Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
SSL Decode & My Hard-Earned Advice for SPDY/HTTP2 in Firefox
View unanswered posts
View posts from last 24 hours

Goto page 1, 2  Next  
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
miroR
l33t
l33t


Joined: 05 Mar 2008
Posts: 826

PostPosted: Wed Sep 23, 2015 4:28 pm    Post subject: SSL Decode & My Hard-Earned Advice for SPDY/HTTP2 in Fir Reply with quote

retitling (2015-10-07 13:21+02:00) to:
SSL Decode & My Hard-Earned Advice for SPDY/HTTP2 in Firefox
----------------------------------------------------------------
title:
TLS (SSL) tcp stream decoding in your traffic dumps?
----------------------------------------------------------------

The knowledge is there. Else there wouldn't be no 'XXX' in regard....

Wireshark-users: [Wireshark-users] The SSL tcp stream decoding in Users' Manual?
https://www.wireshark.org/lists/wireshark-users/201509/msg00009.html
[*]

I'm talking about decrypting stuff like when you sent mail and capture traffic, and want to see what, if any, went wrong.

Or when you open sn TLS connection, say from Mutt, which, say, open your Lynx, but can't open the link to Gentoo forums, for some reason...

And stuff like that.

There's really advanced users here on Gentoo Forums. Some of you, I am sure, know how to do it.

Pls., give us at least some hints where to start figuring it out!

If you want more on my attempts (some really successful) at figuring why some things sometimes go badly wrong when you go online, have a look at:

Postfix smtp/TLS, Bkp/Cloning Mthd, Censorship/Intrusion
https://forums.gentoo.org/viewtopic-t-999436.html

such as, e.g.:

how my previous provider threw my mail to junk:
Code:

ep  4 23:18:46 localhost postfix/smtp[14602]: 29D7B28E1FF:
to=<support@plus.hr>, relay=127.0.0.1[127.0.0.1]:11125, delay=15731,
delays=15731/0.01/0.18/0.52, dsn=5.0.0, status=bounced (host
127.0.0.1[127.0.0.1] said: 550-"JunkMail rejected - 147-226.dsl.iskon.hr
(n4m3.localdomain) 550-[89.164.147.226]:41972 is in an RBL, see 550
http://www.spamhaus.org/query/bl?ip=89.164.147.226" (in reply to RCPT TO
command))

found at:
https://forums.gentoo.org/viewtopic-t-999436.html#7613052

or one instance of undeniable clickjacking, found at:
https://forums.gentoo.org/viewtopic-t-999436.html#7685200

My dream is to learn it, and to teach to newbies how to get hold of their
online time, against attaks, intrusions, illegal accusations by malicious
providers (that's not a pun on words)... and such. Teach myself first, and
then newbies, to get real privacy.

---
[*] I set this in bottom, not to be accuse of crossposting. Pasting from that wireshark message of mine:

In simple search, currently, if you open:

https://www.wireshark.org/docs/wsug_html/

and search the text for 'XXX', then (again: currently) the first
instance you encounter is:

Follow SSL Stream | Same functionality as “Follow TCP Stream” but for
SSL streams. XXX - how to provide the SSL keys?


Last edited by miroR on Wed Oct 07, 2015 11:24 am; edited 2 times in total
Back to top
View user's profile Send private message
toralf
Developer
Developer


Joined: 01 Feb 2004
Posts: 3921
Location: Hamburg

PostPosted: Wed Sep 23, 2015 5:04 pm    Post subject: Reply with quote

https://jimshaver.net/2015/02/11/decrypting-tls-browser-traffic-with-wireshark-the-easy-way/
Back to top
View user's profile Send private message
miroR
l33t
l33t


Joined: 05 Mar 2008
Posts: 826

PostPosted: Wed Sep 23, 2015 5:48 pm    Post subject: Reply with quote

toralf wrote:
https://jimshaver.net/2015/02/11/decrypting-tls-browser-traffic-with-wireshark-the-easy-way/

Thanks!!!
...Studying it!...
Back to top
View user's profile Send private message
toralf
Developer
Developer


Joined: 01 Feb 2004
Posts: 3921
Location: Hamburg

PostPosted: Wed Sep 23, 2015 6:53 pm    Post subject: Reply with quote

miroR wrote:
toralf wrote:
https://jimshaver.net/2015/02/11/decrypting-tls-browser-traffic-with-wireshark-the-easy-way/

Thanks!!!
...Studying it!...
urw
BTW if it solves your question, pls just put a "[solved]" in front of the title of this thread.
Back to top
View user's profile Send private message
miroR
l33t
l33t


Joined: 05 Mar 2008
Posts: 826

PostPosted: Thu Sep 24, 2015 12:37 am    Post subject: Reply with quote

toralf wrote:
miroR wrote:
toralf wrote:
https://jimshaver.net/2015/02/11/decrypting-tls-browser-traffic-with-wireshark-the-easy-way/

Thanks!!!
...Studying it!...
urw
BTW if it solves your question, pls just put a "[solved]" in front of the title of this thread.

Oh, I don't believe. That couldn't happen just that easily. We are talking huge area here...

Don't know if you looked at the clickjacking that I caught. You don't get that without "preying" on your intruders (the regime, probably, in my case, wanting to rig me as spammer)...

What I mean, is, I constantly "uncenz" (read on) my time online.

The uncenz (for uncensorize) is a primitive program of mine:
http://github.com/miroR/uncenz

and I can figure a lot, just not when it's encrypted. But the area is huge: mailing, Dillo (with some not completely implemented TLS), Lynx... past dumps, current dmps to decode real time...

This is likely to protract long in the future....

Next, I did a little research with simple:
# emerge -s ssl
Code:

...
*  net-analyzer/ssldump
      Latest version available: 0.9-r2
      Latest version installed: [ Not Installed ]
      Size of files: 135 KiB
      Homepage:      http://www.rtfm.com/ssldump/
      Description:   An SSLv3/TLS network protocol analyzer
      License:       openssl

...

*  net-analyzer/sslscan
      Latest version available: 1.8.2
      Latest version installed: 1.8.2
      Size of files: 22 KiB
      Homepage:      http://sourceforge.net/projects/sslscan/
      Description:   Fast SSL port scanner
      License:       GPL-3


...

*  net-analyzer/sslsniff
      Latest version available: 0.8-r1
      Latest version installed: [ Not Installed ]
      Size of files: 203 KiB
      Homepage:      http://thoughtcrime.org/software/sslsniff/
      Description:   MITM all SSL connections on a LAN and dynamically generates certs
      License:       GPL-3

...

and it's the sslsniff that appears to do the work of sniffing the certs out.

However, while I was able to install ssldump, no luck I had with sslsniff....

So I think I'll go for the Bugzilla, The GUI Wireshark, where it's obvious they don't want to give it to the non-paying public... just read there about CloudShark that can do it for guiers....

The GUI Wireshark and the logging in that fine tutorial I can only use when I will use Firefox the next time. And Firefox is a harvester browser, like any of the other big browsers, so I don't like to use it.

And so I will probably need the sslsniff.

My mileage here, though, may vary greatly. I have, or had, postponed, and haven't completed other work, and will finish, or had finished, them who knows when, or only months later...

So if I don't go much about this in a matter of days, it will not mean that I desisted from this.

Regards!
Back to top
View user's profile Send private message
miroR
l33t
l33t


Joined: 05 Mar 2008
Posts: 826

PostPosted: Thu Sep 24, 2015 1:18 am    Post subject: Reply with quote

net-analyzer_sslsniff fails to build
https://bugs.gentoo.org/show_bug.cgi?id=561314

It's a torture to file a bug with Dillo... But at least I'm really safe and calm in respect to when I use Firefox. I don't even want to think of Schmoog's own freeking Chrome or such...
Back to top
View user's profile Send private message
papahuhn
l33t
l33t


Joined: 06 Sep 2004
Posts: 626

PostPosted: Thu Sep 24, 2015 5:42 pm    Post subject: Reply with quote

Do you really expect to get info of how to break a TLS connection?
_________________
Death by snoo-snoo!
Back to top
View user's profile Send private message
miroR
l33t
l33t


Joined: 05 Mar 2008
Posts: 826

PostPosted: Sat Sep 26, 2015 1:48 pm    Post subject: Reply with quote

papahuhn wrote:
Do you really expect to get info of how to break a TLS connection?

Yes I do. Now. Actually, I did it, because they, the SANS (will be explained) told the world about it.
Just study the links already given, if you're impatient.

Or, go straight to, in all apperances, a new paper available now to the world of poor users like me who just want to have their privacy, in steps:

The key link:
The SSL tcp stream decoding in Users' Manual?
https://www.wireshark.org/lists/wireshark-users/201509/msg00011.html

where find:
Secure Socket Layer (SSL)
https://wiki.wireshark.org/SSL

and after reading a bit, I went avidly for the PDF file, find the words "Full paper: SSL/TLS:What's under the Hood, written by Sally Vandeven", and, surely, download it:

http://www.sans.org/reading-room/whitepapers/authentication/ssl-tls-whats-hood-34297

I suggest renaming it to:
Code:

$ mv -iv ssl-tls-whats-hood-34297 ssl-tls-whats-hood-34297.pdf

but that is unimportant.

And, once you downloaded it, have a look at the very last page, with the teaching programme, their all in the future, the first on the 2015-09-28, which is the daya after tomorrow! So it's a new paper.

SANS Traning wrote:

Upcoming SANS Training
...
SANS Bangalore 2015 OnlineIN Sep 28, 2015 - Oct 17, 2015 Live Event
...
Back to top
View user's profile Send private message
miroR
l33t
l33t


Joined: 05 Mar 2008
Posts: 826

PostPosted: Sat Sep 26, 2015 1:54 pm    Post subject: Reply with quote

And my breakthroug is, and surely I suggest that to all who do have Apache deployed in their boxes (probably SOHO networks, or other), to try in on their networks, offline, first.

I just successfully got it all working in my Apache, I saw the decrypted traffic, taken with my https://github.com/miroR/uncenz program, of my:

https://my-offline-host/cgi-bin/cgit.cgi/

I have to thank SANS Traning, and also Jeff Morris, subscriber (or more that he is) at Wireshark ML, for this breakthrough!

Regards!
Back to top
View user's profile Send private message
papahuhn
l33t
l33t


Joined: 06 Sep 2004
Posts: 626

PostPosted: Sat Sep 26, 2015 6:19 pm    Post subject: Reply with quote

miroR wrote:
And my breakthroug is, and surely I suggest that to all who do have Apache deployed in their boxes (probably SOHO networks, or other), to try in on their networks, offline, first.


Your goal was to look into SSL traffic of your own webserver or what is the point?

Edit: Chromes sslkeylogfile feature is quite neat I must say. Thanks.
_________________
Death by snoo-snoo!
Back to top
View user's profile Send private message
miroR
l33t
l33t


Joined: 05 Mar 2008
Posts: 826

PostPosted: Sat Sep 26, 2015 8:30 pm    Post subject: Reply with quote

I just wrote a post in another topic of mine:

2yrs old maildrop still in portage, OK?
https://forums.gentoo.org/viewtopic-t-1027610.html#7820130

where I thank:
Quote:

...
old guard Mozilla...
...
And to you goes my gratitude for opening up the TLS traffic for us.
...

