On 161219-12:16+0100, Miroslav Rovis wrote:
> On 161218-15:29-0500, Walter Dnes wrote:
...
> First, I installed Pale Moon, but by no means is the task over.
>
> And not just because I had issues, i.e. couldn't log into Pale Moon forum:
>
> SSL-key logging with Pale Moon (the current title)
> http://www.croatiafidelis.hr/foss/cap/cap-161218-palemoon/
> ( and great if we get some insight here by seniors as to why the
> apparent *fork bomb* or something happened ).
>
> ( Pls. do note that Pale Moon can SSL-key log just fine, except, it's an
> old version of the nss library that Pale Moon uses, which is likely not
> a good thing. )
...

The NSS library that Palemoon uses (as I posted on that link above) is,
IIUC, ancient (paste from about:support):

NSS 3.19.5.0 Basic ECC 3.19.5.0 Basic ECC

See in your own portage:

# cd /usr/portage/dev-libs/nss/
# grep 'bug #' ChangeLog | cut -d# -f2 | sed 's/)//' | sed 's/\.//' \
| sed 's/\.//'|sort -u
564834
571086
574848
576862
585372
#

Of the above Gentoo Bugzilla bugs, only the last one (585372) is not about vulns but
about a stable request ("=dev-libs/nss-3.23 stable request").

So all of these:

<dev-libs/nspr-4.10.10, <dev-libs/nss-3.20.1: use-after-poison, buffer
overflow, integer overflow (CVE-2015-{7181,7182,7183})
https://bugs.gentoo.org/show_bug.cgi?id=564834

(CVE-2015-7575, CVE-2016-1938) - <dev-libs/nss-3.21-r2: Weak RSA-MD5
signature allows attack on client certificate authentication (part of SLOTH
attack), miscalculations in bignum lib (CVE-2015-7575, CVE-2016-1938)
https://bugs.gentoo.org/show_bug.cgi?id=571086

dev-libs/nss-3.22[utils] - multilib-minimal_abi_src_install - !!! dobin:
checkcert does not exist
https://bugs.gentoo.org/show_bug.cgi?id=574848

<www-client/firefox{,-bin}-{38.7.0,45.0}
<mail-client/thunderbird{,-bin}-38.7.0 <dev-libs/nss-3.22.2 : multiple
vulnerabilities (CVE-2016-{1950..1979}, CVE-2016-{2790..2802})
https://bugs.gentoo.org/show_bug.cgi?id=576862

[all of the above] speak of serious security risks with the then version of
NSS, and Pale Moon uses a version of the NSS that predates any patches to
those bugs. If I understand correctly.

In the meantime, I have retried to log into Pale Moon forum, same issue
shows up. And yet another time I retried. And it's consistent
behavior... Maybe because now the forum thinks I tried many times
before, which is just not the case by any means!

And for that try, I cleared the cache, and got a cast/trace pair, short
and clean event, no other, or not much other conversations, but those
with the Pale Moon Forum (and its requests, true, which are a lot of
requests...).

No addons/extensions yet (not even the eff-https-everywhere), the browser
functionalities minimized, privacy browsing set to always, though, and
I'll show that too. Ah, no tracking protection in Pale Moon, we'll see
to that... But later I'll make page 2 with that cast/trace pair.

( And, regarding the short post by Taiidan@×××.com
http://www.gossamer-threads.com/lists/gentoo/user/320794#320794
also something to fake browser fingerprinting, probably start looking from:
https://wiki.gentoo.org/wiki/Tor )

So what should I think of Pale Moon, regarding the SSL-key logging, but
with that ancient NSS?

Aaarggghhh!
--
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
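As an added example (not from the post, nor from Gentoo or Pale Moon), the check the post does by hand: take the NSS version string as pasted from about:support and compare it against the "fixed in" versions named in the three vulnerability bugs quoted above, so the Gentoo-style "-rN" revision is handled correctly. The ADVISORIES table is constructed from the bug titles in the post; the function names are my own.

```python
import re

# Constructed from the Gentoo bug titles quoted in the post: the first
# dev-libs/nss version that carries the fix, in Gentoo "<nss-X" notation.
ADVISORIES = [
    ("564834", "3.20.1", "CVE-2015-7181/7182/7183 (use-after-poison, overflows)"),
    ("571086", "3.21-r2", "CVE-2015-7575, CVE-2016-1938 (SLOTH, bignum)"),
    ("576862", "3.22.2", "CVE-2016-{1950..1979}, CVE-2016-{2790..2802}"),
]

def parse_version(ver):
    """Turn '3.21-r2' into ((3, 21), 2): numeric parts plus Gentoo revision."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", ver.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {ver!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    rev = int(m.group(2)) if m.group(2) else 0
    return parts, rev

def version_lt(a, b):
    """True if version string a sorts before b; short tuples are zero-padded
    so that '3.19.5.0' and '3.20.1' compare component by component."""
    (pa, ra), (pb, rb) = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa, ra) < (pb, rb)

def nss_version_from_about_support(line):
    """Extract the version from an about:support line such as
    'NSS 3.19.5.0 Basic ECC 3.19.5.0 Basic ECC'."""
    m = re.search(r"\bNSS\s+(\d+(?:\.\d+)*)", line)
    if not m:
        raise ValueError("no NSS version found in: " + line)
    return m.group(1)

def unpatched_advisories(bundled):
    """Bug ids whose fixed-in version is newer than the bundled NSS."""
    return [bug for bug, fixed, _ in ADVISORIES if version_lt(bundled, fixed)]

if __name__ == "__main__":
    line = "NSS 3.19.5.0 Basic ECC 3.19.5.0 Basic ECC"  # pasted from the post
    ver = nss_version_from_about_support(line)
    for bug in unpatched_advisories(ver):
        print(f"NSS {ver} predates the fix tracked in Gentoo bug {bug}")
```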