
Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

2 edits
reply to Mele20

Re: Google disables SSL compression in Chrome against new attack


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to FF4m3

said by FF4m3 :

said by Mele20:

Google wants Proxo dead.

No they don't. Google could care less about Proxo.

Google doesn't want Proxo dead? Then explain to me why they stopped allowing Proxo to fake a Google cookie? Google has become more hostile toward Proxo in the last few years.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to Name Game

said by Name Game:

Have they told you if Proxo will work with Windows 8..I hear it might be compatible but not tested..

You might understand it all more in this thread where scarlettrunner20
shows people how to do a little test at "boh.com" The Bank of Hawaii .
»forums.mozillazine.org/viewtopic···=2310053

Proxo should work on Windows 8. As long as the web is based on HTTP protocol Proxo should work. Some sites may have problems when filtered by Proxo but that has always been the case and SPDY could pose some problems. When Sidki left public Proxo development after his 10/2010 filters gift to us users, he gave his notes, etc. to JJoe and JJoe gave us a filter set updating Sidki's last set in 12/11. I still use Sidki's 10/2010 filters on my host machine and JJoe's on virtual machines.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to Mele20

You are so funny..then stop using google and stop ranting about it.



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
reply to Mele20

said by Mele20:

(God forbid that any of us be able to block Google ads).

I use the AdBlock Plus extension in FF and don't see Google or any other ads. But use whatever does, or doesn't, work for you.
--
Don't feed trolls--it only makes them grow!


norwegian
Premium
join:2005-02-15
Outback
reply to Name Game

said by Name Game:

SSL2 should be disabled.
TLS 1.1 and TLS 1.2 should be enabled and are preferred, though TLS 1.2 was not yet supported on many servers

But for Opera this was the problem even in Jan 2012

»my.opera.com/community/forums/to···=1262702

Quite a good link. However it is interesting in this quote:

quote:
The RFC also says that servers MUST accept that clients send extensions (and ignore the ones it cannot handle), and MUST accept that clients may signal a higher version than they support. Unfortunately, what the RFCs say, and what got implemented in the server can be two very different things. There is a reason why RFC 5746 (The Renego patch) includes a reminder about what the RFCs say on those two points.
Well, what can you say. It is all too similar to a lot of Internet browsing.

You have to allow for it to be a reply to a request. What we need to do is create an environment whereby that initial handshake doesn't allow all, doesn't allow by default, looks for certain strings....guess to some extent that may happen already and you become pwned....

So to start with not allowing anything but still recognize the link it needs....love to be able to have that signed in my name.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



norwegian
Premium
join:2005-02-15
Outback
reply to Name Game

said by Name Game:

TLS 1.1 .... .... should be enabled and are preferred, though TLS 1.2 was not yet supported on many servers

That comment seems to have merit. Turning it on has evolved my browsing experience.


caffeinator
Coming soon to a cup near you..
Premium
join:2005-01-16
WA, USA
kudos:4
reply to Name Game

said by Name Game:

If you use Opera..even many months ago..

SSL2 should be disabled.
TLS 1.1 and TLS 1.2 should be enabled and are preferred, though TLS 1.2 was not yet supported on many servers

Hmm...

I'm still using Opera 11.64 on this box. Even so, when checking under security protocols, there is no SSL v2 listed at all. Only SSL v3 and the TLS variants.



Those are the default settings, I haven't had a need to change them.

--

My 9/11 Tribute..online since 9/14/01
Need an Avatar? Check out Wafen's Avatar Pages


FF4m3

@bhn.net
reply to MagnusM

The perfect CRIME? New HTTPS web hijack attack explained:

The so-called CRIME technique lures a vulnerable web browser into leaking an authentication cookie created when a user starts a secure session with a website. Once the cookie has been obtained, it can be used by hackers to log in to the victim's account on the site.

The cookie is deduced by tricking the browser into sending compressed encrypted requests for files to a HTTPS website and exploiting information inadvertently leaked in the process. During the attack, the encrypted requests - each of which contains the cookie - are continually modified by malicious JavaScript code, and the changing size of the compressed message is used to determine the cookie's contents character by character.

Punters using web browsers that implement either TLS or SPDY compression are potentially at risk - but the vulnerability only comes into play if the victim visits a website that accepts the affected protocols. Support is widespread but far from ubiquitous.

The researchers worked with Mozilla and Google to ensure that both Firefox and Chrome are protected. Microsoft's Internet Explorer is not vulnerable to the attack, and only beta versions of Opera support SPDY. Smartphone browsers and other applications that rely on TLS may be vulnerable, according to Ars Technica.

"Basically, the attacker is running a script on Evil.com," Rizzo explained to Kaspersky Labs' Threatpost. "He forces the browser to open requests to Bank.com by, for example, adding tags with the src pointing to Bank.com. Each of those requests contains data from mixed sources."

Each encrypted request includes an image file name - a constantly changing detail that is generated by the malicious script; the browser's identification headers, which don't change; and the login cookie, the target of the attack. When the file name matches part of the login cookie, the size of the message drops because the compression algorithm removes this redundancy.

"The problem is that compression combines all those sources together," Rizzo added. "The attacker can sniff the packets and get the size of the requests that are sent. By changing the [file name] path, he could attempt to minimise the request size, ie: when the file name matches the cookie."

This brute-force attack has been demonstrated against several sites including Dropbox, Github and Stripe. Affected organisations were notified by the pair, and the websites have reportedly suspended support for the leaky encryption compression protocols. Ivan Ristic, director of engineering at Qualys, estimates 42 percent of sites support TLS compression.

The researchers will present their work at the Ekoparty security conference in Buenos Aires, Argentina next week. In the meantime, Jeremiah Grossman, founder and chief technology officer of WhiteHat Security, has a detailed take on the attack here.


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to caffeinator

SSL 2 hasn't been around on Opera since version 10 or earlier I think. Hasn't been, I know for sure, on version 11.0 and above.

I don't know what Name Game is referring to as the Opera forum link he gives points out the futility of starting with TLS 1.1 or TLS 1.2 as 98% of servers are not able to use it. Opera's main security developer explains Opera's reasoning in that thread.

So, Opera, for PRACTICAL reasons, defaults to SSL 3 and TLS 1.0. Why Name Game thinks Opera should support a protocol that is not supported yet on the web, except in a tiny minority of cases, I don't understand. Opera should be a guinea pig? Why? I think he should clarify his comment.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

You are still funny and if you used Opera..you would have done that last year to mitigate the BEAST..I posted that info in many forums myself and you can see it done here

»answers.yahoo.com/question/index···5AAjCZy5

»www.phonefactor.com/resources/Ci···east.pdf

And that is also why I think your panic over CRIME..which is still not even presented yet... is mostly FUD..BEAST was even a bigger problem and caught many with their pants down. Opera is not a guinea pig..it is a browser that has been out there since 1996 and never is really ready for prime time in all of its development cycle and new versions.
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


evoxllx

join:2007-06-07
Winter Park, FL

2 edits
reply to Mele20

said by Mele20:

SSL 2 hasn't been around on Opera since version 10 or earlier I think. Hasn't been, I know for sure, on version 11.0 and above.

I don't know what Name Game is referring to as the Opera forum link he gives points out the futility of starting with TLS 1.1 or TLS 1.2 as 98% of servers are not able to use it. Opera's main security developer explains Opera's reasoning in that thread.

So, Opera, for PRACTICAL reasons, defaults to SSL 3 and TLS 1.0. Why Name Game thinks Opera should support a protocol that is not supported yet on the web, except in a tiny minority of cases, I don't understand. Opera should be a guinea pig? Why? I think he should clarify his comment.

The percentage of sites that don't support it is irrelevant when the sites that DO support it are some of the most sought after when it comes to these types of attacks, not to mention some of the largest sites/services on the internet.

Google, Facebook, PayPal, CloudFlare, etc.

The reason it's so slow to rollout is mostly due to buggy network devices and servers.

That being said, Opera lacks many things that I think are more important, such as HSTS and ECDHE support.


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

Exactly...So I would suggest to everyone who thinks the developer of their chosen browser is not on top of this issue of CRIME or any other vulnerability ...to hold off and see what they do..but if you are so paranoid and think the developer is behind the power curve..then start disabling "whatever"..at least you will learn more about your internet ride than you did last week... or change your browser.... I'll let Chrome change my oil and filter.



MagnusM
Premium
join:2001-07-07

1 recommendation

reply to MagnusM

Here is a video that shows the CRIME exploit in action:

»www.youtube.com/watch?v=gGPhHYyg9r4

--
Mischel Internet Security - Developer of TrojanHunter


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

Thanks here is another one.
»Re: Google disables SSL compression in Chrome against new attack



MagnusM
Premium
join:2001-07-07
reply to MagnusM

Seems you were quicker than me on that one



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

I like yours better since it displays in the thread.



DownTheShore
Honoring The Captain
Premium
join:2003-12-02
Beautiful NJ
kudos:13
reply to FF4m3

said by FF4m3 :

Set as above.

Thanks!

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to Name Game

Sigh. Why are you on such a tear?

The screenshot is from my favorite version of Opera, 10 Preview which I downloaded in Aug 2009. It has no Unite. TLS 1.1 is checked. I've had it checked ever since it first appeared in an Opera version long before Beast attack last year.

You'll note from the screenshot that as far back as August 2009, Opera did not have SSL 2. I caught you out on that so I guess you are trying to get folks to forget that by going on about my being "funny". I believe the description fits you better.

"Panic over Crime"? Where in the world did you get that idea? I am concerned about SPDY because of the possible implications for Proxo and the fact that on Sea Monkey the Fx extension won't install so I can't monitor SPDY usage. My other browsers don't use SPDY. How does this translate to "panic over crime'? Geez...you need to stop posting so much as you appear to be getting things all mixed up.

Stop putting words in my mouth. I never said Opera was a guinea pig. Go back and read what I said. I asked if Opera should be expected to START ACTING LIKE A GUINEA PIG by DEFAULTING to TLS 1.2. I pointed out the EXCELLENT reasons a highly respected security developer gave for why Opera defaults to TLS 1.0. YOU want Opera to be a guinea pig because you fault it for not defaulting to TLS 1.2. I do NOT want Opera to be a guinea pig and it is NOT one.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


MeDuZa

join:2003-06-13
Austria
reply to Name Game

said by Name Game:

Exactly...

Not quite so Exactly.
- Opera(12) has HSTS support. evoxllx is wrong.
- Regarding ECDHE support:

quote:
Opera support Forward Secrecy in the form of the Ephemeral Diffie-Hellman (DHE) cipher suites, but not the Elliptic Curve DHE method Google selected to prioritize (At present Opera does not support Elliptic Curve crypto). Google seem to prioritize the ECDHE and RSA/ARC4 above the DHE methods (there is no DHE_RSA/ARC4 ciphersuite defined, which may explain that part; ARC4 is less costly than AES). AFAICT Google does not support the DHE_RSA methods on their server.

In the list of ciphersuites that Opera sends the server, the DHE_RSA ciphersuites are listed as more preferred than the corresponding RSA ciphersuite, so if the DHE method is not selected it is because the server either does not support the cipher suites (as is the case on google.com), or decided not to select it based on its own list of prioritized ciphersuites.
--
Reality corrupted. Reboot universe? (Y/N)

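The selection rule behind the Opera developer's explanation, as an added example that is not part of the original post or of Opera's or Google's code. A server picks the first suite both sides support, walking either its own preference list or the client's, so a client that ranks DHE_RSA first still ends up on a plain RSA suite when the server lacks DHE_RSA or prefers its own order. The cipher-suite lists below are constructed and shortened stand-ins for what the browsers and server in the quote advertised.

```python
# Constructed preference lists (simplified suite names), assumed for the demo.
OPERA_LIKE_CLIENT = [           # DHE_RSA ahead of plain RSA, no ECDHE suites
    "DHE_RSA_AES_128_CBC_SHA",
    "RSA_AES_128_CBC_SHA",
    "RSA_RC4_128_SHA",
]
CHROME_LIKE_CLIENT = [          # ECDHE first, then plain RSA
    "ECDHE_RSA_AES_128_CBC_SHA",
    "RSA_AES_128_CBC_SHA",
    "RSA_RC4_128_SHA",
]
GOOGLE_LIKE_SERVER = [          # ECDHE and RSA/RC4 offered, no DHE_RSA at all
    "ECDHE_RSA_AES_128_CBC_SHA",
    "RSA_RC4_128_SHA",
    "RSA_AES_128_CBC_SHA",
]
DHE_BUT_RSA_FIRST_SERVER = [    # supports DHE_RSA but ranks plain RSA above it
    "RSA_AES_128_CBC_SHA",
    "DHE_RSA_AES_128_CBC_SHA",
]


def negotiate(client, server, prefer_server_order):
    """Return the suite a TLS server selects: the first entry of the list it
    honours (its own, or the client's) that the other side also offers."""
    ordered, other = (server, client) if prefer_server_order else (client, server)
    for suite in ordered:
        if suite in other:
            return suite
    return None  # no common suite: handshake fails


def is_forward_secret(suite):
    """Ephemeral (EC)DH suites give forward secrecy; static RSA ones do not."""
    return suite is not None and suite.startswith(("ECDHE_", "DHE_"))


if __name__ == "__main__":
    for name, client in (("Opera-like", OPERA_LIKE_CLIENT), ("Chrome-like", CHROME_LIKE_CLIENT)):
        chosen = negotiate(client, GOOGLE_LIKE_SERVER, prefer_server_order=True)
        print(f"{name} vs Google-like server: {chosen}, PFS={is_forward_secret(chosen)}")
    for order in (True, False):
        chosen = negotiate(OPERA_LIKE_CLIENT, DHE_BUT_RSA_FIRST_SERVER, prefer_server_order=order)
        print(f"Opera-like vs RSA-first server (server order={order}): {chosen}")
```

The two cases in the quote fall out directly: against the Google-like server the Opera-like client never reaches a forward-secret suite, whichever order is honoured, because no DHE_RSA suite exists on the server side; against a server that does offer DHE_RSA, forward secrecy depends on whether the server honours the client's ranking or its own.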

KodiacZiller
Premium
join:2008-09-04
73368
kudos:2

said by MeDuZa:

said by Name Game:

Exactly...

Not quite so Exactly.
- Opera(12) has HSTS support. evoxllx is wrong.
- Regarding ECDHE support:

quote:
Opera support Forward Secrecy in the form of the Ephemeral Diffie-Hellman (DHE) cipher suites, but not the Elliptic Curve DHE method Google selected to prioritize (At present Opera does not support Elliptic Curve crypto). Google seem to prioritize the ECDHE and RSA/ARC4 above the DHE methods (there is no DHE_RSA/ARC4 ciphersuite defined, which may explain that part; ARC4 is less costly than AES). AFAICT Google does not support the DHE_RSA methods on their server.

In the list of ciphersuites that Opera sends the server, the DHE_RSA ciphersuites are listed as more preferred than the corresponding RSA ciphersuite, so if the DHE method is not selected it is because the server either does not support the cipher suites (as is the case on google.com), or decided not to select it based on its own list of prioritized ciphersuites.

ECC needs to become the standard already. It is much more efficient than RSA (it uses much smaller keys, but they are equally secure at a smaller size). Instead of a 2048 bit RSA key, you can get equivalent strength from a 224 bit ECC key, which makes it much faster and efficient.
--
Getting people to stop using windows is more or less the same as trying to get people to stop smoking tobacco products. They dont want to change; they are happy with slowly dying inside. -- munky99999


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to Mele20

Some people are still using older versions of Opera just like you are still using Firefox versions 4.0.1 28.
You also have the new Sea Monkey 2.12.1 which became available 10 September, 2012 which now has SPDY.
so get an older version
»dev.oldapps.com/seamonkey.php?ol···key=8200

This SPDY thing you are on about trying to destroy Proxo is still funny and the only guinea pigs (no caps needed) I know with Opera are the users who try to get their final releases to work over the years. That's why many stick with older versions. Sound familiar ?
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to MagnusM

I already have older versions of SeaMonkey. I have several versions of every browser.

As for Opera, yes, Opera made a bad decision to try and keep up with other browser makers' insane schedule. Since 11.0 Opera has been producing seriously buggy final versions which was never the case before 11.0. But Opera, I suppose, has felt the need to do this. They, like Mozilla, are scared of the crappy Chrome browser. And they have to worry about the vast majority of computer users who like Chrome for the very reasons that most (not you though) knowledgeable computer users dislike it, and avoid it, or at least use Iron.

The ignorance of the masses has, as usual, forced terrible problems for those who bother to educate themselves. A less rapid release schedule is far superior to the garbage we get now with all the browsers in this insane race to be faster in the release schedule out of the real fear that the ignorant of computer users will believe that only the fastest to release new versions browser is a good one. That, of course, is absurdly ridiculous, and a lie, but it is easy to fool those who refuse to take any responsibility to educate themselves about computers but still insist on using them!
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

Well I think I am correct in assuming that the highest level of OS you run is XP and maybe still only SP2 and that really limits one to browser choices and even how those choices really run in XP compared to how they run on newer OS's offered by Microsoft. Yes many of those other browsers will run on XP and they are advertised that way..but I think in reality they might not be that safe just because of the XP architecture.
I have the same problem with so many of my friends and family that I help..but at least they have the latest SP's for XP and then all the other updates to make it as secure as possible.

They are not rocket scientists..and just want two things..to enjoy the internet and all its features on the sites they frequent..and not to get infected. They don't have time to run and install other plugins or proggies to keep them safe and would not even understand why they need them..so options are limited.
--
Gladiator Security Forum
»www.gladiator-antivirus.com/



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to MagnusM

This should be a good tweet to follow to its final resolution.

Why firefox could not load the css correctly whereas chrome does?
Is there something wrong with the site? Chrome won't let me visit it.
We're investigating Google Chrome and some other services flagging our CDN as suspicious.
FireFox is blocking our CSS on the back end because of the same warning Chrome is displaying.

»twitter.com/VergeSupport

»www.theverge.com/
--
Gladiator Security Forum
»www.gladiator-antivirus.com/