In the other context I wrote it, and it belongs there.

However, if anybody is already familiar (as I intend to become, but do not expect to become soon) with how the TLS decryption for the poor users like me (see there the exact meaning of the phrase), came to exist, of which read there, but, pls do reply here (I am to blame, but it's already done... tired and also of unstable health...)...

Oh, I have to post that part over in the very next post to this one... I have to do that. Pls. give me a few minutes...

And it anyone is familiar enough to tell to the public about my question in the next post, and that I began in the above linked topic, please share your information with us.

Just a few minutes, please...

Regards!
Back to top
View user's profile Send private message
miroR
l33t
l33t


Joined: 05 Mar 2008
Posts: 826

PostPosted: Sat Sep 26, 2015 8:39 pm    Post subject: Reply with quote

So this is my qualm and my query.

Rephrasin somewhat from the link already posted in my previous post in this topic.

As you can see, I am busy on the TLS decryption that I always thought on the verge of being impossible other than for the Octopuses like Schmoog (y'know: the Schmoogle)... but possible it is, for little Unix's own G. I. Jones like me.

And I have to admit there must be some good ole guard still there in Mozilla, when I see that it is possible for poor users like me, in probably all sessions online, with Firefox...

(
And surely the Schmoog follows suit with their Chrome... Namely it is possible with Chrome too (which I don't use.

Y'know(, Schmoog follows suit), just like the Schmoog was the one that, at the same time when the true discoverers of the Heartbleed bug, some Skandinavian team --can't go in search for links, too busy-- the Schmoog was the one that decided that they need to be the discoverers of the Heartbleed too...

I'll allow it here: [I]f [I] [U]nderstand [C]orrectly. Not for the Heartbleed. That is hardly a matter for discussion. The Schmoog knows more than anyone. Even more that those who they serve painstakingly straining their looks to appear innocent from mass surveillance for them: the NSA...

But IIUC on the Chrome following suit after old guard Mozilla devs apparenty decided to work for the users, for the true interests of the users.

And so to you, old guard Mozilla, to you goes my gratitude for opening up the TLS traffic for us, again, [I]f [I] [U]nderstand [C]orrectly, but I bet that I do.

)

So you see, the world thought unknown to me, and surely not just me, has slowly been opening to me, and many, now.
Back to top
View user's profile Send private message
miroR
l33t
l33t


Joined: 05 Mar 2008
Posts: 826

PostPosted: Sun Sep 27, 2015 7:10 pm    Post subject: Reply with quote

Code:

da504f6780bfaad3e40b9c9b6ae90407f24c51857e0026abca7476b0a8edcf01  one-piece-of-data
5ad8d862eb3cef55c2d3f991e943a54ea8a51d6495822927b8dfbcf7da49303f  another-piece-of-data


Talk follows. for the patient, soon enough.
Back to top
View user's profile Send private message
miroR
l33t
l33t


Joined: 05 Mar 2008
Posts: 826

PostPosted: Sun Sep 27, 2015 7:34 pm    Post subject: Reply with quote

Ah, things have changed (in a special way), so there's:
Code:

7b1de87c866e9834278560a034a20370d10fc2c4f26f1d8c64d3d470667c329a  yet-another-piece-of-data


Good to have these two posts on these data pieces hashes, esp. since I document with my uncenz program (link given in some of the previous posts). No, not for Gentoo folks (the following action, just read); Gentoo Forums have been honest in all the seven-eight years that I post on the forums, not them. But this method of rubbing the timestamp of when something happened is for other faces...

As I said, talk follows. for the patient, soon enough.
Back to top
View user's profile Send private message
miroR
l33t
l33t


Joined: 05 Mar 2008
Posts: 826

PostPosted: Tue Sep 29, 2015 9:39 am    Post subject: Reply with quote

This will not be anything so special, like I thought at first.
EDIT 2015-10-01 19:41+02:00:
All the files are uploaded:
http://www.CroatiaFidelis.hr/foss/cap/cap-150927-TLS-why-js/
EDIT END

EDIT 2015-11-08 11:22+01:00:
And checked: their integrity is verifiable (there was one file, the dLo.sh and its dLo.sh.sig missing, but I'd need to check up my uncenz archive, and would probably find I forgot to upload them.

Pls find and apply the newbie tip for downloading these for testing/practicing at:

< this same topic >
https://forums.gentoo.org/viewtopic-t-1029408.html#7822806
(as it applies here in similar way)

To not edit thie post repeatedly, all the topic up until anything 2015-11 was done with wireshark-1.x (and tshark).

wireshark-2, that I now use, appears to either be still unstable, or to have some changes that I can't figure if they make or don't make any difference in regard to this whole topic. And that is why I'm checking all this topic with wireshark-2. If all I wrote applies for wireshark-2, I don't need to post any notices in this topic, if it does, search at the head of the first post, or in the newest post, as I'll surely report about it.
EDIT END

Something a little suspicious will not be easily denied, but it's not much.

It's not simple to explain, though. Not at all. (And also I haven't researched it all through yet.)

But maybe the comparison btwn my calm and worry-free browsing with Dillo for 856 sec (almost 15 minutes), and my opening of the same one single page during the short online time of browsing the same one page with Firefox for 61 sec (1 minute)[*], will give you a clear feeling of some surprise and bewilderment that overtook me, and made me study primarily these one single minute of my online with Firefox on one single page... ever since shortly before I posted the hashes in my two previous posts. in this topic.

Haven't been doing almost anything but that ever since. Also because I'm still happy I can decrypt the traffic that I thought I maybe never will be able to...

It's two sets of files, about browsing of the same page (and, with the gentle Dillo, it's more browsing of other pages too).

It unnerved me greatly how SourceForge --I wasn't able to find any other possible cause to the problem but the SF-- wouldn't post publicly the attachments to the lurker-users mailing list:

[Lurker-users] Installing Lurker on Gentoo
http://sourceforge.net/p/lurker/mailman/message/34469526/
( and see the thread I started there )

And so I searched for how I posted two years ago, to another mailing list hosted on SourceForge.

That other ML that I posted to was Courier-Maildrop ML, and I decided, on the 21 of Sept 2015, as the timestamp in the filename (read on) will tell you, that I wanted to see if back then it showed (which let's say is hard to know), or, at least, to see if it now shows correctly the attachments sent with that email to the Maildrop list.

First, on what Maildrop is, and why I recommend it for true Unixers-to-be, read here:

Postfix smtp/TLS, Bkp/Cloning Mthd, Censorship/Intrusion
https://forums.gentoo.org/viewtopic-t-999436.html#7696102

and around.


And, as you will see from the screencast, and be able to verify from the network traffic corresponding to that screencast, lo and behold, it doesn't show the attachments to that old email either!

Even worse! For some reason, as soon as there are attachments in an email, the plain simple text of the email is not shown on SourceForge either!

In this topic, I first do want to make it clear here what my browsing was about. But the topic is about the decrypted traffic related to that browsing.

On the 2015-09-21 I did the search, and you can see (from the screencast) that, with Dillo, I visited a few other pages, other than just that same page as with Firefox.

And, yes, on the 2015-09-27, I opened, with Firefox, only this one page, the same one that I had also opened on the 21st (except on the 21st I opened quite a few other pages as well):

My standalone maildrop configuration files
http://sourceforge.net/p/courier/mailman/message/31585709/

And it stunned me how much traffic, and with miserable usefulness, as explained above, there happened btwn me and a few hosts, not just SourceForge!, during that 61 sec! And with miserable usefulness, unless you count ads and harvesting of data as useful.[**]

These are the two sets of files:
Code:

f713de433baca4fe4745349a8e63b664fbd534303e4718c8184889fa52c50eb3  dump_150921_2332_g0n.pcap
746079a3d60208fd13374e5444560e334aaafbf407e3b6f9f943e3846b5fef45  Screen_150921_2332_g0n.mkv
[**]

and
Code:

da504f6780bfaad3e40b9c9b6ae90407f24c51857e0026abca7476b0a8edcf01  dump_150927_1848_g0n.pcap
5ad8d862eb3cef55c2d3f991e943a54ea8a51d6495822927b8dfbcf7da49303f  Screen_150927_1848_g0n.mkv


Have a look. I'll also show the tshark commands that I used, and if you set you Wireshark up with my sslkey.log,
Code:

7b1de87c866e9834278560a034a20370d10fc2c4f26f1d8c64d3d470667c329a  SSLKEYLOGFILE_150927_1848_g0n.log

you will be able to reproduce and verify all that I will post (but give me --much?-- more time; this is huge work, and the partly examined TLS and SSL streams are likely just run-of-the-mill, or too convoluted Javascript programming pieces in there for me to figure out how they harvest my data).

Just no more instructions on how to set the $SSLKEYLOGFILE up, get it from the linked information where I got it from.

Now before I try and ask on Wireshark if it is possible to post on:

https://ask.wireshark.org/

with Dillo, I'll try and post in my very next post a few summary tshark lines on the two traffic dumps, the dump_150921_2332_g0n.pcap and dump_150927_1848_g0n.pcap.

---
[*] In truth it is some cca. 45 seconds online only, as only after I start [color]uncenz[/color] do I plug in my connectiong physically, and always before I kill [color]uncenz[/color] do I physically unplug the connection.

[**] The timestamps for the set made and carrying timestamp of 150921_2332 should have been:
Code:

$ ls -l dump_150921_2332_g0n.pcap  Screen_150921_2332_g0n.mkv
-rw-r--r-- 1 miro miro   675772 2015-09-21 23:48 dump_150921_2332_g0n.pcap
-rw-r--r-- 1 miro miro 89116406 2015-09-21 23:48 Screen_150921_2332_g0n.mkv

and it was till I decided that saving 50M matters, and reconverted the screencast with FFmpeg's default settings:
Code:

$ ffmpeg -i Screen_150921_2332_g0n.mkv   Screen_150921_2332_g0nR.mkv
$ mv Screen_150921_2332_g0nR.mkv Screen_150921_2332_g0n.mkv

and so now the 'cast is:
Code:

-rw-r--r-- 1 miro miro 36937400 2015-09-29 01:02 Screen_150921_2332_g0n.mkv

Just to prevent any objections about veracity of my statements. My uncenz (linked previously in this topic) surely has ' -preset ultrafast' in its options and produces a little bulky 'casts. Reconversion was due for this larger of the two 'casts.

[***] A note is due. Sure, it's because of the Javascript (that runs, what tests?, what checks?, with all those hundreds and thousands of lines worth of scripts --when expanded, because they're mostly crammed onto single, or just a handful, of lines) that Dillo employs none... But what usefulness is there to that Javascript? Just to show me the page I asked? Really?... I don't think anyone can defend that stance. And also, how does a user remain in control here, with all that plethora of work by such Javascript, on his machine?


