MorphOS security comparison
  • Yokemate of Keyboards
    Yokemate of Keyboards
    Andreas_Wolf
    Posts: 12150 from 2003/5/22
    From: Germany
    > there is javascript running in browser, I guess?

    Yes.

    > Brings me to the browser: any clues how secure it is?

    OWB 1.24 (April 2014) from Fab's site includes:
    - OpenSSL 1.0.1g (April 2014)
    - WebKit r161078 (January 2014)

    OWB 1.23 (June 2015) from MorphOS 3.9 ISO includes:
    - OpenSSL 1.0.1o (June 2015)
    - WebKit r155188 (October 2013)
  • »26.04.16 - 12:33
    Profile
  • Order of the Butterfly
    Order of the Butterfly
    Elowan
    Posts: 214 from 2011/4/18
    From: Frankfurt (Ger...
    uhmmm - Webkit went 2.x some time ago... OWB uses 1.5/1.6, still?
    Don´t know about SSL

    but look very dated, or am I mistaken?

    No more development, regarding OWB for 2 years?
    That´s sad - did the developer gave up on this?

    [ Editiert durch Elowan 26.04.2016 - 17:31 ]
    12" ibook G4 1.33Ghz, 1.5GB RAM, ATI 9550 32MB, 16GB SSD, WiFi, BT, ComboDrive
  • »26.04.16 - 13:28
    Profile
  • Acolyte of the Butterfly
    Acolyte of the Butterfly
    deka
    Posts: 136 from 2013/2/12
    From: Hungary, Kecsk...
    Quote:

    Elowan wrote:
    That´s sad - did the developer gave up on this?



    Probably you have heard the famous Java JIT engine problem on Big Endian machines (what the WebKit developers will not care anymore). It is really tricky to correct. That's why Fab haven't ported a recent version of WebKit.

    [ Edited by deka 26.04.2016 - 18:04 ]
  • »26.04.16 - 14:03
    Profile
  • Moderator
    Kronos
    Posts: 2323 from 2003/2/24
    Quote:

    deka wrote:

    Probably you have heard the famous Java JIT engine problem on Big Endian machines (what the WebKit developers will not care anymore). It is really tricky to correct. That's why Fab haven't ported a recent version of WebKit.


    That and a stack of dirty diapers ;)
  • »26.04.16 - 14:33
    Profile
  • Paladin of the Pegasos
    Paladin of the Pegasos
    koszer
    Posts: 1250 from 2004/2/8
    From: Poland
    Quote:

    Probably you have heard the famous Java JIT engine problem on Big Endian machines (what the WebKit developers will not care anymore). It is really tricky to correct. That's why Fab haven't ported a recent version of WebKit.


    Again someone mixing Javascript with Java... Sigh...
    From what I know the Javascript engine endianess issue isn't at all connected with JIT. This is the other story. If the Javascript engine would be fixed for big-endian machines we'd have a recent Odyssey version, running similar to the earlier versions. Then if the Javascript interpreter JIT would be ready, the browser (especially on heavy JS using sites) would feel much faster.


    [ Edited by koszer 26.04.2016 - 18:41 ]
  • »26.04.16 - 14:37
    Profile
  • Acolyte of the Butterfly
    Acolyte of the Butterfly
    deka
    Posts: 136 from 2013/2/12
    From: Hungary, Kecsk...
    Indeed... I've mixed everything with everything. (blush)
  • »26.04.16 - 15:23
    Profile
  • Yokemate of Keyboards
    Yokemate of Keyboards
    Andreas_Wolf
    Posts: 12150 from 2003/5/22
    From: Germany
    > Webkit went 2.x some time ago...

    WebKit2 discussion:

    https://morph.zone/modules/newbb_plus/viewtopic.php?topic_id=11161&forum=3&start=24

    > SSL [...] look very dated, or am I mistaken?

