Click Here
home features news forums classifieds faqs links search
5808 members 
Amiga Q&A /  Free for All /  Emulation /  Gaming / (Latest Posts)
Login

Nickname

Password

Lost Password?

Don't have an account yet?
Register now!

Support Amigaworld.net
Your support is needed and is appreciated as Amigaworld.net is primarily dependent upon the support of its users.
Donate

Menu
Main sections
Home
Features
News
Forums
Classifieds
Links
Downloads
Extras
OS4 Zone
IRC Network
AmigaWorld Radio
Newsfeed
Top Members
Amiga Dealers
Information
About Us
FAQs
Advertise
Polls
Terms of Service
Search

IRC Channel
Server: irc.amigaworld.net
Ports: 1024,5555, 6665-6669
SSL port: 6697
Channel: #Amigaworld
Channel Policy and Guidelines

Who's Online
59 crawler(s) on-line.
 18 guest(s) on-line.
 1 member(s) on-line.


 NutsAboutAmiga

You are an anonymous user.
Register Now!
 NutsAboutAmiga:  1 secs ago
 BSzili:  18 mins ago
 amisteph:  34 mins ago
 Bugala:  45 mins ago
 Trixie:  48 mins ago
 hardwaretech:  48 mins ago
 nikosidis:  1 hr ago
 daydreamer:  1 hr 3 mins ago
 BigD:  1 hr 6 mins ago
 kolla:  1 hr 10 mins ago

Software News   Software News : Amiga SSL Vulnerabilities
   posted by jPV on 22-Feb-2014 18:26:13 (4079 reads)
Harry "Piru" Sintonen reveals security issues on Amiga SSL implementations.
Critical vulnerabilities are found from iBrowse, SimpleMail and other programs.

Read more at https://sintonen.fi/advisories/amiga-ssl-vulnerabilities.txt
    

Related Links
· More about Software News
· News by jPV


Most read story about Software News
UBoot 2010.06.04 for Sam460ex available

Last news about Software News
Goadf! 3.0 has been released
Printer Friendly Page  Send this Story to a Friend

Goto page ( 1 | 2 )

PosterThread
Jupp3 
Re: Amiga SSL Vulnerabilities
Posted on 22-Feb-2014 21:43:35
#1 ]
Super Member
Joined: 22-Feb-2007
Posts: 1224
From: Unknown

Well, it's been known for a long time that Amiga & its programs aren't really that secure... The only thing stopping more widespread hacking is small size of the userbase. No-one bothers hacking such small platform.

These issues, however, seem to be related to "common standards", so they don't really need any "Amiga-specific" knowledge or hacking. Just see if the SSL implementation is vulnerable, without even caring about the underlying OS.

Of course the good thing here is that something CAN already be done about it. Instructions within the text file. Also, ibrowse might be fixed at some point.

 Status: Offline
Profile     Report this post  
Futaura 
Re: Amiga SSL Vulnerabilities
Posted on 23-Feb-2014 10:56:16
#2 ]
Regular Member
Joined: 10-May-2004
Posts: 231
From: UK

Specific advice for IBrowse 2.4 users: http://www.ibrowse-dev.net/news.php?id=1393094281

 Status: Offline
Profile     Report this post  
Rob 
Re: Amiga SSL Vulnerabilities
Posted on 23-Feb-2014 12:01:37
#3 ]
Elite Member
Joined: 20-Mar-2003
Posts: 5927
From: S.Wales

Thanks to Piru for identifying the vulnerabilities and everyone involved in fixing them.

 Status: Offline
Profile     Report this post  
pjs 
Re: Amiga SSL Vulnerabilities
Posted on 23-Feb-2014 14:19:57
#4 ]
Member
Joined: 2-Jan-2006
Posts: 68
From: VA, USA

@Futaura

Thanks for following this and the quick post on tweaking my favorite browser!

PJS

 Status: Offline
Profile     Report this post  
elwood 
Re: Amiga SSL Vulnerabilities
Posted on 23-Feb-2014 21:02:00
#5 ]
Elite Member
Joined: 17-Sep-2003
Posts: 3425
From: Lyon, France

Thanks Harry and Oliver.


_________________
Philippe 'Elwood' Ferrucci
Sam460 1.10 Ghz
AmigaOS 4 betatester
Amiga Translator Organisation

 Status: Offline
Profile     Report this post  
pavlor 
Re: Amiga SSL Vulnerabilities
Posted on 23-Feb-2014 21:10:21
#6 ]
Elite Member
Joined: 10-Jul-2005
Posts: 9120
From: Unknown

@Piru and Futaura

Thanks!

 Status: Offline
Profile     Report this post  
Moxee 
Re: Amiga SSL Vulnerabilities
Posted on 23-Feb-2014 22:41:45
#7 ]
Team Member
Joined: 20-Aug-2003
Posts: 6291
From: County Yakima, WA State, USA

Thanks guys for the heads up on this.

iBrowse has been my favorite browser for a very long time. Been using OWB lately, but I wish iBrowse had tons of funds and coders dumped on it to quickly bring it current because iBrowse should still be number one on my dance card. It is a connection back to a day I relish.

Any suggestion about when v2.5 will be released?

____________
Moxee


_________________
Moxee
AmigaOne X1000
AmigaOne XE G4
I'd agree with you, but then we'd both be wrong.

 Status: Offline
Profile     Report this post  
KimmoK 
Re: Amiga SSL Vulnerabilities
Posted on 24-Feb-2014 14:54:54
#8 ]
Elite Member
Joined: 14-Mar-2003
Posts: 5191
From: Ylikiiminki, Finland

IBrowse is still my favorite browser, also on PPC. I would love to buy an update.


_________________
- KimmoK
// For freedom, for honor, for AMIGA
//
// Thing that I should find more time for: CC64 - 64bit Community Computer?

 Status: Offline
Profile     Report this post  
Minuous 
Re: Amiga SSL Vulnerabilities
Posted on 25-Feb-2014 4:07:14
#9 ]
Regular Member
Joined: 30-Oct-2004
Posts: 319
From: Unknown

I hope there will be an update to AWeb.

 Status: Offline
Profile     Report this post  
broadblues 
Re: Amiga SSL Vulnerabilities
Posted on 25-Feb-2014 15:30:55
#10 ]
Amiga Developer Team
Joined: 20-Jul-2004
Posts: 4411
From: Portsmouth England

Quote:

I hope there will be an update to AWeb


I could take a look, but can't currently build 68k AWebs.

And right at the moment that advisory link seems to have gone dead, with an peer certificate error!


_________________
BroadBlues On Blues BroadBlues On Amiga Walker Broad

 Status: Offline
Profile     Report this post  
broadblues 
Re: Amiga SSL Vulnerabilities
Posted on 25-Feb-2014 15:35:53
#11 ]
Amiga Developer Team
Joined: 20-Jul-2004
Posts: 4411
From: Portsmouth England

Hmm I can access it in chrome under linux , but no browser on my SAM can reach it AWeb and Odysey report a problem with the certificate (a different error to the occasional our of date error which ca be ignored) and OWB just shows a blank page.

Last edited by broadblues on 25-Feb-2014 at 03:43 PM.


_________________
BroadBlues On Blues BroadBlues On Amiga Walker Broad

 Status: Offline
Profile     Report this post  
Hypex 
Re: Amiga SSL Vulnerabilities
Posted on 25-Feb-2014 15:51:50
#12 ]
Elite Member
Joined: 6-May-2007
Posts: 10018
From: Greensborough, Australia

Is it supposed to be broken in iBrowse? I get this requster come up about a blank certificate. And if I accept I get a blank page. Is that it? Did it just hack my system?

 Status: Offline
Profile     Report this post  
broadblues 
Re: Amiga SSL Vulnerabilities
Posted on 25-Feb-2014 16:19:25
#13 ]
Amiga Developer Team
Joined: 20-Jul-2004
Posts: 4411
From: Portsmouth England

@Hypex

The certificate can't be verified by AWeb but the usual continue anyway requester doesn't work perhaps Piru has his server setup with an unsupported protocol.

Your system is certainly not hacked.


_________________
BroadBlues On Blues BroadBlues On Amiga Walker Broad

 Status: Offline
Profile     Report this post  
broadblues 
Re: Amiga SSL Vulnerabilities
Posted on 25-Feb-2014 16:21:12
#14 ]
Amiga Developer Team
Joined: 20-Jul-2004
Posts: 4411
From: Portsmouth England

I've patched AWeb but I don't how to verify the patch is working. I mean it still connects to secure sites with the exception of the advisory above as noted, but how to verify it's only using secure connections etc.


_________________
BroadBlues On Blues BroadBlues On Amiga Walker Broad

 Status: Offline
Profile     Report this post  
broadblues 
Re: Amiga SSL Vulnerabilities
Posted on 26-Feb-2014 2:28:32
#15 ]
Amiga Developer Team
Joined: 20-Jul-2004
Posts: 4411
From: Portsmouth England

Patched AWeb 3.5.11 is now at os4depot (upload queue) some other pending fixes included.

Source is in archive for anyone who wants to build 68k or Morphos versions.

Last edited by broadblues on 26-Feb-2014 at 11:48 AM.


_________________
BroadBlues On Blues BroadBlues On Amiga Walker Broad

 Status: Offline
Profile     Report this post  
Boot_WB 
Re: Amiga SSL Vulnerabilities
Posted on 26-Feb-2014 19:17:13
#16 ]
Super Member
Joined: 14-Feb-2006
Posts: 1134
From: Kingston upon Hull, UK

@Broadblues

You can use https://gotofail.com/ to run a check.


_________________
Troll - n., A disenfranchised former potential customer who remains interested enough to stay informed and express critical opinions.
opp., the vast majority who voted silently with their feet.

 Status: Offline
Profile     Report this post  
broadblues 
Re: Amiga SSL Vulnerabilities
Posted on 26-Feb-2014 22:01:20
#17 ]
Amiga Developer Team
Joined: 20-Jul-2004
Posts: 4411
From: Portsmouth England

Quote:

You can use https://gotofail.com/ to run a check.


Not with AWeb! That site uses css ana javasript that AWeb doesn't have.


_________________
BroadBlues On Blues BroadBlues On Amiga Walker Broad

 Status: Offline
Profile     Report this post  
Jupp3 
Re: Amiga SSL Vulnerabilities
Posted on 26-Feb-2014 23:26:11
#18 ]
Super Member
Joined: 22-Feb-2007
Posts: 1224
From: Unknown

Of course big players like Apple can also fail miserably in SSL security. Even in NEW code...

 Status: Offline
Profile     Report this post  
Futaura 
Re: Amiga SSL Vulnerabilities
Posted on 27-Feb-2014 19:54:30
#19 ]
Regular Member
Joined: 10-May-2004
Posts: 231
From: UK

Try http://sintonen.fi/advisories/amiga-ssl-vulnerabilities.txt instead (no https) in IBrowse or AWeb which works. Oddly, this redirects to the https url in Chrome, yet in IBrowse there is no hint of any redirects.

It looks like part of the problem, if I'm understanding the OpenSSL error message correctly, is that AmiSSL does not yet support SHA2 (only SHA1) which was a feature added to OpenSSL since the last release of AmiSSL. At least, that would be why the certificate verification failure happens in AWeb.

Last edited by Futaura on 27-Feb-2014 at 08:22 PM.

 Status: Offline
Profile     Report this post  
Jupp3 
Re: Amiga SSL Vulnerabilities
Posted on 27-Feb-2014 22:39:07
#20 ]
Super Member
Joined: 22-Feb-2007
Posts: 1224
From: Unknown

Quote:
Oddly, this redirects to the https url in Chrome, yet in IBrowse there is no hint of any redirects.

The web server is configured to allow http on Amiga browsers specifically. Anything more modern gets https version, which might have issues on Amiga browsers.

 Status: Offline
Profile     Report this post  

Goto page ( 1 | 2 )

[ home ][ about us ][ privacy ] [ forums ][ classifieds ] [ links ][ news archive ] [ link to us ][ user account ]
Copyright (C) 2000 - 2019 Amigaworld.net.
Amigaworld.net was originally founded by David Doyle