Tracking protection and NSS SSL secrets logging (two security questions)?

miroR
Fanatic
Posts: 116
Joined: 2016-05-31, 19:22

Unread post by miroR » 2016-07-17, 06:28

Title: Tracking protection and NSS SSL secrets logging (two security questions)?
---
I have been a Firefox user since it became, out of Netscape. A Linux user, Gentoo in the last near one decade (also a little Debian, and planning on Devuan too).

I hear good things a lot about Pale Moon, I have studied quite a few forum posts here, and searched a lot (with the duck-engine, I don't like being tracked, so no Goog).

I had my strong doubts about Firefox dissipated forcefully with the advent of tracking protection feature, by which even Goog's own tracking itself is being really left out (the https://disconnect.me do, appears to me, a good job), I know Goog's is being disconnected also because I trace (with Wireshark's dumpcap) whenever I go online and later often read the network.

I haven't yet installed Pale Moon, because the tracking protection in Firefox has made me very content.

I haven't been completely convinced by the renewed privacy protections in Firefox, because I keep checking on everything, and I want to know for sure about things (very hard!). But I surely have no grounds to distrust it or complain about it. At least as yet.

I really wonder what Pale Moon offers to protect users from tracking? Is it as strong a protection as Firefox is? Is it the same tracking protection feature Firefox uses?

That was one thing.

Another thing is actually connected with my claim that I (often) read the network after I was online.

I surely couldn't really do that if there wasn't the NSS and if I didn't set the SSLKEYLOGFILE env variable (as per https://wiki.wireshark.org/SSL) and if I didn't patch the NSS library with the small patch at:

>=dev-libs/nss-3.24 - Add USE flag to enable SSL key logging
https://bugs.gentoo.org/show_bug.cgi?id=587116

because the SSL decrypting is what rare users really do... And that convenience is not anymore readily available for security concerns (I have a grsecurity-hardened kernel and hope to be able to keep secure though).

So the other question of mine is if the SSL secrets logging via NSS library is available in Pale Moon so the above method of mine can be deployed?

Regards!
---
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Try refute: rootkit hooks in kernel, linux capabilities for intrusion? (Linus?)

miroR

Unread post by miroR » 2017-01-15, 06:28

Palemoon can log SSL-keys, just like its original program Firefox.

The thread on it:
https://marc.info/?t=148216793700001&r=1&w=2

and it starts here:

[gentoo-user] Reading the (SSL) traffic with Pale Moon
https://marc.info/?l=gentoo-user&m=148216789330419&w=2

And I've been using it daily. Don't think there are issues with it, but I'm not an expert.

BTW, it's Linux, Gentoo Linux, but $SSLKEYLOGFILE can be set in Windoze and Mac as well ;)

HaleSun
Fanatic
Posts: 109
Joined: 2016-03-11, 11:39

Unread post by HaleSun » 2017-01-15, 11:14

Other than Pale Moon's general stance on tracking: viewtopic.php?f=5&t=12103
tracking security out of the box should at the very least be superior to that of Firefox since Pale Moon does not come with certain Firefox features that turn into security liabilities like WebRTC.

There was also the matter of a major security vulnerability in Firefox disclosed last November which allowed an exploit in the Tor browser which would reveal the real Tor user:
http://www.tomshardware.com/news/tor-br ... 33117.html

The exploit itself was heavily based on an earlier exploit discovered way back in 2013:
http://arstechnica.com/security/2013/08 ... tor-users/

This weakness in Firefox is NOT present in Pale Moon: viewtopic.php?f=1&t=13984

Then there's the autofill vulnerability: viewtopic.php?f=4&t=14425
Even though it affects basically every major browser, Mozilla actually wants to add it!: http://news.softpedia.com/news/sneak-pe ... 8993.shtml

Naturally Pale Moon will not add known privacy liabilities for the sake of "convenience".

Though no matter which browser it is, it can only do so much by itself. For robust tracking protection the use of addons is required. With Decentraleyes, uBlock Origin, uMatrix, NoScript, and Crush Those Cookies you should be very secure, but you should also disable Flash and Java.

There are also a few about:config options that enhance privacy and security:

canvas.poisondata > true
This is a Pale Moon exclusive function that thwarts canvas fingerprinting: https://panopticlick.eff.org

webgl.disabled > true
This disables the WebGL hash fingerprinting also tested by panopticlick.

The following is for the truly paranoid:
security.ssl3.dhe_rsa_aes_128_sha > false
security.ssl3.dhe_rsa_aes_256_sha > false
The above disables ciphers suspected to be compromised by the NSA (will break some sites):
https://www.eff.org/deeplinks/2015/10/h ... 024-bit-DH

security.ssl3.rsa_aes_128_sha > false
security.ssl3.rsa_aes_256_sha > false
The above disables ciphers without forward secrecy (will break many sites including most banking sites and PayPal):
https://www.ssllabs.com/ssltest/viewMyClient.html

I hope that answers your question on tracking. As for your other question, only someone more familiar with Pale Moon's internal code can answer that.
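
One way to check a profile against the about:config values listed in the post above. This is an added example, not part of the original post or of Pale Moon; the sample profile text is constructed, and the function name `audit_prefs` is hypothetical.

```python
import re

# Values recommended in HaleSun's post (pref name -> value).
RECOMMENDED = {
    "canvas.poisondata": True,
    "webgl.disabled": True,
    "security.ssl3.dhe_rsa_aes_128_sha": False,
    "security.ssl3.dhe_rsa_aes_256_sha": False,
    "security.ssl3.rsa_aes_128_sha": False,
    "security.ssl3.rsa_aes_256_sha": False,
}
# Matches boolean lines such as: user_pref("webgl.disabled", true);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(true|false)\s*\)\s*;')

def audit_prefs(text):
    """Return {pref: 'ok' | 'differs' | 'not set'} for the recommended prefs."""
    seen = {}
    for line in text.splitlines():
        match = PREF_LINE.match(line)  # commented-out lines do not match
        if match:
            # A later line for the same pref replaces an earlier one.
            seen[match.group(1)] = match.group(2) == "true"
    report = {}
    for name, wanted in RECOMMENDED.items():
        if name not in seen:
            report[name] = "not set"
        else:
            report[name] = "ok" if seen[name] == wanted else "differs"
    return report

# Constructed sample of a prefs.js / user.js file.
SAMPLE_PREFS = """\
// user_pref("canvas.poisondata", true);
user_pref("webgl.disabled", false);
user_pref("webgl.disabled", true);
user_pref("security.ssl3.dhe_rsa_aes_128_sha", false);
user_pref("security.ssl3.rsa_aes_128_sha", true);
"""

if __name__ == "__main__":
    for pref, status in audit_prefs(SAMPLE_PREFS).items():
        print(f"{pref}: {status}")
```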

Moonchild
Pale Moon guru
Posts: 35473
Joined: 2011-08-28, 17:27
Location: Motala, SE

Unread post by Moonchild » 2017-01-15, 13:52

For the SSLKEYLOGFILE, see http://xref.palemoon.org/palemoon-trunk ... ock.c#2867 (and following lines). So the answer is Yes, for now this is possible. If a future version of NSS removes this then it may not remain possible depending on NSS development.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

miroR

Unread post by miroR » 2017-01-16, 02:14

Thanks for exhaustive answers. That will take me some time to digest.

But, boy, was that a long wait!? I opened the topic at:
Postby miroR » Sun Jul 17, 2016 8:28 am

joe04

Unread post by joe04 » 2017-01-16, 18:17

@HaleSun thanks for the canvas & webgl info. I made both pref changes. The canvas poisoning is a really nifty little feature and nicely implemented.

FYI, use this simple Webgl test page to verify it's enabled/disabled.

New Tobin Paradigm

Unread post by New Tobin Paradigm » 2017-01-16, 18:29

Off-topic:
miroR wrote:But, boy, was that a long wait!? I opened the topic at:
Postby miroR » Sun Jul 17, 2016 8:28 am
If you would like to start paying the developers a generous hourly salary to ensure every one of your concerns are escalated to number one top priority being submitted to a dedicated sub-forum just for you and you alone and not one thread among thousands manned by people who provide a free product freely.. Then maybe you can point out when something slips under the radar or is not addressed at once.

It might be of interest to point out that in that long time gap you could have familiarized yourself and done your own research and come to a conclusion.

miroR

Unread post by miroR » 2017-01-17, 10:22

Matt A Tobin wrote:
Off-topic:
miroR wrote:But, boy, was that a long wait!? I opened the topic at:
Postby miroR » Sun Jul 17, 2016 8:28 am
If you would like to start paying the developers a generous hourly salary to ensure every one of your concerns are escalated to number one top priority being submitted to a dedicated sub-forum just for you and you alone and not one thread among thousands manned by people who provide a free product freely.. Then maybe you can point out when something slips under the radar or is not addressed at once.

It might be of interest to point out that in that long time gap you could have familiarized yourself and done your own research and come to a conclusion.
I was joking! I wasn't complaining!

I actually was so pleased to learn new stuff that I suggested it to others (btw, that topic below is turning into another Palemoon topic ;-) your browser has been gaining much ground in Gentoo community):

Configuring Firefox for more privacy - an attempt (results)
https://lists.gt.net/gentoo/user/321894#321894

Regards!


miroR

Unread post by miroR » 2017-01-20, 07:46

John connor wrote:

Cool! They linked my topic. I'm phamous. https://www.youtube.com/watch?v=C18p7QIbWqc
Except that:
PHAMOUS PLANET HOLLYWOOD FLASH MOB!
https://www.youtube.com/watch?v=C18p7QIbWqc
doesn't have anything to do with the topic. It's some dancing, if anyone cares.

I don't, nor would I have had time to go and view it...

And it would have been nice if the poster pasted the title and explained what it was about, since just the "C18p7QIbWqc" doesn't tell anybody what that Youtube video is about.

And which I corrected, now it is more clear what it is about, so others who don't care, don't have to spend time finding out...

gracious1
Keeps coming back
Posts: 891
Joined: 2016-05-15, 05:00
Location: humid upstate NY

Unread post by gracious1 » 2017-03-28, 19:30

HaleSun wrote:There are also a few about:config options that enhance privacy and security:

canvas.poisondata > true
This is a Pale Moon exclusive function that thwarts canvas fingerprinting:
https://panopticlick.eff.org
I made that configuration change, but when I tested at Panopticlick, I still got the result: "your browser has a unique fingerprint". So it didn't seem to work. :(
20 July 1969 🌗 Apollo 11 🌓 "One small step for [a] man, one giant leap for mankind." 🚀

testator777

Unread post by testator777 » 2017-03-29, 00:16

canvas.poisondata only randomizes your canvas fingerprint, which means you have an extremely unique fingerprint either on every browser session or page load, I forget which. If you want to blend in with canvas there is no plugin for that so you would have to write your own. The point of canvas.poisondata is to literally poison the data people collect by canvas by feeding them bogus data every time you visit them. Things like this work better the more everyone does it. But if few do it then it lights you up like spotlighting a one man ship while he is screaming find me.

If you are going to write a plugin for that, might I recommend filling in the last few gaps I know of for javascript obfuscation known as Element.getClientRects. https://browserleaks.com/rects and they have more of the usual tracking stuff on the site too. Also https://browserleaks.com/firefox This makes a hash of some .js crux from firefox which can be used to fingerprint. There is a firefox jetpack (unsupported/does not work) plugin called https://addons.mozilla.org/en-US/firefo ... ak/?src=ss if you need tips.

Also why does anybody need access to firefox*.js? I can understand getprefs.js but why the others?

dark_moon

Unread post by dark_moon » 2017-03-29, 17:01

The *.js files don't have any private data, so it doesn't matter if a site can read that or not.

Moonchild

Unread post by Moonchild » 2017-03-29, 21:00

gracious1 wrote:I made that configuration change, but when I tested at Panopticlick, I still got the result: "your browser has a unique fingerprint". So it didn't seem to work. :(
You don't understand. The whole point is making your fingerprint unique, but different every time. You are supposed to have a unique fingerprint. But a different unique fingerprint every time -- I've already explained in another thread how this works and why this is better - maybe someone with a few free minutes can look up the exact thread and link it.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
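
The "unique, but different every time" behaviour described in the posts above can be shown with a small simulation. This is an added example, not Pale Moon's implementation: the pixel data is constructed, and the poisoning model (random flips of the lowest bit of each byte) is an assumption made for illustration.

```python
import hashlib
import os

def render_canvas():
    """Stand-in for the pixel bytes a page reads back from a canvas (constructed)."""
    return bytes((x * 7 + y * 13) % 256 for y in range(16) for x in range(16))

def poison(pixels, noise):
    """Assumed poisoning model: XOR the lowest bit of each byte with random noise."""
    return bytes(p ^ (n & 1) for p, n in zip(pixels, noise))

def fingerprint(pixels):
    """What a fingerprinting script would store: a hash of the pixel data."""
    return hashlib.sha256(pixels).hexdigest()

def simulate(visits, poisoned):
    """Fingerprints a tracker records over repeated visits by one browser."""
    seen = []
    for _ in range(visits):
        pixels = render_canvas()
        if poisoned:
            pixels = poison(pixels, os.urandom(len(pixels)))
        seen.append(fingerprint(pixels))
    return seen

def linkable_visits(fingerprints):
    """Number of visits whose fingerprint matches an earlier visit."""
    earlier, linked = set(), 0
    for fp in fingerprints:
        linked += fp in earlier
        earlier.add(fp)
    return linked

if __name__ == "__main__":
    for label, flag in (("stable canvas", False), ("poisoned canvas", True)):
        fps = simulate(5, flag)
        print(label, "distinct:", len(set(fps)), "linkable:", linkable_visits(fps))
```

A test site that only asks "is this fingerprint unique?" reports the same answer in both cases; the difference shows up only when visits are compared with each other.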