Last edited by miroR on Sun Nov 08, 2015 10:35 am; edited 3 times in total
Back to top
View user's profile Send private message
miroR
l33t
l33t


Joined: 05 Mar 2008
Posts: 826

PostPosted: Tue Sep 29, 2015 9:46 am    Post subject: Reply with quote

EDIT 2015-11-02 13:06+01:00:
Update on including named hosts in the listing exists now.
EDIT END
The same page (along with quite a few other pages) browsed with Dillo:
# tshark -r dump_150921_2332_g0n.pcap -q -z io,stat,0
Code:

====================================
| IO Statistics                    |
|                                  |
| Duration: 856.3 secs             |
| Interval: 856.3 secs             |
|                                  |
| Col 1: Frames and bytes          |
|----------------------------------|
|                |1                |
| Interval       | Frames |  Bytes |
|----------------------------------|
|   0.0 <> 856.3 |   1299 | 633411 |
====================================


The same page (and no other pages whatsoever opened by user, or shown to user,
as the screencast shows[*]) browsed with Firefox:
# tshark -r dump_150927_1848_g0n.pcap -q -z io,stat,0
Code:

==================================
| IO Statistics                  |
|                                |
| Duration: 61.4 secs            |
| Interval: 61.4 secs            |
|                                |
| Col 1: Frames and bytes        |
|--------------------------------|
|              |1                |
| Interval     | Frames |  Bytes |
|--------------------------------|
|  0.0 <> 61.4 |   1878 | 917311 |
==================================


---


With Dillo:
# tshark -r dump_150921_2332_g0n.pcap -q -z conv,ip
Code:

================================================================================
IPv4 Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
192.168.1.3          <-> 46.51.197.89             241    176700     231     33872     472    210572    24.019174000       589.7156
205.134.191.174      <-> 192.168.1.3              145     11238     121    119608     266    130846   338.249268000       195.8425
216.34.181.60        <-> 192.168.1.3              113      9762     112    115825     225    125587   618.279041000       233.4181
192.168.1.3          <-> 137.117.229.219          104    114329     104      8883     208    123212    83.952226000       157.7557
192.168.1.3          <-> 67.158.26.137             26     34744      28      2182      54     36926    57.560851000         0.8682
192.168.1.3          <-> 192.168.1.1                7      1091       8       604      15      1695    57.267513000       280.9814
224.0.0.1            <-> 10.16.96.1                 7       434       0         0       7       434    90.990774000       749.9971
255.255.255.255      <-> 192.168.1.1                1       592       0         0       1       592     0.510912000         0.0000
255.255.255.255      <-> 0.0.0.0                    1       409       0         0       1       409     0.488053000         0.0000
================================================================================


With Firefox:
# tshark -r dump_150927_1848_g0n.pcap -q -z conv,ip
Code:

================================================================================
IPv4 Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
192.168.1.2          <-> 23.63.127.118            397    527674     317     35578     714    563252    32.929597000        22.0994
127.0.0.1            <-> 127.0.0.1                408     39080       0         0     408     39080     0.000000000        61.4484
216.58.209.162       <-> 192.168.1.2               88     10607      98     60515     186     71122    34.602984000         2.9523
216.58.209.194       <-> 192.168.1.2               68      5777      62     65107     130     70884    33.133720000        20.1780
192.168.1.2          <-> 192.168.1.1               40     10925      40      3330      80     14255    30.476933000         7.9108
216.34.181.60        <-> 192.168.1.2               38      3568      37     28778      75     32346    32.363382000        11.3056
216.58.209.193       <-> 192.168.1.2               31      3118      39     39683      70     42801    35.857940000         0.3652
208.117.229.250      <-> 192.168.1.2               26      5645      24      8362      50     14007    33.388199000        22.8297
208.117.229.248      <-> 192.168.1.2               24      2410      23     17141      47     19551    34.879513000         0.3704
192.168.1.2          <-> 54.230.46.170             18     17623      21      1804      39     19427    33.136730000        20.2186
192.168.1.2          <-> 74.125.24.95              15      5580      19      2121      34      7701    32.923574000         1.5411
192.168.1.2          <-> 173.194.44.23             15      5511      17      2084      32      7595    35.448949000         0.3683
192.168.1.2          <-> 173.194.44.19             15      5887      17      2081      32      7968    35.124572000         0.3434
192.168.1.2          <-> 46.137.174.129            10      6364      13      1604      23      7968    34.896746000        20.4715
192.168.1.2          <-> 23.63.139.27               8      2523      11      1190      19      3713    35.064187000        20.1878
192.168.1.2          <-> 46.33.68.128               8      2488      11      1208      19      3696    33.139425000        20.1483
216.34.181.63        <-> 192.168.1.2                6       740       4       442      10      1182    31.386185000        20.6129
216.34.181.81        <-> 192.168.1.2                4       280       3       216       7       496    38.388114000         6.2801
224.0.0.1            <-> 10.16.96.1                 1        62       0         0       1        62    48.812905000         0.0000
255.255.255.255      <-> 192.168.1.1                1       592       0         0       1       592    22.120562000         0.0000
255.255.255.255      <-> 0.0.0.0                    1       409       0         0       1       409    22.101373000         0.0000
================================================================================

[**]

---
[*] It will show, if I manage to post both the screencasts and the traffic dumps publicly, hopefully on ask.wireshark.org.

[**] What is missing, and I don't know how to do it with tshark, is, I'd like to insert a column before the column that is currently the first columm, which inserted-to-be column would hold the resolved host name (such as google for the Schmoog; lots of it in Firefox, the Scmoog is sitting in Fox: not good!, such as akamai, pagead and stuff; ah!, also sourcefirge.net). And I want to ask on Wireshark how to do it.
( EDIT 2015-11-02 13:06+01:00:
Update on including named hosts in the listing exists now.
EDIT END )

[***] Pls. also see the bottom note in the previous post, on the feasibility of user' control of his machine when such browsing, as with the above, with Firefox, Javascript-"enhanced", goes on.


Last edited by miroR on Mon Nov 02, 2015 12:10 pm; edited 1 time in total
Back to top
View user's profile Send private message
miroR
l33t
l33t


Joined: 05 Mar 2008
Posts: 826

PostPosted: Thu Oct 01, 2015 11:39 am    Post subject: Reply with quote

I want to post what I found out. In June 2015, you can read:

[Dillo-dev] how about if we make a 3.0.5
http://lists.dillo.org/pipermail/dillo-dev/2015-June/010562.html

(3.0.5 is the current released version of Dillo, still as of 2015-10-01)

That summarizes it for people with too little knowledge of C/C++, and time, to delve into the sourcecode, like me.

That is a previous message taken notice of, and replied honestly, with full quote, as FOSS devs should always do with important previous messages. Kudos to Dillo devs!

However, Dillo devs are understaffed. No moneys there, like in the big browsers... And yet Dillo looks like the most promising true FOSS, poor users' privacy-defending browser...

I really hesitate to even send a message with the question on when is NSS (which I believe can be used by other browsers, can it?; NSS stands for Mozilla's Network Security Services, and it is NSS that got us the TLS decryption for Firefox), or some other method, going to be, if ever, deployed in Dillo, so that we can decrypt the TLS traffic?

Because currently there does not seem to be a way to decrypt the TLS traffic with Dillo.

But I will have to ask there about it. At some point in time...

About NSS, it's best to start from here:
https://en.wikipedia.org/wiki/Network_Security_Services

And I see clutches of a few big players that I don't like. It's not just the proverbial Larry and Sergey, the Schmoog the "do-no-evil" paramount associate firm of the top spies firm of the world...

It's also the owner of once-was-FOSS MySQL, and once-was-FOSS Java, who is also, I learned it now only, the proud owner of Sun as well, the Larry Oracle... I learned that when I saw

wikipedia.org wrote:

Applications that use NSS
... Sun Microsystems/Oracle Corporation ...

and those big players co-developed it.

But what is the alternative?

Do we have any?

And our privacy worldwide depends now on those people, brothers in *nix!

---
Also there is some hope, I'm sure, to get some more informaion on these issues with Postfix poeple. I really wish to be able to decrypt my mail communications too. Maybe this is a good start:

http://www.postfix.org/FORWARD_SECRECY_README.html

---
But I have to go and find a way to upload what I promised in my two previous posts to this one.

I would have already done it, but I see how, still, all of my understanding of what is going on when I connect online, is so hollowy (as of most *nix users; most all, other than the very advanced, the wizards or near-wizards, who can cope with all the complex issues there)...

Overwhelmed.
Back to top
View user's profile Send private message
miroR
l33t
l33t


Joined: 05 Mar 2008
Posts: 826

PostPosted: Thu Oct 01, 2015 4:12 pm    Post subject: Reply with quote

Sorry for more waiting next. I wasn't idle at all. And if only you could see the grin on my face, for a reason... But I promise you that you will chuckle with amusement too. More work though...

Just: I will keep to my word.

But I got a scoop. Probably. So first is posting this.

Code:

cf89395d8026e2491cbacbd033b99e0b78ff7c61db0bef107f90520d84aeba6c  dump_151001_1207_g0n.pcap
f7f559adbae55cc4eb6c60faaeec3fbba8ae6dbc0a20386d2ac29e4bccc91b15  Screen_151001_1207_g0n.mkv
8d5a35ef3d9a8e5e1e7887466f18dd7145ac9736b2a09a766be3aadd2d67f643  dump_151001_1248_g0n.pcap
#       TOO BIG, NOT WORTH KEEPING                                Screen_151001_1248_g0n.mkv
b1d9753b84401ad7e434496b5233ea44a2b72e79b3953b69e777b400e6bfb9de  dump_151001_1357_g0n.pcap
3d1ffd7df6bb9fc42f3dcf64e29a0299ca6f2126c97ee646d22cbfcbfa08fbe2  Screen_151001_1357_g0n.mkv
b0a69eec17ca0b77d66e34d54a6cebaea0f4e5084a8109f2a5aea93e70a4ddfa  dump_151001_1358_g0n.pcap
cc4d7086ee898f444269b3714200e6fc1dc5a09c6a27543b2eb585c8f6a0e555  Screen_151001_1358_g0n.mkv
1b40979df0b98fc3e360dbd1e3f44609455e5c22056d41eb5ad9d5cc256349f9  dump_151001_1659_g0n.pcap
682e6a5e335baeca61363b5aa97b10ae88b4107840d70d9a9eedc68a74444215  Screen_151001_1659_g0n.mkv
57887f12a27a7da6f169451259239b8d475c9be8f77b7a0133d2e5c04fa68118  dump_151001_1705_g0n.pcap
5bf4cdb4e12659cd8256a29626b4968dc1520c29d07a6c1f30b5b1ccc941643a  Screen_151001_1705_g0n.mkv
c221abdc47af4fbc03c119abe222944db2ee3b2612a4099269b466ff6d00f44f  dump_151001_1726_g0n.pcap
18ddd5c858ead21890ecce2cd3ea1b926d719b4ad6215cd5a4db9ff8265eb21f  Screen_151001_1726_g0n.mkv
beefad5844cebd2ed4e7435cfe620657178582bf7d72a11e86ba6da648778ceb  dump_151001_1728_g0n.pcap
5dc9c6c09022e9d122a7ccb73295dc7c9c43a1ec1aba2b7f56d29961acacc631  Screen_151001_1728_g0n.mkv #  will be kept
675fb31fddcef9593f29fe537f7f2230ad788e71bfbe8edae98463f07dec3a61  Screen_151001_1728_g0nR.mkv # the replacement, for publishing

First these I post, then fulfill the promise, then come back to explain the scoop.

