Re: Browser traffic interception/inspection
On 08/07/2024 04:42, Lee wrote:
> On Mon, Jul 1, 2024 at 11:02 AM Max Nikulin wrote:
>> On 01/07/2024 13:57, Lee wrote:
>>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842292
>> [...]
>> Is libnss built with logging support ABI compatible with the variant in
>> Debian repositories? (Or can it be patched to achieve ABI
>> compatibility?) Instead of asking for changing compile flags for all
>> users, from my point of view, it is better to suggest alternative
>> packages with and without logging enabled.
>>
>> Browsers are rather sensitive applications, so I find it reasonable that
>> dumping of encryption keys is not available by default.
>
> Maybe I don't know enough to know what's "reasonable" or not.. but I
> don't see a problem with me being able to inspect the traffic between
> me and some website.

Is it OK for you that e.g. GnuPG agent disables tracing by default, so
attaching a debugger or a tool like strace is not so easy? It makes it
harder to debug some issues.

From my point of view, by default libnss3 should not allow logging of
private keys. At the same time I do not mind that some users should be
able to inspect TLS sessions. My idea is an *alternative* package that
may be optionally installed instead of regular libnss3. Comments to the
bug report request to enable debugging for *all* and I agree with the
maintainers who have not done it. You may ask for providing an additional
package for TLS debugging.

> Anyone else wants to intercept my traffic and they'll have to set an
> environment variable - which root can do, but who else?

Any regular user may start the browser with this variable set. Some
unintentionally executed code in a user session may restart the browser
with enabled logging. I would not argue that it is a great trouble if an
exploit is executed. However, some measures may be taken to increase
attack complexity and disabling TLS logging is a small step in this
direction.

> <https://support.mozilla.org/en-US/kb/install-firefox-linux#w_install-firefox-deb-package-for-debian-based-distributions>
> but I don't know how to evaluate the security
> implications of modifying apt-get files. So I just downloaded the
> binary from mozilla

So you trust mozilla anyway. Notice the "Signed-By" key in repository
configuration: sources.list(5),
<https://wiki.debian.org/DebianRepository/UseThirdParty>
<https://wiki.debian.org/SourcesList>
apt-secure(8), <https://wiki.debian.org/SecureApt>

> tar -xvf firefox-115.12.0esr.tar.bz2
> sudo mv firefox /opt/firefox-115.12.0esr/
> sudo ln -s /opt/firefox-115.12.0esr/firefox /usr/local/bin/firefox

I suspect that a regular user owns /opt/firefox-115.12.0esr/ and may
modify files. It should allow autoupdates, but I believe, it is an
administrator task to update browser.
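
A check for the ownership concern raised at the end of this message, as an added example that is not part of the original thread: it lists entries under an install directory that are not owned by the expected account or are group- or world-writable. The function names and the optional owner argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a manually unpacked browser tree for entries that an
# account other than the administrator could modify.
# Function names and the OWNER argument are illustrative assumptions.

# list_modifiable DIR [OWNER]
# Prints every entry under DIR that is not owned by OWNER (default: root)
# or that is group- or world-writable. Symlinks are skipped because their
# own mode bits are not meaningful.
list_modifiable() {
    dir=$1
    owner=${2:-root}
    find "$dir" ! -type l \
        \( ! -user "$owner" -o -perm -020 -o -perm -002 \) -print
}

# audit_tree DIR [OWNER]
# Returns 0 when nothing is modifiable by other accounts, 1 otherwise,
# and prints each finding with a "modifiable:" prefix.
audit_tree() {
    findings=$(list_modifiable "$@")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings" | sed 's/^/modifiable: /'
        return 1
    fi
    return 0
}

# What an administrator would apply after unpacking (shown, not run here):
#   sudo chown -R root:root /opt/firefox-115.12.0esr
#   sudo chmod -R go-w /opt/firefox-115.12.0esr

# Stand-alone use: sh audit.sh /opt/firefox-115.12.0esr
if [ $# -gt 0 ]; then
    audit_tree "$@"
fi
```

A tree extracted with tar as a regular user and then moved with `sudo mv` keeps that user's ownership, so every entry is reported until ownership is changed.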