Bug 739019 - Disable SSL 3 (POODLE attack) in WebKit
Status: RESOLVED FIXED
Product: geary
Classification: Other
Component: client
Version: master
Hardware: Other Linux
Importance: Urgent normal
Target Milestone: 0.8.2
Assigned To: Geary Maintainers
QA Contact: Geary Maintainers
Depends on:
Blocks:
 
 
Reported: 2014-10-22 16:31 UTC by Jim Nelson
Modified: 2014-10-23 00:04 UTC
See Also:
GNOME target: ---
GNOME version: ---



Description Jim Nelson 2014-10-22 16:31:14 UTC
We need to make sure all browser (i.e. HTTPS) encrypted network connections don't use or fall back to SSL 3:

http://googleonlinesecurity.blogspot.co.uk/2014/10/this-poodle-bites-exploiting-ssl-30.html

WebKit 2 has fixed this problem but it won't be fixed in WebKit 1.  We simply need to disable it manually:

https://bugzilla.gnome.org/show_bug.cgi?id=738633

It doesn't appear this problem exists for *all* SSLv3 traffic (i.e. this isn't an issue with IMAP or SMTP), but since Geary does load images across the network, we should ensure SSLv3 is disabled for them.
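One way an application can disable SSL 3.0 by hand, as the description above calls for, is to tighten the GnuTLS priority string before any TLS connection is made. This is an added example, not code from the Geary commit or from the linked bug; it assumes the TLS stack is glib-networking's GnuTLS backend reading the `G_TLS_GNUTLS_PRIORITY` environment variable, and the function names are hypothetical.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L   /* for setenv() */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumptions: the environment variable consulted by glib-networking's
 * GnuTLS backend, and a baseline priority used when it is unset. */
#define TLS_PRIORITY_ENV "G_TLS_GNUTLS_PRIORITY"
#define DEFAULT_PRIORITY "NORMAL:%COMPAT"
#define SSL3_OFF         "-VERS-SSL3.0"

/* True if the final ':'-separated token removes SSL 3.0 ("-" or "!"). */
static int ends_with_ssl3_removal(const char *prio)
{
    const char *last = strrchr(prio, ':');
    last = last ? last + 1 : prio;
    return (last[0] == '-' || last[0] == '!') &&
           strcmp(last + 1, "VERS-SSL3.0") == 0;
}

/* Keep the caller's priority settings but make the last token remove
 * SSL 3.0, so an earlier "+VERS-SSL3.0" cannot leave it enabled
 * (assumes GnuTLS applies tokens left to right).
 * Returns 0 on success, -1 if out is too small. */
int harden_priority(const char *current, char *out, size_t outlen)
{
    int n;
    if (current == NULL || *current == '\0')
        current = DEFAULT_PRIORITY;
    if (ends_with_ssl3_removal(current))
        n = snprintf(out, outlen, "%s", current);
    else
        n = snprintf(out, outlen, "%s:%s", current, SSL3_OFF);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Call once at startup, before the first TLS connection is created. */
int disable_ssl3_for_process(void)
{
    char buf[512];
    if (harden_priority(getenv(TLS_PRIORITY_ENV), buf, sizeof buf) != 0)
        return -1;
    return setenv(TLS_PRIORITY_ENV, buf, 1);
}
```

Because the existing value is preserved and only the removal token is appended, a priority string set by the user or distribution stays in force apart from SSL 3.0.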
Comment 1 Jim Nelson 2014-10-22 23:43:51 UTC
It appears POODLE requires JavaScript to be an attack vector, which isn't an issue with Geary, but it makes sense to follow guidelines and disable SSLv3 anyway.
Comment 2 Jim Nelson 2014-10-23 00:04:14 UTC
Pushed to master, commit 8e272f