SSL-key logging with Pale Moon

To follow this, one needs to understand the methods I used to document this event, which are published in my (primitive) programs: uncenz, tshark-streams and tshark-hosts-conv.

Finally I learned from a Pale Moon volunteer that Pale Moon is capable of logging SSL-keys into $SSLKEYLOGFILE.
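To make that key-log step concrete, here is an added example (mine as editor; it is not part of the original post and not one of the author's scripts). Pale Moon, like Firefox, writes keys in the NSS key log format to whatever path the SSLKEYLOGFILE environment variable names, provided the browser was started with the variable set (e.g. SSLKEYLOGFILE=/tmp/keys.txt palemoon); tshark reads the same file via -o ssl.keylog_file:<path> (tls.keylog_file in current versions). The script parses such a file, rejects malformed lines, and reports which TLS sessions a set of ClientHello records can be decrypted with, by matching the 32-byte client random. The key log lines, the client randoms and the ClientHello bytes are all constructed for the example; for a browser of this vintage (NSS 3.19 has no TLS 1.3) only the CLIENT_RANDOM lines matter.

```python
"""Which TLS sessions can a given SSLKEYLOGFILE decrypt?

Added example, not one of the author's scripts. Parses the NSS key log format
(one "<LABEL> <hex client_random> <hex secret>" per line) and matches the
CLIENT_RANDOM entries against the random field of each ClientHello.
All key log lines and ClientHello records below are constructed for the example.
"""
import re
import struct

KEYLOG_LINE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]+) ([0-9a-fA-F]+)$")
# For TLS 1.0-1.2 (all an NSS 3.19 browser can do) the relevant label is
# CLIENT_RANDOM: 32-byte client random, 48-byte master secret.
SECRET_HEX_LEN = {"CLIENT_RANDOM": 96}


def parse_keylog(text):
    """Return {label: {client_random_bytes: secret_bytes}}; raise on malformed lines."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        m = KEYLOG_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not an NSS key log line")
        label, rnd, secret = m.groups()
        if len(rnd) != 64:
            raise ValueError(f"line {lineno}: client_random must be 32 bytes")
        want = SECRET_HEX_LEN.get(label)
        if want is not None and len(secret) != want:
            raise ValueError(f"line {lineno}: {label} secret must be {want // 2} bytes")
        entries.setdefault(label, {})[bytes.fromhex(rnd)] = bytes.fromhex(secret)
    return entries


def is_valid_keylog(text):
    """True if every non-comment line parses."""
    try:
        parse_keylog(text)
        return True
    except ValueError:
        return False


def client_hello_random(record):
    """The 32-byte random of a TLS record carrying a ClientHello, else None."""
    # 5-byte record header (type 0x16 = handshake), 4-byte handshake header
    # (type 0x01 = ClientHello), 2-byte client_version, then the random.
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        return None
    return record[11:43]


def build_client_hello(random32):
    """Constructed minimal TLS 1.2 ClientHello record: one cipher suite, no extensions."""
    body = (b"\x03\x03" + random32      # client_version, random
            + b"\x00"                   # empty session_id
            + b"\x00\x02\xc0\x2f"       # one cipher suite
            + b"\x01\x00")              # null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def decryptable_sessions(keylog_text, records):
    """Map each ClientHello random (hex) to whether the key log has its master secret."""
    known = parse_keylog(keylog_text).get("CLIENT_RANDOM", {})
    return {rnd.hex(): rnd in known
            for rnd in map(client_hello_random, records) if rnd is not None}


# Constructed sample: the key log covers sessions R1 and R2; the trace holds R1 and R3.
R1, R2, R3 = bytes(range(32)), bytes(range(32, 64)), bytes(range(64, 96))
SAMPLE_KEYLOG = (
    "# constructed sample, not a real key log\n"
    f"CLIENT_RANDOM {R1.hex()} {'11' * 48}\n"
    f"CLIENT_RANDOM {R2.hex()} {'22' * 48}\n"
)
SAMPLE_HELLOS = [build_client_hello(R1), build_client_hello(R3)]

if __name__ == "__main__":
    for rnd, ok in decryptable_sessions(SAMPLE_KEYLOG, SAMPLE_HELLOS).items():
        print(rnd[:16] + "...", "decryptable" if ok else "NO KEY")
```

A session whose client random is absent from the key log stays opaque to tshark no matter which keylog option you pass; the usual cause is a browser process that was started without the variable in its environment, which is the check worth running before publishing a trace and a key file together.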

The network trace:

dump_161218_2344_g0n.pcap (but pls. also see the corresponding screencast below).

I only anonymized the ethers (Ethernet addresses), and also, after analyzing it with:

tshark-hosts-conv.sh -r dump_161218_2344_g0n.pcap -k dump_161218_2344_g0n_SSLKEYLOGFILE.txt

for which pls. see the:

tshark-hosts-conv_161218_235957.log

I figured out I didn't want to publish my password ;-) , and so I needed to run:

tshark -r dump_161218_2344_g0n.pcap -Y '!(frame.number==1337)' \
	-w /some-dir-on-my-local-apache/dump_161218_2344_g0n.pcap

so that, after running:

cd <one-or-the-other-dir>
mkdir tStreams
cp -ai <where-ever-were>/dump_161218_2344_g0n.pcap \
	<where-ever-were>/dump_161218_2344_g0n_SSLKEYLOGFILE.txt tStreams
cd tStreams
tshark-streams.sh -r dump_161218_2344_g0n.pcap -k dump_161218_2344_g0n_SSLKEYLOGFILE.txt

on both the original, unmodified trace and the one I just published, and then comparing the two sets of streams with this loop:

cd /some-dir-on-my-local-apache/tStreams
for i in $(ls -1 /dir-with-the-original-trace/tStreams/); do \
	ls -l /dir-with-the-original-trace/tStreams/$i $i ; read FAKE ; diff \
	/dir-with-the-original-trace/tStreams/$i $i ; read FAKE ; done

I can confirm what I expected: the sole differing stream is tcp.stream==3 (showing just the .txt files, not the .bin files; I manually broke some really long lines and deleted some "gibberish"):

-rw-r--r-- 1 miro miro 157790 2016-12-18 23:49 /dir-with-the-original-trace/tStreams/dump_161218_2344_g0n_s003-ssl.txt
-rw-r--r-- 1 miro miro 156145 2016-12-19 04:59 dump_161218_2344_g0n_s003-ssl.txt

1105,1117d1104
< 721
< POST /ucp.php?mode=login&sid=10f64bd50a1a2408e71b6d49c2b19114 HTTP/1.1
< Host: forum.palemoon.org
< User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.9) Gecko/20100101 Goanna/3.0 Firefox/45.9 PaleMoon/27.0.2
< Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
< Accept-Language: en-US,en;q=0.5
< Accept-Encoding: gzip, deflate
< DNT: 1
< Referer: https://forum.palemoon.org/ucp.php?mode=login&sid=10f64bd50a1a2408e71b6d49c2b19114
< Connection: keep-alive
< Content-Type: application/x-www-form-urlencoded
< Content-Length: 179
< username=miroR&password=<MY-PASSWORD-HERE>&redirect=.%2Fucp.php%3Fmode%3Dlogin
	%26sid%3D10f64bd50a1a2408e71b6d49c2b19114&sid=10f64bd50a1a2408e71b6d49c2b19114
	&redirect=index.php&login=Login
1160,1179d1146
< 459
< GET /ext/derky/sortablescaptcha/styles/prosilver/theme/sortablescaptcha.css?assets_version=51 HTTP/1.1
< Host: forum.palemoon.org
< User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.9) Gecko/20100101 Goanna/3.0 Firefox/45.9 PaleMoon/27.0.2
< Accept: text/css,*/*;q=0.1
< Accept-Language: en-US,en;q=0.5
< Accept-Encoding: gzip, deflate
< DNT: 1
< Referer: https://forum.palemoon.org/ucp.php?mode=login&sid=10f64bd50a1a2408e71b6d49c2b19114
< Connection: keep-alive
< 458
< GET /ext/derky/sortablescaptcha/styles/prosilver/template/js/jquery-ui-touch-punch.min.js?assets_version=51 HTTP/1.1
< Host: forum.palemoon.org
< User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.9) Gecko/20100101 Goanna/3.0 Firefox/45.9 PaleMoon/27.0.2
< Accept: */*
< Accept-Language: en-US,en;q=0.5
< Accept-Encoding: gzip, deflate
< DNT: 1
< Referer: https://forum.palemoon.org/ucp.php?mode=login&sid=10f64bd50a1a2408e71b6d49c2b19114
< Connection: keep-alive

-rw-r--r-- 1 miro miro 160830 2016-12-18 23:49 /dir-with-the-original-trace/tStreams/dump_161218_2344_g0n_s003.txt
-rw-r--r-- 1 miro miro 160092 2016-12-19 04:58 dump_161218_2344_g0n_s003.txt

810,815d809
< 773
< .........Y.4.8i2h <LOTS OF GIBBERISH HERE REMOVED, NOT TO CONFUSE BROWSERS>..
838a833,834
> 36
> [773 bytes missing in capture file].

Pls. notice "username=miroR&password=<MY-PASSWORD-HERE>" (where I can assure you I typed the correct password). So I'm confident enough that I can publish this trace.
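The redaction and the check above can be reproduced without the author's scripts; what follows is an added example of mine, not code from the post. It does in pure Python what the tshark -Y '!(frame.number==1337)' -w step does (copy every pcap record except the given frame numbers, keeping the record headers and timestamps intact) and then measures the hole the dropped segment leaves in the TCP sequence space, which is the figure Wireshark/tshark prints as "[773 bytes missing in capture file]" in the diff above. The frames are constructed inline (Ethernet/IPv4/TCP with made-up addresses and ports, and a 773-byte segment standing in for the login POST); only classic little-endian pcap is handled.

```python
"""Drop one frame from a pcap and measure the hole it leaves in the TCP stream.

Added example, not the author's tshark-streams/tshark-hosts-conv scripts. It
re-implements in pure Python what `tshark -r in.pcap -Y '!(frame.number==N)'
-w out.pcap` does (copy every record except frame N) and then computes the
sequence-number gap that Wireshark reports as "[N bytes missing in capture
file]". Frames are constructed inline; only classic little-endian pcap is read.
"""
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def build_tcp_frame(src, dst, sport, dport, seq, payload):
    """Constructed Ethernet/IPv4/TCP frame; checksums left zero (not needed here)."""
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0, src, dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def write_pcap(frames):
    """Serialize frames as a libpcap 2.4 file, one record per frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, data in enumerate(frames):
        out += struct.pack("<IIII", 1482105600 + i, 0, len(data), len(data)) + data
    return out


def records(blob):
    """Yield (frame_number, record_header, data); numbering is 1-based like frame.number."""
    if struct.unpack_from("<I", blob, 0)[0] != PCAP_MAGIC_LE:
        raise ValueError("only classic little-endian pcap handled (tshark -F pcap)")
    off, n = 24, 0
    while off + 16 <= len(blob):
        hdr = blob[off:off + 16]
        incl_len = struct.unpack("<IIII", hdr)[2]
        n += 1
        yield n, hdr, blob[off + 16:off + 16 + incl_len]
        off += 16 + incl_len


def drop_frames(blob, numbers):
    """Same effect as tshark -Y '!(frame.number==N)' -w: copy all records but those."""
    out = bytearray(blob[:24])
    for n, hdr, data in records(blob):
        if n not in numbers:
            out += hdr + data
    return bytes(out)


def tcp_segment(data):
    """Parse Ethernet/IPv4/TCP; return ((src, sport, dst, dport), seq, payload_len) or None."""
    if len(data) < 54 or data[12:14] != b"\x08\x00" or data[23] != 6:
        return None
    ihl = (data[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", data, 16)[0]
    tcp = 14 + ihl
    sport, dport, seq = struct.unpack_from("!HHI", data, tcp)
    doff = (data[tcp + 12] >> 4) * 4
    return (data[26:30], sport, data[30:34], dport), seq, total_len - ihl - doff


def missing_bytes(blob):
    """Per flow, bytes skipped in the sequence space between captured segments."""
    expected, gaps = {}, {}
    for _, _, data in records(blob):
        seg = tcp_segment(data)
        if seg is None:
            continue
        flow, seq, plen = seg
        if flow in expected and seq > expected[flow]:
            gaps[flow] = gaps.get(flow, 0) + seq - expected[flow]
        expected[flow] = max(expected.get(flow, 0), seq + plen)
    return gaps


# Constructed sample: frame 2 (773 payload bytes) stands in for the login POST.
CLIENT, SERVER = bytes([10, 0, 0, 2]), bytes([192, 0, 2, 10])
CLIENT_FLOW = (CLIENT, 40000, SERVER, 443)
SAMPLE_FRAMES = [
    build_tcp_frame(CLIENT, SERVER, 40000, 443, 1000, b"A" * 200),
    build_tcp_frame(CLIENT, SERVER, 40000, 443, 1200, b"P" * 773),
    build_tcp_frame(SERVER, CLIENT, 443, 40000, 5000, b"S" * 50),
    build_tcp_frame(CLIENT, SERVER, 40000, 443, 1973, b"A" * 100),
]

if __name__ == "__main__":
    original = write_pcap(SAMPLE_FRAMES)
    redacted = drop_frames(original, {2})
    print("frames:", sum(1 for _ in records(original)), "->", sum(1 for _ in records(redacted)))
    print("missing bytes per flow after redaction:", missing_bytes(redacted))
```

Two caveats. tshark -w writes pcapng by default, so pass -F pcap if the output is to be read by a simple reader like this one. And dropping the frame removes only those bytes: the published SSLKEYLOGFILE still decrypts every other record of the session, so whatever else travelled on it (the sid in the URLs, any cookies) stays readable to anyone holding both files.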

I've examined it, and can't figure out why this error occurred (pls. notice that it reads: "You've exceeded the maximum allowed number of login attempts..."), after 0:01:00, when this was my first, and so far only, visit to the Pale Moon forum with my just-installed instance of the Pale Moon browser, and certainly my only attempt ever, so far, at logging into this forum with the Pale Moon browser:

Again, this was my sole attempt with Pale Moon to log into the forum, and the complete event is documented here. Was that a fork bomb or something?

I can see that Pale Moon installs its own NSS library (Network Security Services), and it appears to me to be an old version; pasting from the "about:support" page:

	Expected minimum version	Version in use
NSS	3.19.5.0 Basic ECC	3.19.5.0 Basic ECC

And there are quite a few versions available in portage, all of them newer:

# ls -ltr /usr/portage/dev-libs/nss/
-rw-r--r-- 1 portage portage  9299 2015-10-02 20:06 nss-3.20.ebuild
...[6 more versions listed]...
-rw-r--r-- 1 portage portage  9334 2016-12-01 21:34 nss-3.27.2.ebuild
...
#

Could that have to do with this misbehavior?

The files necessary for this study are listed in: ls-1

dump_161218_2344_g0n_FILTER.ls-1
dump_161218_2344_g0n.pcap
dump_161218_2344_g0n_SSLKEYLOGFILE.txt
Screen_161218_2344_g0n.png
Screen_161218_2344_g0n.webm
tshark-hosts-conv_161218_235957.log

and verify against: ls-1.sum, signed by: ls-1.sum.asc