Building Your Own Privacy Package

Discussion in 'privacy technology' started by Reality, Aug 5, 2014.

  1. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Open the certificate manager, go to authorities. Select "Import". navigate to Proxomitrons folder. Select proxcert.pem. Then locate it in the certificate list, click edit, and select This certificate can identify websites.

    Arstechnica should be an HTTP site. The certificate shouldn't matter. Did you take Proxomitron out of bypass mode? If yes, are the web page filters, outgoing and incoming headers all enabled (checked)? If yes, is javascript enabled in the browser, prefbar, and NoScript?
     
  2. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    To be clear, I intend my direct browsing to consist of FF 28.0 > Proxomitron > Internet. Not sure which browser you are using with your instructions but I as soon as I selected "select proxcert.pem" I had a dialog screen come up in which I had to make a selection or cancel out. One of those was similar to This certificate can identify websites. so I chose that. I checked the list and found it in there.

    The only reason I couldnt get onto Ars is because I didn't have the url in the first place. I tried to get it from Startpage which gave me an untrusted connection page. I bypassed proxomitron and got the url from startpage search, took bypass off, went to Ars and no 2 icons anywhere to be seen on proxomitrons interface.
    SO, as you said before, we need to get this clear about Proxblox being properly installed before proceeding.

    Yes to all except noscript is disabled. Apparently since FF 23, FF has done away with the setting for Javascript on/off unless you go to about:config and set it there. Whilst I am running these tests noscript will be disabled but while Im not I'll enable it until Proxomitron gets sorted. For example, I can't post here on wilders even though Im logged in, unless I bypass. I can't access hush unless I bypass.

    We need to back up and see why those 2 icons aren't showing.
     
  3. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,241
    Web developers have the option to turn off JavaScript temporarily.
    Open the Web Console (Ctrl-Shift-K shortcut) and click on the icon. (far left)
    Here you find disable JavaScript under advanced settings. This disables it only for the
    current session though. Just thought I let you know.
     
  4. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Lets make sure that Proxomitron is working before we check if NoScript or some other setting is interfering with it.
    These are screenshots of the web page and header filters. Compare to yours. Does yours have the ProxBlox entries at the top?
    proxblox-webpage.png proxblox-headers.png
    Do you see these in the lists?
    Proxblox-lists.png
     
  5. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,241
    Some more info:

    (about:config) setting in browser
    security.xpconnect.plugin.unrestricted (default is true)
    Setting it to false, plugins can't use external (not trustable) scripts with XPCOM or XPconnect.

    XPConnect is a bridge between JavaScript and XPCOM. With XPConnect, you can use XPCOM components
    from JavaScript code, and interact with JavaScript objects from within XPCOM components. XPConnect
    is part of Firefox and is actively used in XUL applications.

    XPCOM is a cross platform component object model, similar to Microsoft COM. It has multiple
    language bindings, allowing XPCOM components to be used and implemented in JavaScript, Java, and
    Python in addition to C++. Interfaces in XPCOM are defined in a dialect of IDL called XPIDL.

    Favorites folder in XP: (Internet URL connections to Microsoft.com)
    Should be listed in ' Search ' (Search Results -> Favorites) also.
     
  6. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Your 3 screenshots are identical to whats listed in my Proxomitron.
    Thanks. To me, Mozilla seems to be making it harder on purpose for folks to disable it if they don't have something like noscript installed, which most ordinary folk I know wouldn't have a clue about, much less look at the settings.
    Thanks for your explanations. I just plain didn't know about this. Great learning curve this all is :). May I ask, what are XUL applications?
    I didn't know exactly what you meant by this so I poked around in Start >search. WOW, thankyou for reminding me how easy it is for the average person to miss how IE is tightly woven into the OS. I just missed the connection of how my Favourites in IE explorer days are still there. :ouch: . Another cleaning up job to do. These are from waaay back.
     
