK, POODLE)

[RoestVrijStaal]

Like Web Pirate, WebCat is still suffering of the FREAK, POODLE and other numerous attacks. Dax89/WebPirate#30

I've checked it with https://www.ssllabs.com/ssltest/viewMyClient.html

Please release a bugfix version which at least work around to fix those problems.

[llelectronics]

Freak Attack shouldn't be a problem. See: https://freakattack.com/clienttest.html
The same goes for Poodle Attack: https://www.poodletest.com/

All those tests were performed on SailfishOS 2.0.0.10 with Webcat 2.0.8

[RoestVrijStaal]

Yeah, but WebCat still supports old protocols and cyphers like SSL 3.0.

[llelectronics]

This needs to be adressed upstream then.
On my tests I think I had my router (firewall) blocking sslv3 which lead to not vulnerable messages in the various testing suites.
I will reopen it and mark it as an upstream (qtwebkit) bug that needs fixing there. (basically by updating to a newer qt version)

[llelectronics]

Fixed

[comminux]

Was it fixed by you or by SFOS updates?

[llelectronics]

I have a fixed version available in the ll-webkit github repo.
https://github.com/llelectronics/lls-qtwebkit
Jolla should have fixed it also

[comminux]

Sorry, what is hash of this commit?

[llelectronics]

Sorry my bad. The fork from me fixes some image loading issues and memory leaks.
The actual fix should have landed in the various different libs qtwebkit depends on like openssl.
SSLv3 disabling is also possible during compile time. I think it is disabled by default now in a openssl update Jolla did for its latest version 2.0.1.11
I rechecked the different security tests today before releasing the new version and was not able to see any security issues thus I closed this here.

[comminux]

Thank you for responding!