Building Your Own Privacy Package

Discussion in 'privacy technology' started by Reality, Aug 5, 2014.

  1. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Done. I was going to ask you about the second Proxblox in the list.
    Can I just extract directly to my Proxomitron folder or extract it to a temporary folder then drag and overwrite the old file?
    I was 1/2 kidding but now I'm fully kidding.
    Thanks for the screenshot. A picture tells a thousand words.

    @KeyPer,
    Yes that entry is in FF but when I initially did a search (before installing addon for DataManager) it didn't come up in a search. After installing addon it did. I've got no idea why that's the case as I copied and pasted the entry name from here. When I (manually) delete the sandbox, DataManager will be gone and I'll have to install from a non sandboxed browser session. When I do I can always try searching again to see if it appears.

    Thanks for the extra tips.
     
  2. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Either will work. Just exit Proxomitron before you replace the file.
     
  3. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    Heads up regarding HSTS "settings":

    Don't use PermissionManager to save stuff in nsStrictTransportSecurityService
    https://bugzilla.mozilla.org/show_bug.cgi?id=775370

    Probably a good idea from the "user-driven permissions aren't the same as server-driven permissions" POV.
     
  4. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Other than not saving the settings at all, does a user have any control over this? This seems like a classic example of a solution creating as many problems as it solves, and still doesn't really solve the problem. IMO, HTTPS is fatally flawed by design. Until someone develops a system that doesn't rely on certificate authorities or any other centralized system, it will not be sufficient against any adversary of consequence.
     
  5. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    I haven't properly studied the current HSTS behavior or the new patches. What I can say is that, in recent builds through FF31:

    1) I have seen sts/use and sts/subd records... also some falsestart-rsa records... automatically accumulate in the permissions database as I browse. These records reveal a portion of the websites I visited via HTTPS, and the expiration information communicates some info about when such visits happened. Firefox doesn't provide a user interface to these types of records, but some extensions do. I was using a private extension to see them. I think SOME users might want to clear these records when Firefox closes (along with other things that are or reveal active browsing history).

    2) I've also seen other records in the permissions database, reflecting the cookie, popup, and plugin:flash click-to-play settings that were set via user interface. I think many users would want to retain these records when Firefox closes (including some who want to clear browsing history).

    3) Based on the behaviors I saw, I think the "Site Preferences" checkbox within "Settings for Clearing History" controls the clearing of both types of records. IOW, I don't think there is a way to keep #2 items while clearing #1 items (without using an extension or derivative build).
     
  6. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    @TheWindBringeth
    On SeaMonkey, the permissions tab of the data manager shows the sts/use and sts/subd settings, but not much else. Here's a screenshot of it.
    data manager-STS.png
    The extension that you mentioned, does it reveal more than this? Do you happen to know where FF specifically stores this data? I don't have a real or virtual system with FireFox installed.
     
  7. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    The extension uses nsIPermissionManager to extract stored permissions...
    Code:
    // Cc and Ci are the usual shorthands for Components.classes and Components.interfaces
    const { classes: Cc, interfaces: Ci } = Components;
    var perm;
    // The permission manager is a singleton service, so obtain it with getService
    var pm = Cc["@mozilla.org/permissionmanager;1"].getService(Ci.nsIPermissionManager);
    var enumerator = pm.enumerator;
    while (enumerator.hasMoreElements())
    {
      perm = enumerator.getNext().QueryInterface(Ci.nsIPermission);
      processPermission(perm);  // Displays or exports or deletes permission depending on context
    }
    
    Prior to visiting https://www.aclu.org it would display no permissions associated with that. After loading that URL it would show:
    Code:
    Host, Type, Capability, ExpireType, ExpireTime
    "www.aclu.org","falsestart-rsa","ALLOW_ACTION","EXPIRE_TIME","Wed, 10 Sep 2014 04:17:15 GMT"
    "www.aclu.org","sts/subd","DENY_ACTION","EXPIRE_NEVER","Thu, 01 Jan 1970 00:00:00 GMT"
    "www.aclu.org","sts/use","ALLOW_ACTION","EXPIRE_TIME","Thu, 03 Sep 2015 04:17:14 GMT"
    
    After visiting that URL with SeaMonkey, do you see its Data Manager displaying those entries? An HTTPS proxy arrangement might interfere with the results, so if interested you might need to do with and without tests.

    Edit: I switched the URL to plaintext so you are sure to see that it is httpS.
     
    Last edited: Sep 3, 2014
  8. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I did a quick test using a virtual XP-SP3 with SeaMonkey 2.26.1. Set Request Policy to temporarily allow everything.
    First run, SeaMonkey connecting directly. Here's all the data manager shows for ACLU:
    Permissions-ACLUtest.png
    Second run, SeaMonkey forced through Proxomitron. Filtering HTTPS, all filters active.
    No data in Permissions tab for ACLU at all. Page not rendered properly.
    Third run, Disabled all header and webpage filters. No data again for ACLU. Page not rendered properly.
    Fourth run, Set Proxomitron to bypass. Entries for ACLU are present.
    If I'm interpreting this correctly, the style sheet isn't obtained by the browser because of certificate errors. When I tried to view the style sheets, I get a "Secure Connection Failed" alert for aclu.global.ssl.fastly.net:443.

    I don't know whether SeaMonkey doesn't display the dates and additional information you're seeing or if it doesn't store it at all. I'll have to look into it further. I don't see any option on SeaMonkey history to delete that data on closing. The "clear all" option on PrefBar doesn't remove it. On SeaMonkey, it appears that it needs to be manually deleted from the data manager.
     
  9. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Well this is all so interesting. I'm totally new to Data Manager and the left field is populated with a huge list of primarily scumware sites. How did they get there, or are they somehow imported from another blacklist I have on the system?

    TheWindBringeth, may I ask what extension you are using to extract the stored permissions to view?
     
  10. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    I would expect some hosts to have been blocked by my config/filters. Main point is that it sounds like we both ended up with sts/use, sts/subd, and falsestart-rsa permissions being created for https://www.aclu.org. As a result of it responding with a Strict-Transport-Security: max-age=31536000 HSTS header and the type of encryption it uses.

    My starting assumption would be that SeaMonkey has been storing those items in the same way that Firefox has (as permissions that have expiration type and expiration time attributes) via sqlite. Filename permissions.sqlite in the profile folder I think. Which can be copied and examined using a program, SQLite Manager addon, whatever.

    The extension I mentioned is my "utilities/testing extension". Which isn't in a shareable form ATM.

    After I post I'm going to take a peek at SQLite Manager. I've been wanting to revisit it anyway.
     
  11. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Noone_particular, I basically get the same as you except your entry at the top. I went to aclu.org not changing anything in Request Policy. XP SP3 FF28. On a bit closer inspection that list on the left seems to have a broad cross-section of blacklisted/blocked sites mixed in with legitimate sites. Just in case you're wondering no, I don't have acne. I'd love to know how long they've all been there.
    DM aclu.png
     
  12. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    Representative snap of SQLite Manager addon displayed info when connected to permissions.sqlite file.

    perms.png

    Using https://developer.mozilla.org/en-US...sIPermissionManager#Permission_type_constants as a reference...

    permission column = Permission type constants. Selected row is an ALLOW_ACTION.
    expireType column = Permission expiration constants. Selected row is a specific EXPIRE_TIME.
    expireTime = milliseconds since Jan 1 1970 0:00:00.

    Note: id and expireTime values shown above are not actual ones.
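    To tie together the three things discussed above (the sts/use, sts/subd and falsestart-rsa records the extension listed in post 7, the Strict-Transport-Security header in post 10 that produces them, and the permission / expireType / expireTime columns of permissions.sqlite in this post), here is an added Python example that is not part of the thread or of any Mozilla code. It models how an HSTS header turns into permission rows, builds a constructed in-memory copy of the table (the column layout beyond the three named columns is an assumption), decodes the rows using the nsIPermissionManager constants, splits them into the "reveals browsing history" and "user-set preference" classes from post 5, and deletes only the former. The sts/subd DENY/EXPIRE_NEVER row for a header without includeSubDomains mirrors the output quoted in post 7; the includeSubDomains branch is an assumption.

```python
"""Audit a permissions.sqlite-style table for automatically written HSTS records.
Constructed example; the table layout beyond permission/expireType/expireTime is assumed."""
import re
import sqlite3
from datetime import datetime, timezone

# nsIPermissionManager "Permission type" and "Permission expiration" constants
PERMISSION_NAMES = {0: "UNKNOWN_ACTION", 1: "ALLOW_ACTION", 2: "DENY_ACTION", 3: "PROMPT_ACTION"}
ALLOW_ACTION, DENY_ACTION = 1, 2
EXPIRE_TYPE_NAMES = {0: "EXPIRE_NEVER", 1: "EXPIRE_SESSION", 2: "EXPIRE_TIME"}
EXPIRE_NEVER, EXPIRE_TIME = 0, 2

# Assumed table: the three columns named in the thread plus id, host and type
SCHEMA = """CREATE TABLE moz_hosts (
    id INTEGER PRIMARY KEY, host TEXT, type TEXT,
    permission INTEGER, expireType INTEGER, expireTime INTEGER)"""

HISTORY_REVEALING_PREFIXES = ("sts/", "falsestart-")  # written as a side effect of a visit
USER_SET_TYPES = {"cookie", "popup", "plugin:flash"}   # set by the user through the UI

# Constructed "now": the timestamp of the visit quoted in post 7
SAMPLE_NOW_MS = int(datetime(2014, 9, 3, 4, 17, 14, tzinfo=timezone.utc).timestamp() * 1000)


def ms_to_iso(ms):
    """expireTime is milliseconds since 1970-01-01T00:00:00Z."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()


def hsts_to_permissions(host, header_value, now_ms):
    """Model the rows a Strict-Transport-Security header produces.
    sts/use: ALLOW until now + max-age. sts/subd: ALLOW for the same period when
    includeSubDomains is present (assumed), otherwise DENY/EXPIRE_NEVER as observed.
    max-age=0 removes the policy (RFC 6797), so nothing is stored."""
    m = re.search(r'max-age\s*=\s*"?(\d+)"?', header_value, re.IGNORECASE)
    if not m:
        raise ValueError("HSTS header has no max-age directive")
    max_age = int(m.group(1))
    if max_age == 0:
        return []
    expires = now_ms + max_age * 1000
    rows = [(host, "sts/use", ALLOW_ACTION, EXPIRE_TIME, expires)]
    if re.search(r"\bincludeSubDomains\b", header_value, re.IGNORECASE):
        rows.append((host, "sts/subd", ALLOW_ACTION, EXPIRE_TIME, expires))
    else:
        rows.append((host, "sts/subd", DENY_ACTION, EXPIRE_NEVER, 0))
    return rows


def build_sample_db(now_ms):
    """Constructed in-memory database: rows for the header quoted in post 10,
    a falsestart-rsa row with a one-week lifetime, and one user-set cookie rule."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    rows = hsts_to_permissions("www.aclu.org", "max-age=31536000", now_ms)
    rows.append(("www.aclu.org", "falsestart-rsa", ALLOW_ACTION, EXPIRE_TIME,
                 now_ms + 7 * 86400 * 1000))
    rows.append(("example.net", "cookie", DENY_ACTION, EXPIRE_NEVER, 0))  # constructed
    conn.executemany("INSERT INTO moz_hosts (host, type, permission, expireType, expireTime) "
                     "VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def classify(perm_type):
    """Post 5's split: records that reveal history vs. preferences the user chose."""
    if perm_type.startswith(HISTORY_REVEALING_PREFIXES):
        return "history-revealing"
    if perm_type in USER_SET_TYPES:
        return "user-set"
    return "other"


def audit(conn, now_ms):
    """Decode every row into the constant names and an ISO expiry, flagging stale rows."""
    out = []
    for host, ptype, perm, etype, etime in conn.execute(
            "SELECT host, type, permission, expireType, expireTime FROM moz_hosts "
            "ORDER BY host, type"):
        out.append({
            "host": host, "type": ptype,
            "permission": PERMISSION_NAMES.get(perm, str(perm)),
            "expireType": EXPIRE_TYPE_NAMES.get(etype, str(etype)),
            "expires": ms_to_iso(etime) if etype == EXPIRE_TIME else None,
            "expired": etype == EXPIRE_TIME and etime <= now_ms,
            "category": classify(ptype),
        })
    return out


def purge_history_revealing(conn):
    """Delete only the automatically written sts/* and falsestart-* rows and keep the
    user-set ones, the split post 5 says the Clear History dialog cannot make."""
    cur = conn.execute("DELETE FROM moz_hosts WHERE type LIKE 'sts/%' OR type LIKE 'falsestart-%'")
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = build_sample_db(SAMPLE_NOW_MS)
    for rec in audit(db, SAMPLE_NOW_MS):
        print(rec)
    print("purged", purge_history_revealing(db), "history-revealing rows")
```

    To run it against a real profile, point sqlite3.connect at a copy of permissions.sqlite taken while the browser is closed (as with the Proxomitron file replacement earlier in the thread, the browser rewrites the file on exit, so edits made to the live file can be lost), and check that the column names match before trusting the decode.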
     
  13. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    This will take more time than I have at the moment. I haven't messed with SQLite. I'm particularly interested to see if the current version of SeaMonkey and the version I'm using are storing the same data. Based on the file dates, I don't think that they work the same. On my host system, the file is dated 8/2/13. They don't have a version of SQLite Manager that works on my primary browser. Sounds like another virtual system experiment coming that needs access to the host system, if the format of the file hasn't changed.

    I hope I'm wrong and just haven't looked into this enough, but first impressions of this remind me of index.dat files and Windows in general. The newer it is, the more data it stores. I find it questionable that this data needs to be stored at all, which suggests yet another VPC test, changing the read/write permissions for that file and see what happens.
     
  14. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    @Reality
    Some of those site names look familiar. I'm betting that they're part of a blocklist from something else.
     
  15. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    @TheWindBringeth, thanks.

    There's no way I can count but there's literally hundreds of entries. If I right click an entry I get this...
    DM aclu2.png
    ...why do I get the feeling what they mean by forget and what I mean, are 2 different things?
     
  16. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I can't speak for FF, but on SeaMonkey the "forget" option removes the data from the list. I haven't checked to see if the data is actually removed from the file.
     
  17. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    FWIW, Firefox Environment Backup Extension (FEBE) may be another way to approach the subject (on Firefox at least). Near the bottom of http://softwarebychuck.com/febe/FEBEresults.html, I see mention of permissions being backed up to a json file. So I suspect it would be possible to backup just permissions and then examine the json file to see the data for each permission. Question would be: does FEBE backup all permissions it encounters or only those it knows about and considers important to backup?

    The type of a permission (cookie, popup, sts/use, etc) is a string which can reveal what the permission is for and whether it is a built-in type that your current browser version makes use of. Perhaps some extensions store their own permissions there. If so, I would expect them to use a fairly unique string so as to not clash with the browser's own permissions.
     
    Last edited: Sep 3, 2014
  18. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,414
    @noone_particular

    @Reality

    According to the torproject.org, site-specific or filter-based addons such as AdBlock Plus, Request Policy, Ghostery, Priv3, and Sharemenot are to be avoided.
    They do use HTTPS-Everywhere, NoScript and PDF.JS extension. Reasons are posted on their website.
     
  19. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Compu KTed, are you referring specifically to the TBB or the other TOR packages, or both?
     
  20. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,414
    The Design and Implementation of the Tor Browser [DRAFT] (March 15,2013)
    (Tor Browser 2.3.25-5 and Torbutton 1.5.1.) (old)

    Latest stable Tor browser version 3.6.5 with Firefox 24.8.0esr (Sept. 2, 2014)
    Latest Torbutton version 1.6.12.1

    I think that would be for Tor browser bundle the article was referring to. Don't know if info has changed regarding using no site-specific or filter-based addons such as ones listed.
     
  21. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    The Tor Browser is designed and equipped so that they all behave the same. Extensions like RP that allow the user to control cross-site requests change that. When one particular Tor browser blocks a cross-site request that all of the others allow, that unique behavior can be enough to differentiate you from the other users. I understand their reasoning but don't entirely agree with it. Browser fingerprinting is just one of the ways a user can be tracked or profiled. Tor itself prevents the direct linking of this profile or tracking to a specific user.

    How cross-site requests are handled is a big tradeoff. On one hand, controlling or restricting cross-site requests can make it easier to differentiate your browser from other Tor Browser users. On the other hand, cross-site requests make it possible to target or exploit users with malicious code, ads, or government malware without needing to compromise the actual site that you're visiting. Such malware can completely deanonymize you through leaks in your browser or system. The first few pages of this thread address some of these potential leaks, eg the firewall rules. There are many more to be covered. Ideally, you don't want your browser sessions to look any different than anyone else's. Even so, recognizing your browser in a session is not the same as identifying the user of that browser. A profile of a user's activities is of very little value if it doesn't uniquely identify that user. Deanonymizing the user is the goal of most attacks against Tor. The vast majority of these attacks are aimed at the browser, not at Tor itself. Cross-site requests are one of the primary mechanisms used in those attacks. IMO, it's much more important to eliminate vectors that can be used to deanonymize you than it is to blend in with other Tor users.
     
  22. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,414
    untitled.JPG

    Default settings in NoScript via TOR 3.6.5 install. Like to control scripts and not allow globally. Also default whitelist is intact. Other settings IMO need to be changed.

    Did some more testing with TOR 3.6.5 and Firefox 24.8.0ESR

    Tor default (about:config) settings in Firefox
    Note: Test conducted at ipcheck.info (JonDoNYM)

    network.cookie.cookieBehavior (default is 1) Cookie Result: This website may receive cookies from you
    network.http.sendRefererHeader (default is 2)
    network.http.sendSecureXSiteReferrer (default is true)
    Referer Result: Original: Websites may see from which other website you come from!
    HTTP Session Result: 10 minutes (until your Tor identity is changed)
    Browser Window Result: (value shows size of browser window - they might contribute to your identification)

    NoScript - latest update installed
    noscript.forbidFonts (default is false)
    Fonts - Do you see strange symbols here? If yes, your fonts are readable!
    Fonts Result: (yes)

    Tor Browser 4.0-alpha-2 release:

    https://blog.torproject.org/blog
     
    Last edited: Sep 7, 2014
  23. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    I've been looking at the Kerio Learning thread, in particular where I left off a couple of weeks back. There's lots of info to process there and I want to go through the whole thread again carefully. Also been looking at the Help files in Proxomitron.

    Just taking time out cruising the boards yesterday I got a rude reminder of something I'd probably skimmed over or overlooked, more than likely because I was focused on other things. The link below is from following a link in one of Ronjor's posts, OpenSSL Publishes its Security Policy which is VERY scary. :( Computrace! What a flippin nightmare this is. How are you supposed to know if you've got this scum embedded into your BIOS? In my travels on the net yesterday, somewhere it said this thing has been in existence for 20 years. I just can't understand how people can give something like this "the benefit of the doubt" just because it supposedly comes from a legit firm. I'd imagine TLAs would have a field day with this piece of trojanware.

    https://threatpost.com/millions-of-pcs-affected-by-mysterious-computrace-backdoor-2/107700

    Noone_particular, you had an interesting post @ post #28 on "Let me put my tinfoil hat on"
    https://www.wilderssecurity.com/threads/let-me-put-my-tinfoil-hat-on.352385/page-2#post-2272812

    Your interesting Linux comments aside, what you say here is something else to consider. My system is 11+ years old. The architecture specs like bus speeds and other bottlenecks are making my system struggle for videos. I can upgrade to 2GB RAM, but I don't think that will cut the mustard even though I'm only on 512MB. nVidia 64MB onboard mem. Other than video, my system is quite usable, but video is important to me.

    If you had to upgrade your system what would you go for?
     
  24. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Regarding the OpenSSL security policy, I don't see what else they can really do. If they don't disclose flaws, the few that know it can take advantage of it. If they do disclose it, everyone can use it. Either way, someone will use it before it's fixed. There's no good answer. I suspect that the Open SSL crew has had a very rude awakening. With the push to using HTTPS and their product on the front line, they are under more pressure than they ever imagined. AFAIC, HTTPS should be regarded as vulnerable at the very least if not completely broken.

    Regarding Computrace, I haven't looked into this to any degree. Isn't this more for laptops and portable computing devices? This part of the description also caught my attention.
    Autochk.exe is a component of NT systems. It also uses system services, which makes me think that it's specifically tailored for Windows NT systems, at least the version they mention is. If I'm reading the links correctly, it uses a BIOS component. This makes me think that it can be removed or at least neutralized by reflashing the BIOS. It also relies on Windows components and services, which should make it possible to control or prevent its functioning with a classic HIPS, or by using a different type of OS than the hardware came with. It could also be detected by routing traffic through another PC equipped with Wireshark and look for its traffic. This would work if it always connects out at startup. If the software only responds to a certain signal, it could be very hard to detect. Even if one can't remove the BIOS component, it should be possible to prevent it from installing any other components to different system directories.

    All of this is a symptom of a much bigger problem, much of which was discussed in the thread that you linked to, specifically, can we trust the hardware, firmware, drivers, etc? There's a definite limit to what we can mitigate. To an extent, one can avoid the hardware that has these abilities. A 10 year old desktop unit most likely doesn't have wireless or WIFI components for instance. On a more extreme example, I wouldn't expect a P5-133 (early Win 95 or Win 3.1 hardware) to have any remote access/control features or built in government bypasses in the hardware at all. Clearly, such a unit would be useless for browsing the web. One heavy webpage could use up all of the RAM in the system. OTOH, such a unit could run Smoothwall 2.0 and function quite well as a hardware firewall. The chances of such a unit being backdoored at a hardware or firmware level are very remote. If such a unit predates built in vulnerabilities/backdoors, it should be sufficient against incoming traffic even if the hardware behind it is vulnerable.

    No matter what they build into a device or whether it's at a software, firmware, or hardware level, there's still only so many ways that it can work. Most of those will depend on other devices. On the simplest level, networks are devices chained together. In order for a covert backdoor to work, all of the devices in that chain have to pass that traffic. If one device in that chain is a dinosaur that predates that backdoor, the chain is broken. You can take steps to mitigate what is known. On air gapped systems for instance, they've managed to use the built in speakers to bridge the air gap. You could eliminate such a possibility by removing the speaker. No matter what you do or how much you try to address, at some point, you have to trust what you have. That trust will have to be conditional, safe against who and for how long? You can reduce the possibility of backdoored hardware, malicious firmware, unwanted software, etc, but you can't completely eliminate them. You can make yourself a difficult and expensive target to beat. Depending on how important it is to them to compromise you, you might make it so that it's not worth their time and effort. At some point, you have to say that this is the best that you can do.
    512MB of RAM is a bottleneck. Even with a stripped down XP unit, I'd still want at least 1GB. I'm not the one who could best advise you on what's needed for good video. My best suggestion would be a video card that was top of the line a few years ago, when XP was the primary system they were building for. Don't assume that the newest drivers will be the best. The newest drivers might be the best for the newest supported OS, but that can come at the expense of performance on earlier systems. I ran into that exact problem with built in Intel graphics on this unit running 98. The newest drivers worked fine on XP, and lousy on 98. When I backed up 2 versions, the drivers for 98 were far better than the latest ones. It wouldn't surprise me at all if the same thing was true now for XP.
    That depends so much on what you use your system for. I'm not a gamer. Except for a few flash videos, I don't really use a PC for entertainment. For music, my old PC has a much better sound. My choice of operating systems (98SE) seriously restricts my hardware options. I'm pretty well restricted to a single core processor. There was an individual at MSFN working on making dual/multicore processors work with 98. Unless you're gaming or really into videos, I don't see where 98 would really need that. Mine for instance runs on a Pentium 4, 2.4GHZ, weak by today's standards, but far more than 98 ever needed or was designed for. Even with Tor running, my average Processor usage is around 15%. It does go higher with VPC running virtual XP, especially unstripped test systems. I wouldn't mind having 3.0 or 3.2 GHZ, but for most of what I do I don't need it. What I could use is more RAM and hard drive space, both for running virtual systems. Thanks to virtual systems, I am running low on disk space. While 98 itself uses almost no RAM, Tor can use quite a bit when the load gets heavy, as can VPC. With just one of those, the 1GB I have is enough. I'd like to have 2-4GB which would allow for some RAM drive experiments with moving the swap file and running VPC from RAM.

    On XP, a RAM drive is a good option for a sandbox. If you have or can get RAM cheap, it's worth it.
     
  25. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,414
    @noone_particular

    Reading through some of the back posts - #28 mentioned by Reality (post #173)
    There is a way to make Pale Moon and I imagine Firefox as well to stop connecting out and to keep the homepage.

    Pale Moon does want to connect out especially when updating the browser. I have mine set to connect out to my default search engine. If it does somehow want to connect out my firewall notifies me, but I have it pretty much locked down trying to do so.

    Code:
    browser.startup.homepage_override.mstone   // set to ignore
    startup.homepage_welcome_url   // leave blank
    startup.homepage_override_url   // leave blank
    
    There are few more settings for auto updaters and extensions/plugins I set as well.
    I also found out if you type in the address bar about:credits Pale Moon will connect out to mozilla.org

    Haven't tried SeaMonkey for any length of time so don't know too much about it.
     