    May 2015 is not exactly brand-new, but as was the case with MorphOS 3.8 and 3.9, the 3.10 release will likely bring new OpenSSL also for OWB as this can be upgraded without touching the other OWB parts.

    > did the developer gave up on this?

    https://morph.zone/modules/newbb_plus/viewtopic.php?topic_id=11566&forum=32&start=17
  • »26.04.16 - 20:03
    Profile
  • Yokemate of Keyboards
    Yokemate of Keyboards
    Andreas_Wolf
    Posts: 12150 from 2003/5/22
    From: Germany
    > the Javascript interpreter JIT

    "JIT" is short for "just-in-time compiler", so it's either JavaScript interpreter or JavaScript JIT :-)
  • »26.04.16 - 20:29
    Profile
  • Order of the Butterfly
    Order of the Butterfly
    Elowan
    Posts: 214 from 2011/4/18
    From: Frankfurt (Ger...
    great Informations, thanks everybody!!

    [ Editiert durch Elowan 27.04.2016 - 11:03 ]
    12" ibook G4 1.33Ghz, 1.5GB RAM, ATI 9550 32MB, 16GB SSD, WiFi, BT, ComboDrive
  • »27.04.16 - 07:02
    Profile
  • Order of the Butterfly
    Order of the Butterfly
    Elowan
    Posts: 214 from 2011/4/18
    From: Frankfurt (Ger...
    Ok, so Webkit 2.x is not "more secure" than 1.x - it´s mostly about the tabs handling and performance.
    So they should be equally, security-wise?
    12" ibook G4 1.33Ghz, 1.5GB RAM, ATI 9550 32MB, 16GB SSD, WiFi, BT, ComboDrive
  • »27.04.16 - 08:57
    Profile
  • Paladin of the Pegasos
    Paladin of the Pegasos
    Yasu
    Posts: 1724 from 2012/3/22
    From: Stockholm, Sweden
    OpenSSL keeps being updated. As for OWB, yes, the Javascript engine is a pain in the *ss. But I havn't experienced any real problems with most web sites, except for Tumbl and Youtube. The first just doesn't work most of the time and the latter you can't log into. And then we have the general bloat trend that makes slow hardware like ours having to work like crazy, especially without the javascript JIT. But this is a problem all systems are facing now: bloat.

    My general conclusion is that even though OWB is rather old now it still does what it's suppose to very well. I would say it's no more nor less secure than any other browser out there. MorphOS doesn't have much of security, but we don't have mal- spy- or ransomware either.
    AMIGA FORUM - Hela Sveriges Amigatidning!
    AMIGA FORUM - Sweden's Amiga Magazine!

    My MorphOS blog
  • »27.04.16 - 12:30
    Profile Visit Website
  • Order of the Butterfly
    Order of the Butterfly
    Elowan
    Posts: 214 from 2011/4/18
    From: Frankfurt (Ger...
    my main concern is/was Web-browsing. but this seems to be "in the o.k. zone" :)

    maybe we could raise some money for the OWB - dev(s) or the MOS-team to make it even saver, browsing the web?!
    12" ibook G4 1.33Ghz, 1.5GB RAM, ATI 9550 32MB, 16GB SSD, WiFi, BT, ComboDrive
  • »27.04.16 - 12:52
    Profile
  • Order of the Butterfly
    Order of the Butterfly
    ChrisH
    Posts: 167 from 2009/11/26
    Quote:

    Elowan wrote:
    Ok - my main worry was to be vulnerable when surfing the web.

    So it seems, MorphOS is maybe even more secure, than some linux distros - not because it is very safe and secured, but just because it´s rare and uncommon.

    Beware that this is not entirely true. Odyssey is based upon WebKit, and WebKit is certainly a pretty big target for attack. So if Odyssey doesn't use an up-to-date version of WebKit, then there is some risk.

