Tracking protection and NSS SSL secrets logging (two security questions)?

miroR
Fanatic
Posts: 102
Joined: Tue, 31 May 2016, 19:22

Tracking protection and NSS SSL secrets logging (two security questions)?

Unread postby miroR » Sun, 17 Jul 2016, 06:28

Title: Tracking protection and NSS SSL secrets logging (two security questions)?
---
I have been a Firefox user since it came to be, out of Netscape. A Linux user, on Gentoo for nearly the last decade (also a little Debian, and planning on Devuan too).

I hear good things a lot about Pale Moon, I have studied quite a few forum posts here, and searched a lot (with the duck-engine, I don't like being tracked, so no Goog).

I had my strong doubts about Firefox dissipated forcefully with the advent of the tracking protection feature, by which even Goog's own tracking itself is being really left out (https://disconnect.me does, it appears to me, a good job). I know Goog's is being disconnected also because I trace (with Wireshark's dumpcap) whenever I go online and later often read the network.

I haven't yet installed Pale Moon, because the tracking protection in Firefox has made me very content.

I haven't been completely convinced by the renewed privacy protections in Firefox, because I keep checking on everything, and I want to know for sure about things (very hard!). But I surely have no grounds to distrust it or complain about it. At least as yet.

I really wonder what Pale Moon offers to protect users from tracking? Is it as strong a protection as Firefox is? Is it the same tracking protection feature Firefox uses?

That was one thing.

Another thing is actually connected with my claim that I (often) read the network after I was online.

I surely couldn't really do that if there wasn't the NSS and if I didn't set the SSLKEYLOGFILE env variable (as per https://wiki.wireshark.org/SSL) and if I didn't patch the NSS library with the small patch at:

>=dev-libs/nss-3.24 - Add USE flag to enable SSL key logging
https://bugs.gentoo.org/show_bug.cgi?id=587116

because the SSL decrypting is what rare users really do... And that convenience is not anymore readily available for security concerns (I have a grsecurity-hardened kernel and hope to be able to keep secure though).

So the other question of mine is if the SSL secrets logging via NSS library is available in Pale Moon so the above method of mine can be deployed?

Regards!
---
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Try refute: rootkit hooks in kernel, linux capabilities for intrusion? (Linus?)

miroR
Fanatic
Posts: 102
Joined: Tue, 31 May 2016, 19:22

Re: Tracking protection and NSS SSL secrets logging (two security questions)?

Unread postby miroR » Sun, 15 Jan 2017, 06:28

Palemoon can log SSL-keys, just like its original program Firefox.

The thread on it:
https://marc.info/?t=148216793700001&r=1&w=2

and it starts here:

[gentoo-user] Reading the (SSL) traffic with Pale Moon
https://marc.info/?l=gentoo-user&m=148216789330419&w=2

And I've been using it daily. Don't think there are issues with it, but I'm not an expert.

BTW, it's Linux, Gentoo Linux, but $SSLKEYLOGFILE can be set in Windoze and Mac as well ;)
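An added example, not part of the posts above or of NSS/Pale Moon code: the file named by $SSLKEYLOGFILE holds the session secrets Wireshark needs to decrypt a capture, so anyone who can read it can decrypt the same traffic. This Python check validates the two classic NSS key log line shapes (`CLIENT_RANDOM` and `RSA`) and flags a file readable by group or others; the sample file and the names `audit_keylog` and `make_sample` are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Line shapes of the NSS key log format that Wireshark reads:
#   CLIENT_RANDOM <64 hex client random> <96 hex master secret>
#   RSA <16 hex of encrypted pre-master> <96 hex pre-master secret>
# Other labels (for example TLS 1.3 ones) are reported as unrecognised here.
PATTERNS = {
    "CLIENT_RANDOM": re.compile(r"^CLIENT_RANDOM [0-9a-fA-F]{64} [0-9a-fA-F]{96}$"),
    "RSA": re.compile(r"^RSA [0-9a-fA-F]{16} [0-9a-fA-F]{96}$"),
}

def audit_keylog(path):
    """Return (count per label, unrecognised line numbers, exposed flag)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    exposed = bool(mode & 0o077)  # any permission bit for group or others
    counts, unrecognised = {}, []
    with open(path, encoding="ascii", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            line = line.strip()
            if not line or line.startswith("#"):
                continue  # blank lines and comments carry no secrets
            label = line.split(" ", 1)[0]
            pattern = PATTERNS.get(label)
            if pattern is not None and pattern.match(line):
                counts[label] = counts.get(label, 0) + 1
            else:
                unrecognised.append(lineno)
    return counts, unrecognised, exposed

def make_sample(mode=0o644):
    """Write a constructed key log with dummy values (not real secrets)."""
    fd, path = tempfile.mkstemp(suffix=".keylog")
    with os.fdopen(fd, "w") as fh:
        fh.write("# SSL/TLS secrets log file, generated by NSS\n")
        fh.write("CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 48 + "\n")
        fh.write("RSA " + "01" * 8 + " " + "ef" * 48 + "\n")
        fh.write("CLIENT_RANDOM " + "ab" * 32 + " truncated\n")
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    sample = make_sample()
    print(audit_keylog(sample))   # world-readable: exposed is True
    os.chmod(sample, 0o600)
    print(audit_keylog(sample))   # owner-only: exposed is False
    os.remove(sample)
```

Setting `umask 077` in the shell that exports SSLKEYLOGFILE makes the browser create the file owner-only in the first place.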

HaleSun
Fanatic
Posts: 107
Joined: Fri, 11 Mar 2016, 11:39

Re: Tracking protection and NSS SSL secrets logging (two security questions)?

Unread postby HaleSun » Sun, 15 Jan 2017, 11:14

Other than Pale Moon's general stance on tracking: viewtopic.php?f=5&t=12103
tracking security out of the box should at the very least be superior to that of Firefox since Pale Moon does not come with certain Firefox features that turn into security liabilities like WebRTC.

There was also the matter of a major security vulnerability in Firefox disclosed last November which allowed an exploit in the Tor browser which would reveal the real Tor user:
http://www.tomshardware.com/news/tor-br ... 33117.html

The exploit itself was heavily based on an earlier exploit discovered way back in 2013:
http://arstechnica.com/security/2013/08 ... tor-users/

This weakness in Firefox is NOT present in Pale Moon: viewtopic.php?f=1&t=13984

Then there's the autofill vulnerability: viewtopic.php?f=4&t=14425
Even though it affects basically every major browser, Mozilla actually wants to add it!: http://news.softpedia.com/news/sneak-pe ... 8993.shtml

Naturally Pale Moon will not add known privacy liabilities for the sake of "convenience".

Though no matter which browser it is, it can only do so much by itself. For robust tracking protection the use of addons is required. With Decentraleyes, uBlock Origin, uMatrix, NoScript, and Crush Those Cookies you should be very secure, but you should also disable Flash and Java.

There are also a few about:config options that enhance privacy and security:

canvas.poisondata > true
This is a Pale Moon exclusive function that thwarts canvas fingerprinting: https://panopticlick.eff.org

webgl.disabled > true
This disables the WebGL hash fingerprinting also tested by panopticlick.

The following is for the truly paranoid:
security.ssl3.dhe_rsa_aes_128_sha > false
security.ssl3.dhe_rsa_aes_256_sha > false
The above disables ciphers suspected to be compromised by the NSA (will break some sites):
https://www.eff.org/deeplinks/2015/10/h ... 024-bit-DH

security.ssl3.rsa_aes_128_sha > false
security.ssl3.rsa_aes_256_sha > false
The above disables ciphers without forward secrecy (will break many sites including most banking sites and PayPal):
https://www.ssllabs.com/ssltest/viewMyClient.html

I hope that answers your question on tracking. As for your other question, only someone more familiar with Pale Moon's internal code can answer that.
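An added example, not part of HaleSun's post or of Pale Moon's code: a small Python audit that reads the text of a profile's prefs.js or user.js and reports which of the about:config values listed above are actually set. The sample profile text is constructed; the function names are illustrative, and the `user_pref("name", value);` line shape is the standard Mozilla prefs file format.

```python
import re

# Values recommended in the post above (as entered in about:config).
RECOMMENDED = {
    "canvas.poisondata": True,
    "webgl.disabled": True,
    "security.ssl3.dhe_rsa_aes_128_sha": False,
    "security.ssl3.dhe_rsa_aes_256_sha": False,
    "security.ssl3.rsa_aes_128_sha": False,
    "security.ssl3.rsa_aes_256_sha": False,
}

# Matches an active user_pref line; lines commented out with // do not match.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+|".*")\s*\)\s*;')

def parse_prefs(text):
    """Return {name: value}; a later line overrides an earlier one."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs

def audit(text):
    """Map each recommended pref to 'ok', 'differs' or 'unset'."""
    prefs = parse_prefs(text)
    report = {}
    for name, wanted in RECOMMENDED.items():
        if name not in prefs:
            report[name] = "unset"  # absent from the profile: browser default applies
        else:
            report[name] = "ok" if prefs[name] is wanted else "differs"
    return report

# Constructed sample profile text, not taken from a real installation.
SAMPLE = '''
user_pref("canvas.poisondata", true);
user_pref("webgl.disabled", false);
// user_pref("security.ssl3.rsa_aes_128_sha", false);
user_pref("security.ssl3.dhe_rsa_aes_128_sha", false);
user_pref("browser.startup.homepage", "about:blank");
'''

if __name__ == "__main__":
    for pref, status in audit(SAMPLE).items():
        print(f"{status:8} {pref}")
```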

Moonchild
Pale Moon guru
Posts: 21705
Joined: Sun, 28 Aug 2011, 17:27
Location: 58.5°N 15.5°E

Re: Tracking protection and NSS SSL secrets logging (two security questions)?

Unread postby Moonchild » Sun, 15 Jan 2017, 13:52

For the SSLKEYLOGFILE, see http://xref.palemoon.org/palemoon-trunk ... ock.c#2867 (and following lines). So the answer is Yes, for now this is possible. If a future version of NSS removes this then it may not remain possible depending on NSS development.
Improving Mozilla code: You know you're on the right track with code changes when you spend the majority of your time deleting code.

"If you want to build a better world for yourself, you have to be willing to build one for everybody." -- Coyote Osborne

miroR
Fanatic
Posts: 102
Joined: Tue, 31 May 2016, 19:22

Re: Tracking protection and NSS SSL secrets logging (two security questions)?

Unread postby miroR » Mon, 16 Jan 2017, 02:14

Thanks for exhaustive answers. That will take me some time to digest.

But, boy, was that a long wait!? I opened the topic at:
Postby miroR » Sun Jul 17, 2016 8:28 am

joe04
Lunatic
Posts: 259
Joined: Mon, 28 Sep 2015, 16:38
Location: US

Re: Tracking protection and NSS SSL secrets logging (two security questions)?

Unread postby joe04 » Mon, 16 Jan 2017, 18:17

@HaleSun thanks for the canvas & webgl info. I made both pref changes. The canvas poisoning is a really nifty little feature and nicely implemented.

FYI, use this simple Webgl test page to verify it's enabled/disabled.

New Tobin Paradigm
Knows the dark side
Posts: 4436
Joined: Tue, 09 Oct 2012, 19:37

Re: Tracking protection and NSS SSL secrets logging (two security questions)?

Unread postby New Tobin Paradigm » Mon, 16 Jan 2017, 18:29

Off-topic:
miroR wrote:But, boy, was that a long wait!? I opened the topic at:
Postby miroR » Sun Jul 17, 2016 8:28 am


If you would like to start paying the developers a generous hourly salary to ensure every one of your concerns are escalated to number one top priority being submitted to a dedicated sub-forum just for you and you alone and not one thread among thousands manned by people who provide a free product freely.. Then maybe you can point out when something slips under the radar or is not addressed at once.

It might be of interest to point out that in that long time gap you could have familiarized yourself and done your own research and come to a conclusion.


miroR
Fanatic
Posts: 102
Joined: Tue, 31 May 2016, 19:22

Re: Tracking protection and NSS SSL secrets logging (two security questions)?

Unread postby miroR » Tue, 17 Jan 2017, 10:22

Matt A Tobin wrote:
Off-topic:
miroR wrote:But, boy, was that a long wait!? I opened the topic at:
Postby miroR » Sun Jul 17, 2016 8:28 am


If you would like to start paying the developers a generous hourly salary to ensure every one of your concerns are escalated to number one top priority being submitted to a dedicated sub-forum just for you and you alone and not one thread among thousands manned by people who provide a free product freely.. Then maybe you can point out when something slips under the radar or is not addressed at once.

It might be of interest to point out that in that long time gap you could have familiarized yourself and done your own research and come to a conclusion.

I was joking! I wasn't complaining!

I actually was so pleased to learn new stuff that I suggested it to others (btw, that topic below is turning into another Palemoon topic ;-) your browser has been gaining much ground in Gentoo community):

Configuring Firefox for more privacy - an attempt (results)
https://lists.gt.net/gentoo/user/321894#321894

Regards!

John connor
Banned user
Posts: 553
Joined: Wed, 21 Jan 2015, 05:06

Re: Tracking protection and NSS SSL secrets logging (two security questions)?

Unread postby John connor » Fri, 20 Jan 2017, 04:51


miroR
Fanatic
Posts: 102
Joined: Tue, 31 May 2016, 19:22

Re: Tracking protection and NSS SSL secrets logging (two security questions)?

Unread postby miroR » Fri, 20 Jan 2017, 07:46

John connor wrote:



Cool! They linked my topic. I'm phamous. https://www.youtube.com/watch?v=C18p7QIbWqc

Except that:
PHAMOUS PLANET HOLLYWOOD FLASH MOB!
https://www.youtube.com/watch?v=C18p7QIbWqc
doesn't have anything to do with the topic. It's some dancing, if anyone cares.

I don't, nor would I have had time to go and view it...

And it would have been nice if the poster pasted the title and explained what it was about, since just the "C18p7QIbWqc" doesn't tell anybody what that Youtube video is about.

And which I corrected, now it is more clear what it is about, so others who don't care, don't have to spend time finding out...

gracious1
Keeps coming back
Posts: 823
Joined: Sun, 15 May 2016, 05:00
Location: muggy, muggy upstate NY

Re: Tracking protection and NSS SSL secrets logging (two security questions)?

Unread postby gracious1 » Tue, 28 Mar 2017, 19:30

HaleSun wrote:There are also a few about:config options that enhance privacy and security:

canvas.poisondata > true
This is a Pale Moon exclusive function that thwarts canvas fingerprinting:
https://panopticlick.eff.org


I made that configuration change, but when I tested at Panopticlick, I still got the result: "your browser has a unique fingerprint". So it didn't seem to work. :(
“Life is what happens to us while we are making other plans.” ― Allen Saunders

testator777
Hobby Astronomer
Posts: 28
Joined: Mon, 09 Jan 2017, 02:49

Re: Tracking protection and NSS SSL secrets logging (two security questions)?

Unread postby testator777 » Wed, 29 Mar 2017, 00:16

canvas.poisondata only randomizes your canvas fingerprint which means you have an extremely unique fingerprint either on every browser session or page load I forget which. If you want to blend in with canvas there is no plugin for that so you would have to write your own. The point of canvas.poisondata is to literally poison the data people collect by canvas by feeding them bogus data every time you visit them. Things like this work better the more everyone does it. But if few do it then it lights you up like spotlighting a one man ship while he is screaming find me.

If you are going to write a plugin for that might I recommend filling in the last few gaps I know of for javascript obfuscation known as Element.getClientRects. https://browserleaks.com/rects and they have more of the usual tracking stuff on the site too. Also https://browserleaks.com/firefox This makes a hash of some .js crux from firefox which can be used to fingerprint. There is a firefox jetpack (unsupported/does not work) plugin called https://addons.mozilla.org/en-US/firefo ... ak/?src=ss if you need tips.

Also why does anybody need access to firefox*.js? I can understand getprefs.js but why the others?
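An added example, not part of the post above and not Pale Moon's implementation: a Python model of why a poisoned canvas still tests as "unique" yet cannot be used to link visits. The pixel generator and per-readout noise are assumptions made for illustration; the thread leaves open whether Pale Moon randomizes per session or per page load.

```python
import hashlib
import os

def render_canvas():
    """Stand-in for a canvas readback: the same bytes on every call,
    as an unmodified browser on one machine would produce."""
    return bytes((x * 7 + y * 13) % 256 for y in range(16) for x in range(16))

def poison(pixels, noise):
    """Flip the low bit of each pixel according to fresh random noise."""
    return bytes(p ^ (n & 1) for p, n in zip(pixels, noise))

def fingerprint(pixels):
    """What a tracker stores: a hash of the readback."""
    return hashlib.sha256(pixels).hexdigest()

def visits(count, poisoned):
    """Fingerprints a tracker would record over `count` visits."""
    seen = []
    for _ in range(count):
        pixels = render_canvas()
        if poisoned:
            pixels = poison(pixels, os.urandom(len(pixels)))
        seen.append(fingerprint(pixels))
    return seen

def linkable(fingerprints):
    """Visits can be tied together only when a fingerprint repeats."""
    return len(set(fingerprints)) < len(fingerprints)

if __name__ == "__main__":
    plain = visits(5, poisoned=False)
    noisy = visits(5, poisoned=True)
    print("plain    distinct:", len(set(plain)), "linkable:", linkable(plain))
    print("poisoned distinct:", len(set(noisy)), "linkable:", linkable(noisy))
```

Each poisoned value is one a test site has never seen, which is why such a test reports a unique fingerprint even though no two visits share it.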

dark_moon

Re: Tracking protection and NSS SSL secrets logging (two security questions)?

Unread postby dark_moon » Wed, 29 Mar 2017, 17:01

The *.js files don't have any private data, so it doesn't matter if a site can read that or not.

Moonchild
Pale Moon guru
Posts: 21705
Joined: Sun, 28 Aug 2011, 17:27
Location: 58.5°N 15.5°E

Re: Tracking protection and NSS SSL secrets logging (two security questions)?

Unread postby Moonchild » Wed, 29 Mar 2017, 21:00

gracious1 wrote:I made that configuration change, but when I tested at Panopticlick, I still got the result: "your browser has a unique fingerprint". So it didn't seem to work. :(


You don't understand. The whole point is making your fingerprint unique, but different every time. You are supposed to have a unique fingerprint. But a different unique fingerprint every time -- I've already explained in another thread how this works and why this is better - maybe someone with a few free minutes can look up the exact thread and link it.
Improving Mozilla code: You know you're on the right track with code changes when you spend the majority of your time deleting code.

"If you want to build a better world for yourself, you have to be willing to build one for everybody." -- Coyote Osborne