  7. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Most likely it's NoScript or a browser setting that's interfering with ProxBlox. By chance do you have Request Policy or another site whitelisting extension installed? Some extensions may require you to whitelist Proxomitron and/or its own javascript. I haven't used NoScript in ages so I don't know what it might require. I'd have to set up another virtual unit to test the interaction between FireFox/NoScript and Proxomitron.

    Did you ever decide if you were going to install SeaMonkey or another browser, possibly a FireFox variant like PaleMoon? It might be simpler to sort this out using another browser that doesn't have extensions installed.
     
  8. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Heres a list of possibles. - Yes I have "Request Policy" and theres a small whitelist in "Origins to destinations" but I can't see how you would whitelist Proxomitron there. - There's a small whitelist in "Self destructing cookies" - Again, No Script will be dis-enabled on testing with Proxomitron. Another question to ask, surely disabling these would serve as enough to test? I don't really want to uninstall them. - I'm going to test each one disabled and see what I come up with.
    Yes I have SeaMonkey but that's waiting in the wings for when we go the TOR route. Just an over view of my intentions:
    For direct browsing: FF >Proxomitron>internet.
    Anon browsing: SeaMonkey > Proxomitron>SocksCap>Tor>internet
     
  9. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    That's most likely the problem. I had to allow connections to Proxomitron to get the ProxBlox component to work. The screenshots below show how it's done. These are from version 0.5.22. Not sure how that compares to the version you're using.
    RequestPolicy-ProxBlox1.png RequestPolicy-ProxBlox2.png
     
  10. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Well you pipped me at the post noone. Heres my little battery of tests, which typically comes down to a process of elimination.

    2 sections consists of browser restart unnecessary, and restart necessary, respectively.
    1/ I disabled everything in my addons. I Enabled and refreshed Ars after each, AdblockPLus, Self Destructing Cookies, in that order , Icons showed up.

    2/ Have done the same in this order except NoScript left til last:
    Better Privacy - Icons show on Ars
    NoScript -Icons appeared (after I temporarily allowed )
    HTTPS Everywhere -Icons show on Ars
    Req Policy restart - No Icons until I temproarily allowed "arstechnica.net" and "local.ptron" in that order.

    Edited some mistakes.
     
    Last edited: Aug 31, 2014
  11. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    My Request Policy is 0.5.27.
    One thing I misconstrued was where those icons appeared. From your screenshot back on page 5 though the flat black background didn't make sense, it was probably the size threw me off... I thought the icons appeared on the Proxomitron interface, and thats where I was looking for them. OK so now the work begins of getting me to understand how to configure it.
     
  12. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    You'll need to allow "local.ptron" permanently for all sites. Because the ProxBlox javascript is local on your hard drive, Request policy correctly regards it as a separate destination. Can I assume that the 2 icons are now visible and that the ProxBlox menu is available via the green "A" button? If it is, before you start whitelisting anything, shut Proxomitron off and make a backup of its entire folder. I zip or 7z archive would do nicely. This way you'll always have an easy way back to the original working setup.

    There is some overlap between Proxomitron and RP (Request Policy), but for the most part they complement each other. For both Proxomitron and RP, the way they function is similar to how classic HIPS treats parent-child permissions, except that Proxomitron does it with content while RP does it with links to sites. Together, the 2 can apply a default-deny policy to the web. When they're viewed that way, it can make setting permissions simpler. Treat the site that you navigate to as the parent site, in this case "arstechnica.com". "Arstechnica.net" can be regarded as a child site, as can the sites that RP blocks (Google, Adobe. Linwd, parslet, etc).

    Don't get into too big of a hurry to get your whitelists going. Proxomitron also has the ability to white/blacklist sites, adservers, etc. RP is more suited for enforcing a whitelist on a per-site basis while Proxomitrons lists are more global.

    Proxomitron also interacts with PrefBar. Disabling javascript with PrefBar breaks the ProxBlox component. If you're using the PrefBar drop boxes for spoofing the user agent or referrer, these will affect how Proxomitron works. When a user agent or referrer is present in the browser headers, Proxomitron will modify it. This particular configuration file is set to send the same user agent as Tor Browser. For the referrer, it sends the site a reference to itself. If you set up PrefBar to send no user agent or referrer at all, there's no user agent or referrer for Proxomitron to modify. This isn't something that you need to worry about now. I just wanted to make you aware of some of the possible interactions. As you get time, read the various blocklists. Most of them contain detailed information about how they work.
     