    I don't know how up-to-date Odyssey's WebKit is on MorphOS, but on OS4 it is extremely out of date. Which, for example, leads to webpages being able to show a fake URL in the address bar, meaning you might think you are safely on your banking website, but in reality you are on a fake phishing website. An article about the exploit is here:
    http://www.theregister.co.uk/2015/05/20/safari_address_spoofing_vuln/

    And you can check if Odyssey is vulnerable using this:
    http://www.deusen.co.uk/items/iwhere.9500182225526788/
    (Click on "Go", and you will see a fake Daily Mail URL in the address bar.)

    Note: If you could automatically disable JavaScript on all webpages, except those you white-list, then this would be much less of a problem. Odyssey v1.23 (for OS4) doesn't seem to have this option.
    Author of the PortablE programming language.
    It is pitch black. You are likely to be eaten by a grue...
  • »28.04.16 - 08:13
    Profile Visit Website
  • Yokemate of Keyboards
    Yokemate of Keyboards
    Andreas_Wolf
    Posts: 12150 from 2003/5/22
    From: Germany
    > I don't know how up-to-date Odyssey's WebKit is on MorphOS

    See comment #10.
  • »28.04.16 - 09:22
    Profile
  • Paladin of the Pegasos
    Paladin of the Pegasos
    TheMagicM
    Posts: 1220 from 2003/6/17
    After reading all of this, it sounds like someone needs to make a "Lamer Exterminator NG" virus.

    Ok, who's got the bounty on this? LOL
  • »28.04.16 - 13:36
    Profile Visit Website
  • Order of the Butterfly
    Order of the Butterfly
    Elowan
    Posts: 214 from 2011/4/18
    From: Frankfurt (Ger...
    ...oh dear!
    12" ibook G4 1.33Ghz, 1.5GB RAM, ATI 9550 32MB, 16GB SSD, WiFi, BT, ComboDrive
  • »28.04.16 - 14:45
    Profile
  • Order of the Butterfly
    Order of the Butterfly
    Raf_MegaByte
    Posts: 430 from 2004/10/10
    From: Nella grande r...
    Quote:

    ChrisH wrote:
    Quote:

    Elowan wrote:
    Ok - my main worry was to be vulnerable when surfing the web.

    So it seems, MorphOS is maybe even more secure, than some linux distros - not because it is very safe and secured, but just because it´s rare and uncommon.

    Beware that this is not entirely true. Odyssey is based upon WebKit, and WebKit is certainly a pretty big target for attack. So if Odyssey doesn't use an up-to-date version of WebKit, then there is some risk.



    Paradoxally the sites we have to fear are those maintained by Amigans as Amigans have enough knowledge to create malicious Javascript code potentially dangerous for our systems and iniect this code at any visit.

    I think it should be not difficult to create a javascript program executing DOS commands or AreXX, am I wrong?

    [ Edited by Raf_MegaByte 29.04.2016 - 00:42 ]
    Bill Gates "Think!", Steve Jobs: "Think different!" So... Let these guy continue blabbering thinking and enjoy computing! We are on Amiga!
  • »28.04.16 - 20:40
    Profile
  • Yokemate of Keyboards
    Yokemate of Keyboards
    Andreas_Wolf
    Posts: 12150 from 2003/5/22
    From: Germany
    > you can check if Odyssey is vulnerable using this:
    > http://www.deusen.co.uk/items/iwhere.9500182225526788/
    > (Click on "Go", and you will see a fake Daily Mail URL in the address bar.)

    Exploit doesn't work here (Odyssey 1.24 on MorphOS 3.9).
  • »28.04.16 - 22:15
    Profile
  • pOS
  • Order of the Butterfly
    Order of the Butterfly
    pOS
    Posts: 217 from 2003/11/14
    From: Bavaria
    Quote:

    Andreas_Wolf wrote:
    > you can check if Odyssey is vulnerable using this:
    > http://www.deusen.co.uk/items/iwhere.9500182225526788/
    > (Click on "Go", and you will see a fake Daily Mail URL in the address bar.)

