hi there,

I´d like to know, how "secure" MOS is, compared to OS X 10.5.8 and to ubuntu Mate linux distros.

AFAIK MorphOS has no "user privilleges concept", so basically any app can read/write into ram and therfore exploiting should be not too hard.

AFAIK OS X has old Java, certificates and old everything. there is an issue with bash and if you must surf the web, well, there is TenFourFox for that.

AFAIK Ubuntu ppc got also some bash issues, don´t know about surfing with firefox.

I know, the biggest risk is sitting in front of the computer ;)
But aside from this - what are your thoughts?

Would you use MorphOS for online-banking, pay-pal, ebay and such?


Cheers!

[ Editiert durch Elowan 25.04.2016 - 17:23 ]

So - where are the paranoid folks?? ;)

I use morphos for all of that just because there is no trojan or malware on morphos. I know that morphos is unsecured but who want to hack a software wich has a small usebase ?

[ Edited by acepeg 26.04.2016 - 11:29 ]

ok - so it will be security by obscurity?! ;)

Maybe this works - but what about phishing data, when browsing the web? I mean Java and such?

> I mean Java and such?

MorphOS doesn't have Java, so no risk there.

Quote:

I would, and I do, though I need online banking very rarely. I only get few bills in a year and recurring payments are on autopay system.

Quote:

MorphOS is completely unsecure operating system but since it is so rare you can browse web sites without worries... in Windows world even if your virus scanner is up to date you may get infected by ransomware and what not.

Ok - my main worry was to be vulnerable when surfing the web.

So it seems, MorphOS is maybe even more secure, than some linux distros - not because it is very safe and secured, but just because it´s rare and uncommon.

Good point.

And if no java runs on it - how does Java(script?) websites work, then?


Cheers!

Quote:

That's because Java isn't the same as Javascript. In fact they're completely different (except, maybe, the name).

hmmmmkaay - thought they were related somehow...

Ok, so there is javascript running in browser, I guess?
Brings me to the browser: any clues how secure it is? Like compared to Firefox or chromium?

> there is javascript running in browser, I guess?

Yes.

> Brings me to the browser: any clues how secure it is?

OWB 1.24 (April 2014) from Fab's site includes:
- OpenSSL 1.0.1g (April 2014)
- WebKit r161078 (January 2014)

OWB 1.23 (June 2015) from MorphOS 3.9 ISO includes:
- OpenSSL 1.0.1o (June 2015)
- WebKit r155188 (October 2013)

uhmmm - Webkit went 2.x some time ago... OWB uses 1.5/1.6, still?
Don´t know about SSL

but look very dated, or am I mistaken?

No more development, regarding OWB for 2 years?
That´s sad - did the developer gave up on this?

[ Editiert durch Elowan 26.04.2016 - 17:31 ]

Quote:

Probably you have heard the famous Java JIT engine problem on Big Endian machines (what the WebKit developers will not care anymore). It is really tricky to correct. That's why Fab haven't ported a recent version of WebKit.

[ Edited by deka 26.04.2016 - 18:04 ]

Quote:

That and a stack of dirty diapers ;)

Quote:

Again someone mixing Javascript with Java... Sigh...
From what I know the Javascript engine endianess issue isn't at all connected with JIT. This is the other story. If the Javascript engine would be fixed for big-endian machines we'd have a recent Odyssey version, running similar to the earlier versions. Then if the Javascript interpreter JIT would be ready, the browser (especially on heavy JS using sites) would feel much faster.


[ Edited by koszer 26.04.2016 - 18:41 ]

Indeed... I've mixed everything with everything. (blush)

> Webkit went 2.x some time ago...

WebKit2 discussion:

https://morph.zone/modules/newbb_plus/viewtopic.php?topic_id=11161&forum=3&start=24

> SSL [...] look very dated, or am I mistaken?

May 2015 is not exactly brand-new, but as was the case with MorphOS 3.8 and 3.9, the 3.10 release will likely bring new OpenSSL also for OWB as this can be upgraded without touching the other OWB parts.

> did the developer gave up on this?

https://morph.zone/modules/newbb_plus/viewtopic.php?topic_id=11566&forum=32&start=17

> the Javascript interpreter JIT

"JIT" is short for "just-in-time compiler", so it's either JavaScript interpreter or JavaScript JIT :-)

great Informations, thanks everybody!!

[ Editiert durch Elowan 27.04.2016 - 11:03 ]

Ok, so Webkit 2.x is not "more secure" than 1.x - it´s mostly about the tabs handling and performance.
So they should be equally, security-wise?

OpenSSL keeps being updated. As for OWB, yes, the Javascript engine is a pain in the *ss. But I havn't experienced any real problems with most web sites, except for Tumbl and Youtube. The first just doesn't work most of the time and the latter you can't log into. And then we have the general bloat trend that makes slow hardware like ours having to work like crazy, especially without the javascript JIT. But this is a problem all systems are facing now: bloat.

My general conclusion is that even though OWB is rather old now it still does what it's suppose to very well. I would say it's no more nor less secure than any other browser out there. MorphOS doesn't have much of security, but we don't have mal- spy- or ransomware either.

my main concern is/was Web-browsing. but this seems to be "in the o.k. zone" :)

maybe we could raise some money for the OWB - dev(s) or the MOS-team to make it even saver, browsing the web?!

Quote:
Beware that this is not entirely true. Odyssey is based upon WebKit, and WebKit is certainly a pretty big target for attack. So if Odyssey doesn't use an up-to-date version of WebKit, then there is some risk.

I don't know how up-to-date Odyssey's WebKit is on MorphOS, but on OS4 it is extremely out of date. Which, for example, leads to webpages being able to show a fake URL in the address bar, meaning you might think you are safely on your banking website, but in reality you are on a fake phishing website. An article about the exploit is here:
http://www.theregister.co.uk/2015/05/20/safari_address_spoofing_vuln/

And you can check if Odyssey is vulnerable using this:
http://www.deusen.co.uk/items/iwhere.9500182225526788/
(Click on "Go", and you will see a fake Daily Mail URL in the address bar.)

Note: If you could automatically disable JavaScript on all webpages, except those you white-list, then this would be much less of a problem. Odyssey v1.23 (for OS4) doesn't seem to have this option.

> I don't know how up-to-date Odyssey's WebKit is on MorphOS

See comment #10.

After reading all of this, it sounds like someone needs to make a "Lamer Exterminator NG" virus.

Ok, who's got the bounty on this? LOL

...oh dear!