SSL Decode & My Hard-Earned Advice for SPDY/HTTP2 in Firefox
miroR


Joined: 05 Mar 2008
Posts: 826

PostPosted: Tue Oct 06, 2015 6:30 pm

In the first place, HTTP2 is just a remake of SPDY, and also, as Poul-Henning Kamp says, feels more like HTTP1.2.

It hasn't caught on, and it is hardly expected to. So it looks to me like just a failure.

You can read also what PHK wrote previously on SPDY:

What SPDY did to my summer vacation
https://www.varnish-cache.org/docs/trunk/phk/spdy.html

So PHK, an expert who spent quite some time studying it... And I really didn't go into the details of that page; I only searched, as it is not there to be easily found, for what to do about it... The propaganda of Google and such businesses that "own" the internet is such that you would think it's the next big thing, SPDY, and now HTTP2.

So PHK, an expert who spent quite some time studying it, claims SPDY is "deeply flawed", as I quoted him some two posts ago.

I even looked up what is linked from there:

Varnish User Group Meeting 6 (VUG6 London)
https://www.varnish-cache.org/vug6

and read some of the paper linked in there:

PHK's Keynote (on HTTP/2.0) 
https://www.varnish-cache.org/sites/default/files/02_VUG6-PHK_Keynote.pdf

and I'll only suggest page 18 of that paper, where PHK claims:

Code:

HTTP/2.0 is an uncertain target

No realistic timeline

Very unclear featureset

May not even catch on when done


And let's see now if HTTP2 caught on. Because that VUG6 event took place in early October 2012, which is just about 3 (three) years ago.

Maybe PHK is not such an expert. Maybe he was wrong... Let's see.

...Aargh. I searched so much, and read lots of it, that it is not even a quick task to find the page which is the most indicative of all...

Wait...

Ah! Here we go:

On this page:

Comparison of web server software
https://en.wikipedia.org/wiki/Comparison_of_web_server_software#Features

you can see that of all the numerous software that some thirty different servers support, lots of green there, but also, for some entries, such as Java Servlets, more red than green, but...

But, at the end of the software features enumerated, there's the Google's fabulous, fabulous HTTP/2 !

Supported by only three of all the servers, the rest probably never bothered to even think about supporting it. Not even consider HTTP2! Bravo, Google!! Such an incredible success!!

I hope other Gentoo users, and whoever finds this page (Google will probably not put it upfront for finding, even if it does have all the entries that people will give to that surveillance --the real purpose-- and also search engine), will lose less time on these idiotic standards than I have.

What a huge amount of time this research took me! What a waste of time these standards, SPDY and HTTP2, are. Yes, they do have their usefulness for big business, but, and it's also PHK who said it somewhere (but I'm done with them, I hope, can't search for the exact document to quote him), for users there is no benefit whatsoever.

SPDY and HTTP2 are, I hope, done for me. Only I have to make sure that I disable them successfully in my Firefox.

I also mentioned CRIME. Here:

https://en.wikipedia.org/wiki/CRIME

and

https://en.wikipedia.org/wiki/Transport_Layer_Security#CRIME_and_BREACH_attacks

And surely remember that the surveillance engine and its friends may very well have their other reasons, not available anywhere, because not published, completely secret, for SPDY and HTTP2. I cannot claim that, surely. I'm waiting for a Google whistleblower, like many thinking people.

Regards!
--
EDIT 2015-10-06 22:31+02:00 :
Only after already having posted this post have I understood what PHK meant when he cited his own email of 1999, in the (link also already at the top of this post):

PHK wrote:

My one lucky break was the bikeshed email where I actually did sit down and compose some of my thoughts, thus firmly sticking a stick in the ground as one of the first to seriously think about how you organize open source collaborations.

In that bikeshed email you can read what Larry Google, Sergey Google and Eric Google (where Google stands for "the Schmoog"), and friends, should carefully read, and there you can find the treatment that they should get.

PHK understood it ahead of time. Just as he writes in the paragraph previous to the already cited paragraph. He saw it, by the mere logic of the totally flawed design (well, you probably can't push some surveillance hooks in there for the NSA, and make a standard that does the right thing for what it is nominally made for, can you?) of SPDY and HTTP2. That is the meaning of the opening paragraph of that "What SPDY did to my summer vacation" article of his. Here:

PHK wrote:

It's dawning on me that I'm sort of the hipster of hipsters, in the sense that I tend to do things far before other people do, but totally fail to communicate what's going on out there in the future, and thus by the time the "real hipsters" catch up, I'm already somewhere different and more interesting.


And that is why he cited his, by that time (September 2012), thirteen-year-old email.

This is my paraphrasing of that email of his:

Why Should I Care What Color the Bikeshed Is?
http://bikeshed.org/

, for the Larry (both Google and Oracle), Sergey and Eric and the camaraderie of theirs:
Code:


Your standard is about to be presented/suggested/imposed on to several hundred
thousand people, who will have to spend at least 10 minutes reading about it
before they can decide what to do about it.
...[snip]...
                                                           
Are you absolutely sure that your standard is of sufficient importance to
bother all these people ?                   
                                                           
                        [YES]  [REVISE]  [CANCEL]                 
----------------------------------------------------------------------------

----------------------------------------------------------------------------
Warning:  You have not considered all the existing standards and the real
issues that ought to be dealt with.
                                                           
                            [CANCEL]                             
----------------------------------------------------------------------------

----------------------------------------------------------------------------
Warning:  Your dedicated teams have not even considered half of what has been
suggested to them by true internet experts. Logically it follows that you
yourselves, the "big" boys of this internet, cannot possibly have considered
and understood all the important issues, breakages, hardships that you will
have created if you, "big" as you are, successfully push it by your propaganda.
                                                           
A cool off timer for this standard will prevent you from     
pushing any standards onto the internet for the next fifteen years
                                                           
                             [Cancel]                             
----------------------------------------------------------------------------

EDIT END
miroR


Joined: 05 Mar 2008
Posts: 826

PostPosted: Fri Oct 16, 2015 4:08 pm

More than two weeks ago, at this address of this topic you are reading:

https://forums.gentoo.org/viewtopic-t-1029408.html#7822806

I wrote (and I myself need to try and pick up the narrative first)

The following is, first some parts of the two-weeks old post, by the intended plan of presentation, just as in the link above posted, and then I will continue from where I had left off.

Most of the new text below I wrote two weeks ago, and need only to correct and adapt it a little.

So I had written...
Quote:

I'll try and post the files upfront this time, so you can check as soon as you read this and possibly ...[snip]... [the] next posts.

...[snip]...

The files to look up and run the commands below against, will be on:

http://www.croatiafidelis.hr/foss/cap/cap-151001-legalis-login/

The important file without which you can't decrypt any of the SSL streams, and that needs to be set up as previously explained (in the PDF document linked by SANS Training), is the file with the session keys for all of this set (or even more). ...[snip]...

The SSLKEYLOGFILE_151001_1358_g0n.log.


The dLo.sh below, as well as the SUMS and the SUMS.sig's, will, in cases of additions and/or changes (changes to the listing, not the particular SHA256 hashes), be updated, but old SUMS and SUMS.sig's will be in the PREV/ directory ('PREV' for previous), just in case someone wanted to check up on the consistency of my methods/statements.
Quote:

Maybe you can do best to download just the dLo.sh file. Make a dir where you have perms.

(Also move dLo.sh into that dir.)
Quote:
Enter that dir and run it:

Code:

$ ./dLo.sh


It will download all that is currently in the cap-151001-legalis-login/ .

Download them to be able to run the commands below, and check on the veracity of my claims/help us solve what I can not solve.

...[snip]...

The first set to examine is of the time: 2015-10-01 13:58 CET (as it carries the timestamp 151001_1358, and I live in Zagreb, Croatia).

tshark -r dump_151001_1358_g0n.pcap -q -z expert,note,tcp
Code:

Errors (3)
=============
   Frequency      Group           Protocol  Summary

...[snip]...


I'll post some extracted files in the corresponding folder named after the dump: dump_151001_1358_g0n.d/


The same method of naming will apply for the other files in cap-151001-legalis-login/ .
Quote:

1) So you should see how it is that the screencast tells us to look up the stream 61 first, to get a clearer picture. You can see there troubles right at start if you download and view the screencast Screen_151001_1358_g0n.mkv.

...[snip]...

You can see there, in that screencast, after the first half a minute:
Quote:

A script on this page may be busy, or it may have stopped responding. You can stop the script now, open the script in the debugger, or let the script continue.

Script: http: //rsgde.adocean.pl/files/... <snipping a little>/simpaBanner2.Js:1


...[snip]...

$ tshark -r dump_151001_1358_g0n.pcap -z expert,note,tcp | grep rsgde | grep simpaBanner
Code:

1163 34.721663000  192.168.1.2 -> rsgde.adocean.pl HTTP 425 GET /files/akimiqplupg/yileewlqpw/vdmegvlrkn/js/simpaBanner2.js HTTP/1.1


So paste in the filter:
Code:

tcp.stream eq 61


...[snip]...



At this point I had described how I extracted that exact script. Pls. see the complete post for that.
Quote:

The script is in the said folder and it is named: dump_151001_1358_g0n_s61_01_SimpaBanner2.js. What is wrong with the script I can not tell for reasons already stated.


However, I had posted the script, into which I had previously interpolated a few newlines, for my easier reading. That modified one is now named dump_151001_1358_g0n_s61_01_SimpaBanner2e.js (with the infix 'e' for 'edited') and what exactly you can get, with the methods described, out of that file, bears now the original name dump_151001_1358_g0n_s61_01_SimpaBanner2.js, as it should.
Quote:


2) tcp.stream eq 16

It decrypts, yes it does. But what is decrypted, is some fragment of some compressed file, or some encrypted matter (so, if this latter is the case, it's encryption upon encryption, and there is no key other than in the Schmoog's own archives, to decrypt the inner encryption, again: if that is the case ...[snip]... ). Have a look, as I'll post what anybody can decrypt with the setup of his/her Wireshark as we have so far learned:

Follow and save ssl stream, and compare it to this one that you can download (it ought to be exactly the same, to the bit), and then you tell me what you can make of it:

dump_151001_1358_g0n_s16-ssl.dump

The only string that makes some sense to me if I look up that dump with hexedit is "PRI * HTTP/2.0". All else is gibberish.



That HTTP2, as well as SPDY, is what I took a much closer look at in the meantime between that old post and this new post.

This was my first encounter with this despicable standard.

Obviously, as seen now even from the very title of this topic ("SSL Decode & My Hard-Earned Advice for SPDY/HTTP2 in Firefox"), I intend to try and, hopefully, for some foreseeable future, live without the SPDY and HTTP2 despicable standards and the intrusions they enable.

Read about it in the posts between the one quoted here (and linked at the top), and this very one you are reading right now.
Quote:

3) tcp.stream eq 56

This one is fascinating!

The conversation is with some Facebook host of Zucky the great "philanthropist":

Code:

31.13.84.8   StAr.c10r.facebook.com


It's easy to extract it. Click on any of the lines with TLSv1.2, follow SSL stream, Save as:

dump_151001_1358_g0n_s56-ssl.dump

It's, allegedly (read on) gzip'd.

...[snip]...

And here we go, here's the fascinating thing!:

Code:

$ ls -l dump_151001_1358_g0n_s56-ssl_02.gz
-rw-r--r-- 1 ukra ukra 5993 2015-10-02 14:42 dump_151001_1358_g0n_s56-ssl_02.gz
$ file dump_151001_1358_g0n_s56-ssl_02.gz
dump_151001_1358_g0n_s56-ssl_02.gz: gzip compressed data, from Unix
$ gunzip dump_151001_1358_g0n_s56-ssl_02.gz

gzip: dump_151001_1358_g0n_s56-ssl_02.gz: invalid compressed data--format violated
$


...[snip]...

And so I decided I try and do some filtering to see if I can talk to the Croatian Legal Forums without having to deal with that many of the big players' surveilling tentacles.

By filtering some of that plethora of domains out at the input of my iptables, dropping their packets on the floor, employing the filtering capability that I compiled into my kernel, and deploying it by adequate filtering rules.

Have a look at how many of those hosts are set to get their tentacles in my machine by my mere opening the initial http://www.legalis.hr page and trying to login/register in:

dump_151001_1358_g0n_RESO.txt

I'll continue this story in the next post.

...[snip]...

And as you can see, I'm finally continuing. It's really the continuation of the same story. And I needed to refresh my own memory of what I wrote so far.

Now, the dump_151001_1358_g0n_RESO.txt file, in the corresponding dir (by the infix-timestamp), contains:

Code:

# Hosts information in Wireshark
#
# Host data gathered from /Cmn/mr/dump_151001_1358_g0n.pcap
...

and it's a 16K file, and it is just part (actually I didn't look much into the ports and firmware parts, which is huge, just the hosts part) of the complete file which you can in Wireshark get by going Statistics > Show Address Resolution, and copying and pasting it like I did (there is a way to do it with tshark, but I did it that way then). Every traffic capture has its own listing like that. And for the dump_151001_1358_g0n.pcap it's 134 lines only up to the first IPv6 address:

Code:
$ cat dump_151001_1358_g0n_RESO.txt | grep -B400000000 '2a03:2880:f007:8:face:b00c:0:1[[:space:]]scontent.xx.fbcdn.net' | wc -l
134
$

If you grep that one further for any of the strings 'akam|face|goog|zilla|pagead|smartad' separately or combined, you get a few or a lot of lines.

You get lots of output if you grep if for 'ns' (mostly if not all something to do with the old historical Mozilla 'Netscape' browser label, I believe).

You get 8 lines all belonging to 'd22io8ipz38kkf.cloudfront.net' if you grep it for just 'cloud'.

You get a few 'pagead', 'smartad' and such. And you get lots more minor hosts.

I won't paste it here, as it is in the said dir. But I'll try and remember how I extracted the line for my iptables rules, to block out a few of those far too many surveillors for just one portal accessed.

(Or do I really have to open my machine for whoever wants to snoop in a little? If I only want to visit a site, and maybe login/register?)

It's not so hard to sort and awk and cut and paste together that list of hosts (I'm talking about the unix commands: sort awk cut paste which I used) to get what I wanted, which was, for the first step, this:

Code:

104.83.4.100   n6b.akamai.net
104.83.4.103   n1g1.akamai.net
104.83.4.117   n6g1.akamai.net
104.83.4.125   n6dspl.akamai.net
104.83.4.15   n7b.akamai.net
104.83.4.21   n5g1.akamai.net
104.83.4.22   n5b.akamai.net
104.83.5.156   n0dspe1.akamaiedge.net
104.83.5.157   n6g.akamaiedge.net
104.83.5.158   n6dspe1.akamaiedge.net
104.83.5.159   n7dspe1.akamaiedge.net
104.87.51.180   e3821.dspe1.akamaiedge.net
152.115.75.210   track-eu.adform.net
152.115.75.218   track-eu.adform.net
166.88.18.58   ns2.zoneedit.com
173.239.79.201   ns1.eff.org
173.239.79.210   observatory6.eff.org
178.218.165.165   ns2.mojsite.com
178.218.169.132   engine.xclaimwords.net
178.218.169.162   hr-engine.xclaimwords.net
178.218.169.163   hr-engine.xclaimwords.net
178.218.172.172   ns1.mojsite.com
184.26.161.66   a14-66.akam.net
184.85.248.65   ns5-65.akam.net
185.86.139.19   itx4.smartadserver.com
185.86.139.29   itx4.smartadserver.com
188.125.93.156   l.gycs.b.yahoodns.net
188.125.93.157   l.gycs.b.yahoodns.net
#188.40.29.90   www.legalis.hr
193.108.91.240   ns1-240.akam.net
193.108.91.96   a1-96.akam.net
193.47.99.4   ns3.second-ns.de
195.191.92.140   ns1.ns-serve.net
195.191.93.140   ns2.ns-serve.net
195.22.200.158   n3b.akamai.net
195.22.200.165   n1b.akamai.net
195.245.255.29   canopus.oglasnik.hr
195.245.255.9   www.posao.hr
204.13.250.28   ns2.p28.dynect.net
204.13.251.28   ns4.p28.dynect.net
205.251.193.93   ns-349.awsdns-43.com
205.251.194.25   ns-537.awsdns-03.net
205.251.197.254   ns-1534.awsdns-63.org
205.251.198.243   ns-1779.awsdns-30.co.uk
208.117.229.212   www.google.com
208.117.229.213   www.google.com
208.117.229.214   www.google.com
208.117.229.215   www.google.com
208.117.229.216   www.google.com
208.117.229.217   www.google.com
208.117.229.218   www.google.com
208.117.229.219   www.google.com
208.78.70.28   ns1.p28.dynect.net
208.78.71.28   ns3.p28.dynect.net
213.133.106.251   ns1.your-server.de
213.189.48.235   ns1.gemius.pl
213.239.204.242   ns.second-ns.com
216.239.32.10   ns1.google.com
216.239.34.10   ns2.google.com
216.239.36.10   ns3.google.com
216.239.38.10   ns4.google.com
216.58.209.161   pagead-googlehosted.l.google.com
216.58.209.162   pagead46.l.doubleclick.net
216.58.209.194   pagead.l.doubleclick.net
2.20.182.162   n3dspe1.akamaiedge.net
2.20.182.164   n1dspe1.akamaiedge.net
2.20.182.165   n2g.akamaiedge.net
23.14.93.233   n7ce.akamaiedge.net
23.14.93.235   n5ce.akamaiedge.net
23.14.93.241   n4ce.akamaiedge.net
23.14.93.242   n6ce.akamaiedge.net
23.211.61.67   a22-67.akam.net
23.35.116.174   e6603.g.akamaiedge.net
23.54.107.27   e8218.ce.akamaiedge.net
31.13.84.4   scontent.xx.fbcdn.net
31.13.84.8   StAr.c10r.facebook.com
46.101.18.226   ns12.zoneedit.com
46.33.68.128   a1158.b.akamai.net
46.33.68.32   a1603.g1.akamai.net
46.33.68.40   a1603.g1.akamai.net
46.33.68.72   a1158.b.akamai.net
54.230.44.105   d22io8ipz38kkf.cloudfront.net
54.230.44.14   d22io8ipz38kkf.cloudfront.net
54.230.44.20   d22io8ipz38kkf.cloudfront.net
54.230.44.40   d22io8ipz38kkf.cloudfront.net
54.230.44.48   d22io8ipz38kkf.cloudfront.net
54.230.44.54   d22io8ipz38kkf.cloudfront.net
54.230.44.56   d22io8ipz38kkf.cloudfront.net
54.230.44.58   d22io8ipz38kkf.cloudfront.net
62.168.111.101   ns2.gemius.pl
63.245.217.138   aus4.vips.phx1.mozilla.com
63.245.217.219   aus4.vips.phx1.mozilla.com
63.245.217.43   aus4.vips.phx1.mozilla.com
68.142.254.15   yf4.a1.b.yahoo.net
68.180.130.15   yf3.a1.b.yahoo.net
69.171.239.11   a.ns.xx.fbcdn.net
69.171.255.11   b.ns.xx.fbcdn.net
69.50.225.156   ns2.eff.org
72.21.80.5   ns1.phicdn.net
72.21.80.6   ns2.phicdn.net
72.246.46.65   a4-65.akam.net
78.46.77.4   www.mojposaomarketing.net
80.157.149.215   n0ce.akamaiedge.net
80.237.178.232   wlt-adpilotgroup.adspirit.info
81.0.212.193   ns3.gemius.pl
81.4.121.49   procyon.oglasnik.hr
84.53.139.64   ns4-64.akam.net
84.53.139.65   a11-65.akam.net
87.237.206.243   hr.hit.gemius.pl
87.237.206.245   rsgde.adocean.pl
87.237.206.249   hr.hit.gemius.pl
88.221.81.192   n0dspl.akamai.net
88.221.81.193   n2b.akamai.net
88.221.81.195   n3ce.akamaiedge.net
92.122.206.37   n4b.akamai.net
92.122.206.38   n0b.akamai.net
92.122.214.238   n1ce.akamaiedge.net
93.184.220.29   cs9.wac.phicdn.net
95.101.2.26   a2047.dspl.akamai.net
95.101.2.32   a2047.dspl.akamai.net
95.101.2.33   a2047.dspl.akamai.net
95.101.2.40   a2047.dspl.akamai.net
95.101.2.48   a2047.dspl.akamai.net
95.101.2.51   a2047.dspl.akamai.net
95.101.2.56   a2047.dspl.akamai.net
95.101.2.57   a2047.dspl.akamai.net
95.101.2.66   a2047.dspl.akamai.net
96.7.49.64   a3-64.akam.net
96.7.49.66   ns7-66.akam.net

I won't go into figuring out which exact hosts I left out from this list, and which I decided to try and block, with absolute precision. But I remember I started drastically blocking nearly all but the:

Code:

54.230.44.xx   d22io8ipz38kkf.cloudfront.net

Zilla just has to connect to its cloud to send to all that it has harvested from me... Aaarghh, I don't like it, but OK.

And I left the 'mozilla'-named lines, so:

Code:

63.245.217.xxx   aus4.vips.phx1.mozilla.com

I didn't block either.

Surely I left any of the hosts with 'eff.org' in their names. I hope I wasn't lied to by EFF, and that the Electronic Frontier Foundation are good guys (although I have too little personal understanding, haven't studied enough of their stuff).

I also left most of the hosts containing 'ns' (but not the ns lines which also contain fb --I don't trust Zucky, and if you do, you try and tell me they're honest, but pls. some other time).

And my first try, IIRC, to connect to http://www.legalis.hr with lots of those hosts blocked was based on this purged list:

Code:

104.83.4.0/24   akamai.net
104.83.5.0/24   akamaiedge.net
104.87.51.180   e3821.dspe1.akamaiedge.net
152.115.75.0/24   track-eu.adform.net
184.26.161.66   a14-66.akam.net
184.85.248.65   ns5-65.akam.net
185.86.139.19   itx4.smartadserver.com
185.86.139.29   itx4.smartadserver.com
188.125.93.156   l.gycs.b.yahoodns.net
188.125.93.157   l.gycs.b.yahoodns.net
193.108.91.240   ns1-240.akam.net
193.108.91.96   a1-96.akam.net
193.47.99.4   ns3.second-ns.de
195.191.92.140   ns1.ns-serve.net
195.191.93.140   ns2.ns-serve.net
195.22.200.158   n3b.akamai.net
195.22.200.165   n1b.akamai.net
195.245.255.29   canopus.oglasnik.hr
195.245.255.9   www.posao.hr
208.117.229.0/24   www.google.com
213.133.106.251   ns1.your-server.de
213.189.48.235   ns1.gemius.pl
216.239.0/18   ns[X].google.com
216.58.209.0/24   pagead* (googlehosted or doubleclick.net)
2.20.182.0/24   akamaiedge.net
23.14.93.0/24   akamaiedge.net
23.211.61.67   a22-67.akam.net
23.35.116.174   e6603.g.akamaiedge.net
23.54.107.27   e8218.ce.akamaiedge.net
31.13.84.0/24   scontent.xx.fbcdn.net
46.33.68.0/24   akamai.net
62.168.111.101   ns2.gemius.pl
68.142.254.15   yf4.a1.b.yahoo.net
68.180.130.15   yf3.a1.b.yahoo.net
69.171.239.11   a.ns.xx.fbcdn.net
69.171.255.11   b.ns.xx.fbcdn.net
72.21.80.5   ns1.phicdn.net
72.21.80.6   ns2.phicdn.net
72.246.46.65   a4-65.akam.net
78.46.77.4   www.mojposaomarketing.net
80.157.149.215   n0ce.akamaiedge.net
80.237.178.232   wlt-adpilotgroup.adspirit.info
81.0.212.193   ns3.gemius.pl
81.4.121.49   procyon.oglasnik.hr
84.53.139.0/24   ns4-64.akam.net
87.237.206.243   hr.hit.gemius.pl
87.237.206.245   rsgde.adocean.pl
87.237.206.249   hr.hit.gemius.pl
88.221.81.0/24   akamai.net
92.122.206.0/24   n4b.akamai.net
92.122.214.238   n1ce.akamaiedge.net
93.184.220.29   cs9.wac.phicdn.net
95.101.2.0/24   dspl.akamai.net
96.7.49.0/24   a3-64.akam.net


I surely can't dedicate much time to iptables here, but I gave some hints in the topic:

Postfix smtp/TLS, Bkp/Cloning Mthd, Censorship/Intrusion
https://forums.gentoo.org/viewtopic-t-999436.html#7613044
(starting from that post, and also in later posts in that topic)

where I find what I used:

http://gentoovps.net/configuring-iptables-firewall/

(just not the ulogd, which is obsolete), and surely man iptables, surely even more man iptables-extensions and http://netfilter.org ... I know some senior Gentooers use the shorewall package, but this worked fine for me, apparently.

And so a few awk and tr lines (talking about the unix awk tr commands) on the sorted list (the unix sort command), and eventually I added these two lines to my iptables rules.sh (just for the purposes of posting this on phpBB-powered Gentoo Forums, I had to split it into more lines, but these below are only two lines in my then script for my iptables, each of the two lines starting with '$ipt -A INPUT'):

Code:

$ipt -A INPUT -p tcp -s
104.83.4.0/24,104.83.5.0/24,104.87.51.180,152.115.75.0/24,184.26.161.66,184.85.248.65,185.86.139.19,
185.86.139.29,188.125.93.156,188.125.93.157,193.108.91.240,193.108.91.96,193.47.99.4,195.191.92.140,
195.191.93.140,195.22.200.158,195.22.200.165,195.245.255.29,195.245.255.9,208.117.229.0/24,213.133.106.251,
213.189.48.235,216.239.0/18,216.58.209.0/24,2.20.182.0/24,23.14.93.0/24,23.211.61.67,23.35.116.174,
23.54.107.27,31.13.84.0/24,46.33.68.0/24,62.168.111.101,68.142.254.15,68.180.130.15,69.171.239.11,
69.171.255.11,72.21.80.5,72.21.80.6,72.246.46.65,78.46.77.4,80.157.149.215,80.237.178.232,81.0.212.193,
81.4.121.49,84.53.139.0/24,87.237.206.243,87.237.206.245,87.237.206.249,88.221.81.0/24,92.122.206.0/24,
92.122.214.238,93.184.220.29,95.101.2.0/24,96.7.49.0/24
-j LOG --log-level error --log-prefix mrfw_schm_etal

$ipt -A INPUT -p tcp -s
104.83.4.0/24,104.83.5.0/24,104.87.51.180,152.115.75.0/24,184.26.161.66,184.85.248.65,185.86.139.19,
185.86.139.29,188.125.93.156,188.125.93.157,193.108.91.240,193.108.91.96,193.47.99.4,195.191.92.140,
195.191.93.140,195.22.200.158,195.22.200.165,195.245.255.29,195.245.255.9,208.117.229.0/24,213.133.106.251,
213.189.48.235,216.239.0/18,216.58.209.0/24,2.20.182.0/24,23.14.93.0/24,23.211.61.67,23.35.116.174,
23.54.107.27,31.13.84.0/24,46.33.68.0/24,62.168.111.101,68.142.254.15,68.180.130.15,69.171.239.11,
69.171.255.11,72.21.80.5,72.21.80.6,72.246.46.65,78.46.77.4,80.157.149.215,80.237.178.232,81.0.212.193,
81.4.121.49,84.53.139.0/24,87.237.206.243,87.237.206.245,87.237.206.249,88.221.81.0/24,92.122.206.0/24,
92.122.214.238,93.184.220.29,95.101.2.0/24,96.7.49.0/24
-j DROP


However, that was too drastic. In fact, that involved blocking their (is it hoster or is it close partner of some kind?) 'mojposao.hr' (probably an alias of 'www.mojposaomarketing.net'), as the loading got stuck at it.

How do I know? It's all in the screencast and in the traffic dump. A quick look in the Screen_151001_1659_g0n.mkv and quick open of dump_151001_1659_g0n.pcap (no SSL session keys needed, since no SSL traffic at all).

Use the updated dLo.sh script (re-download it) to download what is missing in your local cap-151001-legalis-login/ (or with the name you gave it), just into the same dir that you already downloaded previously (if you are one of the first few dozen of readers of this topic). The wget command that does the downloading won't redownload what you already downloaded, and the respective SUMS and SUMS.sig files are extended with the new uploads.

So you can look up the pair Screen_151001_1659_g0n.mkv and dump_151001_1659_g0n.pcap. And understand that the iptables line was too drastic.

Ah, and starting at 1:25 of the screencast you see all those big and small players' hosts' packets being dropped on the floor by my grsecurity-mended-and-defended and netfilter-enabled kernel. That is my /var/log/messages being tailf'ed (I always run:
Code:

# tailf /var/log/messages

and keep an eye on what syslog-ng tells me (

I had my doubts about syslog-ng, and I'm still not sure, but I'm inclined to think now, that it was not a trouble of their making, the issues that I had, as described in:

Syslog-ng from Delay Logging to BrokenPipe/no Logging
https://forums.gentoo.org/viewtopic-t-1001994.html

but I haven't found time to unmask and check the new versions of syslog-ng

NOTE: There is another issue that I posted in the meantime:

to which I still haven't found a solution or workaround. Don't even have much understanding of time clock in the kernel, to be honest:

Time drift after hibernate-ram
https://forums.gentoo.org/viewtopic-t-1030266.html

)
).

One of the most sacred things that I keep since I was falsely accused of spamming by my provider is the logs, of all my time online.

And sorry I can't usually post those, but I am prepared to, in case I would need to prove that what I published somewhere absolutely coincides with what the logs will tell about a particular timestamped event that I published about, such as this attempt of mine to access the http://www.legalis.hr page; but to access that page without having to submit to as complete mass surveillance tools as there can be crammed into an internet portal page... What an idiotic portal setup!

Extremely intrusive portal setup, yes! Sorry, Legalis.hr. And please fix that! If you really want to offer Zucky's and Larry and Sergey's and such logins and stuff (which we'll, hopefully, see later, in the next traffic dumps in this topic), you must not impose it on those who don't want to have anything to do with Larry and Sergey's and Zucky's. I want to browse www.legalis.hr, not google.hr and not facebook.com and other minor players' stuff.

Of this kind of plea lots of internet sites should be aware! We the honest freedom-loving users are losing our privacy because of you!...

And I also have net-firewall/conntrack-tools installed. So I can see some more info in /var/log/conntrackd-stats.log as well.

But it's overwhelming. I haven't really mastered all these techniques. Still at the basics of most of these.

And so, at this point, I went and unblocked that one mojposao.hr first, and then also a few more hosts from the rules of my iptables.

And what I tried next follows in the next post.


Last edited by miroR on Sat Oct 17, 2015 12:01 pm; edited 1 time in total
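Why the decrypted stream 16 above starts with "PRI * HTTP/2.0" and then looks like gibberish: that string is the HTTP/2 client connection preface (RFC 7540, section 3.5), and what follows it is binary frames whose headers are HPACK-compressed (RFC 7541), not a second layer of encryption. The Python script below is an added example, not code from the post or from Wireshark: it parses a constructed byte string built to resemble the first bytes a client sends (preface, a SETTINGS frame, a HEADERS frame), and decodes only the simplest HPACK form, fully indexed fields that point at the static table. Frame type names, flag values and static-table entries are taken from the two RFCs; the sample bytes are constructed here.

```python
"""Added example: parse the start of a decrypted HTTP/2 byte stream.

The input below is constructed to resemble the first bytes a client sends
(RFC 7540): the connection preface, a SETTINGS frame, then a HEADERS frame.
It is not taken from the capture discussed in the post."""
import struct

PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"   # RFC 7540, section 3.5

FRAME_TYPES = {
    0x0: "DATA", 0x1: "HEADERS", 0x2: "PRIORITY", 0x3: "RST_STREAM",
    0x4: "SETTINGS", 0x5: "PUSH_PROMISE", 0x6: "PING", 0x7: "GOAWAY",
    0x8: "WINDOW_UPDATE", 0x9: "CONTINUATION",
}

# The few HPACK static-table entries (RFC 7541, appendix A) used below.
HPACK_STATIC = {
    2: (":method", "GET"), 3: (":method", "POST"), 4: (":path", "/"),
    6: (":scheme", "http"), 7: (":scheme", "https"),
}


def parse_frames(buf):
    """Return (had_preface, frames). Each frame is a dict holding the
    9-byte frame header fields (RFC 7540, section 4.1) and the raw payload.
    A trailing partial frame is dropped rather than misparsed."""
    had_preface = buf.startswith(PREFACE)
    pos = len(PREFACE) if had_preface else 0
    frames = []
    while pos + 9 <= len(buf):
        length = int.from_bytes(buf[pos:pos + 3], "big")
        ftype, flags = buf[pos + 3], buf[pos + 4]
        # The high bit of the stream identifier is reserved; ignore it.
        stream_id = struct.unpack(">I", buf[pos + 5:pos + 9])[0] & 0x7FFFFFFF
        payload = buf[pos + 9:pos + 9 + length]
        if len(payload) < length:
            break
        frames.append({
            "type": FRAME_TYPES.get(ftype, "UNKNOWN(0x%x)" % ftype),
            "flags": flags, "stream_id": stream_id,
            "length": length, "payload": payload,
        })
        pos += 9 + length
    return had_preface, frames


def decode_static_indexed_headers(payload):
    """Decode the leading run of fully indexed HPACK fields that point at
    the static table (one byte each: 1xxxxxxx with index < 62). Returns the
    decoded (name, value) pairs and how many bytes were left undecoded;
    literal and dynamic-table fields need a full HPACK decoder."""
    decoded = []
    i = 0
    while i < len(payload):
        b = payload[i]
        if b & 0x80 and (b & 0x7F) in HPACK_STATIC:
            decoded.append(HPACK_STATIC[b & 0x7F])
            i += 1
        else:
            break
    return decoded, len(payload) - i


def build_frame(ftype, flags, stream_id, payload):
    """Serialise one frame; used only to construct the sample input."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack(">I", stream_id) + payload)


# Constructed sample: preface, SETTINGS (MAX_CONCURRENT_STREAMS = 100) on
# stream 0, then HEADERS for "GET https://.../" on stream 1 with the
# END_STREAM (0x1) and END_HEADERS (0x4) flags set.
SAMPLE = (PREFACE
          + build_frame(0x4, 0x0, 0, struct.pack(">HI", 0x3, 100))
          + build_frame(0x1, 0x5, 1, bytes([0x82, 0x87, 0x84])))

if __name__ == "__main__":
    had_preface, frames = parse_frames(SAMPLE)
    print("client preface present:", had_preface)
    for f in frames:
        print(f["type"], "stream", f["stream_id"], "flags", hex(f["flags"]),
              "len", f["length"])
        if f["type"] == "HEADERS":
            print("  ", decode_static_indexed_headers(f["payload"]))
```

To run it over a real dump, replace SAMPLE with the bytes of a saved "Follow SSL stream" file, but save only the client-to-server direction: the entire-conversation save interleaves both sides, and the server never sends the preface (its first frame is a SETTINGS frame), so the parser would go out of sync at the first server frame.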
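The host list above was turned into the two '$ipt -A INPUT' lines by hand with sort, awk, cut and paste. The script below is an added example, not the post's own rules.sh: it does the same transformation on a constructed excerpt in the same "address   hostname" format that Wireshark's Show Address Resolution produces, keeps only hosts whose names match a tracker/CDN pattern, skips commented-out lines, and emits LOG and DROP rules for the OUTPUT chain as well as INPUT, since INPUT-only rules leave the browser free to open the connections in the first place. The pattern, the sample lines and the rule text are assumptions for the example; the script only prints the rules and never calls iptables itself.

```shell
#!/bin/sh
# Added example: build iptables LOG+DROP rules (INPUT and OUTPUT) from a
# Wireshark "Show Address Resolution" host listing. The listing below is a
# constructed excerpt in that format, not the full dump_..._RESO.txt file.

SAMPLE_RESO='# Hosts information in Wireshark
#
104.83.4.100   n6b.akamai.net
104.83.4.103   n1g1.akamai.net
152.115.75.210   track-eu.adform.net
173.239.79.201   ns1.eff.org
#188.40.29.90   www.legalis.hr
216.58.209.194   pagead.l.doubleclick.net
31.13.84.8   StAr.c10r.facebook.com'

# Names to block (assumed pattern); anything not matching is left alone,
# so ns1.eff.org and the commented-out legalis line never reach the rules.
BLOCK_RE='akamai|adform|doubleclick|facebook|fbcdn|gemius'

# host_list: "ip hostname" pairs for matching hosts, comments skipped,
# sorted so the output is stable from run to run.
host_list() {
    printf '%s\n' "$SAMPLE_RESO" | awk -v re="$BLOCK_RE" '
        /^#/ { next }
        NF >= 2 && tolower($2) ~ re { print $1, $2 }' | sort
}

# ip_csv: the comma-separated address list that iptables -s/-d accepts
# (iptables expands it into one rule per address, so keep it short).
ip_csv() {
    host_list | awk '{ print $1 }' | paste -s -d, -
}

# rules: LOG then DROP, for packets coming from the hosts (INPUT) and for
# packets our own machine sends to them (OUTPUT). Without the OUTPUT pair
# the browser still opens the connections; only the replies get dropped.
rules() {
    csv=$(ip_csv)
    printf '%s\n' \
      "iptables -A INPUT  -p tcp -s $csv -j LOG --log-level error --log-prefix mrfw_schm_etal" \
      "iptables -A INPUT  -p tcp -s $csv -j DROP" \
      "iptables -A OUTPUT -p tcp -d $csv -j LOG --log-level error --log-prefix mrfw_schm_etal" \
      "iptables -A OUTPUT -p tcp -d $csv -j DROP"
}

rules
```

Review the printed rules before pasting them into a rules script: an address-based block on a CDN range such as akamai also cuts off every unrelated site served from the same addresses, which is the same over-blocking the post ran into with mojposao.hr.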
miroR


Joined: 05 Mar 2008
Posts: 826

PostPosted: Fri Oct 16, 2015 9:41 pm

I have tried again, and from the traffic captures and screencasts with the timestamps:

Code:

151001_1705


and

Code:

151001_1726


(for 2015-10-01 17:05 and 17:26) it is clear that I didn't succeed.

But in those with the timestamp:

Code:

151001_1728


I almost succeeded. But for reasons that I am now not sure were what I rushed to tell in the screencast (and which in short, consist of my typing of: 'Schmoog, you're lying!'; you can see at the very end of that screencast how I literally typed those words in). Because google was probably not able to reach back to my machine, because I had blocked it. So I shouldn't have rushed with my judgement.

(No escape though. I already posted the hashes of all that happened two days ago. My picking some from all the listed and hashed documents in this previous post is only to show what is a little more worth presenting and what is more easily explainable. It's already grown a lot, this topic.)

Still the thing appears to be, that without connecting to the Schmoog, and more precisely, without the Schmoog being allowed into my machine, legalis.hr is unable to even register new arrivals (or old re-logins and such).

And gets to the wrong conclusion. I typed in my perfectly correctly spelled address, miro [dot] rovis [at] croatiafidelis [dot] hr, but I got back, as you can see:
legalis wrote:

You have not entered an email address that we recognize. Please try again or contact the administrator (at 13:00 of Screen_151001_1728_g0n.mkv).


Because it waited for Schmoog to process the data, see (back around 12:10 and 12:20) that it contacts:
Code:

Connecting to www.googletagservices.com..


which is very, very bad. Selling Schmoog as good, as acceptable by default, is a crime. Crime against privacy.

In the dump_151001_1728_g0n_RESO.txt (in the dir dump_151001_1728_g0n.d/) I see nothing that contains the string googletag though.

And I believe I'm a little amazed and perplexed as to whether akamai is just a mask for google?

NOTE at proofreading. It's not:

https://en.wikipedia.org/wiki/Akamai

Because it's everywhere like google is, and it's, this case shows, particularly this set of my uncenz capture (the 'cast and the pcap with stamp '151001_1728') that legalis.hr was waiting for www.googletagservices.com but the only TLSv1.2 in the capture is from akamai.

NOTE at proofreading. See the note just above.

Just type in 'ssl' (without quotes) in the filter, and see for yourself.

And there is the 'Connecting to www.googletagservices.com..' notice in bottom of the Fox (in the status bar, on the left). So...

Anyway, I noticed that I have, yes, blocked all those in the INPUT chains, but my machine is attempting to connect to them (because Fox is all set up for the Schmoog, sadly; like one of the preferred wives of a sultan; all of hers is open to the emperor Octopus!)...

[Anyway, I noticed that I have, yes, blocked all those in the INPUT chains, but my machine is attempting to connect to them], because I did not add a rule to block my machine connecting to them in the OUTPUT chains (some of those at least I need to add blocking rules to).

Apparently, and see how long all this study took me (and I'm not a beginner here)... I will have to connect to the emperor Octopus of the internet if I want to just register/login to http://www.legalis.hr .

No, I don't hate the Octopus without a reason. They ruined all of my work, of more than 5 yrs of posting videos on Youtube, and invented copyright breaches to terminate my account. You can read more about it on:

Really? The Surveillance Engine Terminated All My Videos
http://forums.debian.net/viewtopic.php?f=3&t=113059

and my public reply and some questions put to Google (where Google stands for the Schmoog of course), you can read at:

https://github.com/miroR/flowstamp/blob/master/flowstamp_HR_U_2.txt

But that only led me to look more closely what that company does, and while my religion does not allow me to hate people, I do hate what that idiotic company does.

This story (however few people that can get so far as to understand these issues) is far from over.

Because now I see what the probable cause is that I just couldn't log into my pages with Fox on the http://www.plus.hr server where my NGO's http://www.CroatiaFidelis.hr website is hosted! It was a few months ago, and I wondered what all the akamai and google were doing there during all of my attempts (all failing) to log in!

Most firms, most sites, sell their customers to the Schmoog right away. So many login services are from the bosom of the Octopus!

I never would have thought I would be seeing this ugliness so widespread (if I'm not mistaken in my understanding and if my assumptions are correct: not all is provable what I concluded, but do give us clearer and more complete explanations, if you know, and only if you do know, better).

Not done, this topic is not done yet. And I originally (I'm adding this at proofreading time) I even thought I could not postpone it, because I needed some of the services that I was in vain trying to access here, as well as elsewhere... But it's so hard, so complex, by the nature of the tech, and by some deliberate convolution by the already blamed big players... It's so hard!

I am posting here partly out of despair for my inability to solve these things and know exactly what is going on...

But there seems to be some amount of dishonesty among the knowledgeable (no I don't mean just Schmoog and such employees, it's much wider).

Just look at this thread on Wireshark mailing lists. I'll give you my message, because I don't like blaming persons directly (other than public personages like Larry's --both Google and Oracle-- and such):

dissecting HTTPS traffic
https://www.wireshark.org/lists/wireshark-users/201510/msg00018.html

and you go back from there and deduce from the previous messages how people at numerous companies like to set up MitM attacks to break into their users SSL encrypted communications.

If I ever reach good and in depth understanding, I will try and teach openly to the newbies, and not hide from them and profit on them like some of the knowledgeable do, but teach them how to defend themselves from surveillance.

"Defend" is not wrong to say. Surveillance is for the sake of control. Its true aim is to control you. And that's imposition of others' will on you, so something to defend yourself from.

I will next make some analysis on the set timestamped 151001_1728 and put some more of the resulting files, if any, into the dump_151001_1728_g0n.d/ dir.


Last edited by miroR on Sat Oct 17, 2015 12:03 pm; edited 1 time in total
miroR
PostPosted: Fri Oct 16, 2015 9:42 pm

At 5:52 of screencast Screen_151001_1728_g0nR.mkv you can see that I'm opening another page. I'll start from there, as I don't have time to research the entire dump.

On that page you can read:
legalis wrote:

The two email addresses that you entered did not match.
To korisničko ime se već koristi ili nije pogodno za korištenje. Ako ste vi miroR i zaboravili ste vašu zaporku, kliknite ovdje.

Entire text in translation:
legalis wrote:

The two email addresses that you entered did not match.
That username is already in use or is not adequate for using. If you are miroR and you forgot your password click here.

being there a link underneath "here". I want to find that text in the dump.

BTW, the two email addresses were not same, if you go back to 1:47 you can see that when I typed the first one, the key for the letter 's' didn't do the work (probably I didn't press it hard enough).

It's good having 'casts, because it tells you the page that loaded (but you can only see it loaded later, when I, at 9:18, decide to click into the tab of that page).

I fill in that page my miro [dot] rovis [at] croatiafidelis [dot] hr address, supply the correct answer to the question ("Kako se zove glavni grad Hrvatske?" means "What is the name of the capital of Croatia?"), and at 9:56 I click on "Zatraži korisničko ime i zaporku" which means "Request username and password".

You can see that I release that button after I pressed it, at
Code:

Oct  1 17:38:15

That you can see in bottom left of the screen, because my tailf'd /var/log/messages are being shown, and the lines in the log start with the time of day in that format.

Also during most of this time you can see in Firefox's status bar "connecting to www.google-analytics.com..".

The page that I will try and find in the tcp streams didn't show before 6:45, and when I click on its tab at 9:18 it is already loaded.
If
9:56 -> 17:38:15
then
6:45 -> 17:34:04

So I need not search through the tcp streams that start before 17:34, I believe.

I followed and saved more streams, but this one is in the dir: dump_151001_1728_g0n_s068.dump

However, it's only HTTP headers, no other content. It's related to the point in the screencast, because it has:

Code:

Referer: http://www.legalis.hr/forum/login.php?do=lostpw


where obviously lostpw stands for lost password. Good admins don't name things wrong, unless... Unless, like Facebook, some two posts back, they decide to play tricks such as violate gzip format, to hide things. (That was playing tricks, else it could be that Facebook are incompetent in these matters, but hardly anyone could claim the latter with any credibility...)

And that one happens (it's all in the medium pane of the Wireshark), btwn 17:34:10.7 and 17:34:25.8 (

which matches fine. The screencast is 14:06, while the pcap is 13:50 in duration, look up the uncenz code in the github, and also understand that I am not online constantly, but in only rare intervals of time, each from just after I fire up uncenz-1st to just before I issue the uncenz-kill command. Only. (Remember they falsely accused me of spamming. I can't let them control my machine. I have to control it!). And also ffmpeg is killed after the dumpcap, let alone that the dumpcap runs on empty, no packets really, at first, and mostly also before all is killed ('kill' is just unix terminology; I didn't invent it)

).

Surely that's not the page yet.

But it's only less than 4 minutes to search for the page that I want to see from the traffic.

The 'google-analytics.com' are all empty streams 70, 71, and 72.

There is again, some content that I can not make anything out of: tcp stream 73 (just that it says: connect.facebook.net and also spdy/3.1 and http/1.1), which ssl stream is empty. The conversation is with:

104.87.44.107 e3821.dspe1.akamaiedge.net

I searched, but it's tiresome, and at this time I don't know how to employ Lua to do the stream extraction automatically for me.

But I found the message: "You have not entered an email address that we recognize. Please try again or contact the administrator."

It's in stream 102 from which I extracted: dump_151001_1728_g0n_s102_01.html

You can see that message in video at 12:59.

At that point in the video, you can see the "CLIENT RANDOM..." lines thrown out in the terminal. It's because I have in that terminal this job running:
Code:

$ tailf ~/.sslkeylogfile.log

But I don't think any of the session keys decrypt anything sensible. Mostly the decrypted SSL contents are empty.

A partial resumé on all of these legalis-sets is:

While you can see some important info I understood and, I believe, correctly diagnosed (the situation is idiotically sick, yes it is, and it is so in global terms)...

Still, you can also see, that I need to find a way to automate the processes here somehow. This sole 14 minutes set has 130 tcp streams in it. Doing all of them manually is too much work.

If anyone has any advice on how to do it, where is anything really good to start from to learn the knowhow, pls. do so. I believe other readers will be grateful too.

And in case I'll be destined to wait till I by an eventual kind short advice like on the Wireshark mailing list, get quickly what I was wondering if it ever existed (I'm talking about the NSS decryption of SSL streams, which was the main topic in the first posts of this topic)...

...And after all the loong months of not knowing about it...

And in case I'll be destined to wait till I figure it out myself, I promise that I'll try and share my knowledge with you, the readers here. Because while some of the readers are as selfish as some of those in the thread I linked to above, lots of the readers are worth the trouble of spreading the Free Open Source methods and knowhow to, lots of you the readers are worth the (little) trouble (the big trouble is getting the knowhow, not so much the sharing of it).

Also I don't know whether to continue with analyzing exactly these sets at all, since the most important info is, it appears to me (but do correct me if you, and only if you, know better) clear and I posted it.

Anyway, the time I can dedicate to these matters is limited...

Regards!
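The post above tails ~/.sslkeylogfile.log and then finds that most of the decrypted SSL contents come out empty. The following is an added example (not code from the thread or from Wireshark) that reads a key log in the NSS Key Log Format Firefox writes when SSLKEYLOGFILE is set and checks which captured ClientHello randoms actually have a key line: a session whose random is missing from the log stays opaque no matter how the capture is filtered. The log contents and randoms are constructed sample values, and the example also accepts the TLS 1.3 secret labels, which the 2015 captures would not contain.

```python
"""Which captured TLS sessions can a key log actually decrypt?

Added example, not code from the forum thread. Parses the NSS Key Log
Format (one record per line: LABEL <client_random hex> <secret hex>) and
checks every ClientHello random seen in a capture against it. All randoms
and secrets below are constructed sample values.
"""
import re

# Labels whose second field is the 32-byte ClientHello random. TLS <= 1.2
# sessions log CLIENT_RANDOM; TLS 1.3 sessions log per-phase secrets.
CLIENT_RANDOM_LABELS = {
    "CLIENT_RANDOM",
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
}

_LINE_RE = re.compile(r"^([A-Z0-9_]+)\s+([0-9A-Fa-f]+)\s+([0-9A-Fa-f]+)\s*$")

# Constructed sample log: a comment, one complete TLS 1.2 entry, two secrets
# of one TLS 1.3 session, and a truncated line (what a write cut short by
# stopping the capture mid-handshake looks like).
SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    "CLIENT_RANDOM " + "aa" * 32 + " " + "11" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "bb" * 32 + " " + "22" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "bb" * 32 + " " + "33" * 32,
    "CLIENT_RANDOM " + "dd" * 20,
]) + "\n"


def parse_keylog(text):
    """Return ({client_random: {label: secret}}, [(lineno, bad_line), ...]).

    Comment and blank lines are skipped; malformed lines are reported rather
    than silently dropped, so a truncated log is noticed.
    """
    keys, bad = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if m is None:
            bad.append((lineno, line))
            continue
        label, client_random, secret = m.groups()
        if label == "RSA":
            continue  # keyed by the encrypted pre-master, not by client random
        if label not in CLIENT_RANDOM_LABELS or len(client_random) != 64:
            bad.append((lineno, line))
            continue
        if label == "CLIENT_RANDOM" and len(secret) != 96:  # 48-byte master secret
            bad.append((lineno, line))
            continue
        keys.setdefault(client_random.lower(), {})[label] = secret.lower()
    return keys, bad


def decryptable_sessions(keylog_text, observed_client_randoms):
    """For each captured ClientHello random, the sorted labels the log has for it.

    An empty list means the session cannot be decrypted from this log.
    """
    keys, _ = parse_keylog(keylog_text)
    return {cr.lower(): sorted(keys.get(cr.lower(), {}))
            for cr in observed_client_randoms}


if __name__ == "__main__":
    keys, bad = parse_keylog(SAMPLE_KEYLOG)
    print("sessions with keys:", len(keys), "malformed lines:", bad)
    # constructed randoms standing in for what a capture would show
    print(decryptable_sessions(SAMPLE_KEYLOG, ["aa" * 32, "bb" * 32, "ee" * 32]))
```

In practice the observed randoms would be exported from the ClientHello frames with tshark's fields output (the `ssl.handshake.random` field in Wireshark of that era, `tls.handshake.random` today); any session reported with an empty list is one the key log never saw, typically because the key was logged by a different process or the log was rotated between capture and analysis.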
miroR
PostPosted: Sat Oct 31, 2015 3:44 am

If anybody wants more of SSL decryption, there is another really hard to solve issue (at least so it appears to me):

current title: Some issue with network
should be: Mozilla Cloud not-decryptable Download
https://forums.gentoo.org/viewtopic-t-1031758.html

(but I will only change the title after a few more views, the hashes... I don't like touching the posts where I post hashes)...
miroR
PostPosted: Mon Nov 02, 2015 12:04 pm

In this previous post I wrote:
[**] What is missing, and I don't know how to do it with tshark, is, I'd like to insert a column before the column that is currently the first column, which inserted-to-be column would hold the resolved host name (such as google for the Schmoog; lots of it in Firefox, the Schmoog is sitting in Fox: not good!, such as akamai, pagead and stuff; ah!, also sourceforge.net). And I want to ask on Wireshark how to do it.


Here's how.

Into an empty dir where you have all privs. Copy in there some dumps. E.g. I'll copy these that are (hopefully) still publicly available (read earlier, links there and all):

Code:

empty/dir-with-priv $ ls -l
total 1616
-rw-r--r-- 1 miro miro 675772 2015-09-21 23:48 dump_150921_2332_g0n.pcap
-rw-r--r-- 1 miro miro 978916 2015-09-27 18:50 dump_150927_1848_g0n.pcap
empty/dir-with-priv $


And now:

Code:

# for every capture: list the resolved hosts as "ip(hostname)" in $i.hosts
# ('read FAKE' pauses for Enter between captures)
for f in *.pcap; do
    i="${f%.pcap}"
    echo tshark -q -r "$f" -z hosts
    tshark -q -r "$f" -z hosts | grep -v '^#' | grep '[[:alpha:]]' \
        | sed 's/[[:space:]]/(/; s/$/)/' > "$i.hosts"
    read FAKE
done


Also:

Code:

# for every capture: only the IPs that got a name, one per line, in $i.hosts-N
for f in *.pcap; do
    i="${f%.pcap}"
    echo tshark -q -r "$f" -z hosts
    tshark -q -r "$f" -z hosts | grep -v '^#' | grep '[[:alpha:]]' \
        | awk '{print $1}' > "$i.hosts-N"
    read FAKE
done


And:

Code:

# for every capture: the IPv4 conversation table in $i.conv-ip
for f in *.pcap; do
    i="${f%.pcap}"
    echo tshark -q -r "$f" -z conv,ip
    tshark -q -r "$f" -z conv,ip > "$i.conv-ip"
    read FAKE
done


And the final longish line that will do the substitution that I wondered how to do it back a few posts ago

Code:

# for every capture: replace each named IP in $h.conv-ip by "ip(hostname)".
# grep -F -w and the escaped dots match the address literally and as a whole
# word, so 192.168.1.3 is not taken for 192.168.1.30 and '.' is no wildcard
for f in *.pcap; do
    h="${f%.pcap}"
    for i in $(cat "$h.hosts-N"); do
        j=$(grep -F -w "$i" "$h.hosts" | head -n 1); echo "$i -> $j"; read FAKE
        grep -F -w "$i" "$h.conv-ip"
        p=$(printf '%s\n' "$i" | sed 's/\./\\./g')
        sed -i.bak "s/\b$p\b/$j/" "$h.conv-ip"; read FAKE
        diff "$h.conv-ip" "$h.conv-ip.bak"; read FAKE
    done
done


No time for explanations, details, embellishments, tabbing, et cetera.

So, with that bash (primitive) processing, you get:

With Dillo:
# tshark -r dump_150921_2332_g0n.pcap -q -z conv,ip
(but the additions of the resolved hosts are with the bash above inserted)
Code:

================================================================================
IPv4 Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
192.168.1.3          <-> 46.51.197.89             241    176700     231     33872     472    210572    24.019174000       589.7156
205.134.191.174(marc.info)      <-> 192.168.1.3              145     11238     121    119608     266    130846   338.249268000       195.8425
216.34.181.60        <-> 192.168.1.3              113      9762     112    115825     225    125587   618.279041000       233.4181
192.168.1.3          <-> 137.117.229.219(www.dovecot.org)          104    114329     104      8883     208    123212    83.952226000       157.7557
192.168.1.3          <-> 67.158.26.137(wonkity.com)             26     34744      28      2182      54     36926    57.560851000         0.8682
192.168.1.3          <-> 192.168.1.1                7      1091       8       604      15      1695    57.267513000       280.9814
224.0.0.1            <-> 10.16.96.1                 7       434       0         0       7       434    90.990774000       749.9971
255.255.255.255      <-> 192.168.1.1                1       592       0         0       1       592     0.510912000         0.0000
255.255.255.255      <-> 0.0.0.0                    1       409       0         0       1       409     0.488053000         0.0000
================================================================================


With Firefox:
# tshark -r dump_150927_1848_g0n.pcap -q -z conv,ip
(but the additions of the resolved hosts are with the bash above inserted)
Code:

================================================================================
IPv4 Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
192.168.1.2          <-> 23.63.127.118(e872.g.akamaiedge.net)            397    527674     317     35578     714    563252    32.929597000        22.0994
127.0.0.1            <-> 127.0.0.1                408     39080       0         0     408     39080     0.000000000        61.4484
216.58.209.162(pagead46.l.doubleclick.net)       <-> 192.168.1.2               88     10607      98     60515     186     71122    34.602984000         2.9523
216.58.209.194(partnerad.l.doubleclick.net)       <-> 192.168.1.2               68      5777      62     65107     130     70884    33.133720000        20.1780
192.168.1.2          <-> 192.168.1.1               40     10925      40      3330      80     14255    30.476933000         7.9108
216.34.181.60(sourceforge.net)        <-> 192.168.1.2               38      3568      37     28778      75     32346    32.363382000        11.3056
216.58.209.193(pagead-googlehosted.l.google.com)       <-> 192.168.1.2               31      3118      39     39683      70     42801    35.857940000         0.3652
208.117.229.250(www-google-analytics.l.google.com)      <-> 192.168.1.2               26      5645      24      8362      50     14007    33.388199000        22.8297
208.117.229.248(www-google-analytics.l.google.com)      <-> 192.168.1.2               24      2410      23     17141      47     19551    34.879513000         0.3704
192.168.1.2          <-> 54.230.46.170(dd1f6ymc64rwu.cloudfront.net)             18     17623      21      1804      39     19427    33.136730000        20.2186
192.168.1.2          <-> 74.125.24.95(googleadapis.l.google.com)              15      5580      19      2121      34      7701    32.923574000         1.5411
192.168.1.2          <-> 173.194.44.23(www.google.hr)             15      5511      17      2084      32      7595    35.448949000         0.3683
192.168.1.2          <-> 173.194.44.19(www.google.com)             15      5887      17      2081      32      7968    35.124572000         0.3434
192.168.1.2          <-> 46.137.174.129(consent-icon-frontend-1667419262.eu-west-1.elb.amazonaws.com)            10      6364      13      1604      23      7968    34.896746000        20.4715
192.168.1.2          <-> 23.63.139.27(e8218.ce.akamaiedge.net)               8      2523      11      1190      19      3713    35.064187000        20.1878
192.168.1.2          <-> 46.33.68.128(a1158.b.akamai.net)               8      2488      11      1208      19      3696    33.139425000        20.1483
216.34.181.63(www.sourceforge.net)        <-> 192.168.1.2                6       740       4       442      10      1182    31.386185000        20.6129
216.34.181.81(goparallel.sourceforge.net)        <-> 192.168.1.2                4       280       3       216       7       496    38.388114000         6.2801
224.0.0.1            <-> 10.16.96.1                 1        62       0         0       1        62    48.812905000         0.0000
255.255.255.255      <-> 192.168.1.1                1       592       0         0       1       592    22.120562000         0.0000
255.255.255.255      <-> 0.0.0.0                    1       409       0         0       1       409    22.101373000         0.0000
================================================================================
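The bash loops in this post do the host substitution with grep and sed. As an added example (not the forum author's script), the following does the same step in Python: it parses the `tshark -z hosts` output, rewrites the `conv,ip` table with `ip(name)` tokens, and also reports the addresses the capture never resolved, which is what you have to look up by hand afterwards. IPs are matched as whole tokens, so no dot acts as a regex wildcard, and every name tshark listed for an address is kept. HOSTS_TEXT and CONV_TEXT are constructed samples laid out like the tshark output shown above, not the thread's own capture files.

```python
"""Annotate tshark 'conv,ip' output with the names from tshark 'hosts'.

Added example, not the forum author's script. The two text blocks are
constructed samples in the layout of tshark's output, not real captures.
"""
import re

# Constructed sample in the layout of `tshark -q -r x.pcap -z hosts`
HOSTS_TEXT = """\
# TShark hosts output
#
# Host data gathered from dump_sample.pcap

205.134.191.174\tmarc.info
137.117.229.219\twww.dovecot.org
67.158.26.137\twonkity.com
67.158.26.137\twww.wonkity.com
"""

# Constructed sample in the layout of `tshark -q -r x.pcap -z conv,ip`
CONV_TEXT = """\
================================================================================
IPv4 Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |
192.168.1.3          <-> 46.51.197.89             241    176700     231     33872     472    210572
205.134.191.174      <-> 192.168.1.3              145     11238     121    119608     266    130846
192.168.1.3          <-> 137.117.229.219          104    114329     104      8883     208    123212
192.168.1.3          <-> 67.158.26.137             26     34744      28      2182      54     36926
================================================================================
"""

# An IPv4 address as a whole token: no digit or dot directly before or after it
_IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def parse_hosts(text):
    """Return {ip: [name, ...]} from `tshark -z hosts` output (comments skipped)."""
    hosts = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # an address tshark saw but could not name
        ip, name = parts[0], parts[1]
        names = hosts.setdefault(ip, [])
        if name not in names:
            names.append(name)
    return hosts


def annotate_conversations(conv_text, hosts):
    """Rewrite each IP token in the table as ip(name1,name2); unknown IPs stay as-is."""
    def tag(match):
        ip = match.group(1)
        names = hosts.get(ip)
        return f"{ip}({','.join(names)})" if names else ip
    return "\n".join(_IPV4_RE.sub(tag, line) for line in conv_text.splitlines())


def unresolved_ips(conv_text, hosts):
    """Addresses in the table that no DNS answer in the capture named."""
    seen = set()
    for line in conv_text.splitlines():
        seen.update(_IPV4_RE.findall(line))
    return sorted(ip for ip in seen if ip not in hosts)


if __name__ == "__main__":
    h = parse_hosts(HOSTS_TEXT)
    print(annotate_conversations(CONV_TEXT, h))
    print("unresolved:", unresolved_ips(CONV_TEXT, h))
```

Feed it the two files the loops above produce (the raw `-z hosts` text and the `conv,ip` text) and the annotated table comes out with the same column content as the bash version; the unresolved list is the set of peers whose name did not come from a DNS answer inside the capture, so a name for them has to come from a reverse lookup done separately.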
miroR
PostPosted: Mon Nov 02, 2015 5:37 pm

The lines of a future script in the previous post, worked perfectly before going on the wire...

But when I copied and pasted, esp. the "longish" line, from that post just above here, and wanted to use those lines, it didn't work.

I discovered what happened, and if it doesn't work for you, pls. correct the lines, if this:

phpBB Strange White Space problem
https://forums.gentoo.org/viewtopic-t-1032010.html

after your inspection, happens to be the case. And those lines will work.

Regards!
miroR
PostPosted: Sun Nov 08, 2015 4:35 pm

Filed a bug:

wireshark-2 saves different tcp streams (non-decryptable/non-gunzip'able)
https://bugs.gentoo.org/show_bug.cgi?id=565152

because these procedures that I described can not be reproduced, or are reproduced incorrectly, and SSL/plain streams non-decryptable/non-gunzip'able.

Regards!
miroR
PostPosted: Thu Nov 19, 2015 12:47 pm

There could be very useful methods to learn, if I get help on Wireshark ML, where I just posted:

follow [tcp|ssl].stream with tshark
https://www.wireshark.org/lists/wireshark-users/201511/msg00033.html
miroR
PostPosted: Sun Nov 29, 2015 5:12 pm

I have been working a lot on reading the traffic. For people who found interest in reading this topic (and, judging by the number of views, the interest does not seem to be waning; currently 5190 views), there could be some of these topics of interest, as they are related to SSL decryption:

How to extract content from tshark-saved streams? [[ where find, at the current end, link to my script to extract all the tcp and ssl streams with one command, and more ]]
https://forums.gentoo.org/viewtopic-t-1033844.html

More non-Decryptables (from Mozilla Cloud) [[ but read the news about reimplemented disconnect of, say, Schmoog's own tracking by Mozilla devs ]]
https://forums.gentoo.org/viewtopic-t-1034140-highlight-.html#7848104

(and I wrote more in other topics these days), but these are the most useful.

Regards!
miroR
PostPosted: Mon Mar 28, 2016 12:27 pm

I keep learning as I use Wireshark/Tshark, and maybe this tip, buried a little in other information:

kernel panic not anymore logged as it used to be
https://forums.gentoo.org/viewtopic-t-1041336.html#7898382

can be useful, or even the script itself could suffice for many:

http://www.croatiafidelis.hr/foss/cap/cap-160327-nft/tshark-http-uri.sh

where it reads:
Code:

#!/bin/bash

if [ $# -eq 0 ]; then
    echo "Must give a PCAP file (and I won't check if it is one)."
    echo "Use this at your own risk!"
    echo "Pls. read some more in the script."
    exit 1
fi

raw=$1
i=${raw%.pcap}   # obviously, if the ext of your PCAP is not '.pcap', modify
# This line sorts the uri's alphabetically
tshark -q -r "$i.pcap" -T fields \
    -e 'http.request.full_uri' | sort -u > "${i}-http-request-full_uri.txt"
# This line only greps for lines with founds -- no alpha after numbers and
# space, not grep'ed in. Good for looking up that frame number in Wireshark
tshark -q -r "$i.pcap" -T fields \
    -e 'frame.number' -e 'http.request.full_uri' | grep \
    -E '^[0-9]{1,9}[[:space:]][[:alpha:]]' \
    > "${i}-frame-http-request-full_uri.txt"

but check it and verify it at:

http://www.croatiafidelis.hr/foss/cap/cap-160327-nft/

Regards!
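The script in this post extracts the request URIs and their frame numbers with tshark and then sorts and greps the text. As an added example (not the script from the post or from Wireshark), the following post-processes that same `-T fields` text in Python: it drops the frames with no HTTP request, returns the unique URI list the `sort -u` step gives, and additionally groups the requests by host, which shows at a glance how many of a page load's requests went to third parties. FIELDS_TEXT is a constructed sample of the tab-separated output (frame number, then the URI); the hosts in it are ones named in this thread.

```python
"""List and group the HTTP request URIs a capture contains.

Added example, not the script from the forum post. Input is the text of
`tshark -r x.pcap -T fields -e frame.number -e http.request.full_uri`:
one line per frame, fields tab-separated, URI empty for frames without an
HTTP request. FIELDS_TEXT is a constructed sample, not a real capture.
"""
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample of tshark -T fields output: frame number TAB full_uri
FIELDS_TEXT = (
    "1\t\n"
    "2\t\n"
    "7\thttp://www.legalis.hr/forum/login.php?do=lostpw\n"
    "9\thttp://www.google-analytics.com/ga.js\n"
    "12\thttp://www.legalis.hr/forum/login.php?do=lostpw\n"
    "15\thttp://www.googletagservices.com/tag/js/gpt.js\n"
    "16\t\n"
)


def parse_frame_uris(text):
    """Return [(frame_number, uri), ...] for the frames that carry an HTTP request.

    A frame holding several pipelined requests shows up with the URIs joined
    by tshark's field aggregator (a comma by default); that is left as-is here.
    """
    out = []
    for line in text.splitlines():
        if "\t" not in line:
            continue
        frame, uri = line.split("\t", 1)
        if not frame.isdigit() or not uri.strip():
            continue
        out.append((int(frame), uri.strip()))
    return out


def unique_uris(text):
    """The script's `sort -u` step, minus the empty entry the blank lines produce."""
    return sorted({uri for _, uri in parse_frame_uris(text)})


def requests_per_host(text):
    """Count requests by host, e.g. to see how many went to a tracker."""
    return Counter(urlsplit(uri).hostname for _, uri in parse_frame_uris(text))


if __name__ == "__main__":
    for frame, uri in parse_frame_uris(FIELDS_TEXT):
        print(frame, uri)
    print(requests_per_host(FIELDS_TEXT).most_common())
```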
miroR
PostPosted: Mon Mar 28, 2016 12:33 pm

Another note. I had in the meantime learned that the advice that I vaguely arrived at, cleverer people have suggested as well:

From this post in the discussion:

Should firefox be removed from portage?
https://forums.gentoo.org/viewtopic-t-1038430-start-25.html#7880354

I learned:
https://airvpn.org/topic/15769-how-to-harden-firefox-extreme-edition/

where you can read, among other things:

Code:

// 2614: disable SPDY as it can contain identifiers - https://www.torproject.org/projects/torbrowser/design/#identifier-linkability  (see no. 10)
user_pref("network.http.spdy.enabled", false);
user_pref("network.http.spdy.enabled.v3-1", false);

// 2615: disable http/2 for now as well - need more info
user_pref("network.http.spdy.enabled.http2", false);
user_pref("network.http.spdy.enabled.http2draft", false);