    Exploit doesn't work here (Odyssey 1.24 on MorphOS 3.9).


    Same versions here, but on my system clicking on "Go" actually results in a fake URL.....
  • »28.04.16 - 22:57
    Profile Visit Website
  • Yokemate of Keyboards
    Yokemate of Keyboards
    Andreas_Wolf
    Posts: 12150 from 2003/5/22
    From: Germany
    > Same versions here, but on my system clicking on "Go" actually results in a fake URL.....

    Yeah, I tried again today and the exploit works in fact. Something must have gone wrong when I tried first.
  • »29.04.16 - 06:49
    Profile
  • Priest of the Order of the Butterfly
    Priest of the Order of the Butterfly
    KennyR
    Posts: 878 from 2003/3/4
    From: #AmigaZeux, Gu...
    With the number of active and regular users of all AmigaOS and Amigaoid OS's now down to probably around 30-50 worldwide, being hacked because of an exploit -- even one that's easy -- is extremely unlikely. One in a million people still know what an ARexx script was. One in a hundred million still know how to write one. And Amiga browsers just didn't get far enough on for Java or Javascript to be a problem.

    The security issue with the Amigaoid OS's is sending out your passwords over the web cleartext or using out of date and compromised SSL. The attacker doesn't care what you used to make the connection, he sees your password.
  • »01.05.16 - 18:43
    Profile
  • Order of the Butterfly
    Order of the Butterfly
    Elowan
    Posts: 214 from 2011/4/18
    From: Frankfurt (Ger...
    Quote:

    KennyR schrieb:

    The security issue with the Amigaoid OS's is sending out your passwords over the web cleartext or using out of date and compromised SSL. The attacker doesn't care what you used to make the connection, he sees your password.


    Hmmm - I was thinking SSL takes care of this?!

    Cheers!
    12" ibook G4 1.33Ghz, 1.5GB RAM, ATI 9550 32MB, 16GB SSD, WiFi, BT, ComboDrive
  • »02.05.16 - 13:05
    Profile
  • Yokemate of Keyboards
    Yokemate of Keyboards
    Andreas_Wolf
    Posts: 12150 from 2003/5/22
    From: Germany
    >> sending out your passwords over the web cleartext or using out of date
    >> and compromised SSL

    > Hmmm - I was thinking SSL takes care of this?!

    Yes, unless it's out of date, compromised or not used at all :-)
  • »02.05.16 - 14:51
    Profile
  • vox
  • Priest of the Order of the Butterfly
    Priest of the Order of the Butterfly
    vox
    Posts: 524 from 2003/11/24
    From: Belgrade
    Quote:

    Elowan wrote:
    hi there,

    Would you use MorphOS for online-banking, pay-pal, ebay and such?


    Cheers!

    [ Editiert durch Elowan 25.04.2016 - 17:23 ]



    Its limited due to browser abilities.

    SSL is old, its not secured in that way.

    One way of protection by obscurity where no Flash or Java works,
    other is by CPU code where no x64 related mailware cannot be executed.

    So we are quite safe :-)
    ------------------------------------------
    iMac G5 1GB with MorphOS and MacOS X
    Lame PC with AmiKit XE
    YT channel https://www.youtube.com/channel/UCdHl_msNWHEVPf229h_gijQ
    Telegram Amiga group: https://t.me/amigaranchorelaxo
  • »03.05.16 - 23:52
    Profile
  • Order of the Butterfly
    Order of the Butterfly
    ChrisH
    Posts: 167 from 2009/11/26
    Quote:

    vox wrote:
    One way of protection by obscurity where no Flash or Java works,
    other is by CPU code where no x64 related mailware cannot be executed.

    So we are quite safe :-)

    I have some JavaScript snake oil to sell you. It is FDA approved...
    Author of the PortablE programming language.
    It is pitch black. You are likely to be eaten by a grue...
  • »13.05.16 - 18:42
    Profile Visit Website