  13. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Here's something I want to slot in...
    Im looking for suggestions equal to or the closest to "pulling the plug". For the times I want to do computer work which I don't necessarily want to involve the internet, pulling the plug leaves me feeling the most secure, at the very least reduces the attack surface, and best of all is easy to understand. It's what Ive always done when I want to backup to external HDD or use a USB stick or just work on certain files. Any ideas that give me the same confidence while leaving the plug in are welcome.

    What about this? R Click Kerios taskbar icon and click "stop all traffic" how close would that be to pulling the plug?

    KerioTraffic DB.png
     
  14. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    As far as I know, that does stop all of the traffic in both directions. I haven't verified this with WireShark and a separate PC, but I've never got anything to work when "stop all traffic" was enabled. Just about drove me nuts on a virtual system when I didn't realize that it was enabled.
     
  15. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Great post noone and good to know about those interactions. I know it's been slow, but I'm pleased with my progress. Yes I will kick back a bit and look at those blocklists. Sometimes I have much more time to spend with this than others. My weekends are usually pretty busy, but generally there's some days in the week I can give it some real quality time. I still want to go to the Kerio learning thread which I haven't done yet.

    I wouldn't mind getting this sorted sooner rather than later. I'm woefully lacking about instantiating certificates and that side of things, but Ive learned a lot since this thread started. How do I get the Hushmail cert into the system?

    Editing to add:
    Yes. I did allow Wilders so I could post.
     
    Last edited: Aug 31, 2014
  16. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Proxomitron doesn't have an easy way to import certificates. It also has trouble with some of the new certificate practices like HTTP Strict Transport Security. At the proxomitron forum, they're working on a Proxomitron SSL Helper Program called ProxHTTPSProxy. I haven't had an opportunity to look at it. As I understand it, it takes over the certificate duties from Proxomitron. More on this here.
     
  17. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    So other than using bypass, how do I deal with that "untrusted connection" page when I go to Hush.
    Also before I do that save I did allow Wilders. Where do I go to undo that.

    Edited to add:
    I just tested StartPage again and another regular site I go to and both gave that same untrusted connection. The latter had an extra option to allow it and add it to a whitelist, but not so with Hush and StartPage. It was just that "get me out of here" thing.

    I'm Pretty sure yesterday I did a save configuration after getting ProxBlox in. When I went to shut down it gave me the option to save as well which I did.
     
    Last edited: Aug 31, 2014
  18. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I'm not sure how similar FireFox and SeaMonkey will be regarding how things are worded in "about:config". Hopefully FF has the same entry. In about:config, look for:
    browser.xul.error_pages.expert_bad_cert
    Set this to true. Does this give you the option to add exception where it wasn't present before?

    You may run into pages like startpage and check.torproject.org where you'll get the dialog to add exception, but the page never progresses any farther. On SeaMonkey, this can be worked around from the data manager. Does FF have a data manager that's accessible from the menu? if it does, is there a permissions tab or equivalent? On SeaMonkey, the entry for StartPage looks like this. Hopefully FF is similar.
    data manager-STS2.png
    Note the data entry for startpage.com, sts/use with "allow" selected on the far right. STS refers to Strict Transport Security which Proxomitron doesn't understand. Changing the option to "block" will disable STS and allow the page to load. Hopefully the SSL helper program I mentioned 2 posts back will fix this issue. At present, this is a tradeoff. It's up to you if you want to filter HTTPS that uses STS. For myself, I have very little trust in HTTPS against any adversary beyond a script kiddie.
     
  19. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Just backing up a little before I flesh out your last post noone... I did some digging around and saw one entry for wilders, in Blockfile Tab > \lists\ProxBlox.txt. Can I just delete that whole entry?
     
