WebKitGTK+ security issues presentation at WebKit Contributors Meeting, Fall 2015

Last summer ended WK1 support in the GTK+ port.
WK1 apps have three options:
 * port WK1 apps to WK2 (best option, about 1/2 done)
 * bring WK1 back and maintain it again (requires too much man power)
 * merge security fixes back to the old branch (becomes harder and harder over time)
Email clients are hard to port because of DOM operations.

CVEs from Apple don't include information about how to exploit the vulnerability.
Igalia published a security advisory; it has one member on the security team (Carlos Garcia):
http://webkitgtk.org/security/WSA-2015-0001.html
Apple does not release information about security fixes to security team members, so there is no way to write another advisory.
Who from Apple sent this information in the past? Don't know. Igalia will contact Alex Christensen about this.
WebKitGTK+ releases every 6 months; each release fixes security bugs, but also adds 6 months of new security bugs.
To convince Fedora to upgrade to WebKitGTK+ 2.8, they need a list of CVEs.
Debian won't accept updates either without documentation of CVEs.
BadSSL.com will show a warning that headers were sent before a secure connection was established.
Cookies are leaked to an unverified attacker; not just a libsoup problem (CVE-2015-2330).
A bug in gcc 4.8 caused a crash in the legacy IndexedDB code, but distributions still use gcc 4.8.
https://support.apple.com/en-us/HT205265 is an example of a Safari security advisory.
Igalia wants a link between those CVE numbers and the Bugzilla bug or merged code revision; the equivalent would be commenting in the Bugzilla bug with the CVE number.
Web Engines Hackfest in December in Spain.

WebKitGTK+ has no sandbox right now: any successful exploit has complete access to the computer (though not as root).
A seccomp filter based sandbox would need to be specific to each Linux distribution, because WebKitGTK+ has lots of dependencies which make different system calls.
Network namespaces and filesystem namespaces should be used instead.
Remove the non-network-process compile configurations.

Chrome and Firefox are disabling RC4 fallback in January or February 2016; WebKitGTK+ disabled it last year.
americanairlines.com fails.
Safari has no security indicator when HTTP is used; Chrome and Firefox are moving to a broken lock icon for all HTTP instead of nothing.