privacy and security

fixmen
Hobby Astronomer
Posts: 26
Joined: 2019-12-23, 16:08

privacy and security

Unread post by fixmen » 2019-12-23, 16:19

hello

version 28.8.0 shows greprefs.js

in this test: https://browserleaks.com/firefox#more

only this plugin helps:
https://addons.thunderbird.net/en-US/th ... dl-popular

^^ works in Pale Moon

In new Firefox, Tor Browser and SeaMonkey this file is invisible.

Moonchild
Pale Moon guru
Posts: 35636
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: privacy and security

Unread post by Moonchild » 2019-12-23, 16:53

FYI: "greprefs" are the platform preferences that are common to all UXP applications and provide 0 privacy or security information about individual installations. It is not possible to get any sort of profile information or non-generic data that lives outside of the browser or extensions through it, so it is not a leak.

The price of blocking resource:// URIs from content is the inability for any extension to use extension and browser resources in page content -- which is exactly why Mozilla waited for the version that killed all "legacy" extensions to put this denial of loading resource:// URIs in Firefox; they knew that it would break many, many powerful extensions by preventing them from putting custom controls in page content.

Also, this has already been discussed before on the forum -- it's old news and you could have found it by searching the forum before posting :)
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

fixmen
Hobby Astronomer
Posts: 26
Joined: 2019-12-23, 16:08

Re: privacy and security

Unread post by fixmen » 2019-12-25, 10:31

ok thx...

please add in a new version if possible... new function: disable all OCSP services, stapling and others

check this:
https://scotthelme.co.uk/revocation-is-broken/

botnets used OCSP = attacking people

proof:
https://www.abuseipdb.com/check/93.184.220.29

^^^ this botnet attacks web browsers (active OCSP) = false certificate ocsp.digicert.com and crl4.digicert.com

Isengrim
Board Warrior
Posts: 1325
Joined: 2015-09-08, 22:54
Location: 127.0.0.1

Re: privacy and security

Unread post by Isengrim » 2019-12-26, 01:13

fixmen wrote:
2019-12-25, 10:31
please add in a new version if possible... new function: disable all OCSP services, stapling and others
I'm really not sure what you're trying to ask here. Do you have privacy concerns with using OCSP, or with how the browser handles revocation, or something else? :eh:
a.k.a. Ascrod
Linux Mint 19.3 Cinnamon (64-bit), Debian Bullseye (64-bit), Windows 7 (64-bit)
"As long as there is someone who will appreciate the work involved in the creation, the effort is time well spent." ~ Tetsuzou Kamadani, Cave Story

John connor

Re: privacy and security

Unread post by John connor » 2019-12-26, 08:09

I don't understand either. And AbuseIPDB is a reporting and API usage website for bad connections, etc. I use the API myself at my website. Meet the confidence score and you're 403ed. My script also reports to AbuseIPDB just like Fail2ban, etc. So in a nutshell, the AbuseIPDB is NOT a browser related thing at all. It's a server thing for websites.

Have a look at these three websites concerning browser fingerprints.

https://panopticlick.eff.org/

https://browserleaks.com/webrtc#webrtc-disable

https://ipx.ac/run

Also, you may want to turn on the canvas.poisondata in about:config. I have had it on for years and have had no trouble with websites.

adesh
Board Warrior
Posts: 1277
Joined: 2017-06-06, 07:38

Re: privacy and security

Unread post by adesh » 2019-12-26, 08:20

fixmen wrote:
2019-12-25, 10:31
please add in a new version if possible... new function: disable all OCSP services, stapling and others
You can disable OCSP check in Pale Moon settings, if that is what you want.
Go to Preferences -> Advanced -> Certificates and uncheck "Use OCSP to confirm the current validity of certificates".

fixmen
Hobby Astronomer
Posts: 26
Joined: 2019-12-23, 16:08

Re: privacy and security

Unread post by fixmen » 2019-12-26, 10:02

OCSP stapling disable possible: plugin or about:config

fixmen
Hobby Astronomer
Posts: 26
Joined: 2019-12-23, 16:08

Re: privacy and security

Unread post by fixmen » 2019-12-26, 10:22

uncheck OCSP and...

check this plugin:
https://addons.palemoon.org/addon/pm-commander/

go to security/ssl, you see OCSP stapling still active by default

fixmen
Hobby Astronomer
Posts: 26
Joined: 2019-12-23, 16:08

Re: privacy and security

Unread post by fixmen » 2019-12-26, 12:21

if OCSP is active:

botnet attacks all Mac, Linux, Windows systems wherever OCSP is enabled.
creating a new TCP process and a new remote connection: and attacking systems

digicert.com is trusted
web browser is trusted (firewall)

ocsp.digicert.com or crl4.digicert.com is trusted in the web browser but false... new remote process from 93.184.220.29 = ocsp.digicert.com or crl4.digicert.com (BOTNET)

Isengrim
Board Warrior
Posts: 1325
Joined: 2015-09-08, 22:54
Location: 127.0.0.1

Re: privacy and security

Unread post by Isengrim » 2019-12-26, 14:49

I'm going to do my best to decipher/translate these...
fixmen wrote:
2019-12-26, 10:02
OCSP stapling disable possible: plugin or about:config
"Is it possible to disable OCSP stapling through an add-on or through about:config?"

Yes. Disabling OCSP entirely can be done using Adesh's instructions. Disabling OCSP stapling can be done through Pale Moon Commander or about:config.
fixmen wrote:
2019-12-26, 10:22
uncheck OCSP and...

check this plugin:
https://addons.palemoon.org/addon/pm-commander/

go to security/ssl, you see OCSP stapling still active by default
"If you disable OCSP, why does the "Use OCSP Stapling" preference still appear as checked in Pale Moon Commander?"

If you disable OCSP completely, the stapling preference will be ignored, so you don't need to worry about its value.
fixmen wrote:
2019-12-26, 12:21
if OCSP is active:

botnet attacks all Mac, Linux, Windows systems wherever OCSP is enabled.
creating a new TCP process and a new remote connection: and attacking systems

digicert.com is trusted
web browser is trusted (firewall)

ocsp.digicert.com or crl4.digicert.com is trusted in the web browser but false... new remote process from 93.184.220.29 = ocsp.digicert.com or crl4.digicert.com (BOTNET)
I'm really confused about this one... can you please rephrase the question?

fixmen
Hobby Astronomer
Posts: 26
Joined: 2019-12-23, 16:08

Re: privacy and security

Unread post by fixmen » 2020-01-04, 16:56

I mean adding a new function in the certificates tab "disable OCSP stapling"

Moonchild
Pale Moon guru
Posts: 35636
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: privacy and security

Unread post by Moonchild » 2020-01-04, 18:57

I don't see a point in doing that. Stapling OCSP responses is a Good Thing™ and you can already disable it if you insist in about:config.
Also, crl*.digicert.com is not a BOT NET connection at all. It's a server of a certificate authority that serves certificate revocation lists (the older method prior to OCSP).

Methinks you are being paranoid about normal connections made to check and verify the validity of SSL certificates. I'll summarize the tech for you:
  • OCSP stapled responses: you want this wherever possible if you are concerned about CAs tracking you (which is unlikely). A stapled OCSP response is served by the https server you are connecting to and is a cryptographically-signed OCSP response attached to the certificate with short validity that verifies the certificate is verified and authenticated for use (i.e. a verification it is valid, issued by the CA and not revoked). This streamlines the validity checking without having to connect to other servers than the ones you are already connecting to.
  • OCSP lookups: if not stapled, an OCSP lookup is performed to verify the validity of a certificate directly with the designated server operated by the CA. The type of verification is the same as with a stapled response but you request it from the CA directly, instead.
  • CRL lookups: If you use further fallback because OCSP isn't/can't be used and it's not stapled, then the browser can perform a lookup by requesting a certificate revocation list, which is a list of all certificates that have been revoked by the CA. This is considerably slower because you request a potentially large list, not a specific host, and not all CAs support this anymore because of the bandwidth such a thing would require.
All these methods are perfectly normal to use to verify that the server certificate is valid and allowed to be used.
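The fallback chain Moonchild lays out above (stapled OCSP response first, then a live OCSP lookup at the CA, then a CRL download) and the point made earlier in the thread that a disabled OCSP setting makes the stapling preference irrelevant, as an added example that is not part of the thread or of Pale Moon's own code. It models the client-side decision only: which source answers the revocation question, and which CA hosts get contacted on top of the site itself. The preference names are the Gecko about:config keys security.OCSP.enabled, security.ssl.enable_ocsp_stapling and security.OCSP.require (assumed to apply to Pale Moon unchanged); the hostnames, serial numbers and "network" answers are constructed.

```python
# Added example (not Pale Moon's code): model of the revocation-check fallback
# order -- stapled OCSP response, then live OCSP lookup, then CRL -- and of the
# extra connections each step costs. Pref names are the Gecko about:config
# keys (assumed to apply to Pale Moon); all hosts and serials are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional
from urllib.parse import urlparse


@dataclass
class StapledResponse:
    """Signed OCSP response the https server attaches to its certificate."""
    cert_status: str            # "good", "revoked" or "unknown"
    this_update: datetime       # start of the (short) validity window
    next_update: datetime       # end of the validity window
    signature_valid: bool = True


@dataclass
class Handshake:
    """What the client learns from the TLS handshake and the leaf certificate."""
    serial: int
    ocsp_url: Optional[str]                      # OCSP responder from the cert, if any
    crl_urls: List[str] = field(default_factory=list)
    stapled: Optional[StapledResponse] = None


@dataclass
class Prefs:
    ocsp_enabled: int = 1         # security.OCSP.enabled: 0 = off, 1 = on
    ocsp_stapling: bool = True    # security.ssl.enable_ocsp_stapling
    ocsp_require: bool = False    # security.OCSP.require: hard-fail when nobody answers


def check_revocation(hs: Handshake, prefs: Prefs, now: datetime,
                     ca_responses: Dict[str, object]) -> dict:
    """Return {"method", "status", "contacted"}; `contacted` lists the CA hosts
    reached in addition to the site itself. `ca_responses` stands in for the
    network: OCSP URL -> "good"/"revoked", CRL URL -> set of revoked serials;
    a missing key means that CA server could not be reached."""
    contacted: List[str] = []
    if prefs.ocsp_enabled == 0:
        # OCSP switched off entirely: the stapling pref is never consulted.
        return {"method": "none", "status": "unchecked", "contacted": contacted}

    # 1. Stapled response: served by the site, costs no extra connection.
    s = hs.stapled
    if prefs.ocsp_stapling and s is not None:
        if s.signature_valid and s.this_update <= now <= s.next_update:
            return {"method": "stapled", "status": s.cert_status, "contacted": contacted}
        # Expired or badly signed staple: discard it and fall through.

    # 2. Live OCSP lookup: one request to the CA's responder.
    if hs.ocsp_url:
        contacted.append(urlparse(hs.ocsp_url).hostname)
        answer = ca_responses.get(hs.ocsp_url)
        if answer in ("good", "revoked"):
            return {"method": "ocsp", "status": answer, "contacted": contacted}

    # 3. CRL fallback: fetch the whole revocation list and search for the serial.
    for url in hs.crl_urls:
        contacted.append(urlparse(url).hostname)
        crl = ca_responses.get(url)
        if crl is not None:
            status = "revoked" if hs.serial in crl else "good"
            return {"method": "crl", "status": status, "contacted": contacted}

    # Nobody answered: soft-fail (accept) unless OCSP.require asks for hard-fail.
    status = "error" if prefs.ocsp_require else "unknown-soft-fail"
    return {"method": "none", "status": status, "contacted": contacted}


OCSP_URL = "http://ocsp.example-ca.test/"          # constructed responder URL
CRL_URL = "http://crl.example-ca.test/ca.crl"      # constructed CRL URL


def scenarios() -> Dict[str, dict]:
    """Constructed handshakes exercising each branch of the fallback chain."""
    now = datetime(2020, 1, 4, 18, 57, tzinfo=timezone.utc)
    fresh = StapledResponse("good", now - timedelta(hours=1), now + timedelta(days=6))
    stale = StapledResponse("good", now - timedelta(days=10), now - timedelta(days=3))
    network = {OCSP_URL: "good", CRL_URL: {0x1234}}
    results = {}
    # Fresh staple: verified without contacting the CA at all.
    results["fresh_staple"] = check_revocation(
        Handshake(0x1111, OCSP_URL, [CRL_URL], fresh), Prefs(), now, network)
    # Stale staple: its short validity window has passed, so a live lookup happens.
    results["expired_staple"] = check_revocation(
        Handshake(0x1111, OCSP_URL, [CRL_URL], stale), Prefs(), now, network)
    # OCSP disabled in preferences: the staple is present but never looked at.
    results["ocsp_off"] = check_revocation(
        Handshake(0x1111, OCSP_URL, [CRL_URL], fresh), Prefs(ocsp_enabled=0), now, network)
    # Responder unreachable, CRL lists this serial: found revoked via the CRL.
    results["crl_revoked"] = check_revocation(
        Handshake(0x1234, OCSP_URL, [CRL_URL], None), Prefs(), now, {CRL_URL: {0x1234}})
    return results


if __name__ == "__main__":
    for name, r in scenarios().items():
        print(f"{name:15} {r['method']:8} {r['status']:18} extra hosts: {r['contacted']}")
```

Running the script prints one line per scenario; the "fresh_staple" case is the one Moonchild recommends, because it reaches a verdict without any connection to the CA, while the expired-staple and CRL cases show exactly which CA host the browser would contact and why.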