WebKitGTK+ security issues presentation at WebKit Contributors Meeting, Fall 2015

Last summer ended WK1 support in GTK+ port
WK1 apps have three options:

port WK1 apps to WK2 (best option, about 1/2 done)
bring WK1 back and maintain it again (requires too much man power)
merge security fixes back to old branch (becomes harder and harder over time)

Email clients hard to port because of dom operations

CVEs from Apple don’t include information about how to exploit the vulnerability
Igalia made a security advisory, has one member of the security team (Carlos Garcia)

​http://webkitgtk.org/security/WSA-2015-0001.html[[BR]]

Apple does not release information about security fixes to security team members, no way to make another one
Who from Apple sent this information in the past? Don’t know. Igalia will contact Alex Christensen with this information
WebKitGTK+ releases every 6 months, fixes security bugs, but also adds 6 months of new security bugs
To convince Fedora to upgrade to WebKitGTK+2.8, they need a list of CVEs
Debian won’t accept updates either without documentation of CVEs
BadSSL.com will show warning that headers were sent before a secure connection is established

cookies are leaked to unverified attackers - not just libsoup problem - CVE-2015-2330

Bug in gcc 4.8 caused crash in legacy indexeddb code, but distributions still use gcc4.8
​https://support.apple.com/en-us/HT205265 example of Safari security advisory
Igalia wants a link between those CVE numbers and the bugzilla bug or merged code revision

equivalent would be if we commented in the bugzilla with the CVE number

Web Engines Hackfest in December in Spain

GTK+ has no sandboxes right now, any security exploit has complete access to the computer (but not as root)
seccomp filter based sandbox would need to be specific to each linux distribution because WebKitGTK+ has lots of dependencies which have different system calls
network namespace, filesystem namespace should be used instead
Remove non-network process compile configurations

Chrome, Firefox disabling RC4 fallback January or February 2016, WebKitGTK+ disabled it last year
americanairlines.com fails
Safari has no security indicator when http is used, Chrome and Firefox are moving to a broken lock icon for all http instead of nothing