From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-user+bounces-174635-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id D709D139085
	for <garchives@archives.gentoo.org>; Mon, 19 Dec 2016 17:18:10 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 7446FE0C4C;
	Mon, 19 Dec 2016 17:16:44 +0000 (UTC)
Received: from alt1.smtp5.plusvps.com (alt1.smtp5.plusvps.com [89.201.164.167])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 11EDBE0C45
	for <gentoo-user@lists.gentoo.org>; Mon, 19 Dec 2016 17:16:43 +0000 (UTC)
Received: from lin16.mojsite.com ([178.218.164.164])
	by smtp5.plusvps.com with esmtps (TLSv1:DHE-RSA-AES256-SHA:256)
	(Exim 4.84)
	(envelope-from <miro.rovis@croatiafidelis.hr>)
	id 1cJ1YC-000Gb4-Gj
	for gentoo-user@lists.gentoo.org; Mon, 19 Dec 2016 18:16:36 +0100
Received: from 93-138-96-237.adsl.net.t-com.hr ([93.138.96.237]:50720 helo=g0n.localdomain)
	by lin16.mojsite.com with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256)
	(Exim 4.87)
	(envelope-from <miro.rovis@croatiafidelis.hr>)
	id 1cJ1Y4-0007mE-W3; Mon, 19 Dec 2016 18:16:29 +0100
Received: by g0n.localdomain (Postfix, from userid 1000)
	id 69C256BC4; Mon, 19 Dec 2016 18:17:01 +0100 (CET)
Date: Mon, 19 Dec 2016 18:17:01 +0100
From: Miroslav Rovis <miro.rovis@croatiafidelis.hr>
To: gentoo-user@lists.gentoo.org
Cc: Taiidan@gmx.com
Subject: Re: [gentoo-user] Reading the (SSL) traffic with Pale Moon
Message-ID: <20161219171701.GE31077@g0n.xdwgrp>
References: <20161217055952.GB13608@waltdnes.org>
 <20161217224455.GA9477@g0n.xdwgrp>
 <20161217232554.GB9477@g0n.xdwgrp>
 <20161218015637.GC18283@waltdnes.org>
 <20161218055009.GA11155@g0n.xdwgrp>
 <20161218070441.GA19833@waltdnes.org>
 <20161218181616.GA13242@g0n.xdwgrp>
 <20161218184347.GB13242@g0n.xdwgrp>
 <20161218202933.GA23487@waltdnes.org>
 <20161219111643.GA31077@g0n.xdwgrp>
Precedence: bulk
List-Post: <mailto:gentoo-user@lists.gentoo.org>
List-Help: <mailto:gentoo-user+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-user+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-user+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-user.gentoo.org>
X-BeenThere: gentoo-user@lists.gentoo.org
Reply-to: gentoo-user@lists.gentoo.org
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
	protocol="application/pgp-signature"; boundary="wchHw8dVAp53YPj8"
Content-Disposition: inline
In-Reply-To: <20161219111643.GA31077@g0n.xdwgrp>
User-Agent: Mutt/1.7.2 (2016-11-26)
X-PlusHosting-MailScanner: Not scanned: please contact your Internet E-Mail Service Provider for details, Found to be clean
X-PlusHosting-MailScanner-SpamCheck: 
X-Spam-Status: No, No
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - lin16.mojsite.com
X-AntiAbuse: Original Domain - lists.gentoo.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - croatiafidelis.hr
X-Get-Message-Sender-Via: lin16.mojsite.com: authenticated_id: miro.rovis@croatiafidelis.hr
X-Authenticated-Sender: lin16.mojsite.com: miro.rovis@croatiafidelis.hr
X-PlusHosting-MailScanner-Information: Please contact the ISP for more information
X-PlusHosting-MailScanner-ID: 1cJ1YC-000Gb4-Gj
X-PlusHosting-MailScanner-From: miro.rovis@croatiafidelis.hr
X-Archives-Salt: 553da798-b93c-49c6-bc6a-a89ca88f41fc
X-Archives-Hash: 69ed772f10244ad32449314ebb4d3c4f


--wchHw8dVAp53YPj8
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On 161219-12:16+0100, Miroslav Rovis wrote:
> On 161218-15:29-0500, Walter Dnes wrote:
=2E..
> First, I installed Pale Moon, but by no means is the task over.
>=20
> And not just because I had issues, i.e. couldn't log into Pale Moon forum:
>=20
> SSL-key logging with Pale Moon (the current title)
> http://www.croatiafidelis.hr/foss/cap/cap-161218-palemoon/
> ( and great if we get some insight here by seniors as to why the
> apparent *fork bomb* or something happened ).
>=20
> ( Pls. do note that Pale Moon can SSL-key log just fine, except, it's an
> old version of the nss library that Pale Moon uses, which is likely not
> a good thing. )
=2E..

The NSS library that Palemoon uses (as I posted on that link above) is,
IIUC, ancient (paste from about:support):

NSS	3.19.5.0 Basic ECC	3.19.5.0 Basic ECC

See in your own portage:

# cd /usr/portage/dev-libs/nss/
# grep 'bug #' ChangeLog  | cut -d# -f2 | sed 's/)//' | sed 's/\.//' \
	| sed 's/\.//'|sort -u
564834
571086
574848
576862
585372
#

Of the above Gentoo Bugzilla bugs, only the last one (585372) is not about =
vulns but
about stable request ("=3Ddev-libs/nss-3.23 stable request").

So all of these:

<dev-libs/nspr-4.10.10, <dev-libs/nss-3.20.1: use-after-poison, buffer
overflow, integer overflow (CVE-2015-{7181,7182,7183})
https://bugs.gentoo.org/show_bug.cgi?id=3D564834

(CVE-2015-7575, CVE-2016-1938) - <dev-libs/nss-3.21-r2: Weak RSA-MD5
signature allows attack on client certificate authentication (part of SLOTH
attack), miscalculations in bignum lib (CVE-2015-7575, CVE-2016-1938)=20
https://bugs.gentoo.org/show_bug.cgi?id=3D571086

dev-libs/nss-3.22[utils] - multilib-minimal_abi_src_install - !!! dobin:
checkcert does not exist
https://bugs.gentoo.org/show_bug.cgi?id=3D574848

<www-client/firefox{,-bin}-{38.7.0,45.0}
<mail-client/thunderbird{,-bin}-38.7.0 <dev-libs/nss-3.22.2 : multiple
vulnerabilities (CVE-2016-{1950..1979}, CVE-2016-{2790..2802})
https://bugs.gentoo.org/show_bug.cgi?id=3D576862

[all of the above] speak of serious security risks with the then version of
NSS, and Pale Moon uses a version of the NSS that predates any patches to
those bugs. If I understand correctly.

In the meantime, I have retried to log into Pale Moon forum, same issue
shows up. And yet another time I retired. And it's consistent
behavior... Maybe because now the forum thinks I tried many times
before, which is just not the case by any means!

And for that try, I cleared the cache, and get a cast/trace pair short,
and clean event, no other, or not much other conversations, but those
with the Pale Moon Forum (and its requests, true, which are a lot of
requests...).

No addons/extensions yet (not even the eff-https-everywhere, the browser
functionalities minimized, privacy browsing set to always, though, and
I'll show that too. Ah, no tracking protection in Pale Moon, we'll see
to that...  But later I'll make page 2 with that cast/trace pair.

( And, regarding the short post by Taiidan@gmx.com
http://www.gossamer-threads.com/lists/gentoo/user/320794#320794
also something to fake browser fingerprinting, probably start looking from:
https://wiki.gentoo.org/wiki/Tor )

So what should I think of Pale Moon, regarding the SSL-key logging, but
with that ancient NSS?

Aaarggghhh!
--=20
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr

--wchHw8dVAp53YPj8
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJYWBYNAAoJEOqYhIhPuvCu4YQP/2zAxC6rt3OtRahyC8v9wYvY
VSZCJ7Vu4sCPaa/uA1jhVGxmrHXd1RFJXJJieBSNyapJi0n4xQUm4SNhhmZ0AGfg
oo0Jw2KCZOFBKvBrcy0AXynqyts0mNOnWw/zwTJ0p1kdk0xnzaFL1A67WkhKQgs7
JHjgiiHAFeRptYzPgN9j45cJgYUAzClFEs4WWcrmEXPkee9KYpOZOzuybkBt30RH
Aq9LwdtZqzwEPS5oBnd3KZ2ThwugFiW7Ce9OwY4Zn46FqADwUzqFY5hCk/6LGXkn
VLVigCoGfJSvHufdc7emAQnjloiGZLzfBhd+GB8NgmNp2vNrd9vFSOeY2WiyF54B
df9BfwSpAXi4Mu/f9Cvy1qiyri/ulsuhK9hEki6I1dS1Xki9kaF/c+4M2Q5wyp6O
f+1RZfN9wlHV300CP0QtJejYAA7ZyhpbHKxgwTZPjbYzaEzoLTzH5u16l2taiXxI
uPiFqM7blGOcJ5cf+AweL/Tz8F+9lAAK8WLMctiIJaPcd2XMFAttodehkvrZkvG4
31i1Y9Tb5I2FXnGVpHPUl4yLeSgOhPr2Iq+rdz4RlfFSqfG6ZOSQIHMwp4Dvi6Ix
HlU1N8bp363vYqy5tcObVx/LCtP30Bn1DoIWnvTluYXj4zYpTw4knhsMHWxwclFr
xBi0FthF5mCJJ6PKv1Rx
=FZyX
-----END PGP SIGNATURE-----

--wchHw8dVAp53YPj8--