Mailing List Archive

Reading the (SSL) traffic with Pale Moon, WAS: from Firefox52: NO pure ALSA? Youtube... Audio: No
On 161217-20:56-0500, Walter Dnes wrote:
> I'm running Pale Moon. In an xterm, I did...
>
> export SSLKEYLOGFILE=/dev/shm/sslkeylogfile.txt
>
> ...and launched Pale Moon manually from the commandline. nd visited a
> couple of https sites. I did get /dev/shm/sslkeylogfile.txt which
> begins with the line...
>
> # SSL/TLS secrets log file, generated by NSS
>
> Following that are a bunch of lines starting with...
>
> CLIENT_RANDOM
>
> ...followed by a space, followed by 161 random hex-numeric characters
> i.e. [0-9a-f].
>
> I also saw a line beginning with...
>
> RSA
>
> ...followed by a space, followed by 113 random hex-numeric characters
> i.e. [0-9a-f].

The very usual and familiar text that I take all --really all-- the
time. Ever since I was pwned:
System attacked, Konqueror went on window-popping spree!
https://forums.gentoo.org/viewtopic-t-905472.html
(
Ah, and my Vimeo videos are back; not the Youtube ones, and it happened
relatively recently that my vimeo videos are back, linked from that
five, 5, years old topic on Gentoo Forums, as I informed here when they
too were removed:
https://forums.gentoo.org/viewtopic-t-905472-start-25.html#7881412

Plus, no way for me to update the Forums, since some people, like one of
the Site Admins there, really don't like me:
Was I really hijacking topics from other members?
https://forums.gentoo.org/viewtopic-t-1041614.html
Ctrl-F "your account has been banned.", currently still the very last
line, date was: "Posted: Fri Apr 01, 2016 3:14 am"
)

[Ever since I was pwned], I inquired a lot about this capabilitiy, and
some btwn 1 and 2 years ago I learned that since some times 2013 or
around there (so I was just around 2 years late from the beeding edge
development), Wireshark can read what Firefox SSL-keys captures, and
since then I capture SSL-keys all the time time.

> If you plan to do this regularly, your program launcher will need to
> launch bash scripts with seperate filenames for each profile. Maybe
> append date-time stamp to filenames to avoid multiple sessions
> overwriting each other.
In Firefox, you just need very little settings on the outside, :
https://wiki.wireshark.org/SSL
>
> As for privacy, there are the usual features, like...
>
> * asking sites to not track (don't trust that)
> * control of which sites to accept/refuse regular cookies, and 3rd-party
> cookies, from
> * whether or not to clear browsing and download history
> * private browsing session
I think some of the suggested extensions/addons here:
https://wiki.gentoo.org/wiki/Tor
(sadly) use Australis I currently have eff-https everywhere,
RequestPolicy-continued, Privacy Badger, NoScript and Agent Spoofer.
Some of them, I read (but don't remember which ones), use Australis...

But...
> --
> Walter Dnes <waltdnes@waltdnes.org>
> I don't run "desktop environments"; I run useful applications
>
...But thanks, why was this so hard to tell... See there in the Pale
Moon forums, nobody replied (yet)...

How come people are so little interested to read the traffic?

I have all kinds of traces posted (
far from expert talk, but still
useful stuff in somebody wants to learn to read the traffic of his own:
http://www.croatiafidelis.hr/foss/cap/
)...

How come people are so little interested to read the traffic, to learn
how sites behave which they visit, and often to discover what sites
really do to them?

I'll go and inquire at the Pale Moon forum about the issues above, and
will post there this exact question above, I think.

Also, if this is really true, the Wireshark SSL wiki (the link above)
needs to be updated...

And more, wait...

Wait... Did you need to patch the nss library to get the $SSLKEYLOGFILE
being written to? Like in this bug:

>=dev-libs/nss-3.24 - Add USE flag to enable SSL key logging
https://bugs.gentoo.org/show_bug.cgi?id=587116

Did you? (That's about the only patch there, that I submitted to
Bugzilla anywhere ;-) btw.)

I'm puzzled... And overwhelmed with work, because I must now find time
to install and set Pale Moon to the (SSL) traffic (and I'm really a slow
worker).

(Still half-disbelieving... so surprised I am.)
--
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Re: Reading the (SSL) traffic with Pale Moon, WAS: from Firefox52: NO pure ALSA? Youtube... Audio: No [ In reply to ]
> How come people are so little interested to read the traffic, to learn
> how sites behave which they visit, and often to discover what sites
> really do to them?
>
> I'll go and inquire at the Pale Moon forum about the issues above, and
> will post there this exact question above, I think.

This is a very obscure topic. Maybe nobody who knows about it read
that post. I only read 3 sub-forums...

* Announcements... for new versions, etc
* Pale Moon for Linux... because I run the linux version
* Contributed builds... I do an SSE-only contributed 32-bit build. It
is useful for older Pentium 3 class machines, which will not run the
regular Pale Moon build.

I couldn't find anything about NSS logging on Google... except your
question. I followed the instructions in your post here, and that's how
I got it to work. I did not know about it until you told me.

> Wait... Did you need to patch the nss library to get the $SSLKEYLOGFILE
> being written to? Like in this bug:
>
> >=dev-libs/nss-3.24 - Add USE flag to enable SSL key logging
> https://bugs.gentoo.org/show_bug.cgi?id=587116
>
> Did you? (That's about the only patch there, that I submitted to
> Bugzilla anywhere ;-) btw.)

No patches required to the source code for that. I do my own custom
manual build, to eliminate the dependancy on dbus, plus other tweaks.
That involves setting options in the mozconfig file, but no source code
changes. If you want to do your own build, see my post on December 9th
https://forum.palemoon.org/viewtopic.php?f=37&t=13898&start=20#p100625
Note; this is version 2 of my build environment. You should see an
attached file "pmmain.tgz" on that post. Do not use version 1, with
(utils.tgz) in the first post of that thread.

