  1.    #1  
    Can anyone (i.e. 'guru') point me to the configuration location for the Pre's Web 1.0. I assume it has one, like Apache, since webOS is linux.

    I'm looking, specifically, to undo a security 'fix' implemented in 1.3.1 (and NOT in 1.2.1) that denies access to SSL-enabled HTML. (Web 1.0 throws an error when I try to access my school's https redirect-to-login page. 1.2.1 didn't do this.)

    I've done some research and have been led down roads leading to malformed and/or self-signed security certificates, but they ultimately come to no determinate conclusions.

    I'm desperately hoping there's a config switch to comment or uncomment that will return this (considered insecure) functionality and am willing to put in the time to look and learn.

    I also understand the risks, both to Pre and to network, and am familiar with the "1,2,3"s of administration.
  2. mosdl
    #2  
    That is probably coded into webkit - the source code for the WebOS version is not available. You are most likely out of luck.
    Apps: MyQ for Netflix (Phone/TouchPad), Giantbomb (Phone), Excavate (Reddit/Digg clients for TouchPad)
  3.    #3  
    While I certainly appreciate the knowledge, I won't uncross my fingers until there is a 'definitely' where your 'most likely' is.

    Maybe digging inside the webOSDoc 1.2.1 jar will help???

    Besides, I thought WebKit is open source??? - The WebKit Open Source Project

    All the code one should need is found here:
    OpenSource.Palm.com - 1.3.1
    and here:
    OpenSource.Palm.com - 1.2.1
    Last edited by jnever1; 11/26/2009 at 02:37 AM.
  4. mosdl
    #4  
    Opensource doesn't mean all the source is open for the palm modifications - only changes made to existing webkit files have to be released. So there is no guarantee that you can compile the source and patches, replace the .so files on your pre and get a working browser.
    Apps: MyQ for Netflix (Phone/TouchPad), Giantbomb (Phone), Excavate (Reddit/Digg clients for TouchPad)
  5.    #5  
    Quote Originally Posted by mosdl:
    Opensource doesn't mean all the source is open for the palm modifications - only changes made to existing webkit files have to be released.
    This statement is confusing, mosdl. To me, OpSo is OpSo... but I'm starting to gather a mental image of what Palm is doing with webOS.

    I am guessing that WebKit comes from Apple (the name is plastered all over the WebCore text files internally) and was/is the basis for their Safari browser. I guess further that WebOS is a linux implementation of the Safari concept, extended to handle OS like tasks (connecting to wi-fi, running apps, etc).

    So, with the above in consideration, the unaltered WebKit is open source but Palm's specific extensions/modifications are not? Is this what you mean?

    Nevertheless, I have the WebOSDoctor for 1.2.1 and for 1.3.1 in *.jar format. I'll compare, file by file, if I have to, on my own. What I continue to ask of the Palm Pre elite community is for a general location to start my investigation.

    I'm looking at a map of an entire country worth of OS files here, mosdl, and from two different time periods (like looking at two maps of the US, one made in 1900 and one made in 2009) and I'm asking if anyone knows which territory (folder or file family) within this country handles the web browsing.

    If I hit a brick wall, it'll be because I failed to break through it, or, at the very least, walk around it.
    Last edited by jnever1; 11/26/2009 at 05:22 PM.
  6.    #6  
    See the attached images for a specific example of how 1.2.1 differs from 1.3.1.

    I'm in the <root>\etc\ssl\certs\ directory.

    You'll see that 1.3.1 does not have the PalmCAcert.pem file and ca-certificates and system-bundle.crt.gz differ in file size.

    What does this mean? I don't know...
    Last edited by jnever1; 11/26/2009 at 06:12 PM.
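A way to compare the two images' CA bundles more precisely than by file size, as an added example that is not from this thread or from Palm: it hashes each certificate's DER so line wrapping and comment lines don't matter, reports which roots were dropped or added between bundles, and checks whether a standalone PEM file (the missing PalmCAcert.pem, say) is still present inside a bundle. The bundle contents below are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re

# Constructed stand-ins for /etc/ssl/certs/ca-certificates.crt from two
# firmware images. The base64 bodies are made-up placeholders, not real
# certificates; only the PEM framing and per-entry hashing matter here.
BUNDLE_OLD = """\
# comment line, as found in some bundle files
-----BEGIN CERTIFICATE-----
UGFsbUNBY2VydC1wbGFjZWhvbGRlcg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q2FtcHVzQ0EtcGxhY2Vob2xkZXI=
-----END CERTIFICATE-----
"""
BUNDLE_NEW = """\
-----BEGIN CERTIFICATE-----
Q2FtcHVzQ0EtcGxhY2Vob2xkZXI=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
TmV3Um9vdC1wbGFjZWhvbGRlcg==
-----END CERTIFICATE-----
"""
# Constructed single-file PEM, playing the role of PalmCAcert.pem.
PALM_CA_PEM = BUNDLE_OLD.splitlines()[1:4]
PALM_CA_PEM = "\n".join(PALM_CA_PEM) + "\n"

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def bundle_fingerprints(pem_text):
    """Map sha256(DER) -> DER bytes for every certificate in a PEM text."""
    out = {}
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        out[hashlib.sha256(der).hexdigest()] = der
    return out


def diff_bundles(old_pem, new_pem):
    """Return (removed, added) sets of fingerprints between two bundles."""
    old, new = bundle_fingerprints(old_pem), bundle_fingerprints(new_pem)
    return set(old) - set(new), set(new) - set(old)


def bundle_contains(bundle_pem, single_pem):
    """True if every certificate in single_pem also appears in bundle_pem."""
    return set(bundle_fingerprints(single_pem)) <= set(bundle_fingerprints(bundle_pem))
```

Point the two bundle variables at the real ca-certificates.crt files extracted from each WebOSDoctor jar to get the actual removed/added list.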
  7. mosdl
    #7  
    You can play with the certs (replace the new with the old) and see if that helps, but it is possible the changes were made in the browser code rather than in config files.

    And yes, WebOS is not open source. It is based on open source, and they only have to release patches for existing open source that Palm modified. But it is very likely that the security changes were made directly in base webkit and I would check if safari does the same.
    Apps: MyQ for Netflix (Phone/TouchPad), Giantbomb (Phone), Excavate (Reddit/Digg clients for TouchPad)
  8.    #8  
    Well,
    The cert test is scheduled for 6:00pm my local time (lol. my next class). If the PalmCAcert doesn't fix it, I'll try to overwrite the entire 1.3.1 certs folder with the 1.2.1 contents.

    I've already had success accessing the school ssl web from afar (i.e. my house through the web). An option to 'trust certificate?' popped up. I chose to trust. Now I'm in.

    The real test is going to be passing the redirect/authentication while directly connected to the campus wi-fi. I'll return with results tomorrow evening.

    Either way, I'll be looking deeper into certificate security. If for no other reason, I'd like to set it up as the main SSH protective of my Palm/WinSCP access system.
    Last edited by jnever1; 11/30/2009 at 01:02 AM. Reason: sh it's and gi ggles
  9.    #9  
    Catastrophic failure.

    Ok, so the premise was that my school used a CA [Certificate Authority - a company] cert to ssl authenticate and 1.3.1 removed the root cert from 1.2.1.
    Experimentation reveals that this is not the case. I'm still denied at redirect.

    Further research on ev-ssl spoofing (via MitM attack - as mentioned in a tandem thread) expresses that it is a flaw of the browser(s) that allows this vulnerability to exist. Hardcoded, as mosdl has warned. I haven't been able to gather whether or not the details of this exploit have been released. Palm must have received the information and acted to correct their browser in the 1.3.1 upgrade.

    More details on the spoof hack can be found here.

    Ok. So off I go digging into WebOSDoctor 1.3.1 archive and find a "browser-app.conf" file in the <root>\etc\palm\ folder. Inside I notice a switch to enable debugging.

    My question is, if I enable debugging, where/how are fault details dumped? A file? Where? Live output?

    I'm going to throw the switch and see, as well as investigate the browser.conf file in the same directory and compare both .conf files to their 1.2.1 counterparts.

    Any help is appreciated.
    Last edited by jnever1; 11/30/2009 at 09:02 PM.
  10.    #10  
    Some info to demonstrate that I am able to authenticate to the AP at school:
    (extracted from <root>/var/log/wpa_supplicant.log)
    Trying to associate with 00:0b:85:13:78:5f (SSID='LCCguest' freq=2462 MHz)
    Cancelling scan request
    Association request to the driver failed
    Associated with 00:0b:85:13:78:5f
    CTRL-EVENT-CONNECTED - Connection to 00:0b:85:13:78:5f completed (auth) [id=0 id_str=]
    Cancelling scan request
    CTRL-EVENT-SCAN-RESULTS
    started wpa_supplicant
    ioctl[SIOCSIWPMKSA]: Invalid argument
    ioctl[SIOCSIWPMKSA]: Invalid argument
    Setting scan request: 0 sec 100000 usec
    CTRL-EVENT-SCAN-RESULTS
    No suitable AP found.
    Setting scan request: 1 sec 0 usec
    Setting scan request: 0 sec 0 usec
    Reconfiguration completed
    CTRL-EVENT-SCAN-RESULTS
    Setting scan request: 0 sec 0 usec
    Setting scan request: 0 sec 0 usec
    CTRL-EVENT-SCAN-RESULTS
    Does anyone know where a browser-app error (like the one I'm fighting to fix that occurs at a https redirect) would be logged, or that it is logged at all?
  11.    #11  
    Found in webkit-patch inside the webkit-patch.gz file on the opensource.palm.com 1.3.1 open source packages page:

    +/** @defgroup CURL libcurl errors
    + * Errors returned by the CURL library (libcurl).
    + * /usr/include/curl/curl.h


    +const int ERR_CURL_SSL_CONNECT_ERROR = 2035; ///< CURLE_SSL_CONNECT_ERROR(35)
    +const int ERR_CURL_PEER_FAILED_VERIFICATION = 2051; ///< CURLE_PEER_FAILED_VERIFICATION(51)
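    Review bot: the 2000 offset that turns CURLE_SSL_CONNECT_ERROR(35) into 2035 and CURLE_PEER_FAILED_VERIFICATION(51) into 2051 is only implied by the trailing comments; state it in the @defgroup comment, or express each value as a named base plus the curl code, so the table cannot drift from /usr/include/curl/curl.h when new codes are added. Also worth noting in the comment that these two codes mean different things to a user: 2051 is a failed certificate or host check on an otherwise working connection, while 2035 is a failure in the handshake itself, so the browser's error reporting should keep them distinguishable rather than collapsing both into a generic connection error.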
    From: libcurl - Error Codes

    CURLE_PEER_FAILED_VERIFICATION (51)

    The remote server's SSL certificate or SSH md5 fingerprint was deemed not OK
