Well, it's been known for a long time that Amiga & its programs aren't really that secure... The only thing stopping more widespread hacking is small size of the userbase. No-one bothers hacking such small platform.

These issues, however, seem to be related to "common standards", so they don't really need any "Amiga-specific" knowledge or hacking. Just see if the SSL implementation is vulnerable, without even caring about the underlying OS.

Of course the good thing here is that something CAN already be done about it. Instructions within the text file. Also, ibrowse might be fixed at some point.

Specific advice for IBrowse 2.4 users: http://www.ibrowse-dev.net/news.php?id=1393094281

_________________
IBrowse, AmiSSL and Warp Datatype Developer

Thanks to Piru for identifying the vulnerabilities and everyone involved in fixing them.

@Futaura

Thanks for following this and the quick post on tweaking my favorite browser!

PJS

Thanks Harry and Oliver.

_________________
Philippe 'Elwood' Ferrucci
Sam460 1.10 Ghz
AmigaOS 4 betatester
Amiga Translator Organisation

@Piru and Futaura

Thanks!

Thanks guys for the heads up on this.

iBrowse has been my favorite browser for a very long time. Been using OWB lately, but I wish iBrowse had tons of funds and coders dumped on it to quickly bring it current because iBrowse should still be number one on my dance card. It is a connection back to a day I relish.

Any suggestion about when v2.5 will be released?

____________
Moxee

_________________
Moxee
AmigaOne X1000
AmigaOne XE G4
I'd agree with you, but then we'd both be wrong.

IBrowse is still my favorite browser, also on PPC. I would love to buy an update.

_________________
- KimmoK
// For freedom, for honor, for AMIGA
//
// Thing that I should find more time for: CC64 - 64bit Community Computer?

I hope there will be an update to AWeb.

Quote:

I hope there will be an update to AWeb

I could take a look, but can't currently build 68k AWebs.

And right at the moment that advisory link seems to have gone dead, with an peer certificate error!

_________________
BroadBlues On Blues BroadBlues On Amiga Walker Broad

Hmm I can access it in chrome under linux , but no browser on my SAM can reach it AWeb and Odysey report a problem with the certificate (a different error to the occasional our of date error which ca be ignored) and OWB just shows a blank page.

Last edited by broadblues on 25-Feb-2014 at 03:43 PM.

_________________
BroadBlues On Blues BroadBlues On Amiga Walker Broad

Is it supposed to be broken in iBrowse? I get this requster come up about a blank certificate. And if I accept I get a blank page. Is that it? Did it just hack my system?

@Hypex

The certificate can't be verified by AWeb but the usual continue anyway requester doesn't work perhaps Piru has his server setup with an unsupported protocol.

Your system is certainly not hacked.

_________________
BroadBlues On Blues BroadBlues On Amiga Walker Broad

I've patched AWeb but I don't how to verify the patch is working. I mean it still connects to secure sites with the exception of the advisory above as noted, but how to verify it's only using secure connections etc.

_________________
BroadBlues On Blues BroadBlues On Amiga Walker Broad

Patched AWeb 3.5.11 is now at os4depot (upload queue) some other pending fixes included.

Source is in archive for anyone who wants to build 68k or Morphos versions.

Last edited by broadblues on 26-Feb-2014 at 11:48 AM.

_________________
BroadBlues On Blues BroadBlues On Amiga Walker Broad

@Broadblues

You can use https://gotofail.com/ to run a check.

_________________
Troll - n., A disenfranchised former potential customer who remains interested enough to stay informed and express critical opinions.
opp., the vast majority who voted silently with their feet.

Quote:

You can use https://gotofail.com/ to run a check.

Not with AWeb! That site uses css ana javasript that AWeb doesn't have.

_________________
BroadBlues On Blues BroadBlues On Amiga Walker Broad

Of course big players like Apple can also fail miserably in SSL security. Even in NEW code...

Try http://sintonen.fi/advisories/amiga-ssl-vulnerabilities.txt instead (no https) in IBrowse or AWeb which works. Oddly, this redirects to the https url in Chrome, yet in IBrowse there is no hint of any redirects.

It looks like part of the problem, if I'm understanding the OpenSSL error message correctly, is that AmiSSL does not yet support SHA2 (only SHA1) which was a feature added to OpenSSL since the last release of AmiSSL. At least, that would be why the certificate verification failure happens in AWeb.

Last edited by Futaura on 27-Feb-2014 at 08:22 PM.

_________________
IBrowse, AmiSSL and Warp Datatype Developer

Quote:

Oddly, this redirects to the https url in Chrome, yet in IBrowse there is no hint of any redirects.

The web server is configured to allow http on Amiga browsers specifically. Anything more modern gets https version, which might have issues on Amiga browsers.