Tracking protection and NSS SSL secrets logging (two security questions)?


miroR
Apollo supporter
Posts: 43
Joined: Tue May 31, 2016 7:22 pm

Postby miroR » Sun Jul 17, 2016 6:28 am

Title: Tracking protection and NSS SSL secrets logging (two security questions)?
---
I have been a Firefox user since it became, out of Netscape. A Linux user, Gentoo in the last near one decade (also a little Debian, and planning on Devuan too).

I hear good things a lot about Pale Moon, I have studied quite a few forum posts here, and searched a lot (with the duck-engine, I don't like being tracked, so no Goog).

I had my strong doubts about Firefox dissipated forcefully with the advent of tracking protection feature, by which even Goog's own tracking itself is being really left out (the https://disconnect.me do, appears to me, a good job), I know Goog's is being disconnected also because I trace (with Wireshark's dumpcap) whenever I go online and later often read the network.

I haven't yet installed Pale Moon, because the tracking protection in Firefox has made me very content.

I haven't been completely convinced by the renewed privacy protections in Firefox, because I keep checking on everything, and I want to know for sure about things (very hard!). But I surely have no grounds to distrust it or complain about it. At least as yet.

I really wonder what Pale Moon offers to protect users from tracking? Is it as strong a protection as Firefox is? Is it the same tracking protection feature Firefox uses?

That was one thing.

Another thing is actually connected with my claim that I (often) read the network after I was online.

I surely couldn't really do that if there wasn't the NSS and if I didn't set the SSLKEYLOGFILE env variable (as per https://wiki.wireshark.org/SSL) and if I didn't patch the NSS library with the small patch at:

>=dev-libs/nss-3.24 - Add USE flag to enable SSL key logging
https://bugs.gentoo.org/show_bug.cgi?id=587116

because the SSL decrypting is what rare users really do... And that convenience is not anymore readily available for security concerns (I have a grsecurity-hardened kernel and hope to be able to keep secure though).

So the other question of mine is if the SSL secrets logging via NSS library is available in Pale Moon so the above method of mine can be deployed?

Regards!
---
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Try refute: rootkit hooks in kernel, linux capabilities for intrusion? (Linus?)

miroR
Apollo supporter
Posts: 43
Joined: Tue May 31, 2016 7:22 pm

Postby miroR » Sun Jan 15, 2017 6:28 am

Palemoon can log SSL-keys, just like its original program Firefox.

The thread on it:
https://marc.info/?t=148216793700001&r=1&w=2

and it starts here:

[gentoo-user] Reading the (SSL) traffic with Pale Moon
https://marc.info/?l=gentoo-user&m=148216789330419&w=2

And I've been using it daily. Don't think there are issues with it, but I'm not an expert.

BTW, it's Linux, Gentoo Linux, but $SSLKEYLOGFILE can be set in Windoze and Mac as well ;)

HaleSun
Moon lover
Posts: 97
Joined: Fri Mar 11, 2016 11:39 am

Postby HaleSun » Sun Jan 15, 2017 11:14 am

Other than Pale Moon's general stance on tracking: viewtopic.php?f=5&t=12103
tracking security out of the box should at the very least be superior to that of Firefox since Pale Moon does not come with certain Firefox features that turn into security liabilities like WebRTC.

There was also the matter of a major security vulnerability in Firefox disclosed last November which allowed an exploit in the Tor browser which would reveal the real Tor user:
http://www.tomshardware.com/news/tor-br ... 33117.html

The exploit itself was heavily based on an earlier exploit discovered way back in 2013:
http://arstechnica.com/security/2013/08 ... tor-users/

This weakness in Firefox is NOT present in Pale Moon: viewtopic.php?f=1&t=13984

Then there's the autofill vulnerability: viewtopic.php?f=4&t=14425
Even though it affects basically every major browser, Mozilla actually wants to add it!: http://news.softpedia.com/news/sneak-pe ... 8993.shtml

Naturally Pale Moon will not add known privacy liabilities for the sake of "convenience".

Though no matter which browser it is, it can only do so much by itself. For robust tracking protection the use of addons is required. With Decentraleyes, uBlock Origin, uMatrix, NoScript, and Crush Those Cookies you should be very secure, but you should also disable Flash and Java.

There are also a few about:config options that enhance privacy and security:

canvas.poisondata > true
This is a Pale Moon exclusive function that thwarts canvas fingerprinting: https://panopticlick.eff.org

webgl.disabled > true
This disables the WebGL hash fingerprinting also tested by panopticlick.

The following is for the truly paranoid:
security.ssl3.dhe_rsa_aes_128_sha > false
security.ssl3.dhe_rsa_aes_256_sha > false
The above disables ciphers suspected to be compromised by the NSA (will break some sites):
https://www.eff.org/deeplinks/2015/10/h ... 024-bit-DH

security.ssl3.rsa_aes_128_sha > false
security.ssl3.rsa_aes_256_sha > false
The above disables ciphers without forward secrecy (will break many sites including most banking sites and PayPal):
https://www.ssllabs.com/ssltest/viewMyClient.html

I hope that answers your question on tracking. As for your other question, only someone more familiar with Pale Moon's internal code can answer that.

Moonchild
Pale Moon guru
Posts: 19925
Joined: Sun Aug 28, 2011 5:27 pm
Location: 58.5°N 15.5°E

Postby Moonchild » Sun Jan 15, 2017 1:52 pm

For the SSLKEYLOGFILE, see http://xref.palemoon.org/palemoon-trunk ... ock.c#2867 (and following lines). So the answer is Yes, for now this is possible. If a future version of NSS removes this then it may not remain possible depending on NSS development.
Improving Mozilla code: You know you're on the right track with code changes when you spend the majority of your time deleting code.
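
An added example, not from the thread and not NSS or Pale Moon code: a Python check for the file that `SSLKEYLOGFILE` points at, since anyone who can read that file can decrypt a capture of the same sessions. It assumes the NSS key log line format (`CLIENT_RANDOM` and `RSA` labels) and POSIX permissions; the function names and the sample data are constructed for illustration.

```python
import os
import re
import stat

# NSS key log line: "<LABEL> <hex> <hex>"; '#' starts a comment line.
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]+) ([0-9a-fA-F]+)$")
# Hex lengths (identifier, secret) of the two TLS <= 1.2 labels (assumed format).
EXPECTED = {"CLIENT_RANDOM": (64, 96), "RSA": (16, 96)}

def parse_keylog(text):
    """Return (entries, bad_line_numbers); secrets are checked, never returned."""
    entries, bad = [], []
    for number, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = LINE_RE.match(line)
        want = EXPECTED.get(match.group(1)) if match else None
        if not match or (want and (len(match.group(2)), len(match.group(3))) != want):
            bad.append(number)  # truncated or corrupted: the session will not decrypt
        else:
            entries.append((match.group(1), match.group(2).lower()))
    return entries, bad

def audit_keylog_file(path):
    """List reasons other local users could read or replace the key log."""
    findings = []
    info = os.stat(path)
    if info.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %o grants group/other access" % stat.S_IMODE(info.st_mode))
    if info.st_uid != os.getuid():
        findings.append("file is not owned by the current user")
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        findings.append("parent directory is world-writable without sticky bit")
    return findings

# Constructed sample, not real key material.
SAMPLE = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 48,
    "RSA " + "01" * 8 + " " + "ef" * 48,
    "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 20,  # truncated secret
])

if __name__ == "__main__":
    path = os.environ.get("SSLKEYLOGFILE")
    entries, bad = parse_keylog(open(path).read() if path else SAMPLE)
    print(len(entries), "entries; malformed lines:", bad)
    print("findings:", audit_keylog_file(path) if path else "n/a (sample)")
```

An empty findings list corresponds to a key log created with mode 0600 in a directory only its owner can write to.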

miroR
Apollo supporter
Posts: 43
Joined: Tue May 31, 2016 7:22 pm

Postby miroR » Mon Jan 16, 2017 2:14 am

Thanks for the exhaustive answers. That will take me some time to digest.

But, boy, was that a long wait!? I opened the topic at:
Postby miroR » Sun Jul 17, 2016 8:28 am

joe04
Fanatic
Posts: 199
Joined: Mon Sep 28, 2015 4:38 pm
Location: US

Postby joe04 » Mon Jan 16, 2017 6:17 pm

@HaleSun thanks for the canvas & webgl info. I made both pref changes. The canvas poisoning is a really nifty little feature and nicely implemented.

FYI, use this simple WebGL test page to verify it's enabled/disabled.

New Tobin Paradigm
Knows the dark side
Posts: 3807
Joined: Tue Oct 09, 2012 7:37 pm

Postby New Tobin Paradigm » Mon Jan 16, 2017 6:29 pm

Off-topic:
miroR wrote: But, boy, was that a long wait!? I opened the topic at:
Postby miroR » Sun Jul 17, 2016 8:28 am


If you would like to start paying the developers a generous hourly salary to ensure every one of your concerns is escalated to number one top priority being submitted to a dedicated sub-forum just for you and you alone and not one thread among thousands manned by people who provide a free product freely.. Then maybe you can point out when something slips under the radar or is not addressed at once.

It might be of interest to point out that in that long time gap you could have familiarized yourself and done your own research and come to a conclusion.
[ T O B I N W A V E ]

miroR
Apollo supporter
Posts: 43
Joined: Tue May 31, 2016 7:22 pm

Postby miroR » Tue Jan 17, 2017 10:22 am

Matt A Tobin wrote:
Off-topic:
miroR wrote: But, boy, was that a long wait!? I opened the topic at:
Postby miroR » Sun Jul 17, 2016 8:28 am


If you would like to start paying the developers a generous hourly salary to ensure every one of your concerns is escalated to number one top priority being submitted to a dedicated sub-forum just for you and you alone and not one thread among thousands manned by people who provide a free product freely.. Then maybe you can point out when something slips under the radar or is not addressed at once.

It might be of interest to point out that in that long time gap you could have familiarized yourself and done your own research and come to a conclusion.

I was joking! I wasn't complaining!

I actually was so pleased to learn new stuff that I suggested it to others (btw, that topic below is turning into another Palemoon topic ;-) your browser has been gaining much ground in Gentoo community):

Configuring Firefox for more privacy - an attempt (results)
https://lists.gt.net/gentoo/user/321894#321894

Regards!

John connor
Lunatic
Posts: 470
Joined: Wed Jan 21, 2015 5:06 am
Location: USA

Postby John connor » Fri Jan 20, 2017 4:51 am

My forum project :wave:
You ever dance with the devil in the pale moon light?
Cooler Master Storm Scout 2 Advanced |GIGABYTE AORUS GA-Z270X-Gaming K7| i5 6600k | 2666 MHz Ballistix Tactical RAM | Crucial MX300 256GB SSD | 1 TB Hitachi platter | GTX 560TI |Logitech Z 5300 5.1 audio | Logitech mouse/keyboard
Laptop: Dell Precision M6300

miroR
Apollo supporter
Posts: 43
Joined: Tue May 31, 2016 7:22 pm

Postby miroR » Fri Jan 20, 2017 7:46 am

John connor wrote:



Cool! They linked my topic. I'm phamous. https://www.youtube.com/watch?v=C18p7QIbWqc

Except that:
PHAMOUS PLANET HOLLYWOOD FLASH MOB!
https://www.youtube.com/watch?v=C18p7QIbWqc
doesn't have anything to do with the topic. It's some dancing, if anyone cares.

I don't, nor would I have had time to go and view it...

And it would have been nice if the poster pasted the title and explained what it was about, since just the "C18p7QIbWqc" doesn't tell anybody what that Youtube video is about.

And which I corrected, now it is more clear what it is about, so others who don't care, don't have to spend time finding out...

gracious1
Astronaut
Posts: 511
Joined: Sun May 15, 2016 5:00 am
Location: suddenly cold upstate NY

Postby gracious1 » Tue Mar 28, 2017 7:30 pm

HaleSun wrote: There are also a few about:config options that enhance privacy and security:

canvas.poisondata > true
This is a Pale Moon exclusive function that thwarts canvas fingerprinting:
https://panopticlick.eff.org


I made that configuration change, but when I tested at Panopticlick, I still got the result: "your browser has a unique fingerprint". So it didn't seem to work. :(
Fall is slipping away…

testator777
Hobby Astronomer
Posts: 21
Joined: Mon Jan 09, 2017 2:49 am

Postby testator777 » Wed Mar 29, 2017 12:16 am

canvas.poisondata only randomizes your canvas fingerprint which means you have an extremely unique fingerprint either on every browser session or page load, I forget which. If you want to blend in with canvas there is no plugin for that so you would have to write your own. The point of canvas.poisondata is to literally poison the data people collect by canvas by feeding them bogus data every time you visit them. Things like this work better the more everyone does it. But if few do it then it lights you up like spotlighting a one man ship while he is screaming find me.

If you are going to write a plugin for that might I recommend filling in the last few gaps I know of for javascript obfuscation known as Element.getClientRects. https://browserleaks.com/rects and they have more of the usual tracking stuff on the site too. Also https://browserleaks.com/firefox This makes a hash of some .js crux from firefox which can be used to fingerprint. There is a firefox jetpack (unsupported/does not work) plugin called https://addons.mozilla.org/en-US/firefo ... ak/?src=ss if you need tips.

Also why does anybody need access to firefox*.js? I can understand getprefs.js but why the others?

dark_moon
Knows the dark side
Posts: 3683
Joined: Mon Jan 09, 2012 5:34 pm
Location: Germany

Postby dark_moon » Wed Mar 29, 2017 5:01 pm

The *.js files don't have any private data, so it doesn't matter if a site can read that or not.
Happy Pale Moon x64 under Win7 x64 User
German translator for Pale Moon 15+ and Pale Moon Commander addon

HowTo create a new Pale Moon Profile & use the Safe Mode
My GPG Key: 0x01EAFE95

Moonchild
Pale Moon guru
Posts: 19925
Joined: Sun Aug 28, 2011 5:27 pm
Location: 58.5°N 15.5°E

Postby Moonchild » Wed Mar 29, 2017 9:00 pm

gracious1 wrote: I made that configuration change, but when I tested at Panopticlick, I still got the result: "your browser has a unique fingerprint". So it didn't seem to work. :(


You don't understand. The whole point is making your fingerprint unique, but different every time. You are supposed to have a unique fingerprint. But a different unique fingerprint every time -- I've already explained in another thread how this works and why this is better - maybe someone with a few free minutes can look up the exact thread and link it.
Improving Mozilla code: You know you're on the right track with code changes when you spend the majority of your time deleting code.


