privacy and security

General project discussion
Forum rules
This General Discussion board is meant for topics that are still relevant to Pale Moon, web browsers, browser tech, and related, but don't have a more fitting board available.

Please stick to the relevance of this forum here, which focuses on everything around the Pale Moon project and its user community. "Random" subjects don't belong here, and should be posted in the Off-Topic board.
Locked
User avatar
fixmen
Hobby Astronomer
Hobby Astronomer
Posts: 22
Joined: 2019-12-23, 16:08

privacy and security

Post by fixmen » 2019-12-23, 16:19

hello

version 28.8.0 show greprefs.js

in this test:> https://browserleaks.com/firefox#more

help only this plugin:
https://addons.thunderbird.net/en-US/th ... dl-popular

^^ work in pale moon

in new firefox,torbrowser and seamonkey is Invisible this file.

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 27933
Joined: 2011-08-28, 17:27
Location: Tranås, SE
Contact:

Re: privacy and security

Post by Moonchild » 2019-12-23, 16:53

FYI: "greprefs" are the platform preferences that are common to all UXP applications and provide 0 privacy or security information about individual installations. It is not possible to get any sort of profile information or non-generic data that lives outside of the browser or extensions through it, so it is not a leak.

The price of blocking resource:// URIs from content is the inability for any extension to use extension and browser resources in page content -- which is exactly why Mozilla waited for the version that killed all "legacy" extensions to put this denial of loading resource:// URIs in Firefox; they knew that it would break many, many powerful extensions by preventing them from putting custom controls in page content.

Also, this has already been discussed before on the forum -- it's old news and you could have found it by searching the forum before posting :)
"There will be times when the position you advocate, no matter how well framed and supported, will not be accepted by the public simply because you are who you are." -- Merrill Rose
Image

User avatar
fixmen
Hobby Astronomer
Hobby Astronomer
Posts: 22
Joined: 2019-12-23, 16:08

Re: privacy and security

Post by fixmen » 2019-12-25, 10:31

ok thx...

please add i new vesrion is possible...new funcion dissable all OSCP services taplink and others

check this:
https://scotthelme.co.uk/revocation-is-broken/

bot nets used oscp = attacking peoples

proff:
https://www.abuseipdb.com/check/93.184.220.29

^^^ this bot net attacking webbrowsers (active OSCP) = false certificate ocsp.digicert.com and crl4.digicert.com

User avatar
Isengrim
Board Warrior
Board Warrior
Posts: 1257
Joined: 2015-09-08, 22:54
Location: 127.0.0.1
Contact:

Re: privacy and security

Post by Isengrim » 2019-12-26, 01:13

fixmen wrote:
2019-12-25, 10:31
please add i new vesrion is possible...new funcion dissable all OSCP services taplink and others
I'm really not sure what you're trying to ask here. Do you have privacy concerns with using OCSP, or with how the browser handles revocation, or something else? :eh:
Linux Mint 19.3 Cinnamon (64-bit), Debian Bullseye (64-bit), Windows 7 (64-bit)
"As long as there is someone who will appreciate the work involved in the creation, the effort is time well spent." ~ Tetsuzou Kamadani, Cave Story

John connor
Banned user
Banned user
Posts: 1492
Joined: 2015-01-21, 05:06

Re: privacy and security

Post by John connor » 2019-12-26, 08:09

I don't understand either. And AbuseIPDB is a reporting and API usage website for bad connections, etc. I use the API myself at my website. Meet the confidence score and you're 403ed. My script also reports to AbuseIPDB just like Fail2ban, etc. So in a nutshell, the AbuseIPDB is NOT a browser related thing at all. It's a server thing for websites.

Have a look at these three websites concerning browser fingerprints.

https://panopticlick.eff.org/

https://browserleaks.com/webrtc#webrtc-disable

https://ipx.ac/run

Also, you may want to turn on the canvas.poisondata in about:config. I have had it on for years and have had no trouble with websites.

User avatar
adesh
Board Warrior
Board Warrior
Posts: 1209
Joined: 2017-06-06, 07:38

Re: privacy and security

Post by adesh » 2019-12-26, 08:20

fixmen wrote:
2019-12-25, 10:31
please add i new vesrion is possible...new funcion dissable all OSCP services taplink and others
You can disable OCSP check in Pale Moon settings, if that is what you want.
Go to Preferences -> Advanced -> Certificates and uncheck "Use OCSP to confirm the current validity of certificates".

