|
Odyssey's SSL is susceptible to the Freak attack |
Posted on: 2015/3/6 18:59
#1 |
---|---|---|
Home away from home
![]() ![]() Joined:
2007/5/19 13:23 Posts: 2815
|
You can test Odyssey here:
https://freakattack.com/ |
|
|
Re: Odyssey's SSL is susceptible to the Freak attack |
Posted on: 2015/3/7 0:50
#2 |
---|---|---|
Quite a regular
![]() ![]() Joined:
2008/1/6 17:56 From Pennsylvania, USA
Posts: 773
|
@ChrisH
Odyssey appears to be using AmiSSL so maybe it's an AmiSSL problem. RA-OWB shows the same result at that site. NetSurf just freezes after loading the page. |
|
|
Re: Odyssey's SSL is susceptible to the Freak attack |
Posted on: 2015/3/7 8:08
#3 |
---|---|---|
Just can't stay away
![]() ![]() Joined:
2006/11/30 11:30 From Finland
Posts: 1281
|
@xenic
OWB uses a statically linked libopenssl (not AmiSSL) and most likely Odyssey does too. In that case the only thing that needs to be done is to compile and re-link with a newer version of libopenssl assuming that the problem has already been fixed there. |
|
|
Re: Odyssey's SSL is susceptible to the Freak attack |
Posted on: 2015/3/7 9:36
#4 |
---|---|---|
Quite a regular
![]() ![]() Joined:
2006/12/2 0:35 From Sydney
Posts: 629
|
At least TW sems to be immune.
|
|
|
Re: Odyssey's SSL is susceptible to the Freak attack |
Posted on: 2015/3/7 10:22
#5 |
---|---|---|
Amigans Defender
![]() ![]() Joined:
2006/11/17 22:40 From England
Posts: 2862
|
@xenic
Quote: NetSurf just freezes after loading the page. It doesn't here (using a recent dev version), but the check result doesn't display, probably because it uses Javascript. On this page there are a couple of other links, which "if either connection succeeds, your software is vulnerable". I can't connect to either of them, so I think it's probably OK - at least in the latest dev, v3.2 might be a different story as it'll have an older OpenSSL. |
|
|
Re: Odyssey's SSL is susceptible to the Freak attack |
Posted on: 2015/3/7 16:19
#6 |
---|---|---|
Home away from home
![]() ![]() Joined:
2007/9/11 11:31 From Russia
Posts: 3846
|
Quote:
Salas00 right. Odyssey build use classic/standard libopenssl, which just need to be recompiled with new version (at least os4 version, i do not remember about morphos version, but imho libopenssl as well). Anyway, imho, all those "modern" bugs, make no hurt for us in general, as most of time no one will try to hack anyone with amigaos. Even, if it all will be related to some cross-platform attacks, most of time they will fail as something will be non supported in our browser and attack will fail :) Sure, better to have all up2date, but in our case we can no worry most of time , imho. |
|
|
Re: Odyssey's SSL is susceptible to the Freak attack |
Posted on: 2015/3/8 18:45
#7 |
---|---|---|
Amigans Defender
![]() ![]() Joined:
2006/11/17 22:40 From England
Posts: 2862
|
@kas1e
Quote:
That's a bad attitude to have to security advisories. Quote: On Tuesday, March 3, 2015, researchers announced a new SSL/TLS vulnerability called the FREAK attack. It allows an attacker to intercept HTTPS connections between vulnerable clients and servers and force them to use weakened encryption, which the attacker can break to steal or manipulate sensitive data. This is applicable to everybody. |
|
|
Re: Odyssey's SSL is susceptible to the Freak attack |
Posted on: 2015/3/8 19:05
#8 |
---|---|---|
Quite a regular
![]() ![]() Joined:
2010/3/28 14:03 From Palencia (capital of the mythical Vaccean Kingdom)
Posts: 557
|
@ChrisH
And freezes and crashes! |
|
|
Re: Odyssey's SSL is susceptible to the Freak attack |
Posted on: 2015/3/8 20:59
#9 |
---|---|---|
Quite a regular
![]() ![]() Joined:
2010/5/16 11:20 From Grimsby, UK
Posts: 914
|
@kas1e
I'd rather someone update Odyssey with something useful like a newer WebKit, Ràdeon HD support and a focus on speed. Some sites really crawl on AmigaOS. Although it's the best browser for AmigaOS it stills needs regular updates. |
|
|
Re: Odyssey's SSL is susceptible to the Freak attack |
Posted on: 2015/3/10 12:47
#10 |
---|---|---|
Home away from home
![]() ![]() Joined:
2007/5/19 13:23 Posts: 2815
|
@djrikki Quote:
I'd rather someone update Odyssey with something useful So you'd rather have browser speed, at the expense of your paypal/bank/email/etc account being hacked? ![]() This is such a common flaw (it applies to majority of Windows PCs especially if using IE), that criminals will likely be targeting it (if not already) for a long time to come. Quote: a focus on speed. Some sites really crawl on AmigaOS. That's certainly true, but most of the remaining speed problems can be blamed on heavy usage of JavaScript (e.g. Facebook). Sadly we may need ANOTHER bounty to get the JavaScript JIT that is being worked on for MorphOS (assuming it's developers are willing to allow an AmigaOS4 port in the first place - which I have no idea about). OK, another speed issue is video playback, for which usage of AmigaOS4's new YUV compositing mode *might* help a lot. |
|