> there is javascript running in browser, I guess?

Yes.

> Brings me to the browser: any clues how secure it is?

OWB 1.24 (April 2014) from Fab's site includes:
- OpenSSL 1.0.1g (April 2014)
- WebKit r161078 (January 2014)

OWB 1.23 (June 2015) from MorphOS 3.9 ISO includes:
- OpenSSL 1.0.1o (June 2015)
- WebKit r155188 (October 2013)

uhmmm - Webkit went 2.x some time ago... OWB uses 1.5/1.6, still?
Don´t know about SSL

but look very dated, or am I mistaken?

No more development, regarding OWB for 2 years?
That´s sad - did the developer gave up on this?

[ Editiert durch Elowan 26.04.2016 - 17:31 ]

Quote:

Probably you have heard the famous Java JIT engine problem on Big Endian machines (what the WebKit developers will not care anymore). It is really tricky to correct. That's why Fab haven't ported a recent version of WebKit.

[ Edited by deka 26.04.2016 - 18:04 ]

Quote:

That and a stack of dirty diapers ;)

Quote:

Again someone mixing Javascript with Java... Sigh...
From what I know the Javascript engine endianess issue isn't at all connected with JIT. This is the other story. If the Javascript engine would be fixed for big-endian machines we'd have a recent Odyssey version, running similar to the earlier versions. Then if the Javascript interpreter JIT would be ready, the browser (especially on heavy JS using sites) would feel much faster.


[ Edited by koszer 26.04.2016 - 18:41 ]

Indeed... I've mixed everything with everything. (blush)

> Webkit went 2.x some time ago...

WebKit2 discussion:

https://morph.zone/modules/newbb_plus/viewtopic.php?topic_id=11161&forum=3&start=24

> SSL [...] look very dated, or am I mistaken?

May 2015 is not exactly brand-new, but as was the case with MorphOS 3.8 and 3.9, the 3.10 release will likely bring new OpenSSL also for OWB as this can be upgraded without touching the other OWB parts.

> did the developer gave up on this?

https://morph.zone/modules/newbb_plus/viewtopic.php?topic_id=11566&forum=32&start=17

> the Javascript interpreter JIT

"JIT" is short for "just-in-time compiler", so it's either JavaScript interpreter or JavaScript JIT :-)

great Informations, thanks everybody!!

[ Editiert durch Elowan 27.04.2016 - 11:03 ]

Ok, so Webkit 2.x is not "more secure" than 1.x - it´s mostly about the tabs handling and performance.
So they should be equally, security-wise?

OpenSSL keeps being updated. As for OWB, yes, the Javascript engine is a pain in the *ss. But I havn't experienced any real problems with most web sites, except for Tumbl and Youtube. The first just doesn't work most of the time and the latter you can't log into. And then we have the general bloat trend that makes slow hardware like ours having to work like crazy, especially without the javascript JIT. But this is a problem all systems are facing now: bloat.

My general conclusion is that even though OWB is rather old now it still does what it's suppose to very well. I would say it's no more nor less secure than any other browser out there. MorphOS doesn't have much of security, but we don't have mal- spy- or ransomware either.

my main concern is/was Web-browsing. but this seems to be "in the o.k. zone" :)

maybe we could raise some money for the OWB - dev(s) or the MOS-team to make it even saver, browsing the web?!

Quote:
Beware that this is not entirely true. Odyssey is based upon WebKit, and WebKit is certainly a pretty big target for attack. So if Odyssey doesn't use an up-to-date version of WebKit, then there is some risk.

I don't know how up-to-date Odyssey's WebKit is on MorphOS, but on OS4 it is extremely out of date. Which, for example, leads to webpages being able to show a fake URL in the address bar, meaning you might think you are safely on your banking website, but in reality you are on a fake phishing website. An article about the exploit is here:
http://www.theregister.co.uk/2015/05/20/safari_address_spoofing_vuln/

And you can check if Odyssey is vulnerable using this:
http://www.deusen.co.uk/items/iwhere.9500182225526788/
(Click on "Go", and you will see a fake Daily Mail URL in the address bar.)

Note: If you could automatically disable JavaScript on all webpages, except those you white-list, then this would be much less of a problem. Odyssey v1.23 (for OS4) doesn't seem to have this option.

> I don't know how up-to-date Odyssey's WebKit is on MorphOS

See comment #10.

After reading all of this, it sounds like someone needs to make a "Lamer Exterminator NG" virus.

Ok, who's got the bounty on this? LOL

...oh dear!

Quote:

Paradoxally the sites we have to fear are those maintained by Amigans as Amigans have enough knowledge to create malicious Javascript code potentially dangerous for our systems and iniect this code at any visit.

I think it should be not difficult to create a javascript program executing DOS commands or AreXX, am I wrong?

[ Edited by Raf_MegaByte 29.04.2016 - 00:42 ]

> you can check if Odyssey is vulnerable using this:
> http://www.deusen.co.uk/items/iwhere.9500182225526788/
> (Click on "Go", and you will see a fake Daily Mail URL in the address bar.)

Exploit doesn't work here (Odyssey 1.24 on MorphOS 3.9).

Quote:

Same versions here, but on my system clicking on "Go" actually results in a fake URL.....

> Same versions here, but on my system clicking on "Go" actually results in a fake URL.....

Yeah, I tried again today and the exploit works in fact. Something must have gone wrong when I tried first.

With the number of active and regular users of all AmigaOS and Amigaoid OS's now down to probably around 30-50 worldwide, being hacked because of an exploit -- even one that's easy -- is extremely unlikely. One in a million people still know what an ARexx script was. One in a hundred million still know how to write one. And Amiga browsers just didn't get far enough on for Java or Javascript to be a problem.

The security issue with the Amigaoid OS's is sending out your passwords over the web cleartext or using out of date and compromised SSL. The attacker doesn't care what you used to make the connection, he sees your password.

Quote:

Hmmm - I was thinking SSL takes care of this?!

Cheers!

>> sending out your passwords over the web cleartext or using out of date
>> and compromised SSL

> Hmmm - I was thinking SSL takes care of this?!

Yes, unless it's out of date, compromised or not used at all :-)

Quote:


Its limited due to browser abilities.

SSL is old, its not secured in that way.

One way of protection by obscurity where no Flash or Java works,
other is by CPU code where no x64 related mailware cannot be executed.

So we are quite safe

Quote:
I have some JavaScript snake oil to sell you. It is FDA approved...