On 161219-12:16+0100, Miroslav Rovis wrote: > On 161218-15:29-0500, Walter Dnes wrote: ... > First, I installed Pale Moon, but by no means is the task over. > > And not just because I had issues, i.e. couldn't log into Pale Moon forum: > > SSL-key logging with Pale Moon (the current title) > http://www.croatiafidelis.hr/foss/cap/cap-161218-palemoon/ > ( and great if we get some insight here by seniors as to why the > apparent *fork bomb* or something happened ). > > ( Pls. do note that Pale Moon can SSL-key log just fine, except, it's an > old version of the nss library that Pale Moon uses, which is likely not > a good thing. ) ...
The NSS library that Palemoon uses (as I posted on that link above) is,
IIUC, ancient (paste from about:support):
NSS 3.19.5.0 Basic ECC 3.19.5.0 Basic ECC
See in your own portage:
# cd /usr/portage/dev-libs/nss/
# grep 'bug #' ChangeLog | cut -d# -f2 | sed 's/)//' | sed 's/\.//' \
| sed 's/\.//'|sort -u
564834
571086
574848
576862
585372
#
Of the above Gentoo Bugzilla bugs, only the last one (585372) is not about
vulns but
about stable request ("=dev-libs/nss-3.23 stable request").
So all of these:
<dev-libs/nspr-4.10.10, <dev-libs/nss-3.20.1: use-after-poison, buffer
overflow, integer overflow (CVE-2015-{7181,7182,7183})
https://bugs.gentoo.org/show_bug.cgi?id=564834
(CVE-2015-7575, CVE-2016-1938) - <dev-libs/nss-3.21-r2: Weak RSA-MD5
signature allows attack on client certificate authentication (part of SLOTH
attack), miscalculations in bignum lib (CVE-2015-7575, CVE-2016-1938)
https://bugs.gentoo.org/show_bug.cgi?id=571086
dev-libs/nss-3.22[utils] - multilib-minimal_abi_src_install - !!! dobin:
checkcert does not exist
https://bugs.gentoo.org/show_bug.cgi?id=574848
<www-client/firefox{,-bin}-{38.7.0,45.0}
<mail-client/thunderbird{,-bin}-38.7.0 <dev-libs/nss-3.22.2 : multiple
vulnerabilities (CVE-2016-{1950..1979}, CVE-2016-{2790..2802})
https://bugs.gentoo.org/show_bug.cgi?id=576862
[all of the above] speak of serious security risks with the then version of
NSS, and Pale Moon uses a version of the NSS that predates any patches to
those bugs. If I understand correctly.
In the meantime, I have retried to log into Pale Moon forum, same issue
shows up. And yet another time I retired. And it's consistent
behavior... Maybe because now the forum thinks I tried many times
before, which is just not the case by any means!
And for that try, I cleared the cache, and get a cast/trace pair short,
and clean event, no other, or not much other conversations, but those
with the Pale Moon Forum (and its requests, true, which are a lot of
requests...).
No addons/extensions yet (not even the eff-https-everywhere, the browser
functionalities minimized, privacy browsing set to always, though, and
I'll show that too. Ah, no tracking protection in Pale Moon, we'll see
to that... But later I'll make page 2 with that cast/trace pair.
( And, regarding the short post by [email protected]
http://www.gossamer-threads.com/lists/gentoo/user/320794#320794
also something to fake browser fingerprinting, probably start looking from:
https://wiki.gentoo.org/wiki/Tor )
So what should I think of Pale Moon, regarding the SSL-key logging, but
with that ancient NSS?
Aaarggghhh!
--
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
signature.asc
Description: Digital signature
