
Re: Browser traffic interception/inspection



Hi,

On Sun, Jul 7, 2024 at 10:31 PM Max Nikulin wrote:
>
> On 08/07/2024 04:42, Lee wrote:
> > On Mon, Jul 1, 2024 at 11:02 AM Max Nikulin wrote:
> >> On 01/07/2024 13:57, Lee wrote:
> >>>     https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842292
> [...]
> >> Is libnss built with logging support ABI compatible with the variant in
> >> Debian repositories? (Or can it be patched to achieve ABI
> >> compatibility?) Instead of asking for changing compile flags for all
> >> users, from my point of view, it is better to suggest alternative
> >> packages with and without logging enabled.
> >>
> >> Browsers are rather sensitive applications, so I find it reasonable that
> >> dumping of encryption keys is not available by default.
> >
> > Maybe I don't know enough to know what's "reasonable" or not.. but I
> > don't see a problem with me being able to inspect the traffic between
> > me and some website.
>
> Is it OK for you that e.g. GnuPG agent disables tracing by default, so
> attaching a debugger or a tool like strace is not so easy? It makes it
> harder to debug some issues.

I didn't realize that GnuPG disables tracing by default, so the idea
of it being OK or not has never come up for me.  But my first question
is does it actually improve security or is it more like security
theater?
I don't know how hard it would be to build your own version of GnuPG
that allows tracing, but if it's relatively easy it seems like
disabling tracing is just a minor stumbling block instead of an actual
security enhancement.

> From my point of view, by default libnss3 should not allow logging of
> private keys. At the same time I do not mind that some users should be
> able to inspect TLS sessions. My idea is an *alternative* package that
> may be optionally installed instead of regular libnss3. Comments to the
> bug report request to enable debugging for *all* and I agree with the
> maintainers who have not done it. You may ask for providing an additional
> package for TLS debugging.
>
> > Anyone else wants to intercept my traffic and they'll have to set an
> > environment variable - which root can do, but who else?
>
> Any regular user may start browser with this variable set.

Right, but presumably they intended that the variable be set.
I'm asking about malicious use of that variable.  Root can do pretty
much whatever they want to, but how does a non-root attacker set that
variable?

> Some
> unintentionally executed code in a user session may restart browser with
> enabled logging. I would not argue that it is a great trouble if an
> exploit is executed. However some measures may be taken to increase
> attack complexity and disabling TLS logging is a small step in this
> direction.

Well, debian has taken that small step.  It's no big deal for me to
download firefox from mozilla, so I've got my work-around.
And this is on my laptop, so the minor lack of security is only going
to impact me -- nobody else uses this laptop :)

> >> <https://support.mozilla.org/en-US/kb/install-firefox-linux#w_install-firefox-deb-package-for-debian-based-distributions>
> >
> > but I don't know how to evaluate the security
> > implications of modifying apt-get files.  So I just downloaded the
> > binary from mozilla
>
> So you trust mozilla anyway.

Yes, I trust them enough to run their binary.
I lack the knowledge to evaluate the security implications of
following their instructions to add their repository to .. whatever it
is on my machine (I don't even know what it's called.)

"When in doubt, leave it out."  seems applicable here.

> Notice the "Signed-By" key in repository
> configuration: sources.list(5),
> <https://wiki.debian.org/DebianRepository/UseThirdParty>
> <https://wiki.debian.org/SourcesList>
> apt-secure(8), <https://wiki.debian.org/SecureApt>
>
> > tar -xvf firefox-115.12.0esr.tar.bz2
> > sudo mv firefox /opt/firefox-115.12.0esr/
> > sudo ln -s /opt/firefox-115.12.0esr/firefox /usr/local/bin/firefox
>
> I suspect that a regular user owns /opt/firefox-115.12.0esr/ and may
> modify files.

You're right :)  Everything in /opt/firefox-115.12.0esr/ is owned by me.
But again, this is on a laptop that nobody else is going to use so ...
I dunno.. maybe I'll chown everything to root so it can't be
accidentally updated.

> It should allow autoupdates, but I believe, it is an
> administrator task to update browser.

I agree.  I've got it set up that way on my windows machine.  I should
probably fix it so I have to become root to update firefox.

Regards,
Lee
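
Added example (not part of Lee's or Max's messages): a shell audit for the two concerns raised in the thread, a browser tree under /opt that a regular user can modify, and a process running with TLS key logging switched on through the environment. The thread does not spell out the variable name; SSLKEYLOGFILE is assumed to be the one meant, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example: audit helpers, not code from the thread.

# List entries under DIR that someone other than the administrator could
# modify: anything not owned by OWNER (user name or numeric uid, default
# root) or writable by group or others.
# Symlinks are skipped because their own mode bits are always 0777.
unsafe_entries() {
    dir=$1
    owner=${2:-root}
    find "$dir" ! -type l \( ! -user "$owner" -o -perm -020 -o -perm -002 \) -print
}

# Print the key-log path found in a NUL-separated environment dump (the
# format of /proc/PID/environ). Returns non-zero when the variable is
# absent or empty, or when the file cannot be read.
# SSLKEYLOGFILE is assumed to be the variable the thread refers to.
keylog_target() {
    { tr '\0' '\n' < "$1"; } 2>/dev/null | sed -n 's/^SSLKEYLOGFILE=//p' | grep .
}

# Report every process whose environment is readable by the caller and
# that was started with key logging enabled.
scan_processes() {
    for envfile in /proc/[0-9]*/environ; do
        [ -r "$envfile" ] || continue
        target=$(keylog_target "$envfile") || continue
        pid=${envfile#/proc/}
        pid=${pid%/environ}
        printf 'pid %s logs TLS keys to %s\n' "$pid" "$target"
    done
}

# Usage: sh audit.sh /opt/firefox-115.12.0esr
if [ "$#" -ge 1 ]; then
    unsafe_entries "$1" | sed 's/^/modifiable: /'
    scan_processes
fi
```

Run as the regular user it only sees that user's own processes; run as root it covers every session on the machine.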