User avatar
fixmen
Hobby Astronomer
Hobby Astronomer
Posts: 22
Joined: 2019-12-23, 16:08

Re: privacy and security

Post by fixmen » 2019-12-26, 10:02

oscp staplink disable possible : plugin or about:config

User avatar
fixmen
Hobby Astronomer
Hobby Astronomer
Posts: 22
Joined: 2019-12-23, 16:08

Re: privacy and security

Post by fixmen » 2019-12-26, 10:22

uncheck OSCP and...

check this plugin:
https://addons.palemoon.org/addon/pm-commander/

go to security/ssl / you see stapling OSCP still default active

User avatar
fixmen
Hobby Astronomer
Hobby Astronomer
Posts: 22
Joined: 2019-12-23, 16:08

Re: privacy and security

Post by fixmen » 2019-12-26, 12:21

if active oscp:

bot net attacks all MAC, LINUX, WINDOWS systems wherever OSCP is enabled.
creating a new process tcp and a new connection remote: and attacking systems

digicert.com is trusted
webrowser is trusted (firewall)

ocsp.digicert.com or crl4.digicert.com is trusted in webbrowser but false ..remote new process: from: 93.184.220.29 = ocsp.digicert.com or crl4.digicert.com (BOT NET)

User avatar
Isengrim
Board Warrior
Board Warrior
Posts: 1257
Joined: 2015-09-08, 22:54
Location: 127.0.0.1
Contact:

Re: privacy and security

Post by Isengrim » 2019-12-26, 14:49

I'm going to do my best to decipher/translate these...
fixmen wrote:
2019-12-26, 10:02
oscp staplink disable possible : plugin or about:config
"Is it possible to disable OCSP stapling through an add-on or through about:config?"

Yes. Disabling OCSP entirely can be done using Adesh's instructions. Disabling OCSP stapling can be done through Pale Moon Commander or about:config.
fixmen wrote:
2019-12-26, 10:22
uncheck OSCP and...

check this plugin:
https://addons.palemoon.org/addon/pm-commander/

go to security/ssl / you see stapling OSCP still default active
"If you disable OCSP, why does the "Use OCSP Stapling" preference still appear as checked in Pale Moon Commander?"

If you disable OCSP completely, the stapling preference will be ignored, so you don't need to worry about its value.
fixmen wrote:
2019-12-26, 12:21
if active oscp:

bot net attacks all MAC, LINUX, WINDOWS systems wherever OSCP is enabled.
creating a new process tcp and a new connection remote: and attacking systems

digicert.com is trusted
webrowser is trusted (firewall)

ocsp.digicert.com or crl4.digicert.com is trusted in webbrowser but false ..remote new process: from: 93.184.220.29 = ocsp.digicert.com or crl4.digicert.com (BOT NET)
I'm really confused about this one... can you please rephrase the question?
Linux Mint 19.3 Cinnamon (64-bit), Debian Bullseye (64-bit), Windows 7 (64-bit)
"As long as there is someone who will appreciate the work involved in the creation, the effort is time well spent." ~ Tetsuzou Kamadani, Cave Story

User avatar
fixmen
Hobby Astronomer
Hobby Astronomer
Posts: 22
Joined: 2019-12-23, 16:08

Re: privacy and security

Post by fixmen » 2020-01-04, 16:56

I mean adding a new function in the certificates tab "disable oscp staplinkg"

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 27933
Joined: 2011-08-28, 17:27
Location: Tranås, SE
Contact:

Re: privacy and security

Post by Moonchild » 2020-01-04, 18:57

I don't see a point in doing that. Stapling OCSP responses is a Good Thing™ and you can already disable it if you insist in about:config.
Also, crl*.digicert.com is not a BOT NET connection at all. It's a server os a certificate authority that serves certificate revocation lists (the older method prior to OCSP)

Methinks you are being paranoid about normal connections made to check and verify the validity of SSL certificates. I'll summarize the tech for you:
  • OCSP stapled responses: you want this wherever possible if you are concerned about CAs tracking you (which is unlikely). A stapled OCSP response is served by the https server you are connecting to and is a cryptographically-signed OCSP response attached to the certificate with short validity that verifies the certificate is verified and authenticated for use (i.e. a verification it is valid, issued by the CA and not revoked). This streamlines the validity checking without having to connect to other servers than the ones you are already connecting to.
  • OCSP lookups: if not stapled, an OCSP lookup is performed to verify the validity of a certificate directly with the designated server operated by the CA. The type of verification is the same as with a stapled response but you request it from the CA directly, instead.
  • CRL lookups: If you use further fallback because OCSP isn't/can't be used and it's not stapled, then the browser can perform a lookup by requesting a certificate revocation list, which is a list of all certificates that have been revoked by the CA. This is considerably slower because you request a potentially large list, not a specific host, and not all CAs support this anymore because of the bandwidth such a thing would require.
All these methods are perfectly normal to use to verify that the server certificate is valid and allowed to be used.
"There will be times when the position you advocate, no matter how well framed and supported, will not be accepted by the public simply because you are who you are." -- Merrill Rose
Image

Locked