(Actually the first thing is move these files away into Air-Gapped safe system. Even before posting this.)

Just the why for exceptions above:
Code:

$ ls -l Screen_151001_1248_g0n.mkv
-rw-r--r-- 1 miro miro 181055560 2015-10-01 13:43 Screen_151001_1248_g0n.mkv
$ ls -lh Screen_151001_1248_g0n.mkv
-rw-r--r-- 1 miro miro 173M 2015-10-01 13:43 Screen_151001_1248_g0n.mkv
$ ls -l Screen_151001_1728_g0n*.mkv
-rw-r--r-- 1 80683330 2015-10-01 17:42 Screen_151001_1728_g0n.mkv
-rw-r--r-- 1 32058028 2015-10-01 17:54 Screen_151001_1728_g0nR.mkv
$


Working...
Back to top
View user's profile Send private message
miroR
l33t
l33t


Joined: 05 Mar 2008
Posts: 826

PostPosted: Thu Oct 01, 2015 8:35 pm    Post subject: Reply with quote

Open in Wireshark the file dump_150927_1848_g0n.pcap.

I know it's not to be taken as Sacred Scriptures (the name resolution can sometimes be brazenly lied to by various subjects), but it's nice to have a fine and still very probable guess on who we are talking to, esp. since most of us, me and the readers are not (yet; some readers will likely be some day) experts. So...

...So Alt-S (or clik on "Statistics") and in the popdown that opened choose: "Show Address Resolution".

Copy and paste just the first less then 200 lines, and paste it into a file, what should we call it? We should call it by the dump we took it out, and give it the infix _RESO, and the extension .txt, I suggest. So paste into dump_150927_1848_g0n_RESO.txt that which you just copied.
Code:

$ cat > dump_150927_1848_g0n_RESO.txt

And after I did what I suggest you to do, it looks like this:

$ cat dump_150927_1848_g0n_RESO.txt
Code:

# Hosts information in Wireshark
#
# Host data gathered from /Cmn/mr/dump_150927_1848_g0n.pcap

205.251.193.85   ns-341.awsdns-42.com
173.194.44.19   www.google.com
216.34.181.81   goparallel.sourceforge.net
208.117.229.244   www-google-analytics.l.google.com
173.194.44.20   www.google.com
205.251.194.181   ns-693.awsdns-22.net
205.251.193.134   ns-390.awsdns-48.com
46.33.68.128   a1158.b.akamai.net
216.239.32.10   ns1.google.com
127.0.0.1   gbn.xdwgrp
208.117.229.245   www-google-analytics.l.google.com
205.251.199.100   ns-1892.awsdns-44.co.uk
195.22.200.158   n2b.akamai.net
46.137.174.129   consent-icon-frontend-1667419262.eu-west-1.elb.amazonaws.com
216.239.34.10   ns2.google.com
92.122.217.11   n1ce.akamaiedge.net
208.117.229.246   www-google-analytics.l.google.com
104.83.4.15   n7b.akamai.net
54.230.46.170   dd1f6ymc64rwu.cloudfront.net
195.22.200.159   n3b.akamai.net
216.239.36.10   ns3.google.com
104.83.5.158   n6g.akamaiedge.net
92.122.217.12   n3ce.akamaiedge.net
208.117.229.247   www-google-analytics.l.google.com
23.63.139.27   e8218.ce.akamaiedge.net
208.78.70.3   ns1.p03.dynect.net
208.78.71.3   ns3.p03.dynect.net
216.239.38.10   ns4.google.com
104.83.5.159   n7g.akamaiedge.net
208.117.229.248   www-google-analytics.l.google.com
173.194.44.23   www.google.hr
74.125.24.95   googleadapis.l.google.com
216.58.209.193   pagead-googlehosted.l.google.com
173.194.44.24   www.google.hr
208.117.229.249   www-google-analytics.l.google.com
205.251.199.231   ns-2023.awsdns-60.co.uk
216.58.209.162   pagead46.l.doubleclick.net
216.58.209.194   partnerad.l.doubleclick.net
208.117.229.250   www-google-analytics.l.google.com
23.14.93.240   n6ce.akamaiedge.net
205.251.196.123   ns-1147.awsdns-15.org
208.117.229.251   www-google-analytics.l.google.com
2.20.182.166   n2g.akamaiedge.net
54.228.218.185   consent-icon-frontend-1667419262.eu-west-1.elb.amazonaws.com
205.251.196.29   ns-1053.awsdns-03.org
23.14.93.242   n7ce.akamaiedge.net
104.83.4.21   n6b.akamai.net
195.22.200.165   n4b.akamai.net
23.63.127.118   e872.g.akamaiedge.net
104.83.5.164   n4g.akamaiedge.net
46.33.68.73   a1158.b.akamai.net
23.14.93.243   n4ce.akamaiedge.net
104.83.4.22   n5b.akamai.net
195.22.200.246   n0g.akamaiedge.net
216.34.181.60   sourceforge.net
173.194.44.15   www.google.hr
173.194.44.31   www.google.hr
80.157.149.222   n2ce.akamaiedge.net
173.194.44.16   www.google.com
88.221.81.192   n1b.akamai.net
92.122.214.245   n0ce.akamaiedge.net
204.13.250.3   ns2.p03.dynect.net
88.221.81.193   n1g.akamaiedge.net
176.34.179.148   consent-icon-frontend-1667419262.eu-west-1.elb.amazonaws.com
173.194.44.17   www.google.com
216.34.181.63   www.sourceforge.net
204.13.251.3   ns4.p03.dynect.net
173.194.44.18   www.google.com
23.14.93.232   n5ce.akamaiedge.net
205.251.194.227   ns-739.awsdns-28.net
195.22.200.251   n3g.akamaiedge.net
2a00:1450:400d:806::2002   pagead46.l.doubleclick.net
2a00:1450:4014:80b::1000   www-google-analytics.l.google.com
2a00:1450:400d:807::2001   pagead-googlehosted.l.google.com
2a00:1450:4016:802::1011   www.google.com
2a00:1450:400b:c02::5f   googleadapis.l.google.com
2a00:1450:4016:802::1017   www.google.hr
2a00:1450:4014:80a::1009   clients.l.google.com


# Address resolution IPv4 Hash table
#
# With 77 entries
#
Key:0x55c1fbcd IP: 205.251.193.85, Name: ns-341.awsdns-42.com
Key:0x132cc2ad IP: 173.194.44.19, Name: www.google.com
Key:0x0 IP: 0.0.0.0, Name: 0.0.0.0
Key:0x51b522d8 IP: 216.34.181.81, Name: goparallel.sourceforge.net
Key:0xf4e575d0 IP: 208.117.229.244, Name: www-google-analytics.l.google.com
Key:0x142cc2ad IP: 173.194.44.20, Name: www.google.com
Key:0xb5c2fbcd IP: 205.251.194.181, Name: ns-693.awsdns-22.net
Key:0x86c1fbcd IP: 205.251.193.134, Name: ns-390.awsdns-48.com
Key:0x8044212e IP: 46.33.68.128, Name: a1158.b.akamai.net
Key:0xa20efd8 IP: 216.239.32.10, Name: ns1.google.com
Key:0x100007f IP: 127.0.0.1, Name: gbn.xdwgrp
Key:0xffffffff IP: 255.255.255.255, Name: 255.255.255.255
Key:0xf5e575d0 IP: 208.117.229.245, Name: www-google-analytics.l.google.com
Key:0x64c7fbcd IP: 205.251.199.100, Name: ns-1892.awsdns-44.co.uk
Key:0x9ec816c3 IP: 195.22.200.158, Name: n2b.akamai.net
Key:0x81ae892e IP: 46.137.174.129, Name: consent-icon-frontend-1667419262.eu-west-1.elb.amazonaws.com
Key:0xa22efd8 IP: 216.239.34.10, Name: ns2.google.com
Key:0xbd97a5c IP: 92.122.217.11, Name: n1ce.akamaiedge.net
Key:0xf6e575d0 IP: 208.117.229.246, Name: www-google-analytics.l.google.com
Key:0xf045368 IP: 104.83.4.15, Name: n7b.akamai.net
Key:0xaa2ee636 IP: 54.230.46.170, Name: dd1f6ymc64rwu.cloudfront.net
Key:0x9fc816c3 IP: 195.22.200.159, Name: n3b.akamai.net
Key:0xa24efd8 IP: 216.239.36.10, Name: ns3.google.com
Key:0x9e055368 IP: 104.83.5.158, Name: n6g.akamaiedge.net
Key:0xcd97a5c IP: 92.122.217.12, Name: n3ce.akamaiedge.net
Key:0xf7e575d0 IP: 208.117.229.247, Name: www-google-analytics.l.google.com
Key:0x1b8b3f17 IP: 23.63.139.27, Name: e8218.ce.akamaiedge.net
Key:0x3464ed0 IP: 208.78.70.3, Name: ns1.p03.dynect.net
Key:0x101a8c0 IP: 192.168.1.1, Name: 192.168.1.1
Key:0x3474ed0 IP: 208.78.71.3, Name: ns3.p03.dynect.net
Key:0xa26efd8 IP: 216.239.38.10, Name: ns4.google.com
Key:0x9f055368 IP: 104.83.5.159, Name: n7g.akamaiedge.net
Key:0x201a8c0 IP: 192.168.1.2, Name: 192.168.1.2
Key:0xf8e575d0 IP: 208.117.229.248, Name: www-google-analytics.l.google.com
Key:0x172cc2ad IP: 173.194.44.23, Name: www.google.hr
Key:0x5f187d4a IP: 74.125.24.95, Name: googleadapis.l.google.com
Key:0xc1d13ad8 IP: 216.58.209.193, Name: pagead-googlehosted.l.google.com
Key:0x182cc2ad IP: 173.194.44.24, Name: www.google.hr
Key:0xf9e575d0 IP: 208.117.229.249, Name: www-google-analytics.l.google.com
Key:0xe7c7fbcd IP: 205.251.199.231, Name: ns-2023.awsdns-60.co.uk
Key:0xa2d13ad8 IP: 216.58.209.162, Name: pagead46.l.doubleclick.net
Key:0xc2d13ad8 IP: 216.58.209.194, Name: partnerad.l.doubleclick.net
Key:0x160100a IP: 10.16.96.1, Name: 10.16.96.1
Key:0xfae575d0 IP: 208.117.229.250, Name: www-google-analytics.l.google.com
Key:0xf05d0e17 IP: 23.14.93.240, Name: n6ce.akamaiedge.net
Key:0x7bc4fbcd IP: 205.251.196.123, Name: ns-1147.awsdns-15.org
Key:0xfbe575d0 IP: 208.117.229.251, Name: www-google-analytics.l.google.com
Key:0xa6b61402 IP: 2.20.182.166, Name: n2g.akamaiedge.net
Key:0xb9dae436 IP: 54.228.218.185, Name: consent-icon-frontend-1667419262.eu-west-1.elb.amazonaws.com
Key:0x1dc4fbcd IP: 205.251.196.29, Name: ns-1053.awsdns-03.org
Key:0xf25d0e17 IP: 23.14.93.242, Name: n7ce.akamaiedge.net
Key:0x15045368 IP: 104.83.4.21, Name: n6b.akamai.net
Key:0xa5c816c3 IP: 195.22.200.165, Name: n4b.akamai.net
Key:0x767f3f17 IP: 23.63.127.118, Name: e872.g.akamaiedge.net
Key:0xa4055368 IP: 104.83.5.164, Name: n4g.akamaiedge.net
Key:0x4944212e IP: 46.33.68.73, Name: a1158.b.akamai.net
Key:0xf35d0e17 IP: 23.14.93.243, Name: n4ce.akamaiedge.net
Key:0x16045368 IP: 104.83.4.22, Name: n5b.akamai.net
Key:0xf6c816c3 IP: 195.22.200.246, Name: n0g.akamaiedge.net
Key:0x3cb522d8 IP: 216.34.181.60, Name: sourceforge.net
Key:0xf2cc2ad IP: 173.194.44.15, Name: www.google.hr
Key:0x1f2cc2ad IP: 173.194.44.31, Name: www.google.hr
Key:0xde959d50 IP: 80.157.149.222, Name: n2ce.akamaiedge.net
Key:0x102cc2ad IP: 173.194.44.16, Name: www.google.com
Key:0xc051dd58 IP: 88.221.81.192, Name: n1b.akamai.net
Key:0xf5d67a5c IP: 92.122.214.245, Name: n0ce.akamaiedge.net
Key:0x10000e0 IP: 224.0.0.1, Name: 224.0.0.1
Key:0x3fa0dcc IP: 204.13.250.3, Name: ns2.p03.dynect.net
Key:0xc151dd58 IP: 88.221.81.193, Name: n1g.akamaiedge.net
Key:0x94b322b0 IP: 176.34.179.148, Name: consent-icon-frontend-1667419262.eu-west-1.elb.amazonaws.com
Key:0x112cc2ad IP: 173.194.44.17, Name: www.google.com
Key:0x3fb522d8 IP: 216.34.181.63, Name: www.sourceforge.net
Key:0x3fb0dcc IP: 204.13.251.3, Name: ns4.p03.dynect.net
Key:0x122cc2ad IP: 173.194.44.18, Name: www.google.com
Key:0xe85d0e17 IP: 23.14.93.232, Name: n5ce.akamaiedge.net
Key:0xe3c2fbcd IP: 205.251.194.227, Name: ns-739.awsdns-28.net
Key:0xfbc816c3 IP: 195.22.200.251, Name: n3g.akamaiedge.net


