From: Miroslav Rovis
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Reading the (SSL) traffic with Pale Moon
Date: Mon, 19 Dec 2016 18:43:53 +0100
Message-ID: <20161219174353.GF31077@g0n.xdwgrp>
In-Reply-To: <20161219171701.GE31077@g0n.xdwgrp>
References: <20161217224455.GA9477@g0n.xdwgrp> <20161217232554.GB9477@g0n.xdwgrp> <20161218015637.GC18283@waltdnes.org> <20161218055009.GA11155@g0n.xdwgrp> <20161218070441.GA19833@waltdnes.org> <20161218181616.GA13242@g0n.xdwgrp> <20161218184347.GB13242@g0n.xdwgrp> <20161218202933.GA23487@waltdnes.org> <20161219111643.GA31077@g0n.xdwgrp> <20161219171701.GE31077@g0n.xdwgrp>
User-Agent: Mutt/1.7.2 (2016-11-26)

I need to correct what I wrote... Things are *not* as bad as I
misunderstood...

On 161219-18:17+0100, Miroslav Rovis wrote:
...
> ...
> 
> The NSS library that Palemoon uses (as I posted on that link above) is,
> IIUC, ancient (paste from about:support):

Nope! But see below...
> NSS 3.19.5.0 Basic ECC 3.19.5.0 Basic ECC
> 
> See in your own portage:
> 
> # cd /usr/portage/dev-libs/nss/
> # grep 'bug #' ChangeLog | cut -d# -f2 | sed 's/)//' | sed 's/\.//' \
> | sed 's/\.//'|sort -u
> 564834
> 571086
> 574848
> 576862
> 585372
> #
> 
> Of the above Gentoo Bugzilla bugs, only the last one (585372) is not about vulns but
> about stable request ("=dev-libs/nss-3.23 stable request").
> 
> So all of these:

Really not! There is talk of 3.19.2.1 and 3.19.4 ...

> overflow, integer overflow (CVE-2015-{7181,7182,7183})
> https://bugs.gentoo.org/show_bug.cgi?id=564834

[There is talk of 3.19.2.1 and 3.19.4] on 2015-11-03 20:19:00 UTC here:
https://bugs.gentoo.org/show_bug.cgi?id=564834#c0

I don't know about this one, but probably it doesn't apply to what Pale
Moon either...

> (CVE-2015-7575, CVE-2016-1938) - signature allows attack on client certificate authentication (part of SLOTH
> attack), miscalculations in bignum lib (CVE-2015-7575, CVE-2016-1938)
> https://bugs.gentoo.org/show_bug.cgi?id=571086

This bug #574848

> dev-libs/nss-3.22[utils] - multilib-minimal_abi_src_install - !!! dobin:
> checkcert does not exist
> https://bugs.gentoo.org/show_bug.cgi?id=574848

is entirely local error within Gentoo

And there is talk of .19.2.3 ...
https://bugs.gentoo.org/show_bug.cgi?id=576862#c0

> vulnerabilities (CVE-2016-{1950..1979}, CVE-2016-{2790..2802})
> https://bugs.gentoo.org/show_bug.cgi?id=576862

[And there is talk of .19.2.3] on 2016-03-09 14:42:36 UTC here:
https://bugs.gentoo.org/show_bug.cgi?id=576862#c0

> 
...
> No addons/extensions yet (not even the eff-https-everywhere, the browser
> functionalities minimized, privacy browsing set to always, though, and
> I'll show that too. Ah, no tracking protection in Pale Moon, we'll see
> to that... But later I'll make page 2 with that cast/trace pair.
> 
> ( And, regarding the short post by Taiidan@gmx.com
> http://www.gossamer-threads.com/lists/gentoo/user/320794#320794
> also something to fake browser fingerprinting, probably start looking from:
> https://wiki.gentoo.org/wiki/Tor )
> 

And whether the NSS that Pale Moon uses is fine, maybe some of the devs
can tell us, I apologize for having made too hasty and very probably
wrong conclusion in regard...

Regards!
-- 
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
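As an added check, not part of the original thread: a small POSIX shell script that compares the NSS version a browser reports in about:support against the NSS versions named in the bugzilla comments linked above. The bug-to-version table is constructed from the versions this message mentions (3.19.4 for bug 564834, 3.19.2.3 for bug 576862) and is not verified against the bug tracker; numeric comparison assumes one linear release line, so where NSS shipped a maintenance branch such as 3.19.2.x, a numerically newer version is only an indication and the release notes still need checking.

```shell
#!/bin/sh
# Added example, not from the original thread: check whether a reported NSS
# version is at or past the fix versions mentioned in the Gentoo bug comments.

# Compare two dotted numeric versions component by component.
# Prints lt, eq or gt for $1 relative to $2; a missing component counts as 0,
# so 3.19.4 and 3.19.4.0 compare equal.
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "$a" = "$x" ] && a='' || a=${a#*.}
        [ "$b" = "$y" ] && b='' || b=${b#*.}
        if [ "${x:-0}" -lt "${y:-0}" ]; then echo lt; return; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then echo gt; return; fi
    done
    echo eq
}

# Constructed table: Gentoo bug number and the NSS version named in the
# bugzilla comment the thread links to. Taken from the message, not verified
# against the bug tracker; bug 571086 names no version there, so it is absent.
FIXES='564834 3.19.4
576862 3.19.2.3'

# Print the bug numbers whose named version is newer than the installed NSS.
# Caveat: NSS ships maintenance branches (3.19.2.x), so a numerically newer
# mainline version is only an indication that a branch fix is included.
missing_fixes() {
    installed=$1
    printf '%s\n' "$FIXES" | while read -r bug ver; do
        if [ "$(vercmp "$installed" "$ver")" = lt ]; then
            echo "$bug"
        fi
    done
}

# Usage: defaults to the version Pale Moon's about:support reported in the thread.
missing_fixes "${1:-3.19.5.0}"
```

Run it with a version argument (e.g. the value from about:support) to list the thread's bug numbers whose named NSS version is newer than what is installed; no output means every named version is at or below the installed one.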