| 1 |
On 161219-12:16+0100, Miroslav Rovis wrote: |
| 2 |
> On 161218-15:29-0500, Walter Dnes wrote: |
| 3 |
... |
| 4 |
> First, I installed Pale Moon, but by no means is the task over. |
| 5 |
> |
| 6 |
> And not just because I had issues, i.e. couldn't log into Pale Moon forum: |
| 7 |
> |
| 8 |
> SSL-key logging with Pale Moon (the current title) |
| 9 |
> http://www.croatiafidelis.hr/foss/cap/cap-161218-palemoon/ |
| 10 |
> ( and great if we get some insight here by seniors as to why the |
| 11 |
> apparent *fork bomb* or something happened ). |
| 12 |
> |
| 13 |
> ( Pls. do note that Pale Moon can SSL-key log just fine, except, it's an |
| 14 |
> old version of the nss library that Pale Moon uses, which is likely not |
| 15 |
> a good thing. ) |
| 16 |
... |
| 17 |
|
| 18 |
The NSS library that Palemoon uses (as I posted on that link above) is, |
| 19 |
IIUC, ancient (paste from about:support): |
| 20 |
|
| 21 |
NSS 3.19.5.0 Basic ECC 3.19.5.0 Basic ECC |
| 22 |
|
| 23 |
See in your own portage: |
| 24 |
|
| 25 |
# cd /usr/portage/dev-libs/nss/ |
| 26 |
# grep 'bug #' ChangeLog | cut -d# -f2 | sed 's/)//' | sed 's/\.//' \ |
| 27 |
| sed 's/\.//'|sort -u |
| 28 |
564834 |
| 29 |
571086 |
| 30 |
574848 |
| 31 |
576862 |
| 32 |
585372 |
| 33 |
# |
| 34 |
|
| 35 |
Of the above Gentoo Bugzilla bugs, only the last one (585372) is not about vulns but |
| 36 |
about stable request ("=dev-libs/nss-3.23 stable request"). |
| 37 |
|
| 38 |
So all of these: |
| 39 |
|
| 40 |
<dev-libs/nspr-4.10.10, <dev-libs/nss-3.20.1: use-after-poison, buffer |
| 41 |
overflow, integer overflow (CVE-2015-{7181,7182,7183}) |
| 42 |
https://bugs.gentoo.org/show_bug.cgi?id=564834 |
| 43 |
|
| 44 |
(CVE-2015-7575, CVE-2016-1938) - <dev-libs/nss-3.21-r2: Weak RSA-MD5 |
| 45 |
signature allows attack on client certificate authentication (part of SLOTH |
| 46 |
attack), miscalculations in bignum lib (CVE-2015-7575, CVE-2016-1938) |
| 47 |
https://bugs.gentoo.org/show_bug.cgi?id=571086 |
| 48 |
|
| 49 |
dev-libs/nss-3.22[utils] - multilib-minimal_abi_src_install - !!! dobin: |
| 50 |
checkcert does not exist |
| 51 |
https://bugs.gentoo.org/show_bug.cgi?id=574848 |
| 52 |
|
| 53 |
<www-client/firefox{,-bin}-{38.7.0,45.0} |
| 54 |
<mail-client/thunderbird{,-bin}-38.7.0 <dev-libs/nss-3.22.2 : multiple |
| 55 |
vulnerabilities (CVE-2016-{1950..1979}, CVE-2016-{2790..2802}) |
| 56 |
https://bugs.gentoo.org/show_bug.cgi?id=576862 |
| 57 |
|
| 58 |
[all of the above] speak of serious security risks with the then version of |
| 59 |
NSS, and Pale Moon uses a version of the NSS that predates any patches to |
| 60 |
those bugs. If I understand correctly. |
| 61 |
|
| 62 |
In the meantime, I have retried to log into Pale Moon forum, same issue |
| 63 |
shows up. And yet another time I retired. And it's consistent |
| 64 |
behavior... Maybe because now the forum thinks I tried many times |
| 65 |
before, which is just not the case by any means! |
| 66 |
|
| 67 |
And for that try, I cleared the cache, and get a cast/trace pair short, |
| 68 |
and clean event, no other, or not much other conversations, but those |
| 69 |
with the Pale Moon Forum (and its requests, true, which are a lot of |
| 70 |
requests...). |
| 71 |
|
| 72 |
No addons/extensions yet (not even the eff-https-everywhere, the browser |
| 73 |
functionalities minimized, privacy browsing set to always, though, and |
| 74 |
I'll show that too. Ah, no tracking protection in Pale Moon, we'll see |
| 75 |
to that... But later I'll make page 2 with that cast/trace pair. |
| 76 |
|
| 77 |
( And, regarding the short post by Taiidan@×××.com |
| 78 |
http://www.gossamer-threads.com/lists/gentoo/user/320794#320794 |
| 79 |
also something to fake browser fingerprinting, probably start looking from: |
| 80 |
https://wiki.gentoo.org/wiki/Tor ) |
| 81 |
|
| 82 |
So what should I think of Pale Moon, regarding the SSL-key logging, but |
| 83 |
with that ancient NSS? |
| 84 |
|
| 85 |
Aaarggghhh! |
| 86 |
-- |
| 87 |
Miroslav Rovis |
| 88 |
Zagreb, Croatia |
| 89 |
http://www.CroatiaFidelis.hr |
Archives