# Address resolution IPv6 Hash table
#
# With 12 entries
#
IP: fe80::1, Name: fe80::1
IP: 2a00:1450:400d:806::2002, Name: pagead46.l.doubleclick.net
IP: ff02::2, Name: ff02::2
IP: 2a00:1450:4014:80b::1000, Name: www-google-analytics.l.google.com
IP: 2a00:1450:400d:807::2001, Name: pagead-googlehosted.l.google.com
IP: 2a00:1450:4016:802::1011, Name: www.google.com
IP: 2a00:1450:400b:c02::5f, Name: googleadapis.l.google.com
IP: 2a00:1450:4016:802::1017, Name: www.google.hr
IP: ff02::1, Name: ff02::1
IP: 2a00:1450:4014:80a::1009, Name: clients.l.google.com
IP: ff02::1:2, Name: ff02::1:2
IP: fe80::20e:2eff:fee9:89b2, Name: fe80::20e:2eff:fee9:89b2


# Port names information in Wireshark
#
# With 6100 entries
#
Port 8191
     TCP  limnerpressure
    UDP  (null)



The above we just used to be in the clear how many conversations there were in those some 45 seconds...

Now, here's how you can get out of that pcapng file that you still have opened the js that Mozilla uses to get your data. That is surely only one of its mechanisms.

A note (for hasty and impatient readers, not to draw wrong conclusions)[/code]: This is not yet about TLS decryption. This tcp stream is not TLS encrypted.

Type this in the box labeled with "Filter:"
Code:

tcp.stream eq 9

and hit Enter.

The displayed packets will now reduce to just a handful or two or three handful of packets. Well you won't get those packets on the next Christmas, it's different kind of packets, and you won't get them in your hands. Your machine gets them...

All these packets were btwn my machine and the Mozilla cloud. It's a conversation, to and fro:
Code:

54.230.46.170   dd1f6ymc64rwu.cloudfront.net

If you don't see both of at least (if you switched off the name resolution in the Wireshark "Preferences") the numerical address, then you've not been following me correctly or something else is the matter. I'll assume that you have, and that you see.

Right click on any of the packats and click on "Follow TCP stream". What opens to you in a new window contains:
Code:

ET /get?name=notice.js&domain=slashdot.org&c=teconsent&text=true HTTP/1.1

Host: consent-st.truste.com

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0

Accept: */*

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://sourceforge.net/p/courier/mailman/message/31585709/

Connection: keep-alive



HTTP/1.1 200 OK

Content-Type: text/javascript

Content-Length: 15887

Connection: keep-alive

Access-Control-Allow-Origin: *

Cache-Control: max-age=86400

Content-Encoding: gzip

Date: Sun, 27 Sep 2015 02:44:44 GMT

Expires: Mon, 28 Sep 2015 02:44:44 GMT

Pragma: public

Server: TXS

Vary: Accept-Encoding

Age: 50668

X-Cache: Hit from cloudfront

Via: 1.1 b451ce1932d9b97c4ef54f2f37ecb931.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 0hUbsESnHoM6beWEUO_4UZgc9T8EY85vANmfLTe-wXCDU1mOpvi40g==



...........}y..6....)...LZ.ZR..%3...I<.....L......$.)Q&.>.....  ......vw'm.7
..P(,v.?...q...,./..e...n.........D...;..UM._.i.....q.8..........~.....?.
~{...kn.<.....\d.r..]..Tx...O...4\.i.........^......u.m....
Y.hS...Q.......w....o./...+w!...IC.....2.oY...l..[v..7.._,..e.+.n.nY...._....e.....|
.......G?....8\..\k.....,O...t..v.&.c..X+.C.|}..6.I..........-Y..L...c..E.ZW,5.X.
.w..v/;..q..-.c..23..i;.......e....{..t..l....  ][.....(.;.U?...


You can't read the most of it, the second part, after the headers, of which I pasted just a little in the paste above, because it is, as the HTTP header (all that is readable are HTTP-headers, they don't show in the page or be it something else that you're getting from some source, they direct you, the client how to deal with the page, or other content)...

You can't read the most of it, because it is, as the HTTP header tells you (which I'm repasting):
Code:

Content-Encoding: gzip

because it's gzipped.

Save that which you opened as, e.g.: dump_150927_1848_g0n_s09.dump.

You probably could cut out the HTTP headers with some good editor like Vim, XEmacs, Nano... , save that second part with '.gz' extension and gunzip it, but it's better to use hexedit or such hex editor.

So:

Code:

$ hexedit dump_150927_1848_g0n_s09.dump


The string that you need to find, in hex, is "1F8B08". The beginning of the gzipped archive. Read 'man hexedit' and try to select, copy and paste into a new file the whole content from that sting to end of the file.

When (upon hitting Esc-O) you are asked for the name of the new file into which to save what you copied, give it the name dump_150927_1848_g0n_s09.gz.

In my case, after I pasted in that name, this is what it looked like, pasting just these lines:


Code:

00004010   77 24 16 ED  A4 79 88 4A  F6 71 E9 97  08 34 6D 0C  w$...y.J.q...4m.

                                      File name: dump_150927_1848_g0n_s09.gz

00004050   52 17 20 1D  22 08 C4 D1  4B F3 CE C4  22 0A E3 20  R. ."...K..."..


And I hit Enter, and exited hexedit with Ctrl-X.

Apparently I did it right, because:
Code:

$ file dump_150927_1848_g0n_s09.gz
dump_150927_1848_g0n_s09.gz: gzip compressed data, from Unix

And:
Code:

$ gunzip dump_150927_1848_g0n_s09.gz
$ file dump_150927_1848_g0n_s09
dump_150927_1848_g0n_s09       dump_150927_1848_g0n_s09.dump
$ file dump_150927_1848_g0n_s09
dump_150927_1848_g0n_s09: ASCII text, with very long lines
$

(the second line above is just me pressing Tab, to see what I have after "dump_150927_1848_g0n_s09": the "dump_150927_1848_g0n_s09" vanished.)

And here's just part of that huge file, that, BTW, ought to be renamed to what it is:

Code:

$ mv -iv dump_150927_1848_g0n_s09 dump_150927_1848_g0n_s09.js


So here's just parts of it (and I cut the lines which would not wrap, so it's imprecise, this paste):
Code:

