Food for thought: safe browsing and blocking scripts

Discussion in 'other anti-malware software' started by Windows_Security, Feb 10, 2015.

  1. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    I've been buying and selling on the internet for years now. If I didn't have real money depending on my internet connection, I wouldn't take security so seriously and keep trying to learn more about it. It's one thing if a security breach embarrasses you a little, it's another thing altogether if it costs you some of your hard earned money.

The only time I've ever had a financial breach, it wasn't through my connection or browser, it was a compromised card reader inside a gas pump that I got gas from late at night when the gas station was closed. A hardware MITM attack, something which was not uncommon around here back then. At the time, I was running a small open air stall and buying supplies with that debit card. It took months for the bank to do its investigation and clear me for a new card. During that time, I needed to pay my supplier up front and sending a check took days. I was saved because I had a paypal account and I just transferred the money in my bank account into paypal to keep things rolling. If not for the internet side of things remaining secure, I would have been put out of business because my bank and Visa had a security breach.
     
  2. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    An option I would like to see in uMatrix, to make it easier for some sites and users.

    Now we have the option to allow all with that button when we are lazybirds. The hosts files remain though, and their protection is global.
    If that allow-all button does not work, then the only choice now is to go and whitelist the blacklisted entries, or disable matrix filtering altogether for that scope. It is an acceptable solution for sure, as it is. Unticking hosts files is instead a global option, and as such not so practical.

    But what if instead there we had an option to just disable the hosts files for that site/scope? We would still have what we had in our global category rules like frames, possibly cookies etc. blocked. So it would not be as "bad" as disabling matrix filtering all together.

    To not clutter the interface it could perhaps be implemented in that disable matrix filtering button. Now I don't have any idea how gorhill has coded uMatrix and how easy it would be to implement. Just something I would like to have as a choice.

    uMatrix is already the best blocker in Chrome in my opinion.
     
  3. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    None needed. I don't have PaleMoon on XP but do have an older version on 98. Hopefully they haven't moved things too much.
    Go to "options" on the menu, click advanced, then the encryption tab. Click on "view certificates". Click Authorities tab, select Import. Navigate to the Proxomitron folder and select proxcert.pem. The trust settings interface for the certificate should open. Check "this certificate can identify web sites", then click OK.

    On some sites, it might be necessary to block STS. This is done from the browser's permission manager on a per-site basis. On some sites that use STS for content delivery networks (CDNs), the added content such as images may still be blocked. The Intercept is one such site.
     
  4. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    I may have to start over, as I may have downloaded the wrong files. Do you have a list of all the files needed, including
    any updates, to get Proxomitron working? Links to the actual files I would need.

    Won't be testing until sometime later so no hurry. Thanks
     
  5. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Are you working with the original version of Proxomitron or the hex edited version? It won't matter for the filters or certificates, just the SSL files.
     
  6. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    I didn't do any hex editing of Proxomitron, so it must be the original. What would be better? There are several zip
    files on the forum, so I need the number and any patches. Everything to make Proxomitron functional. I can add
    other filters later.
     
  7. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    What timing! They just posted the patch as an executable. No need to hex edit.
    http://www.prxbx.com/forums/showthread.php?tid=2179&pid=18388#pid18388
    Grab both the patch and the DLLs. The patch is intended for this version of Proxomitron. The DLLs go in the Proxomitron folder.

    Grab proxcert.pem from here. Import this into your browser.

    Get the certs.pem here. It's the list of certificates Proxomitron will use. Converted from Windows root certificate update.

    Edit:
    Zip file with patcher also contains a newer certs.pem and proxcert.pem. Use these.
     
    Last edited: Mar 21, 2015
  8. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    So we're looking at either using the proxcert.pem150101.zip or the proxcert2025_01_25.zip file,
    the Certs132311.zip file, and I already have the ProxN45J.zip file from a previous download.
    Also Patch2ProxN45j+SSL+RWIN.zip and OpenSSL_1_0_2_a_win32_DLLs.zip are needed. Correct?

    If certs.pem was converted from the Windows root cert update it might be old (Nov. 2013)?
     
  9. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    My mistake. The included certs.pem appears to be newer but is from Mozilla. Apparently Mozilla doesn't accept nearly as many certificates as Microsoft. Your choice which you prefer. That date is probably correct, roughly 1 and a half years old. Not sure how often MS updates these.

    I haven't tried the 10 year proxcert.pem. That's also quite new. I've always made my own with the makeproxcert utility. Your choice.

    Just tried the patcher. The MD5 and SHA256 hashes for patched executable match the hex edited version. The 1.0.2 DLLs are for the patched version. The unpatched version will use these DLLs.
     
  10. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    Probably better, although I'm having some issues with cert validation (OCSP server fails, treat cert as invalid).
    I thought there was a more current update for MS certs (2014?) but I'm not sure. When I did updates before I
    only saw ones from 2013 being offered. Will see if, after gathering all the files, I can get Proxomitron up and running,
    and post back if I run into any problems. Thanks again for the help.
     
  11. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    I'm getting a Proxo error message (Sorry but I need SSLeay32.dll & libeay.dll to do this). I previously
    added those 2 files to the Proxomitron folder from the OpenSSL_1_0_2_a_win32_DLLs zip folder.

    I ran the Proxomitron patch (ProxN45j+SSL+RWIN.exe) and it successfully patched.
    Moved all files into the created Proxomitron folder.

    Imported the proxcert.pem into Pale Moon certificate manager and Proxomitron is listed
    as certificate that can identify web sites.
     
  12. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I rechecked the patched executable with the new DLLs. It's working here. You'll see that error message if it's the wrong combination of components, missing components, or if they're in the wrong location.

    For the patched executable:
    The patcher will create a new executable named ProxN45j+SSL+RWIN.exe. This needs to be copied to your Proxomitron folder. Proxomitron.exe is the original and doesn't work with the new DLLs.
    The hashes for the patched version of the file are
    MD5 d675477025d6af758f10ed1b87a366e6
    SHA-256 5a6160c7f6eeb28b10de7fc698f115176c8e579e44b4e209b088942f12e33425

    The DLLs contained in OpenSSL_1_0_2_a_win32_DLLs.zip need to be extracted directly into the Proxomitron folder. Extracting the archive itself to the Proxomitron folder will result in the DLLs being placed in a sub-folder, which does not work.
    Hash values for the new DLLs:
    libeay32.dll
    MD5 cb1f13218b31baa9b1f2b6e1b837acbd
    SHA-256 dd02eaaea193fe428c64a814287f2328d1f66d1ea567442a7e516c42e3531e44

    ssleay32.dll
    MD5 fd268b5a640106c279aaecb65a2af5fc
    SHA-256 23b83a41105cac582258abcff6ac59f0f3edd7ac05b7a50dc52df0980a7e9e02

    For the original unpatched version of Proxomitron.exe
    hash values:
    MD5 f2867bee7180cdc839f7636fddc1aa74
    SHA-256 7adc0296d97e24417000c5cac53c8dfb34a5e6ddedceec168ffe45648803285b

    This version needs the patched versions of OpenSSL 0.9.8 linked above.
    hash values:
    libeay32.dll
    MD5 0153e2adff5bd04e5c32a15188baaf51
    SHA-256 40bf950dcdb88deb66a355fe9838049c2b77f80872763f66238c71311352910e

    ssleay32.dll
    MD5 b68cfaeaf9482fdf1d27cabdba16f66d
    SHA-256 ac0aa31a5914f4fffc8b826851374642eab1e12a25878a971d5d1f87d2be77e9
     
  13. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    Probably better if I go through this step by step, since currently I have 5 zip folders.
    ProxN45J
    certs132311
    procert150101
    OpenSSL_1_0_2_a_win32_DLL
    Patch2ProxN45j+SSL+RWIN

    Should I first extract the ProxN45J zip folder and place it in its own folder, and does anything need to be changed
    or deleted from this folder? (Seeing 5 folders and 13 files.)
     
    Last edited: Mar 22, 2015
  14. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    OK.
    Extract ProxN45J to its permanent location, preferably a subfolder in program files.
    Extract Patch2ProxN45j+SSL+RWIN to its own folder. The desktop will do as this folder is temporary.
    Copy Proxomitron.exe from its program files directory to the Patch2ProxN45j+SSL+RWIN directory.
    Run Patch2ProxN45j+SSL+RWIN.exe. This will create ProxN45j+SSL+RWIN.exe in that directory. This is the patched version.
    Copy ProxN45j+SSL+RWIN.exe to the Proxomitron directory.
    Copy certs.pem and proxcert.pem from Patch2ProxN45j+SSL+RWIN to the Proxomitron directory. Overwrite the originals.
    Extract OpenSSL_1_0_2_a_win32_DLL.zip to a temporary directory.
    Copy ssleay32.dll and libeay32.dll from the temporary directory to the Proxomitron folder.
    Run ProxN45j+SSL+RWIN.exe from the Proxomitron folder. It should accept the new DLLs when HTTPS filtering is enabled.

    Assuming everything works, you can replace the original version with the patched, rename the files, or run them as is.
     
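    The hash values quoted a few posts up and the step-by-step assembly above are easy to get subtly wrong (the exe and DLL generations must match, and the DLLs must sit directly in the Proxomitron folder, not in a sub-folder). The script below is an added example, not part of Proxomitron or the prxbx patch; it checks an assembled folder against both manifests from the thread, using only the Python standard library. The folder path and the script name are assumptions for the usage line.

```python
"""Verify an assembled Proxomitron folder against the hashes posted in the thread.

Added example, not Proxomitron's own tooling. The expected values are the
MD5/SHA-256 pairs quoted above; the layout follows the step-by-step post
(patched exe plus the two OpenSSL 1.0.2a DLLs in the same directory).
Usage (path is an assumption): python verify_prox.py "C:\\Program Files\\Proxomitron"
"""
import hashlib
import os
import sys

# Hashes quoted in the thread for the patched build and the 1.0.2a DLLs it needs.
PATCHED_MANIFEST = {
    "ProxN45j+SSL+RWIN.exe": (
        "d675477025d6af758f10ed1b87a366e6",
        "5a6160c7f6eeb28b10de7fc698f115176c8e579e44b4e209b088942f12e33425",
    ),
    "libeay32.dll": (
        "cb1f13218b31baa9b1f2b6e1b837acbd",
        "dd02eaaea193fe428c64a814287f2328d1f66d1ea567442a7e516c42e3531e44",
    ),
    "ssleay32.dll": (
        "fd268b5a640106c279aaecb65a2af5fc",
        "23b83a41105cac582258abcff6ac59f0f3edd7ac05b7a50dc52df0980a7e9e02",
    ),
}

# Hashes quoted for the original exe and the patched 0.9.8 DLLs it needs instead.
ORIGINAL_MANIFEST = {
    "Proxomitron.exe": (
        "f2867bee7180cdc839f7636fddc1aa74",
        "7adc0296d97e24417000c5cac53c8dfb34a5e6ddedceec168ffe45648803285b",
    ),
    "libeay32.dll": (
        "0153e2adff5bd04e5c32a15188baaf51",
        "40bf950dcdb88deb66a355fe9838049c2b77f80872763f66238c71311352910e",
    ),
    "ssleay32.dll": (
        "b68cfaeaf9482fdf1d27cabdba16f66d",
        "ac0aa31a5914f4fffc8b826851374642eab1e12a25878a971d5d1f87d2be77e9",
    ),
}


def file_digests(path, chunk=1 << 16):
    """Return (md5, sha256) hex digests of a file, streamed in chunks."""
    md5 = hashlib.md5()
    sha = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


def verify_folder(folder, manifest):
    """Check each manifest entry directly inside `folder` (sub-folders do not count).

    Returns {name: "ok" | "missing" | "mismatch"}. A DLL that only exists in a
    sub-folder is reported as missing, which is the extraction mistake the
    thread warns about.
    """
    results = {}
    for name, (exp_md5, exp_sha) in manifest.items():
        path = os.path.join(folder, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        got = file_digests(path)
        # Both digests must match; agreement on one algorithm alone is not enough.
        results[name] = "ok" if got == (exp_md5, exp_sha) else "mismatch"
    return results


def folder_is_consistent(results):
    """True only when every component of one manifest is present and intact."""
    return all(status == "ok" for status in results.values())


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for label, manifest in (("patched", PATCHED_MANIFEST), ("original", ORIGINAL_MANIFEST)):
        res = verify_folder(target, manifest)
        print(f"[{label}] " + ", ".join(f"{k}: {v}" for k, v in res.items()))
        if folder_is_consistent(res):
            print(f"[{label}] all components present and hashes match")
```

    A folder that reports "ok" for the patched exe but "mismatch" for the DLLs is the exact mixed-generation combination that produces the "I need SSLeay32.dll & libeay.dll" message described above; "missing" for both DLLs usually means the archive was extracted into a sub-folder.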
  15. tlu

    tlu Guest

    I found this site in a thread on the uBlock github site:

    https://sites.google.com/site/appleclubfhs/support/advice-and-articles/browser-popup-hijack-safari

    The interesting thing is that not only Safari is affected. When I opened one of the sites in that list, namely

    nothing happened. However, after allowing scripts for that site in µMatrix and clicking the buttons presented thereafter, Chrome stalled completely (not only the respective tab - all open tabs). I had to kill the browser manually.

    Another example that blocking scripts by default has its benefits.
     
    Last edited by a moderator: Mar 22, 2015
  16. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    Can't do this at the moment since I'm running in a restricted account, so are these all the steps
    in the right order to get Proxomitron and SSL filtering working? Then I don't need to use the
    certs132311 and procert150101 zip folders?
     
  17. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    The steps should be in the right order. The only other thing you'll need to do is import Proxomitron's certificate into the browser. Any of the proxcert.pem files will work. The only differences are the expiration dates. For certs.pem, one is based on Microsoft's list. The other is based on Mozilla's. Microsoft appears to trust more "authorities" than Mozilla. Which is better depends on your point of view.
     
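    The choice between the Microsoft-derived and Mozilla-derived certs.pem comes down to which root certificates each one contains. The script below is an added example, not Proxomitron's own code: it parses two PEM bundles with the standard library only, identifies each certificate by the SHA-256 fingerprint of its DER encoding (the same value a browser's certificate viewer shows), and reports which roots appear in one bundle but not the other. It also writes out the intersection, the conservative choice when you do not want to trust anything only one vendor trusts. The sample bundles at the bottom are constructed placeholders, not real certificates; the fingerprint logic does not care what the DER contains.

```python
"""Compare two certs.pem root bundles by certificate fingerprint.

Added example, not part of Proxomitron. Only the standard library is used.
Assumes the bundles are ordinary PEM files with one or more
"-----BEGIN CERTIFICATE-----" blocks; comments between blocks are ignored.
"""
import base64
import hashlib
import re

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_blocks(text):
    """Yield the DER bytes of every CERTIFICATE block in a PEM bundle.

    A block whose body is not valid base64 raises ValueError; that is what a
    truncated download or a hand-edited bundle usually looks like.
    """
    for m in _PEM_BLOCK.finditer(text):
        body = re.sub(r"\s+", "", m.group(1))
        try:
            yield base64.b64decode(body, validate=True)
        except ValueError as exc:
            raise ValueError(f"malformed certificate block: {exc}") from exc


def fingerprints(text):
    """Map SHA-256 fingerprint (AA:BB:...) -> DER for one bundle.

    Duplicate copies of the same certificate collapse to a single entry.
    """
    out = {}
    for der in pem_blocks(text):
        hexfp = hashlib.sha256(der).hexdigest().upper()
        out[":".join(hexfp[i:i + 2] for i in range(0, len(hexfp), 2))] = der
    return out


def diff_bundles(a_text, b_text):
    """Return (only_in_a, only_in_b, common) as sorted fingerprint lists."""
    a, b = set(fingerprints(a_text)), set(fingerprints(b_text))
    return sorted(a - b), sorted(b - a), sorted(a & b)


def to_pem(der):
    """Re-encode DER as a 64-column PEM block."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def intersect_bundles(a_text, b_text):
    """Return a PEM bundle holding only the certificates both inputs trust."""
    a = fingerprints(a_text)
    _, _, common = diff_bundles(a_text, b_text)
    return "".join(to_pem(a[fp]) for fp in common)


# Constructed sample bundles (placeholder bytes, not real certificates).
def _fake_cert(seed):
    return to_pem(b"constructed-placeholder-not-a-real-certificate-" + seed)


SAMPLE_VENDOR_A = _fake_cert(b"A") + _fake_cert(b"B") + _fake_cert(b"C")
SAMPLE_VENDOR_B = "# comment line\n" + _fake_cert(b"B") + _fake_cert(b"C") + _fake_cert(b"C")


if __name__ == "__main__":
    only_a, only_b, common = diff_bundles(SAMPLE_VENDOR_A, SAMPLE_VENDOR_B)
    print(f"only in A: {len(only_a)}, only in B: {len(only_b)}, common: {len(common)}")
    for fp in only_a:
        print("  A-only:", fp)
    print(intersect_bundles(SAMPLE_VENDOR_A, SAMPLE_VENDOR_B))
```

    To use it on the real bundles, read both certs.pem files as text and pass them to diff_bundles; the fingerprints it prints can be looked up in the browser's certificate viewer to see which authority each one belongs to.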
  18. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    Ok. I'll try it again and hopefully be back with everything working.
     
  19. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Proxomitron Filters and Documentation.
    All of the Proxomitron filter sets include documentation, including those included in the original package. Documentation can be found in the "Docs" and "help" subfolders, various readme files, and in the files contained in the "Lists" subfolder. The individual lists explain the syntax used. There's also some documentation contained in individual filters. This is not material that you can master with a single reading. Proxomitron is not a "set and forget" application. Like classic HIPS and rule based firewalls, Proxomitron should be matched to your needs. If you regard classic HIPS and rule based firewalls as too complicated or too demanding on the user, Proxomitron will seem like a nightmare.

    Every filterset is made up of individual filters. Some are free-standing. Others work in groups. Many are optional. In spite of the age, most of the filters are still relevant. All are useful for learning to write your own. As far as I know, no one is maintaining a complete filterset any more. It's too much work for a small user base. In order to keep Proxomitron effective and relevant, you'll need to be able to write your own, or at least know how to manipulate existing filters and import new ones.

    The last complete filterset I'm aware of is prox-config-sidki_2011-12-22rc1.zip. This is a large and complicated set with a lot of options. It's powerful but can be overwhelming. Currently, it's as close to a "ready to use" set as is available. On old hardware, this filterset can slow down the browser.

    For those who want a NoScript type of ability, there's the ProxBlox addition.
    ProxBlox is not a configuration set. It's an addition that's merged into an existing filterset. It's described and available here. Please read the page before downloading. If not used with the Sidki filterset, an additional list file, count.ptxt will be required, available on the same page.

    The JD-List filterset is old but is an excellent filterset to explore and dismantle, with good documentation. It and others are available here. In the prxbx forums, there are many individual filters and improvements to existing ones that can be copied and imported. The ETag removal filter is one such example.
     
  20. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    Can't seem to get SSL to filter as shown by the screenshot. Followed everything as posted. Hash values are the same also.
     
    Last edited: Mar 22, 2015
  21. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Odd.
    You are running the patched version of Proxomitron, MD5 d675477025d6af758f10ed1b87a366e6?
    The new ssleay32.dll and libeay32.dll are in the same folder?

    Do you have some software restriction policy in place that prevents the use of DLLs in an applications folder?
     
  22. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    There may be a problem with those DLLs. Try these and let me know if it changes. They're version 1.0.1L
     
  23. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    My apologies. I thought I had copied the latest DLLs to the Proxomitron directory. I was still running the previous versions.
     
  24. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    Yes, same hash value on the patched version of Proxomitron. I do use SRP, but TransparentEnabled in the registry I think handles the DLLs for rule evaluation.
    0 = no enforcement
    1 = exclude DLLs in evaluation
    2 = include all files in evaluation
    Currently it is set to 0

    Got a message about other DLLs to try.
     
  25. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    Okay, the OpenSSL_1_0_1_L_win32_DLLs worked and Proxomitron is using the OpenSSL filtering setting.
    Now I take it I have to add exceptions to any SSL website/search engine (e.g. duckduckgo and
    techsupportalert) to Proxomitron, since it states the certificate is only valid for Proxomitron.

    Also, as before, I imported the proxcert.pem file from Patch2ProxN45j+SSL+RWIN into the browser
    cert manager. Checked the bypass setting in Proxomitron and it seems to work.
    Now comes the hard part. Making it work with Sandboxie, since everything was run through
    an unsandboxed browser. Back to the old "proxy server is refusing connections" screen.

    Was able to, for now, get Sandboxie to work with Proxomitron. Not exactly what I want for the settings
    in Sandboxie. Had to create a separate sandbox with many settings removed. Was able though to force
    browser, restrict Internet and Start/Run Access and run everything in LUA.
     
    Last edited: Mar 22, 2015