--
Walter Dnes <waltdnes@waltdnes.org>
I don't run "desktop environments"; I run useful applications
Re: Reading the (SSL) traffic with Pale Moon, WAS: from Firefox52: NO pure ALSA? Youtube... Audio: No [ In reply to ]
On 161218-02:04-0500, Walter Dnes wrote:
> > How come people are so little interested to read the traffic, to learn
> > how sites behave which they visit, and often to discover what sites
> > really do to them?
> >
> > I'll go and inquire at the Pale Moon forum about the issues above, and
> > will post there this exact question above, I think.
>
> This is a very obscure topic. Maybe nobody who knows about it read
> that post. I only read 3 sub-forums...
>
> * Announcements... for new versions, etc
> * Pale Moon for Linux... because I run the linux version
> * Contributed builds... I do an SSE-only contributed 32-bit build. It
> is useful for older Pentium 3 class machines, which will not run the
> regular Pale Moon build.
>
> I couldn't find anything about NSS logging on Google... except your
Why the Schmoog engine? duckduckgo.com is some much more privacy acceptable...

But there are links too in the page that I posted the patch, below...

> question. I followed the instructions in your post here, and that's how
> I got it to work. I did not know about it until you told me.

If Palemoon logs SSL-keys, then it must use some of openssl, libressl,
gnutls, or the Mozilla/Google/Oracle (IIRC), but primary Mozilla program
Network Security Services, dev-libs/nss-3.27.2 .

> > Wait... Did you need to patch the nss library to get the $SSLKEYLOGFILE
> > being written to? Like in this bug:
> >
> > >=dev-libs/nss-3.24 - Add USE flag to enable SSL key logging
> > https://bugs.gentoo.org/show_bug.cgi?id=587116
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.24_release_notes#Notable_changes_in_NSS_3.24
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Reference/NSS_environment_variables
(from that Bugzilla page)
> >
> > Did you? (That's about the only patch there, that I submitted to
> > Bugzilla anywhere ;-) btw.)
>
> No patches required to the source code for that.
Probably that means what it meant in some of the Mozilla pages... That's
not good. Because it means the SSL-key logging is enabled by default.
Was in Firefox too. Not, it need to be at user's decision, compile time
only possible in Firefox, in optimize ebuilds, with my (minuscule) patch... But in
binary releases, it is enabled by default in Firefox...
> I do my own custom
> manual build, to eliminate the dependancy on dbus, plus other tweaks.
> That involves setting options in the mozconfig file, but no source code
> changes. If you want to do your own build, see my post on December 9th
> https://forum.palemoon.org/viewtopic.php?f=37&t=13898&start=20#p100625
> Note; this is version 2 of my build environment. You should see an
> attached file "pmmain.tgz" on that post. Do not use version 1, with
> (utils.tgz) in the first post of that thread.
You know why the no-dbus way above may be my only way of doing it? Or
for which reason I might have to give up?

The only way, because after:

$ git clone https://github.com/deuiore/palemoon-overlay

I grep'd a log of dbus lines in that repo :-( , so Palemoon has the dbus
dependency... Firefox does not. And not only in Gentoo.

(And I don't intend to install no poetterware whatsoever --dbus being at
least a relative, or maybe better defined as the precursor, which
prepared the way for poetterware, IMO.)

And that also may prove to be the reason that I might have to give up.
Which I will only do if it shows to be too difficult for me.

I've only just downloaded:
https://forum.palemoon.org/download/file.php?id=6761
from:
https://forum.palemoon.org/viewtopic.php?f=37&t=13898&start=20#p100625
so I don't yet know...

We'll see...
> --
> Walter Dnes <waltdnes@waltdnes.org>
> I don't run "desktop environments"; I run useful applications
>

Thanks also to Martin Vaeth for his correcting of my assumption.

Regards!
--
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Re: Reading the (SSL) traffic with Pale Moon, WAS: from Firefox52: NO pure ALSA? Youtube... Audio: No [ In reply to ]
On 161218-19:16+0100, Miroslav Rovis wrote:
...
> >
> > No patches required to the source code for that.
> Probably that means what it meant in some of the Mozilla pages... That's
> not good. Because it means the SSL-key logging is enabled by default.
And that's a security risk.
> Was in Firefox too. Not, it need to be at user's decision, compile time
> only possible in Firefox, in optimize ebuilds, with my (minuscule) patch... But in
> binary releases, it is enabled by default in Firefox...
> > I do my own custom
> > manual build, to eliminate the dependancy on dbus, plus other tweaks.
> > That involves setting options in the mozconfig file, but no source code
> > changes. If you want to do your own build, see my post on December 9th
> > https://forum.palemoon.org/viewtopic.php?f=37&t=13898&start=20#p100625
> > Note; this is version 2 of my build environment. You should see an
> > attached file "pmmain.tgz" on that post. Do not use version 1, with
> > (utils.tgz) in the first post of that thread.
> You know why the no-dbus way above may be my only way of doing it? Or
> for which reason I might have to give up?
>
> The only way, because after:
>
> $ git clone https://github.com/deuiore/palemoon-overlay
>
> I grep'd a log of dbus lines in that repo :-( , so Palemoon has the dbus
> dependency... Firefox does not. And not only in Gentoo.
>
> (And I don't intend to install no poetterware whatsoever --dbus being at
> least a relative, or maybe better defined as the precursor, which
> prepared the way for poetterware, IMO.)

But, looking into:

palemoon-overlay/www-client/palemoon/palemoon-27.0.2.ebuild

I see:

if ! use dbus; then
mozconfig_disable dbus
fi

So dbus is _not_ a requirement... So I don't understand why you
(
I had
also starting looking into pmmain , your build scripts, and the above
does the same as:

$ grep -r dbus pmmain/
pmmain/utils/mymozconfig.txt:ac_add_options --disable-dbus
$
)
[So I don't understand why you] thought dbus was needed to be disabled
by other means, than the (as yet still) unofficial repo/overlay?)

Or am I missing something?
--
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Re: Reading the (SSL) traffic with Pale Moon, WAS: from Firefox52: NO pure ALSA? Youtube... Audio: No [ In reply to ]
On Sun, Dec 18, 2016 at 07:43:47PM +0100, Miroslav Rovis wrote

> [So I don't understand why you] thought dbus was needed to be disabled
> by other means, than the (as yet still) unofficial repo/overlay?)
>
> Or am I missing something?