function
_truste_eu(){truste=self.truste||{};truste.eu=truste.eu||{};truste.eu.version="v3.12-21";
truste.eu.COOKIE_DAX_NAME="notice_dax_signature";truste.eu.COOKIE_PREF_NAME="notice_preferences";
truste.eu.COOKIE_CATEGORY_NAME="optout_domains";truste.util=truste.util||{};truste.util.getUniqueID=function(){return"truste_"+Math.random()};
truste.util.getIntValue=function(h){h=parseInt(h);return
isNaN(h)?null:h};truste.util.getScriptElement=function(h,k){"string"==typeof
h&&(h=RegExp(h));if(!(h instanceof
RegExp))return null;for(var
a=self.document.getElementsByTagName("script"),d,b=a.length;0<b--&&(d=a[b]);)if((k||!d.id)&&h.test(d.src))return
d;return null};truste.util.initParameterMap=function(h,k){k instanceof
Object||(k={});if(h&&"string"==typeof h.src){var
a,d=k._url=h.src;if(d=(k._query=d.replace(/^[^;?#]*[;?#]/,""))
.replace(/[#;?&]+/g,"&"))for(d=d.split("&"),a=d.length;0<a--;){var
b=d[a].split("="),c=b.shift();k[c]||(k[c]=decodeURIComponent(b.length?b
.join("="):""))}h.id=k.sid=k.sid||truste.util.getUniqueID()}else
k._query=
...[snipped 15 lines]...
self.postMessage?truste.util.addListener(self,"message",
truste.eu.msg.msgListener):truste.eu.msg.poller.callback=truste.eu.msg.msgListenerIE7;truste.eu.mobile=truste.eu.mobile||{isMobile:!1,
checkIfMobile:function(){var
a=self.navigator.userAgent||self.navigator.vendor||self.opera,d=/1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a
wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|\-m|r
|s
)|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw\-(n|u)|c55\/|capi|ccwa|cdm\-|cell|chtm|cldc|cmd\-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc\-s
...[the ugly really long and hardly legible jumbo saussage above cut to remain within the space we have here ;-) ]...
...[Have a look at this one here: all options are on the table!]...
return/(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od|ad)|iris|kindle|lge
|maemo|midp|mmp|netfront|nexus (7|s|one)|galaxy.*nexus|opera m(ob|in)i|palm(
os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows
(ce|phone)|xda|xiino/i.test(a)||d.test(a.substr(0,
4))}};truste.eu.mobile.isMobile=truste.eu.mobile.checkIfMobile();truste.eu._listeners=[];truste.eu.cancelCmTimeout=null;truste.eu.cmLoading=
!1;truste.eu.addEventListener=function(a,d){if(a&&"function"==typeof
a){for(var
b=-1,c=0,e=truste.eu._listeners.length;c<e;c++)if(truste.eu._listeners[c]===a){b=c;break}b+1&&d?truste.eu._listeners.splice(b,
1):b+1||truste.eu._listeners.push(a)}};truste.eu._dispatchEvent=function(a,d){for(var
b=truste.eu._listeners.length;0<b--;)try{truste.eu._listeners[b](a,d)}catch(c){}};truste.eu.actmessage=function(a){var
d=truste.eu.bindMap;if(a&&"preference_manager"==a.source)switch(a.message){case
"submit_preferences":if(null!=
a.data){var b=parseInt("object"==typeof
a.data?a.data.value:a.data);isNaN(b)||(d.prefCookie=b,truste.util.trace("changing
preference to:
"+d.prefCookie),truste.util.createCookie(truste.eu.COOKIE_PREF_NAME,
d.prefCookie+":"+d.daxSignature,a.data.expires,!0),truste.
eu.sendclosereport=!1,truste.eu.caIcon&&truste.eu.caIcon.setAttribute("consent",d.prefCookie))}break;case
"cm_loading":truste.eu.cmLoading=!0;break;case "change_panel":"string"==typeof
a.data&&(null!=truste.eu.cancelCmTimeout&&(clearTimeout(truste.eu.cancelCmTimeout),
...[cut out 61 lines here]...
a.parent}catch(e){}a.addEventListener?(a.addEventListener("message",c.messageListener,
!1),a!=b&&b.addEventListener("message",c.messageListener,!1)):(a.attachEvent("onmessage",c.messageListener),
a!=b&&b.attachEvent("onmessage",
c.messageListener))}c.fake.consentDecision=null;c.fake.capabilities.push("getConsentDecision");d.version="3.12";return
d}(truste.eu.noticeLP);self.TRUSTE_CMAPI_DEBUG=self.PREF_MGR_API_DEBUG;truste.cma.debug=truste.util.debug;truste.eu.bindMap?truste.eu.init(null,
1):truste.util.addScriptElement(truste.eu.SOURCE_SERVER+
"?js=1&"+truste.eu.noticeLP._query,truste.eu.init,null,!0)}self._truste&&(self._truste.eu=_truste_eu)||_truste_eu();


OK. That's how it generally works. Now let's do it with a decrypted TLS stream. In the next post.

Ah, I forgot. That JS, surely is for me to see the page so perfectly and that I don't complain. It's about the user, right?

No! No! It's about control over me, the poor user! It's about tracking me, knowing all about my machines, and me. I really have no time for Javascript right now, but that is part of a big mosaic of data harvesting that goes on against the users all the time. And that data is sold. So big browsers, big money. The money comes from numbers of users. A few dimes per each is a lot of moneys. But that is such a shady world there! All kinds of games in there...

Make Dillo, make Lynx, make those good browsers strong. Don't let us in the clutches of these big-players-in-control browsers, dear [F]ree [O]pen [S]ource [S]oftware developers!

And you, Mozilla, revert from the Schmoog's ways and leave Schmoog's embrace, Mozilla, if you can! Let the Schmoog alone doing his spying. You don't spy. Be yourself like long time ago, if you can.
Back to top
View user's profile Send private message
miroR
l33t
l33t


Joined: 05 Mar 2008
Posts: 826

PostPosted: Thu Oct 01, 2015 8:39 pm    Post subject: Reply with quote

Now there are 42 tcp streams in that dump_150927_1848_g0n.pcap file.

There needs to be a way to automate the extraction of the tcp strems, those that weren't originally encrypted and those that were encrypted, and can only be decrypted, given the PFS employed (the Perfect Forward Secrecy), if you have its session key.

I have no time to study lua, which Wireshark employs, but if anybody can teach us how to use it, it would be so great!

For that reason, I haven't studied all of the streams. It's too repetitive and turesome! And so I may not have the best example Javascript at hand from the traffic capture.

The method I won't repeat here.

You can close the file and check that you did correctly all that SANS Training explained to you in their PDF linked from the Wireshark Wiki. Revisit the previous post if you got lost.

Now you need to use the keylog file that I posted on:

LINK HERE

(but you already know about it, else you wouldn't have that dump_150927_1848_g0n.pcap opened, would you?

And, exampli gratia, do:
Code:

$ cp -iav SSLKEYLOGFILE_150927_1848_g0n.log ~/.sslkeylogfile.log


It is best that you get that file only read and write permission. No need for execute perms like in the PDF (didn't notice any other faults). So (not chmod 700, but):

Code:

$ chmod 600  ~/.sslkeylogfile.log


Surely there's the SSLKEYLOGFILE environment variable and the setting in the "Preferences" that need to be set correctly too.

And, now when you open that tile again (had you tried previously you wouldn't get anything decrypted). you'll be able to see all honest SSL streams in their decrypted content.


So let's reopen the dump_150927_1848_g0n.pcap file, and let's do:

Code:

tcp.stream eq 5


This time "Follow ssl stream".

Save it as: dump_150927_1848_g0n_s05-ssl.dump (with the infix '-ssl' so you know you got it from following SSL stream).

Here's what should open for you. But again, you'll have to hexedit it. Three files there to extract.
Code:

GET /allura/nf/1443116597/_ew_/theme/sftheme/js/sftheme/modernizr.custom.90514.js HTTP/1.1

Host: a.fsdn.com

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0

Accept: */*

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://sourceforge.net/p/courier/mailman/message/31585709/

Connection: keep-alive



HTTP/1.1 200 OK

Server: nginx

Content-Type: application/x-javascript

Access-Control-Allow-Origin: *

Accept-Ranges: bytes

ETag: "1424736091.61-9496"

Last-Modified: Tue, 24 Feb 2015 00:01:31 GMT

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

Vary: Accept-Encoding

Content-Encoding: gzip

Cache-Control: public, max-age=31341714

Expires: Sat, 24 Sep 2016 10:51:06 GMT

Date: Sun, 27 Sep 2015 16:49:12 GMT

Content-Length: 3833

Connection: keep-alive



...........Z[s.8.~?....Q...$...dN6q2..

..[lots of complete gibberish cut out here]...

..'2.......%..GET
/allura/nf/1443116597/_ew_/_slim/css?href=tool%2Fmailman%2Fcss%2Fmailman.css%3Ballura%2Fcss%2Fforge%2Fhilite.css%3Ballura%2Fcss%2Fforge%2Ftooltipster.css
HTTP/1.1

Host: a.fsdn.com

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0

Accept: text/css,*/*;q=0.1

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://sourceforge.net/p/courier/mailman/message/31585709/

Connection: keep-alive



HTTP/1.1 200 OK

Server: nginx

Content-Type: text/css

Accept-Ranges: bytes

ETag: "1443292082.92-16762"

Last-Modified: Sat, 26 Sep 2015 18:28:02 GMT

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

Vary: Accept-Encoding

Content-Encoding: gzip

Cache-Control: public, max-age=31455530

Expires: Sun, 25 Sep 2016 18:28:02 GMT

Date: Sun, 27 Sep 2015 16:49:12 GMT

Content-Length: 3557

Connection: keep-alive



...........[[s.6.~..@..

..[lots of complete gibberish cut out here]...

.AXj............._.99.\.....m3..w.F....l./W....[f......U!zA..GET /allura/nf/1443116597/_ew_/theme/sftheme/images/sftheme/32x32/code_32.png HTTP/1.1

Host: a.fsdn.com

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0

Accept: image/png,image/*;q=0.8,*/*;q=0.5

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://sourceforge.net/nf/tool_icon_css?1443116597

Connection: keep-alive



HTTP/1.1 200 OK

Server: nginx

Content-Type: image/png

Access-Control-Allow-Origin: *

Accept-Ranges: bytes

ETag: "1425517460.08-973"

Last-Modified: Thu, 05 Mar 2015 01:04:20 GMT

Content-Length: 973

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

Cache-Control: public, max-age=31341609

Expires: Sat, 24 Sep 2016 10:49:22 GMT

Date: Sun, 27 Sep 2015 16:49:13 GMT

Connection: keep-alive



.PNG

.
...
IHDR... ... .....szz.....tEXtSoftware.Adobe ImageReadyq.e<...oIDATx..WK

..[lots of complete gibberish cut out here]...

..f..J.Ur.@??...../.?...q......?....IEND.B`.

The third, the last is a PNG.
Code:

$ hexedit dump_150927_1848_g0n_s05-ssl.dump

and search for hex string '89504E', cut from there to end and save into a new file as dump_150927_1848_g0n_s05-ssl_03.png. Then if necessary go back to search for the same string and truncate the file at that point. Now that file has only two files to extract left.

Go to top. Search for the familiar '1F8B08' string, but take the second one. Select to end, copy, save as dump_150927_1848_g0n_s05-ssl_02.gz. Truncate in the same manner.

Go to top. Search for the familiar '1F8B08' string, there's only one left. Save from there to end in a new file dump_150927_1848_g0n_s05-ssl_01.gz.

The three files (after gunzip'ing the first two, and renaming them):
Code:

$ ls -l dump_150927_1848_g0n_s05-ssl_0?.*
-rw-r--r-- 1 ukra ukra  9497 2015-10-01 22:09 dump_150927_1848_g0n_s05-ssl_01.js
-rw-r--r-- 1 ukra ukra 16762 2015-10-01 22:05 dump_150927_1848_g0n_s05-ssl_02.css
-rw-r--r-- 1 ukra ukra   973 2015-10-01 22:04 dump_150927_1848_g0n_s05-ssl_03.png
$

The JS is the modernizr script, now obsolete, I believe, for HTML5, or related...

Never mind, I hope some will find this not such a bad practice. And if anybody teaches us some Lua scripts, great. Because this is very cumbersome, not having some means to look up the streams quickly. Remember this is just 45 seconds, and I couldn't get to the bottom of if (42 streams! in 45 seconds) at all.

Like I said, my first decrypted online was really not much at all. But I had to keep my promise.
Back to top
View user's profile Send private message
miroR
l33t
l33t


Joined: 05 Mar 2008
Posts: 826

PostPosted: Fri Oct 02, 2015 2:56 pm    Post subject: Reply with quote

EDIT 2015-10-04 16:23+02:00 :
Revised this post for typoes, improved the wording in some sentences, and added the [***] note in bottom.
EDIT END

I'll try and post the files upfront this time, so you can check as soon as you read this and possibly (or should I say hopefully; there will be some feathers ruffled, and maybe adverse consequences/actions against me) [and possibly] in a few next posts. There are issues, and I am not ready to go the Javascript way onto the possibly-Schmoog-friendly ask.wireshark.org in my tiny, and in a peculiar way, regimatic environment (the internet is broken down and control given to smaller entities per the local power/regime, with the master entity, the U.S. (read: the NSA) keeping all the threads, therefore the "in a peculiar way") [*].

