Hi Hugh,

On 01/02/09 15:59, Hugh McIntyre wrote:
> Shi-Ying Irene Huang wrote:
>>     4.11. Security Impact:
>>       In the future, the WebKit community plans that WebKit/GTK+ will use cURL
>>       and then OpenSSL library to verify the peer's certificates for HTTPS
>>       connections. However, this feature is not implemented yet.
>
> So does this mean that:
>
> - HTTPS is not supported right now?
> - HTTPS is supported, but does no verification of the server 
> certificate, thus defeating half of the point of HTTPS?
> - HTTPS is supported and checks the certificates properly, just not 
> via CURL/OpenSSL?
> - or that WebKit does not do the network accesses itself?

The current status of HTTPS support is between options 1 and 2.
Normally, WebKit doesn't support HTTPS. But if the environment variable
"WEBKIT_IGNORE_SSL_ERRORS" is set, WebKit will call a libcURL function to
skip the certificate verification and deal with HTTPS requests. OpenSSL
isn't involved in this right now. But enabling SSL verification is in
the plan.

> As a second security-related question, what's the support plan every 
> time in future that Apple announces a Mac OS security fix that 
> includes an update to its WebKit?  Will OpenSolaris be able to keep 
> up promptly with this?
>
> Hugh.  (not a LSARC member and thus no vote).

WebKit/GTK+ is part of the WebKit open source effort, in which the GNOME
community takes the initiative. Currently, several GNOME applications
are migrating to depend on this web browser engine, devhelp/epiphany for
example. As for the security fix, we'll work with the GNOME community to
provide support.

Thanks,
-Alfred
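
A defender-side check for the switch discussed in this thread, added here as an example that is not from the thread's authors or from WebKit: it flags environment blocks in which WEBKIT_IGNORE_SSL_ERRORS is set. The Linux /proc/<pid>/environ layout, the function names and the sample data are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not WebKit or OpenSolaris code): find environments that set
# WEBKIT_IGNORE_SSL_ERRORS, the switch that skips certificate verification.
VAR=WEBKIT_IGNORE_SSL_ERRORS

# Succeeds if FILE, a NUL-separated environment block in the layout of
# Linux /proc/<pid>/environ (assumed platform interface), defines $VAR.
# Being set is enough: an empty value still counts.
env_block_has_var() {
    [ -r "$1" ] || return 1
    tr '\0' '\n' < "$1" | grep -q "^${VAR}="
}

# Prints every FILE argument whose block defines $VAR, one per line.
flag_env_blocks() {
    for f in "$@"; do
        if env_block_has_var "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Writes two constructed sample blocks into DIR: browser.environ sets the
# variable, editor.environ only carries the name inside another value.
make_samples() {
    printf 'HOME=/home/demo\0WEBKIT_IGNORE_SSL_ERRORS=1\0LANG=C\0' \
        > "$1/browser.environ"
    printf 'HOME=/home/demo\0NOTE=WEBKIT_IGNORE_SSL_ERRORS=1\0' \
        > "$1/editor.environ"
}

# Demo on the constructed samples; on a live Linux host the call would be
#   flag_env_blocks /proc/[0-9]*/environ
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
flag_env_blocks "$demo_dir"/*.environ
rm -rf "$demo_dir"
```

Because the block is split on newlines after translation, a variable whose value contains a newline followed by the name could produce a false match; treat hits as leads to confirm.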