  20. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,241
  21. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,241
    If I were to suggest a Mozilla-based browser (fork) my first choice would be Pale Moon.
    Second choice would probably be SeaMonkey. I've tried several other browsers, but for now
    Pale Moon seems easy to configure and runs fine. I think at one time I did have Firefox
    and Pale Moon installed and running.
    NOTE: You can also migrate a Firefox profile to Pale Moon although I've never tried that.

    I haven't tried Proxomitron with Pale Moon, but have used it with Firefox many years ago.
    Have tested NoScript and Request Policy in a sandboxed (Sandboxie) Pale Moon browser and so
    far no real problems have transpired.

    I like Pale Moon for several reasons:

    ♦ Load images for the originating server only (set in the Options dialog box)
    ♦ Done away with Google Safe Browsing (no calling home)
    ♦ Does not use the Windows maintenance service and does not update silently in the background.
    ♦ No Crashreporter and telemetry data gathering (user privacy issue)
    ♦ Integrated PDF reader but disabled by default
    ♦ Social API, but disabled by default (look under social in about:config)
    ♦ Still has the integrated status bar
    ♦ No "Australis" interface and sounds like no plans to do so
    ♦ Updates are not tied to Firefox rapid release cycle. Security risks and occasional point-release
    for critical issues are addressed and fixed in a timely manner, but updates just for what I call
    "COSMETIC CHANGES" seem to be avoided. (hint! hint! _ _ _ _ _ _ _ developers)

    In the end though it comes down to personal preference and what you want to accomplish.
     
  22. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Heres an update from your last post noone...
    1/ Did an about:config ...browser.xul.error_pages.expert_bad_cert... nothing came up
    2/ Found out you could type in about: Permissions. Looked pretty minimal and very basic.
    3/ Found there's an addon for DataManager in FF. Installed, did an about:config ... browser.xul.error_pages.expert_bad_cert.... its there. Set it to true.
    4/ Navigated to Hush. I got an extra option to add exception with this dire warning. I looked at "View" and cancelled out knowing I can
    go back and add the exception. First, I'd like to know what the implications are about these warnings.

    Hushmail AddSec Exc1.png
     
  23. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Thanks KeyPer, will come back soon.
    They have 3 settings in FF and if I remember correctly were enabled by default. No wonder noone keeps talking about the feature creep in FF. When I get done with all this, you never know, I might upgrade to Windows 98.
     
    Last edited: Sep 1, 2014
  24. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    You can delete all of the entries in both ProxBlox lists. I pulled those from my test system. Forgot that I'd already made entries.
    If you click on "View" in the screenshot you posted, you'll see Proxomitrons certificate, not Hushmails. The browser only sees Proxomitrons certificate. Proxomitron sees the certificates from the websites. Proxomitron will display its own warning when it sees a certificate problem. This is one from Wilders due to the self signed certificate.
    Prox-cert error1.png
    This brings me to yet another issue that I overlooked. Proxomitron needs a more recent certificate store. This thread at the Proxomitron forum explains some of the certificate issues with Proxomitron better than I can. In post #22, you can get the most recent certificate store for Proxomitron. The store Proxomitron comes with is over 10 years old and needs replacing.
    I hope that you're kidding. 98 needs a lot of modifying to make it worthwhile and it comes with tradeoffs. The again, you could install a pre-MS copy of VPC on 98 and run virtual XP systems on it.
     
  25. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,241
    about:config in Pale Moon (browser.xul.error_pages.expert_bad_cert
    and browser.ssl_override_behavior)

    From kb.MozillaZine.org

    If you set browser.xul.error_pages.expert_bad_cert to true:

    Unhide the "add exception" button on the SSL error page, allowing users to directly accept
    a bad certificate.

    If set to false:

    Hide the advanced UI, requiring users to click through explanatory dialogs before adding
    an exception.

    NOTE: If you set this to false you may want to set browser.ssl_override_behavior to 2
    to pre-fetch the certificate.

    Are you sure it's not listed in Firefox? @Reality

    Didn't get to use Windows 98 so unfamilar with the OS.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.