The files to look up and run the commands below against, will be on:

http://www.croatiafidelis.hr/foss/cap/cap-151001-legalis-login/

The important file without which you can't decrypt any of te SSL streams, and that needs to be set up as previously explained (in the PDF linked document by SANS Training), is the file with the session keys for all of this set (or even more). [**]

The SSLKEYLOGFILE_151001_1358_g0n.log.

Maybe you can do best to download just the dLo.sh file. Make a dir where you have perms. Enter that dir and run it:

Code:

$ ./dLo.sh


It will download all that is currently in the cap-151001-legalis-login/ .

Download them to be able to run the commands below, and check on the veracity of my claims/help us solve what I can not solve.

Because I also post this because I may need some help to figure out things. If any of you wizards are benevolently reading this, from Wireshark mailing lists, from higher echalons in Gentoo, or elsewhere, and you know how to solve the real hurdles that will be in your plain sight, if those hurdles are at all solvable, do join in with your kind advice. You will have my gratitude, and I am sure, respect from other readers of this topic!

The first set to examine is of the time: 2015-10-01 13:58 CET (as it carries the timestamp 151001_1358, and I live in Zagreb, Croatia).

tshark -r dump_151001_1358_g0n.pcap -q -z expert,note,tcp
Code:

Errors (3)
=============
   Frequency      Group           Protocol  Summary
           2  Malformed                TCP  New fragment overlaps old data (retransmission?)
           1  Undecoded               SPDY  Inflation failed. Aborting.

Warns (37)
=============
   Frequency      Group           Protocol  Summary
          34   Sequence                TCP  Connection reset (RST)
           1  Undecoded                SSL  BER: Dissector for OID not implemented. Contact Wireshark developers if you want this supported
           2   Sequence                TCP  TCP transmission window is now completely full

Notes (267)
=============
   Frequency      Group           Protocol  Summary
          97   Sequence                TCP  TCP keep-alive segment
          88   Sequence                TCP  ACK to a TCP keep-alive segment
          62   Sequence                TCP  This frame is a (suspected) retransmission
          17   Sequence                TCP  Duplicate ACK (#1)
           1  Malformed               HTTP  HTTP body subdissector failed, trying heuristic subdissector
           1   Sequence                TCP  Duplicate ACK (#2)
           1   Sequence                TCP  Duplicate ACK (#3)


A preemption first. Looking back, did anybody see anything faulty in my Gentoo's setup in those network traffic captures on that maildrop-users mailing list hosted on SourceForge?

I'm so glad, now, that I already posted those dumps. See my two previous posts (and maybe read further back if you parachuted in here).

Now if anybody would be trying to sell us the crap that I should need to fix my machine, because it were, in his opinion, broken, such (possible) individual only needs to redirect his/her own attention to how smooth my setup works on internet conversations with honest hosts. Thanks. Period dot.

I can't give detailed analysis of this traffic capture as I don't yet speek Lua (no time to study it now) and it's too much work do it manually, but maybe I could call readers' attention to three particular tcp streams: We'll be pasting, in the filter, first "tcp.stream eq 61" (because the screencast tells us to, even though it's out of order), then "tcp.stream eq 16", and then "tcp.stream eq 56".

I'll post some extracted files in the corresponding folder named after the dump: dump_151001_1358_g0n.d/

1) So you should see how it is that the screencast tells us to look up the stream 61 first, to get a clearer picture. You can see there troubles right at start if you download and view the screencast Screen_151001_1358_g0n.mkv.

WARNING: if your technical interests are strict on this topic, skip to "WARNING END"
But a note is due. I want to try and see if I can ask some legalese on the Croatian Legal Forums (Hrvatski Pravni Portal) in connection with my correspondence with my providers who arbitrarily breached my rights as well as the agreement btwn me and each of them respectively, who censored me based on their baseless false accusations that I sent spam emails, some of which you can read even here on Gentoo Forums in my translation:

Postfix smtp/TLS, Bkp/Cloning Mthd, Censorship/Intrusion
https://forums.gentoo.org/viewtopic-t-999436.html#7682770

as well as now (hopefully they haven't taken my NGO's site down) on:

http://www.croatiafidelis.hr/foss/cenz/iskon-t-com-miro-rovis/message/20150113.171003.a35398a1.en.html

(but that is the only translated email, the rest is in Croatian; it's:

a Snapshot (taken in a hurry) of Lurker deployed on my SOHO
http://www.croatiafidelis.hr/foss/cenz/iskon-t-com-miro-rovis/
btwn me, Miroslav Rovis, and Iskon, and T-com

that I want to talk legalese to juridical poeple and citizens there).

That is why I am trying to login/register at http://www.legalis.hr , the Croatian Legal Forums.
WARNING END

You can see there, in that screencast, after the first half a minute:
Quote:

A script on this page may be busy, or it may have stopped responding. You can stop the script now, open the script in the debugger, or let the script continue.

Script: http: //rsgde.adocean.pl/files/... <snipping a little>/simpaBanner2.Js:1

I chose to "Debug script" but then very soon decided I wasn't going to delve into it. Too little knowledge of Javascript here.

Anyway, that same script is available in the dump.

$ tshark -r dump_151001_1358_g0n.pcap -z expert,note,tcp | grep rsgde | grep simpaBanner
Code:

1163 34.721663000  192.168.1.2 -> rsgde.adocean.pl HTTP 425 GET /files/akimiqplupg/yileewlqpw/vdmegvlrkn/js/simpaBanner2.js HTTP/1.1


So paste in the filter:
Code:

tcp.stream eq 61


It would even more extend these posts if I repeated the method of extracting content. See previous posts.

The script is in the said folder and it is named: dump_151001_1358_g0n_s61_01_SimpaBanner2.js. What is wrong with the script I can not tell for reasons already stated.


2) tcp.stream eq 16

It decrypts, yes it does. But what is decrypted, is some fragment of some compressed file, or some encrypted matter (so, if this latter is the case, it's encryption upon encryption, and there is no key other than in the Schmoog's own archives, to decrypt the inner encryption, again: if that is the case [***]). Have a look, as I'll post what anybody can decrypt with the setup of his/her Wireshark as we have so far learned:

Follow and save ssl stream, and compare it to this one that you can download (it ought to be exactly the same, to the bit), and then you tell me what you can make of it:

dump_151001_1358_g0n_s16-ssl.dump

The only string that makes some sense to me if I look up that dump with hexedit is "PRI * HTTP/2.0". All else is gibberish.

3) tcp.stream eq 56

This one is fascinating!

The conversation is with some Zucky the great "philantropist"'s Facebook host:

Code:

31.13.84.8   StAr.c10r.facebook.com


It's easy to extract it. Click on any of the lines with TLSv1.2, follow SSL stream, Save as:

dump_151001_1358_g0n_s56-ssl.dump

It's, allegedly (read on) gzip'd.

It's two GET's in there. Second first.

NOTE: 'man hexedit' ...

Search, in hex, for "47455400". Set mark at the second found. Search to end. That will select to end. Copy. Paste into a file, naming that file:

dump_151001_1358_g0n_s56-ssl_02.dump

Reapeat the search (or in some other fashion set the cursor again at the start of the second GET. Truncate.

Set the mark at the first get. Search to end. That will select the entire remaining content from there. Paste into file:

dump_151001_1358_g0n_s56-ssl_01.dump

Open file: dump_151001_1358_g0n_s56-ssl_01.dump

I don't see there could be anything there to extract.

Open file: dump_151001_1358_g0n_s56-ssl_02.dump

Serch in ascii for gzip finds one instance. Move to top. Search in hex for "1F8B08". Mark. Move to end. Copy. Paste into file: dump_151001_1358_g0n_s56-ssl_02.gz

And here we go, here's the fascinating thing!:

Code:

$ ls -l dump_151001_1358_g0n_s56-ssl_02.gz
-rw-r--r-- 1 ukra ukra 5993 2015-10-02 14:42 dump_151001_1358_g0n_s56-ssl_02.gz
$ file dump_151001_1358_g0n_s56-ssl_02.gz
dump_151001_1358_g0n_s56-ssl_02.gz: gzip compressed data, from Unix
$ gunzip dump_151001_1358_g0n_s56-ssl_02.gz

gzip: dump_151001_1358_g0n_s56-ssl_02.gz: invalid compressed data--format violated
$


The kind and philantropist Zucky's Facebook violates the gzip format! Pls do show me, pls. do prove me wrong! I'm really not claiming complete certainty because I'm really not an expert by any means. However, the file is there for everybody to see.

Do tell us why that gzip'd archive can not be extracted and why gzip shouts out so loud that the format has been violated!

I want to see (but not immediately; this is tiring work) what the true experts on Wireshark.org may want to say about this little snippet of content with this credibly (IMO) alleged violation. [***]bis

Anyway, I basically decided that, looking up all the plethora of almost all the world's top surveillors being pulled in by my only trying to open, and possibly login/register with the Croatian Legal Forums... (almost all; I believe there are some who will sorely miss Billy the Senior Philantropist's M$ not pulled in)...

And so I decided I try and do some filtering to see if I can talk to the Croatian Legal Forums without having to deal with than many of the big players' surveilling tentacles.

By filtering some of that plethora of domains out at the input of my iptables, dropping their packets on the floor, with emplying the filtering capability that I compiled in my kernel, and deploying it by adequate filtering rules.

Have a look at how many of those hosts are set to get their tentacles in my machine by my mere opening the initial http://www.legalis.hr page and trying to login/register in:

dump_151001_1358_g0n_RESO.txt

I'll continue this story in the next post.

---
[*] I'd really kindly ask the inventor Tim Berners Lee whether (1) he knew ahead of his invention that such would be the case, and I'd kindly ask him (2) not to keep boasting with the benefits of the internet; nothing is better for it, unless the big brains, and big players, don't engage against (the first), or stop surveillance (the second), surveillance the cancer of the internet, like, exampli gratia, Bruce Schneier does, of the world's true intellectual internet elite; but does anyone know of any big players refraining from spreading this cancer?

[**] I really have nothing to hide currently, and yet few readers will doubt that I am fighting so that we, the poor users, especially the FOSS *nix users (too little hope for M$, Apple and such, users), be able to hide our personal correspondence, our browsing habits, and anything we want to hide. Because it is our time, our life, our streets in our cities (and not, say, Schmoog's), our friends and our communities, and it does not pertain to the surveillors, to control any of it, to track, to inspect and hoard data about, any of it, by any constitution of any country of the world that is at least somewhat free. You can start from the Constitution of the United States of America, this important amendment granting they are not allowed to control you:

https://en.wikipedia.org/wiki/Fourth_Amendment_to_the_United_States_Constitution
and I can tell you that the right to hide my communications, as I please, is in the Constitution of the Republic of Croatia, as well. Just the hiding that I talk as legitimae here, is not hiding things and you move you code into people's computors like Facebook appears to have done above. I don't approve of such hiding of things. Because that's not privacy, that's attack on other people's property what FB apparently does. In this note I remotely paraphrase Eric Google's, in 201x, repeating of Göbels', in 194x, soundbite: "If you have nothing to hide, you have nothing to worry about!", if the kind reader hasn't noticed.