You are looking at the Pale Moon overlay. I did not know about it
when I first used Pale Moon. I originally downloaded the official
version tarball from http://linux.palemoon.org/ which needs dbus. I
built Pale Moon from source with several changes in the mozconfig file.
I also built it with gcc 5.4.0 with additional optimization. Gentoo
stable currently uses gcc 4.9.3.

dbus was included in the original code from Firefox before the forking
took place for a few reasons...

* "necko-wifi" for improved geo-location, which you probably do not want.
Since Pale Moon is separate from Firefox, they don't have a licence to
use Google's wifi database.

* WebRTC. I don't think it's enabled on the official version

* "WakeLock". *IF YOU HAVE A SCREENSAVER THAT COMMUNICATES VIA DBUS*
then Pale Moon can ask it to temporarily disable screensaving while
you are playing a long video.

--
Walter Dnes <waltdnes@waltdnes.org>
I don't run "desktop environments"; I run useful applications
Re: Reading the (SSL) traffic with Pale Moon, WAS: from Firefox52: NO pure ALSA? Youtube... Audio: No [ In reply to ]
On 161218-15:29-0500, Walter Dnes wrote:
> On Sun, Dec 18, 2016 at 07:43:47PM +0100, Miroslav Rovis wrote
>
> > [So I don't understand why you] thought dbus was needed to be disabled
> > by other means, than the (as yet still) unofficial repo/overlay?)
> >
> > Or am I missing something?
>
> You are looking at the Pale Moon overlay. I did not know about it
> when I first used Pale Moon. I originally downloaded the official
> version tarball from http://linux.palemoon.org/ which needs dbus. I
...

I'll look at those later, likely in the next, or some later email.

First, I installed Pale Moon, but by no means is the task over.

And not just because I had issues, i.e. couldn't log into Pale Moon forum:

SSL-key logging with Pale Moon (the current title)
http://www.croatiafidelis.hr/foss/cap/cap-161218-palemoon/
( and great if we get some insight here by seniors as to why the
apparent *fork bomb* or something happened ).

( Pls. do note that Pale Moon can SSL-key log just fine, except, it's an
old version of the nss library that Pale Moon uses, which is likely not
a good thing. )

But even more, because I only really install in my master Air-Gapped
Gentoo --link missing, because I haven't transferred my bookmarks yet...
(
No, I just installed, it's completely trivial, via GUi, takes in the the
Firefox bookmark JSON just fine...):

Air-Gapped Gentoo Install, Tentative
https://forums.gentoo.org/viewtopic-t-987268.html
)
link not missing--

...and I really install only what I can verify.

So, is there anywhere that I can read on the Wiki, where I can figure
out how I could git-install in completely verifiable way? Plus...

Plus: I want to be able to clone that install, from this online clone to
my master Air-Gapped installation, how?

One thing I never stop being excited about it the emerge-webrsync and
the fact that every package in Gentoo is verifiably signed by the Releng
team, and that's as safe as you can get in any distro in the world. The
best!

Now came the git install, with the git pack thing and all. May be very
safe, but how do I know it? How do I verify it?

I remember having read, either on gentoo-dev or on the wiki, or
somewhere else, that some devs do have this concern that I also voiced
here...

Any advice will be appreciated!
--
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Re: Reading the (SSL) traffic with Pale Moon, WAS: from Firefox52: NO pure ALSA? Youtube... Audio: No [ In reply to ]
On 161218-15:29-0500, Walter Dnes wrote:
> On Sun, Dec 18, 2016 at 07:43:47PM +0100, Miroslav Rovis wrote
>
> > [So I don't understand why you] thought dbus was needed to be disabled
> > by other means, than the (as yet still) unofficial repo/overlay?)
> >
> > Or am I missing something?
>
> You are looking at the Pale Moon overlay. I did not know about it
> when I first used Pale Moon. I originally downloaded the official
> version tarball from http://linux.palemoon.org/ which needs dbus. I
> built Pale Moon from source with several changes in the mozconfig file.
> I also built it with gcc 5.4.0 with additional optimization. Gentoo
> stable currently uses gcc 4.9.3.
Pasting from my about:buildconfig :

Compiler Version Compiler flags
gcc 5.4.0 -Wall -Wdeclaration-after-statement -Wempty-body
-Wpointer-to-int-cast -Wsign-compare -Wtype-limits -Wno-unused
-Wcast-align -march=native -pipe -std=gnu99 -fgnu89-inline
-fno-strict-aliasing -fno-math-errno -pthread -pipe
> dbus was included in the original code from Firefox before the forking
> took place for a few reasons...
I see.
> * "necko-wifi" for improved geo-location, which you probably do not want.
> Since Pale Moon is separate from Firefox, they don't have a licence to
> use Google's wifi database.
>
> * WebRTC. I don't think it's enabled on the official version
>
> * "WakeLock". *IF YOU HAVE A SCREENSAVER THAT COMMUNICATES VIA DBUS*
> then Pale Moon can ask it to temporarily disable screensaving while
> you are playing a long video.
Those are not there in my Pale Moon (in clone-machine only yet, as I
explained in my other reply email to this message), again pasting from
my about:buildconfig :

Configure arguments
--enable-application=browser --disable-install-strip
--enable-optimize=-O2 --disable-valgrind --disable-dbus
--disable-necko-wifi --enable-gstreamer --disable-webrtc --enable-alsa
--disable-pulseaudio --enable-official-branding
--enable-default-toolkit=cairo-gtk2

> --
> Walter Dnes <waltdnes@waltdnes.org>
> I don't run "desktop environments"; I run useful applications
>
And I'm very curious to learn how to install in Air-Gapped, from git,
through intermediary action, that is acceptable, but in a verifiable
way, as I asked in my other reply email to this message.

Just in case (pasting from about:support):

Name Pale Moon
Version 27.0.2
Build ID 20161218222634
...
User Agent Mozilla/5.0 (X11; Linux x86_64; rv:45.9) Gecko/20100101
Goanna/3.0 Firefox/45.9 PaleMoon/27.0.2

Regards!
--
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Re: Reading the (SSL) traffic with Pale Moon [ In reply to ]
On 161219-12:16+0100, Miroslav Rovis wrote:
> On 161218-15:29-0500, Walter Dnes wrote:
...
> First, I installed Pale Moon, but by no means is the task over.
>
> And not just because I had issues, i.e. couldn't log into Pale Moon forum:
>
> SSL-key logging with Pale Moon (the current title)
> http://www.croatiafidelis.hr/foss/cap/cap-161218-palemoon/
> ( and great if we get some insight here by seniors as to why the
> apparent *fork bomb* or something happened ).
>
> ( Pls. do note that Pale Moon can SSL-key log just fine, except, it's an
> old version of the nss library that Pale Moon uses, which is likely not
> a good thing. )
...

The NSS library that Palemoon uses (as I posted on that link above) is,
IIUC, ancient (paste from about:support):

NSS 3.19.5.0 Basic ECC 3.19.5.0 Basic ECC

See in your own portage:

# cd /usr/portage/dev-libs/nss/
# grep 'bug #' ChangeLog | cut -d# -f2 | sed 's/)//' | sed 's/\.//' \
| sed 's/\.//'|sort -u
564834
571086
574848
576862
585372
#

Of the above Gentoo Bugzilla bugs, only the last one (585372) is not about vulns but
about stable request ("=dev-libs/nss-3.23 stable request").

So all of these:

<dev-libs/nspr-4.10.10, <dev-libs/nss-3.20.1: use-after-poison, buffer
overflow, integer overflow (CVE-2015-{7181,7182,7183})
https://bugs.gentoo.org/show_bug.cgi?id=564834

(CVE-2015-7575, CVE-2016-1938) - <dev-libs/nss-3.21-r2: Weak RSA-MD5
signature allows attack on client certificate authentication (part of SLOTH
attack), miscalculations in bignum lib (CVE-2015-7575, CVE-2016-1938)
https://bugs.gentoo.org/show_bug.cgi?id=571086

dev-libs/nss-3.22[utils] - multilib-minimal_abi_src_install - !!! dobin:
checkcert does not exist
https://bugs.gentoo.org/show_bug.cgi?id=574848

<www-client/firefox{,-bin}-{38.7.0,45.0}
<mail-client/thunderbird{,-bin}-38.7.0 <dev-libs/nss-3.22.2 : multiple
vulnerabilities (CVE-2016-{1950..1979}, CVE-2016-{2790..2802})
https://bugs.gentoo.org/show_bug.cgi?id=576862

[all of the above] speak of serious security risks with the then version of
NSS, and Pale Moon uses a version of the NSS that predates any patches to
those bugs. If I understand correctly.

In the meantime, I have retried to log into Pale Moon forum, same issue
shows up. And yet another time I retired. And it's consistent
behavior... Maybe because now the forum thinks I tried many times
before, which is just not the case by any means!

And for that try, I cleared the cache, and get a cast/trace pair short,
and clean event, no other, or not much other conversations, but those
with the Pale Moon Forum (and its requests, true, which are a lot of
requests...).

No addons/extensions yet (not even the eff-https-everywhere, the browser
functionalities minimized, privacy browsing set to always, though, and
I'll show that too. Ah, no tracking protection in Pale Moon, we'll see
to that... But later I'll make page 2 with that cast/trace pair.

( And, regarding the short post by Taiidan@gmx.com
http://www.gossamer-threads.com/lists/gentoo/user/320794#320794
also something to fake browser fingerprinting, probably start looking from:
https://wiki.gentoo.org/wiki/Tor )

So what should I think of Pale Moon, regarding the SSL-key logging, but
with that ancient NSS?

Aaarggghhh!
--
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Re: Reading the (SSL) traffic with Pale Moon [ In reply to ]
I need to correct what I wrote... Things are *not* as bad as I
misunderstood...

On 161219-18:17+0100, Miroslav Rovis wrote:
...
> ...
>
> The NSS library that Palemoon uses (as I posted on that link above) is,
> IIUC, ancient (paste from about:support):

Nope! But see below...

> NSS 3.19.5.0 Basic ECC 3.19.5.0 Basic ECC
>
> See in your own portage:
>
> # cd /usr/portage/dev-libs/nss/
> # grep 'bug #' ChangeLog | cut -d# -f2 | sed 's/)//' | sed 's/\.//' \
> | sed 's/\.//'|sort -u
> 564834
> 571086
> 574848
> 576862
> 585372
> #
>
> Of the above Gentoo Bugzilla bugs, only the last one (585372) is not about vulns but
> about stable request ("=dev-libs/nss-3.23 stable request").
>
> So all of these:
Really not!


There is talk of 3.19.2.1 and 3.19.4 ...
> <dev-libs/nspr-4.10.10, <dev-libs/nss-3.20.1: use-after-poison, buffer
> overflow, integer overflow (CVE-2015-{7181,7182,7183})
> https://bugs.gentoo.org/show_bug.cgi?id=564834
[There is talk of 3.19.2.1 and 3.19.4]
on 2015-11-03 20:19:00 UTC here:
https://bugs.gentoo.org/show_bug.cgi?id=564834#c0

I don't know about this one, but probably it doesn't apply to what Pale
Moon either...
> (CVE-2015-7575, CVE-2016-1938) - <dev-libs/nss-3.21-r2: Weak RSA-MD5
> signature allows attack on client certificate authentication (part of SLOTH
> attack), miscalculations in bignum lib (CVE-2015-7575, CVE-2016-1938)
> https://bugs.gentoo.org/show_bug.cgi?id=571086

This bug #574848
> dev-libs/nss-3.22[utils] - multilib-minimal_abi_src_install - !!! dobin:
> checkcert does not exist
> https://bugs.gentoo.org/show_bug.cgi?id=574848
is entirely local error within Gentoo

And there is talk of .19.2.3 ...
https://bugs.gentoo.org/show_bug.cgi?id=576862#c0
> <www-client/firefox{,-bin}-{38.7.0,45.0}
> <mail-client/thunderbird{,-bin}-38.7.0 <dev-libs/nss-3.22.2 : multiple
> vulnerabilities (CVE-2016-{1950..1979}, CVE-2016-{2790..2802})
> https://bugs.gentoo.org/show_bug.cgi?id=576862
[And there is talk of .19.2.3]
on 2016-03-09 14:42:36 UTC here:
https://bugs.gentoo.org/show_bug.cgi?id=576862#c0
>
...
> No addons/extensions yet (not even the eff-https-everywhere, the browser
> functionalities minimized, privacy browsing set to always, though, and
> I'll show that too. Ah, no tracking protection in Pale Moon, we'll see
> to that... But later I'll make page 2 with that cast/trace pair.
>
> ( And, regarding the short post by Taiidan@gmx.com
> http://www.gossamer-threads.com/lists/gentoo/user/320794#320794
> also something to fake browser fingerprinting, probably start looking from:
> https://wiki.gentoo.org/wiki/Tor )
>

And whether the NSS that Pale Moon uses is fine, maybe some of the devs
can tell us, I apologize for for having made too hasty and very probably
wrong conclusion in regard...

Regards!
--
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Re: Reading the (SSL) traffic with Pale Moon [ In reply to ]
On Mon, Dec 19, 2016 at 06:43:53PM +0100, Miroslav Rovis wrote

> And whether the NSS that Pale Moon uses is fine, maybe some of the devs
> can tell us, I apologize for for having made too hasty and very probably
> wrong conclusion in regard...

See the 2nd post in https://forum.palemoon.org/viewtopic.php?t=8971

Moonchild (the lead developer)
> The moment I am given access to the MozSec bugs after each 6-week
> release, I perform a full security audit on the bugs and code
> for applicability. If a vulnerability exists in Pale Moon that is
> addressed by these bugs, it is patched in the next release, with
> chemspill releases for urgent security issues pushed out asap in a
> point release.

There is some informal slang here that you may not understand...
* "chemspill" ==> an emergency similar in nature to a hazardous chemical
spill, requiring immediate response
* "asap" ==> an acronym for "As Soon As Possible"

3rd post in same thread
Matt Tobin (developer)
> One thing to keep in mind is that just because there is a vulnerability
> in a codebase doesn't mean that there always was a vulnerability. As
> most know, Mozilla has been rewriting code (refactoring) at a rabid
> pace and has actually introduced more security flaws just by
> refactoring and rewriting the code badly than were previously there
> in the older incarnation of a chunk of code.

Short summary...
* Pale Moon is an independant fork
* Pale Moon started out with a snapshot of Firefox code
* Pale Moon has made its own set of changes
* Mozilla (Firefox) has made a different set of changes
* the two browsers' source code is different enough that a problem that
affects Firefox may not affect Pale Moon; see...
https://forum.palemoon.org/viewtopic.php?f=1&t=13984
* if there are real problems, there are point releases. That's one
reason why Pale Moon 27.0.1 and 27.0.2 and 27.0.3 have been released.
E.g. see "Security-related and crash fixes:" in
https://forum.palemoon.org/viewtopic.php?f=1&t=14223

--
Walter Dnes <waltdnes@waltdnes.org>
I don't run "desktop environments"; I run useful applications
Re: Reading the (SSL) traffic with Pale Moon, WAS: from Firefox52: NO pure ALSA? Youtube... Audio: No [ In reply to ]
On Mon, Dec 19, 2016 at 01:25:19PM +0100, Miroslav Rovis wrote

> And I'm very curious to learn how to install in Air-Gapped, from git,
> through intermediary action, that is acceptable, but in a verifiable
> way, as I asked in my other reply email to this message.

The Pale Moon project is located at...
https://github.com/MoonchildProductions/Pale-Moon

The current release branch is "27.0_Relbranch". I'm not a programmer,
and I don't push commits back to the project. So I don't need the full
depth and history. The following command grabs the latest 27.0.x source
and downloads it to a directory pmsrc/ and only downloads what is needed
to do a build.

git clone -b 27.0_RelBranch --depth 1 https://github.com/MoonchildProductions/Pale-Moon.git pmsrc

To save typing, I made a script "getcode". I merely have to type
./getcode 27.0

The script consists of 2 lines...

#!/bin/bash
git clone -b "${1}_RelBranch" --depth 1 https://github.com/MoonchildProductions/Pale-Moon.git pmsrc

Note that this picks up the latest git tag. You can force a specific
tag (e.g. 27.0.0 or 27.0.1 or 27.0.2) if you use the appropriate git
command. Once the the pmsrc/ subdirectory is populated, you can...

cp -r pmsrc/ <usb_stick>/pmsrc/

walk over to the air-gapped machine and...

cp -r <usb_stick>/pmsrc/ pmsrc/

and then do a "-march=native" build on the air-gapped machine.

--
Walter Dnes <waltdnes@waltdnes.org>
I don't run "desktop environments"; I run useful applications
Re: Reading the (SSL) traffic with Pale Moon [ In reply to ]
Very useful! Thanks!

But only quick notes now.

On 161220-03:00-0500, Walter Dnes wrote:
> On Mon, Dec 19, 2016 at 01:25:19PM +0100, Miroslav Rovis wrote
>
> > And I'm very curious to learn how to install in Air-Gapped, from git,
> > through intermediary action, that is acceptable, but in a verifiable
> > way, as I asked in my other reply email to this message.
>
> The Pale Moon project is located at...
> https://github.com/MoonchildProductions/Pale-Moon

I see.

And one thing appears to be missing for me. *IIUC* <-- pls. note.

The tags are not verified on the Pale Moon repo above! Do you see that
they are, if you open:
https://github.com/MoonchildProductions/Pale-Moon/tags
?
I don't!

*IIUC* <-- pls. note.

Do you see that my tags are verified, e.g. if you open:

https://github.com/miroR/tshark-hosts-conv/tags
and by clicking on "Verified" link, you should see:

This tag was signed with a verified signature.
@miroR
miroR
Miroslav Rovis
GPG key ID: EA9884884FBAF0AE Learn about signing commits

Or am I again missing something?

And if the tags are not verified, I may do the below, but I still don't
feel right.

I'm used to webrsync-gpg which is obsolete in comparison to git, but
it's so safe, because all the the portage, including distfiles, all is
PGP verifiable!

I leave your instuctions below, since this is really useful, and it's a
possible route for me to take... But...

> The current release branch is "27.0_Relbranch". I'm not a programmer,
> and I don't push commits back to the project. So I don't need the full
> depth and history. The following command grabs the latest 27.0.x source
> and downloads it to a directory pmsrc/ and only downloads what is needed
> to do a build.
>
> git clone -b 27.0_RelBranch --depth 1 https://github.com/MoonchildProductions/Pale-Moon.git pmsrc
>
> To save typing, I made a script "getcode". I merely have to type
> ./getcode 27.0
>
> The script consists of 2 lines...
>
> #!/bin/bash
> git clone -b "${1}_RelBranch" --depth 1 https://github.com/MoonchildProductions/Pale-Moon.git pmsrc
>
> Note that this picks up the latest git tag. You can force a specific
> tag (e.g. 27.0.0 or 27.0.1 or 27.0.2) if you use the appropriate git
> command. Once the the pmsrc/ subdirectory is populated, you can...
>
> cp -r pmsrc/ <usb_stick>/pmsrc/
>
> walk over to the air-gapped machine and...
>
> cp -r <usb_stick>/pmsrc/ pmsrc/
>
> and then do a "-march=native" build on the air-gapped machine.
>
> --
> Walter Dnes <waltdnes@waltdnes.org>
> I don't run "desktop environments"; I run useful applications
>

... But also, the time on my hands is an issue. If the Gentoo overlay
prooves easier and quicker, I may go that other way...

And which way I go may also depend on which one I get to verifiably install...

Yes, verifiability is my sine qua non!

I have to say, I had no issues with installing from Gentoo palemoon
overlay, and I may open an issue about verification there, or in main
Pale Moon repo...

E.g. there are never even any tags at all on:

https://github.com/deuiore/palemoon-overlay/tags

If I understand correctly. <-- pls. note.

All this in the wake of my asking Gentoo devs about the verifiability in
git:

Is it safe to switch from webrsync to the git repo now?
http://www.gossamer-threads.com/lists/gentoo/dev/320922

Really thanks a lot.
--
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Re: Reading the (SSL) traffic with Pale Moon [ In reply to ]
Thanks! I'll be studying the links that you gave!
(I just replied to your other, later mail, first, in this thread, both
the mails, and I marked both important in my Mutt.)

On 161219-18:33-0500, Walter Dnes wrote:
> On Mon, Dec 19, 2016 at 06:43:53PM +0100, Miroslav Rovis wrote
>
> > And whether the NSS that Pale Moon uses is fine, maybe some of the devs
> > can tell us, I apologize for for having made too hasty and very probably
> > wrong conclusion in regard...
>
> See the 2nd post in https://forum.palemoon.org/viewtopic.php?t=8971
>
> Moonchild (the lead developer)
> > The moment I am given access to the MozSec bugs after each 6-week
> > release, I perform a full security audit on the bugs and code
> > for applicability. If a vulnerability exists in Pale Moon that is
> > addressed by these bugs, it is patched in the next release, with
> > chemspill releases for urgent security issues pushed out asap in a
> > point release.
>
> There is some informal slang here that you may not understand...
> * "chemspill" ==> an emergency similar in nature to a hazardous chemical
> spill, requiring immediate response
> * "asap" ==> an acronym for "As Soon As Possible"
>
> 3rd post in same thread
> Matt Tobin (developer)
> > One thing to keep in mind is that just because there is a vulnerability
> > in a codebase doesn't mean that there always was a vulnerability. As
> > most know, Mozilla has been rewriting code (refactoring) at a rabid
> > pace and has actually introduced more security flaws just by
> > refactoring and rewriting the code badly than were previously there
> > in the older incarnation of a chunk of code.
>
> Short summary...
> * Pale Moon is an independant fork
> * Pale Moon started out with a snapshot of Firefox code
> * Pale Moon has made its own set of changes
> * Mozilla (Firefox) has made a different set of changes
> * the two browsers' source code is different enough that a problem that
> affects Firefox may not affect Pale Moon; see...
> https://forum.palemoon.org/viewtopic.php?f=1&t=13984
> * if there are real problems, there are point releases. That's one
> reason why Pale Moon 27.0.1 and 27.0.2 and 27.0.3 have been released.
> E.g. see "Security-related and crash fixes:" in
> https://forum.palemoon.org/viewtopic.php?f=1&t=14223
>
> --
> Walter Dnes <waltdnes@waltdnes.org>
> I don't run "desktop environments"; I run useful applications
>

Thanks!

--
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Re: Reading the (SSL) traffic with Pale Moon [ In reply to ]
On 161220-03:00-0500, Walter Dnes wrote:
> On Mon, Dec 19, 2016 at 01:25:19PM +0100, Miroslav Rovis wrote
>
> > And I'm very curious to learn how to install in Air-Gapped, from git,
> > through intermediary action, that is acceptable, but in a verifiable
> > way, as I asked in my other reply email to this message.
>
> The Pale Moon project is located at...
> https://github.com/MoonchildProductions/Pale-Moon
That is certainly also what the official overlay uses, the one listed in:
https://overlays.gentoo.org/
which has updated, as I attempted to work with your scripts. Just
pulled:

miro@g0n /Cmn/src/palemoon-overlay $ git pull
remote: Counting objects: 8, done.
remote: Total 8 (delta 6), reused 6 (delta 6), pack-reused 2
Unpacking objects: 100% (8/8), done.
From https://github.com/deuiore/palemoon-overlay
237160b..d0b6f90 master -> origin/master
Updating 237160b..d0b6f90
Fast-forward
www-client/palemoon-bin/Manifest | 3 +
www-client/palemoon-bin/palemoon-bin-27.0.3.ebuild | 112
++++++++++++++++++++++++
www-client/palemoon/Manifest | 3 +-
www-client/palemoon/palemoon-27.0.2.ebuild | 6 +-
www-client/palemoon/palemoon-27.0.3.ebuild | 239
++++++++++++++++++++++++++++++++++++++++++++++++++++
5 files changed, 359 insertions(+), 4 deletions(-)
create mode 100644
www-client/palemoon-bin/palemoon-bin-27.0.3.ebuild
create mode 100644 www-client/palemoon/palemoon-27.0.3.ebuild

But I spent hours studying your scripts, and their fine, but my system
is hardened, and the /usr/src/ where I put pmmain/ failed. It was that
gcc couldn't even create let alone the conftest, but not even conftest.c
was created.

And the Pale Moon that I have installed works just great (except for
logging into the forum, but that's not its fault; btw, I logged into
github, no problem...).

And the overlay looks good, and all set properly... And it's official,
more reliable than homemade.

I'll try and see next how the updating will go with the official.

... Doing it now.

The line that I use, as admin (root is not much more poweful than just a
regular user in grsecurity-hardened), ah, didn't need that, I only need
that when there are more packages, this logs the same as what you have
later in /var/log/portage/ ...:

# emerge -tuDN palemoon 2>&1 | tee emerge-tuDN_palemoon_$(date +%y%m%d_%H%M)_g0n

These are the packages that would be merged, in reverse order:

Calculating dependencies .. . .... done!
[ebuild U ] www-client/palemoon-27.0.3::miro [27.0.2::miro] USE="alsa gstreamer gtk2 official-branding optimize -dbus -gtk3 -jemalloc -necko-wifi -pulseaudio -shared-js -system-libs -valgrind -webrtc" 0 KiB

Total: 1 package (1 upgrade), Size of downloads: 0 KiB

Would you like to merge these packages? [Yes/No]
>>> Verifying ebuild manifests
>>> Running pre-merge checks for www-client/palemoon-27.0.3
* Checking for at least 7 GiB disk space at "/var/tmp/portage/www-client/palemoon-27.0.3/temp" ...
[ ok ]

>>> Emerging (1 of 1) www-client/palemoon-27.0.3::miro
>>> Unpacking source...
* Fetching git://github.com/MoonchildProductions/Pale-Moon.git ...
git fetch git://github.com/MoonchildProductions/Pale-Moon.git +refs/tags/27.0.3_Release:refs/tags/27.0.3_Release
remote: Counting objects: 362, done.
...

And more than 4 threads is fine:

top - 01:03:03 up 3 days, 6:32, 9 users, load average: 14.08, 10.22, 7.75
Tasks: 171 total, 9 running, 160 sleeping, 2 stopped, 0 zombie
%Cpu(s): 85.0 us, 11.3 sy, 3.7 ni, 0.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
KiB Mem : 16398240 total, 1935348 free, 3362256 used, 11100636 buff/cache
KiB Swap: 0 total, 0 free, 0 used. 12842124 avail Mem

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
15934 portage 20 0 292768 243536 15284 R 56.8 1.5 0:02.12 cc1plus
15930 portage 20 0 352412 305772 15360 R 50.2 1.9 0:02.83 cc1plus
15921 portage 20 0 369724 321532 15332 R 49.2 2.0 0:03.66 cc1plus
15938 portage 20 0 200696 150028 15360 R 41.9 0.9 0:01.26 cc1plus
31169 miro 20 0 442208 69132 20408 S 23.9 0.4 6:28.81 ffmpeg
15942 portage 20 0 139212 90380 15064 R 16.9 0.6 0:00.51 cc1plus
15955 portage 20 0 96876 56996 14292 R 9.6 0.3 0:00.29 cc1plus
15952 portage 20 0 82248 46356 15008 R 9.0 0.3 0:00.27 cc1plus
11468 miro 39 19 605396 153748 19432 R 3.7 0.9 1404:00 ffmpeg

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

And this is my itch, verification of these:


/usr/portage/distfiles/git3-src/:
total 4
drwxr-xr-x 6 portage portage 4096 2016-12-18 22:27 MoonchildProductions_Pale-Moon.git

/usr/portage/distfiles/git3-src/MoonchildProductions_Pale-Moon.git:
total 32
-rw-r--r-- 1 portage portage 66 2016-12-18 22:20 config
-rw-r--r-- 1 portage portage 73 2016-12-18 22:20 description
-rw-r--r-- 1 portage portage 114 2016-12-21 00:58 FETCH_HEAD
-rw-r--r-- 1 portage portage 23 2016-12-18 22:20 HEAD
drwxr-xr-x 2 portage portage 4096 2016-12-18 22:20 hooks
drwxr-xr-x 2 portage portage 4096 2016-12-18 22:20 info
drwxr-xr-x 4 portage portage 4096 2016-12-18 22:20 objects
drwxr-xr-x 5 portage portage 4096 2016-12-18 22:24 refs

/usr/portage/distfiles/git3-src/MoonchildProductions_Pale-Moon.git/hooks:
total 44
-rwxr-xr-x 1 portage portage 478 2016-12-18 22:20 applypatch-msg.sample
-rwxr-xr-x 1 portage portage 896 2016-12-18 22:20 commit-msg.sample
-rwxr-xr-x 1 portage portage 189 2016-12-18 22:20 post-update.sample
-rwxr-xr-x 1 portage portage 424 2016-12-18 22:20 pre-applypatch.sample
-rwxr-xr-x 1 portage portage 1642 2016-12-18 22:20 pre-commit.sample
-rwxr-xr-x 1 portage portage 1239 2016-12-18 22:20 prepare-commit-msg.sample
-rwxr-xr-x 1 portage portage 1348 2016-12-18 22:20 pre-push.sample
-rwxr-xr-x 1 portage portage 4951 2016-12-18 22:20 pre-rebase.sample
-rwxr-xr-x 1 portage portage 544 2016-12-18 22:20 pre-receive.sample
-rwxr-xr-x 1 portage portage 3610 2016-12-18 22:20 update.sample

/usr/portage/distfiles/git3-src/MoonchildProductions_Pale-Moon.git/info:
total 4
-rw-r--r-- 1 portage portage 240 2016-12-18 22:20 exclude

/usr/portage/distfiles/git3-src/MoonchildProductions_Pale-Moon.git/objects:
total 8
drwxr-xr-x 2 portage portage 4096 2016-12-18 22:20 info
drwxr-xr-x 2 portage portage 4096 2016-12-21 00:58 pack

/usr/portage/distfiles/git3-src/MoonchildProductions_Pale-Moon.git/objects/info:
total 0

/usr/portage/distfiles/git3-src/MoonchildProductions_Pale-Moon.git/objects/pack:
total 270812
-r--r--r-- 1 portage portage 5090828 2016-12-18 22:24 pack-a682fc2224953122b74e217a9ca3773304b49d94.idx
-r--r--r-- 1 portage portage 271104986 2016-12-18 22:24 pack-a682fc2224953122b74e217a9ca3773304b49d94.pack
-r--r--r-- 1 portage portage 14540 2016-12-21 00:57 pack-d957d5915ac5c98443a78373f3e25c5433d1dba2.idx
-r--r--r-- 1 portage portage 1090901 2016-12-21 00:57 pack-d957d5915ac5c98443a78373f3e25c5433d1dba2.pack

/usr/portage/distfiles/git3-src/MoonchildProductions_Pale-Moon.git/refs:
total 12
drwxr-xr-x 3 portage portage 4096 2016-12-18 22:24 git-r3
drwxr-xr-x 2 portage portage 4096 2016-12-18 22:20 heads
drwxr-xr-x 2 portage portage 4096 2016-12-21 00:58 tags

/usr/portage/distfiles/git3-src/MoonchildProductions_Pale-Moon.git/refs/git-r3:
total 4
drwxr-xr-x 3 portage portage 4096 2016-12-18 22:24 www-client

/usr/portage/distfiles/git3-src/MoonchildProductions_Pale-Moon.git/refs/git-r3/www-client:
total 4
drwxr-xr-x 3 portage portage 4096 2016-12-18 22:24 palemoon

/usr/portage/distfiles/git3-src/MoonchildProductions_Pale-Moon.git/refs/git-r3/www-client/palemoon:
total 4
drwxr-xr-x 2 portage portage 4096 2016-12-21 00:58 0

/usr/portage/distfiles/git3-src/MoonchildProductions_Pale-Moon.git/refs/git-r3/www-client/palemoon/0:
total 8
-rw-r--r-- 1 portage portage 30 2016-12-21 00:58 __main__
-rw-r--r-- 1 portage portage 41 2016-12-21 00:58 __old__

/usr/portage/distfiles/git3-src/MoonchildProductions_Pale-Moon.git/refs/heads:
total 0

/usr/portage/distfiles/git3-src/MoonchildProductions_Pale-Moon.git/refs/tags:
total 180
-rw-r--r-- 1 portage portage 41 2016-12-18 22:24 24.5.1_beta4

... [cut 40 lines here] ...

-rw-r--r-- 1 portage portage 41 2016-12-18 22:24 27.0.2_Release
-rw-r--r-- 1 portage portage 41 2016-12-21 00:58 27.0.3_Release
-rw-r--r-- 1 portage portage 41 2016-12-18 22:24 GUID_working_base
-rw-r--r-- 1 portage portage 41 2016-12-18 22:24 Milestone_25

The above is pretty clearly the Pale Moon repo, because this file, just
3 lines above here:

-rw-r--r-- 1 portage portage 41 2016-12-21 00:58 27.0.3_Release

contains:

cat /usr/portage/distfiles/git3-src/MoonchildProductions_Pale-Moon.git/refs/tags/27.0.3_Release

cff1b1447aa25e27b7294bb6986e79c98ae04a03

the SHA1 hash name of the 27.0.3.

I'm half true compiling it, and the above dir is not a problem hashing
it, tar'ing it and moving it to Air-Gapped machine, the problem is
verification of every single component of the process...

Regards!

Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Re: Reading the (SSL) traffic with Pale Moon [ In reply to ]
On Wed, Dec 21, 2016 at 01:17:18AM +0100, Miroslav Rovis wrote
>
> I'm half true compiling it, and the above dir is not a problem hashing
> it, tar'ing it and moving it to Air-Gapped machine, the problem is
> verification of every single component of the process...

Sorry, I'm not knowledgable about the level of security that you're
looking for. Maybe you should be asking your questions in a specialized
linux security forum.

--
Walter Dnes <waltdnes@waltdnes.org>
I don't run "desktop environments"; I run useful applications
Re: Reading the (SSL) traffic with Pale Moon [ In reply to ]
On 2016-12-20 21:30, Walter Dnes wrote:

> Sorry, I'm not knowledgable about the level of security that you're
> looking for. Maybe you should be asking your questions in a
> specialized linux security forum.

Perhaps the tails distribution may be relevant here?

https://tails.boum.org/

--
Please *no* private Cc: on mailing lists and newsgroups
Personal signed mail: please _encrypt_ and sign
Don't clear-text sign: http://cr.yp.to/smtp/8bitmime.html
Re: Re: Reading the (SSL) traffic with Pale Moon [ In reply to ]
On 161224-09:38-0800, Ian Zimmerman wrote:
> On 2016-12-20 21:30, Walter Dnes wrote:
>
> > Sorry, I'm not knowledgable about the level of security that you're
> > looking for. Maybe you should be asking your questions in a
> > specialized linux security forum.
>
> Perhaps the tails distribution may be relevant here?
>
> https://tails.boum.org/
>

Air-Gapped install is a completely different story, pretty complemetary
to Tails' offering.

Air-Gapped is an offline peace of mind in complete quiet from the
bustling frenzy... until...

...Until, that is, you have to go online with the cloned system, then
the bustle, with all that the openness implies, returns.

And there is the need to get stuff from online into the Air-Gapped
machine... And that...

And that is what I have achieved with my Palemoon install, after
some trial and error, in the other subthread of this same topic, just I
renamed it to:

Pale Moon Air-Gapped portage EAPI 6 Install
.

--
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr