Alfred Peng wrote:
>
> On 01/02/09 15:59, Hugh McIntyre wrote:
>> Shi-Ying Irene Huang wrote:
>> So does this mean that:
>>
>> - HTTPS is not supported right now?
>> - HTTPS is supported, but does no verification of the server
>>   certificate, thus defeating half of the point of HTTPS?
>> - HTTPS is supported and checks the certificates properly, just not
>>   via CURL/OpenSSL?
>> - or that WebKit does not do the network accesses itself?
> The current status for HTTPS support is between option 1 and 2.
> Normally, WebKit doesn't support HTTPS. But if the environment
> "WEBKIT_IGNORE_SSL_ERRORS" is set, WebKit will call libcURL function to
> skip the certificate verification and deal with HTTPS request. OpenSSL
> isn't involved in this right now. But to enable SSL verification is on
> the plan.

Sounds OK, since the out-of-the-box default won't load HTTPS in an
unsafe way. Presumably any documentation on "WEBKIT_IGNORE_SSL_ERRORS"
will point out that this defeats the security of HTTPS?

>> As a second security-related question, what's the support plan every
>> time in future that Apple announces a Mac OS security fix that
>> includes an update to its WebKit? Will OpenSolaris be able to keep
>> up promptly with this?
>>
>> Hugh. (not a LSARC member and thus no vote).
> WebKit/GTK+ is part of the WebKit open source efforts which GNOME
> community takes the initiative. Currently, several GNOME applications
> migrate to depend on this web browser engine, devhelp/epiphany for
> example. As for the security fix, we'll work with GNOME community to
> provide support.

OK. My point in mentioning this was mainly that, because of the common
usage with Safari et al, any time Apple releases a security fix that
includes fixes to WebKit it will be very obvious if Solaris has a fix
ready at the same time or not. This will make any lag in security fixes
more obvious than non-shared software. Hopefully the GNOME community
will not be trailing Apple here.

Hugh.
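
The thread says HTTPS certificate verification is skipped whenever "WEBKIT_IGNORE_SSL_ERRORS" is set in the environment. As an added example (not part of the thread and not WebKit or OpenSolaris code), this POSIX shell function lists running processes that were started with the variable set. It assumes a Linux-style procfs, where <root>/<pid>/environ holds NUL-separated NAME=value entries and <root>/<pid>/comm holds the command name; the function name is hypothetical.

```sh
# Added example: audit process environments for the variable that the
# thread says makes WebKit skip certificate verification.
# Assumption: Linux-style procfs layout (environ, comm) under the root.

VAR_NAME="WEBKIT_IGNORE_SSL_ERRORS"

# find_ssl_bypass_procs [proc_root]
# Prints "<pid> <command>" for every process under proc_root (default
# /proc) whose environment sets $VAR_NAME, whatever its value.
# Exit status: 0 if at least one process was found, 1 otherwise.
# The body runs in a subshell so its variables do not leak to the caller.
find_ssl_bypass_procs() (
    root="${1:-/proc}"
    found=1
    for dir in "$root"/[0-9]*; do
        # Skip entries we cannot read (other users' processes, or a
        # process that exited between the glob and this check).
        [ -r "$dir/environ" ] || continue

        # Per the thread the variable only has to be set, so match the
        # exact name followed by '=' and ignore the value. Anchoring at
        # the start of the entry avoids matching names that merely end
        # in the same string.
        if tr '\0' '\n' < "$dir/environ" 2>/dev/null \
                | grep -q "^${VAR_NAME}="; then
            pid="${dir##*/}"
            comm="unknown"
            [ -r "$dir/comm" ] && read -r comm < "$dir/comm"
            printf '%s %s\n' "$pid" "$comm"
            found=0
        fi
    done
    [ "$found" -eq 0 ]
)
```

An unprivileged user can normally read only the environ files of their own processes, so a system-wide check has to run as root.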