[***] and [***]bis It is more study that is needed, of the HTTP2 standard (as well as of SPDY), as I explain in the later posts in this topic, starting from:
https://forums.gentoo.org/viewtopic-t-1029408.html#7823392
as well as on Wireshark ML:
https://www.wireshark.org/lists/wireshark-users/201510/msg00000.html
to see if these packets really carry concealed content, which IMO would be breach of my privacy, because the ground is mine, not Schoog's, not Facebook's nor any others', it's my machine. It's like entering somebody's home with a concealed gun, if it really can not be decrypted without Quantum PC power, what they put in those packets...


Last edited by miroR on Sun Oct 04, 2015 3:51 pm; edited 2 times in total
Back to top
View user's profile Send private message
miroR
l33t
l33t


Joined: 05 Mar 2008
Posts: 826

PostPosted: Sat Oct 03, 2015 9:47 pm    Post subject: Reply with quote

This is not yet the next post I planned.

But a necessary addendum.

I figured out that I will need to understand more concepts and learn to apply them to decrypt some of the traffic.

In the previous post there is the line
Code:

          1  Undecoded               SPDY  Inflation failed. Aborting.


SPDY (pronounced Speedy), is Schmoog's enhancement for the HTTP1x protocol, upon which (and that's the other line --but in context--:

Code:

PRI * HTTP/2.0


upon which (upon the SPDY) the HTTP2 was developed.

Once I study those, I might be able to decrypt such traffic too.

A good start:

Why are the headers of this SPDY SYN_STREAM sample apparently uncompressed?
http://stackoverflow.com/questions/27454189/why-are-the-headers-of-this-spdy-syn-stream-sample-apparently-uncompressed

and

https://wiki.wireshark.org/HTTP2
Back to top
View user's profile Send private message
miroR
l33t
l33t


Joined: 05 Mar 2008
Posts: 826

PostPosted: Sun Oct 04, 2015 10:50 am    Post subject: Reply with quote

More on the necessary digression. This is still not in the planned line of presentation.

I'm reluctunt to try things SPDY offline in my Apache. Have a look at what is very telling about SPDY:
Code:

# emerge -tuDN mod_spdy

These are the packages that would be merged, in reverse order:

Calculating dependencies    ... done!                             
[ebuild  N    #] www-apache/mod_spdy-0.9.4.3::gentoo  USE="-debug {-test}"
7,162 KiB
[ebuild     UD ]  www-servers/apache-2.2.31:2::gentoo [2.4.16:2::gentoo]
USE="doc ssl suexec -debug -ldap (-selinux) -static -threads (-alpn%)"
APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm
authn_default%* authn_file authz_dbm authz_default%* authz_groupfile
authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock
deflate dir disk_cache%* env expires ext_filter file_cache filter headers
include info log_config logio mem_cache%* mime mime_magic negotiation rewrite
setenvif speling status unique_id userdir usertrack vhost_alias -asis
-auth_digest -authn_dbd -cern_meta -charset_lite -dbd -dumpio -ident -imagemap
-log_forensic -proxy -proxy_ajp -proxy_balancer -proxy_connect -proxy_ftp
-proxy_http -proxy_scgi -reqtimeout -substitute -version (-access_compat%)
(-authn_core%*) (-authz_core%*) (-authz_dbd%) (-cache_disk%)
(-lbmethod_bybusyness%) (-lbmethod_byrequests%) (-lbmethod_bytraffic%)
(-lbmethod_heartbeat%) (-macro%) (-proxy_fcgi%) (-proxy_wstunnel%)
(-ratelimit%) (-remoteip%) (-slotmem_shm%) (-socache_shmcb%*) (-unixd%*)"
APACHE2_MPMS="-event -itk% -peruser -prefork -worker" 5,542 KiB
[ebuild     UD ]   app-admin/apache-tools-2.2.31::gentoo [2.4.16::gentoo]
USE="ssl" 0 KiB

Total: 3 packages (2 downgrades, 1 new), Size of downloads: 12,704 KiB

Would you like to merge these packages? [Yes/No] No

Quitting.


I bet you saw my reply to tthe question in bottom: "No" (without quotes).

What is also very telling is the

Distribution of web servers among websites that use SPDY
http://w3techs.com/technologies/segmentation/ce-spdy/web_server

and I'll paste it in here, since those numbers change. So the current numbers
(see the timestamp of this post) are:
Code:

Nginx is used by 73.9% of all the websites whose web server we know and that
use SPDY as site element.

Code:

Nginx         73.9%
LiteSpeed     23.1%
Apache         2.3%
Node.js        0.4%
Google_Servers 0.3%


Take a look at how the Schmoog trust their own invention. how Nginx is stuck with it (good luck to anyone believing in and trusting the Schmoog!), and they must be cursing the former, and how the Apache folks never really trusted it.

Or were the Schmoog upfront using it for some shady purposes along? Who can tell? True experts only (and I'm certainly not one), and who are honest along being expert, but honest truly: very rare; I have met some, yes, but too rare those kind of experts... Aarrgh.. The world is waiting for a Schmoog whistleblower to tell us more about the Octopus... Ever, anyone?

There's more.

Really I cheered when I read to the end of this e-mail
Code:

HTTP Working Group <ietf-http-wg@w3.org>

, and when I understood that Poul-Henning Kamp [*] was the author of that open letter which I enjoyed reading and recognize (to some extent: I'm just an advanced user) its arguments, and many among you readers of this topic will too:

Why HTTP/2.0 does not seem interesting
https://www.varnish-cache.org/docs/trunk/phk/http20.html

The letter talks about SPDY as well. find the line:
Poul-Henning Kamp wrote:

Overall, I find the design approach taken in SPDY deeply flawed.


My problem is, that I need to figure out how to decrypt these freaking packets (mosly Schmoogle's but others' too), that use either SPDY or HTTP2. Because I must be in control of my machine, and not the Schoogle's kind.

Else, they will be able to set me up as spammer and be able to censor me, as they already did, for long months, which I mentioned in some of the first posts (links there to documented events of censorship, like clickjacking).

(and that is just the last big censorship event of their making on me. If you want more, and on how Google helps regimes like in my country, have a look at why I have all the reson to detest Google:
Really? The Surveillance Engine Terminated All My Videos
http://forums.debian.net/viewtopic.php?f=3&t=113059
).

When is that idiotic Octopus going down, if really it does not intend to behave?

--
[*] I like to spread valuable info. I don't remember having listened to anything as impressive as this Poul-Henning Kamp's speech at FOSSDEM Conference 2014. It was previously elsewhere, and if you can't download the entire 46 minutes, as I can not currently from my quaters (but I do have a lousy provider), do tell! Here:

NSA operation ORCHESTRA Annual Status Report
https://commons.wikimedia.org/wiki/File:NSA_operation_ORCHESTRA_Annual_Status_Report.webm

It is not important because of me, as I have already archived it previously for myself, but for others, to spread the truth to others as well.


Last edited by miroR on Sun Oct 04, 2015 4:53 pm; edited 3 times in total
Back to top
View user's profile Send private message
miroR
l33t
l33t


Joined: 05 Mar 2008
Posts: 826

PostPosted: Sun Oct 04, 2015 12:46 pm    Post subject: Reply with quote

Still can not move on without the understanding of these issues. But maybe we get to know more on these special concealed (to majority of users at least) packets. I wrote to Wireshark ML:

Wireshark-users: Re: [Wireshark-users] The SSL tcp stream decoding in Users' Manual?
https://www.wireshark.org/lists/wireshark-users/201510/msg00000.html
Back to top
View user's profile Send private message
miroR
l33t
l33t


Joined: 05 Mar 2008
Posts: 826

PostPosted: Tue Oct 06, 2015 4:49 pm    Post subject: Reply with quote

A note: in the email there, I'm referring to the link to my last email to Wireshark ML, in the post immediately before this one, you can see that I actually can decode SPDY and HTTP2. More on my research on SPDY and HTTP2 in the next post. I mean really next (and only then the posts promised quite-a-few-posts-back; those had already been written).

Just: my research resulted, in my pretty clear understanding that it is good for me, at least for now, since no benefit for me (nor to users generally, just to big-business) from SPDY and HTTP2, only possibly more trouble, like CRIME (but on that in the next post), [that it is good for me] to disable SPDY and HTTP2 in my Fox.

Read all, don't just follow this post; this is partly, very partly only, a failed test!

Save your ~<you>/.mozilla/firefox/<your-salt-here>.default/prefs.js, say
like:
Code:

$ cp -iav ~<you>/.mozilla/firefox/<your-salt-here>.default/prefs.js prefs.js_$(date +%s)_$(hostname)

so you can compare what you got with the GUI changes you will make.

Close if previously you had Firefox opened.

Start Firefox. Don't open any pages with it. Do this work first.

Type in about:config in Firefox.

In the Search box type in 'spdy' (without quotes).

Wherever you see 'true' doubleclick on it. It will turn to 'false'

I hope now spdy and http2 are disabled.

Comparing my ~ukra/.mozilla/firefox/<my-salt-here>.default/prefs.js

with the changed profile, and disregarding the changes that Fox makes on every start/exit in your pref.js, these are the changes necessary to rid of the CRIME-enabled SPDY and HTTP2:

$ cat prefs.js.diff
Code:

> user_pref("network.http.spdy.allow-push", false);
> user_pref("network.http.spdy.coalesce-hostnames", false);
> user_pref("network.http.spdy.enabled", false);
> user_pref("network.http.spdy.enabled.deps", false);
> user_pref("network.http.spdy.enabled.http2", false);
> user_pref("network.http.spdy.enabled.v3-1", false);
> user_pref("network.http.spdy.enforce-tls-profile", false);


And I believe (

I clone my systems:

Postfix smtp/TLS, Bkp/Cloning Mthd, Censorship/Intrusion
https://forums.gentoo.org/viewtopic-t-999436.html#7613044

)
...

And I believe that (since I clone my systems), that doing this same GUI change, but doing it the non-GUI way, on another of my systems which has until now been on defaults regarding SPDY and HTTP2, will be a proof of concept.

On the other system (a clone, on same type/model hardware), I copy its pref.js where I can, first, view it in some details.

Now on that copied pref.js (but really, it can be done on the original, just Fox must NOT be running), I did:

Code:

$ cat prefs.js.diff | sed 's/> //'  >> prefs.js
$ mv -iv prefs.js prefs.js_NEW


The diff btwn the prefs.js_NEW and the orig prefs.js on this other system, is the same as on the GUI-experimented one.

So:
Code:

cp -iav prefs.js_NEW ~<me>/.mozilla/firefox/<my-salt-here>.default/prefs.js


And if I start Fox now, open 'about:config' and in the Search box type in spdy, I should see the same SPDY and HTTP2 entries disabled.

No. I was wrong. Upon starting Fox, I had it all at defauls, like before. Why is that?

Never mind. I did the clicking as, obviously, I am supposed to, then I exited Fox, restarted it, and this time it holds: these failed standards, in the sense that they are not catching with the non-big-business internet people, are disabled.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Goto page 1, 2  Next
Page 1 of 2

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum