Maemish | Posts: 1,719 | Thanked: 4,765 times | Joined on Apr 2018 @ Helsinki, Finland.
#61
The phone manufacturer (and your phone's original software developers) have more access to your phone when you do not make this update. These updates have been made to give them less access (as well as just to make the phone work better, because internet sites have changed and the software contains old packages which may give access to the phone more easily if the software is not updated). But I think you now have enough information on why you should update. Otherwise it would be better not to use the N900 if security and control over your device is your goal.
__________________
"I don't know how but I can try!" (active)

Master of not knowing (active)

For me it is possible to get lost in any case (active)

Learning to fall from high (DONE)

Learning to code with BASIC (WIP)
 

The Following 2 Users Say Thank You to Maemish For This Useful Post:
oldnumpty | Posts: 10 | Thanked: 13 times | Joined on Dec 2019 @ Australia
#62
Originally Posted by Koiruus View Post
You do realize that this "third party" is how FOSS works, basically?
No, it doesn't. "Free" does not mean handing control of what is running to somebody else. Having the freedom to run what you wish is fundamental.
 

The Following User Says Thank You to oldnumpty For This Useful Post:
Koiruus | Posts: 256 | Thanked: 939 times | Joined on Jun 2014 @ Finland
#63
Yes, but by being too fundamental you end up having to build your OS by yourself. Think about that: perfect freedom to run just the stuff you want! The rest of us, not capable of building our own systems, have to rely on something already made, like the CSSU in this case. You may call it third party and unreliable, but then you'll have to make your own OS. Because sticking to the original N900 firmware and speaking of freedom is just lying to yourself.
 

The Following 4 Users Say Thank You to Koiruus For This Useful Post:
oldnumpty | Posts: 10 | Thanked: 13 times | Joined on Dec 2019 @ Australia
#64
I haven't had to make my own OS, I've been using what's installed on the phone for years. This is the first hiccup I've had because of "old age".

Anyway, I've finally had a chance to look through the settings in Opera, and there are settings in about:config to enable TLS 1.1 and TLS 2.1, which I've done. DuckDuckGo seems happy again, so I'm sorted (at least for the time being).

Thanks again for the help.
 

The Following 3 Users Say Thank You to oldnumpty For This Useful Post:
Halftux | Posts: 868 | Thanked: 2,516 times | Joined on Feb 2012 @ Germany
#65
So I had some time to use nginx as a reverse proxy and it seems to work.
For testing I used a TLS v1.2 page with SNI and new ciphers:

https://fancyssl.hboeck.de/

Supported ciphers from the server:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp521r1 (eq. 15360 bits RSA) FS 256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 2048 bits FS

Success: MicroB was able to show me the page.

So in MicroB I put http://fancyssl.hboeck.de and could see the page.
When I was using https I got an ssl_error_no_cypher_overlap. It could be that nginx was using the cipher from MicroB, which is not allowed with fancyssl.

So it was easier than I thought; in the end I used this information here:

https://superuser.com/questions/1487...era-wi/1487784

So all connections from MicroB to nginx are http requests which get translated to https. You only need to set the proxy in the connection settings to 127.0.0.1.

Last edited by Halftux; 2020-03-29 at 16:06.
 

The Following 7 Users Say Thank You to Halftux For This Useful Post:
Maemish | Posts: 1,719 | Thanked: 4,765 times | Joined on Apr 2018 @ Helsinki, Finland.
#66
Would it be possible to show this in screenshots, how and what and exactly where, instead of just "set the proxy in connection settings to"? I just mean that I have never made any changes to any connection settings on the N900, so the bar is high for me to try, because I do not know everything I need to know: are there some other things to choose or click/tag or write, etc.?
 

The Following User Says Thank You to Maemish For This Useful Post:
Halftux | Posts: 868 | Thanked: 2,516 times | Joined on Feb 2012 @ Germany
#67
Originally Posted by Maemish View Post
Would it be possible to show this in screenshots, how and what and exactly where, instead of just "set the proxy in connection settings to"?
Sorry, this I count as basic knowledge/settings. This thread explains it very well:

HowTo: Nokia N900 HTTP Proxy Setup Tutorial

My post belongs to the at-the-moment solo discussion started in post 44 in this thread, but all others are welcome to join. There you will also find nginx, which you will need.

But I am still trying several things. What is working now is the http-to-https bump, and there I need to try different pages; it was working for the example page, which has strong limitations on connecting to it, but showing the http content there is no challenge. So it is still not clear how hard-coded URLs for scripts/images behave.

But I would like to have an https (TLS v1.0) bump to higher TLS versions, and this seems not so easy to set up. Normally the first one is enough, but for a paranoid person who is not sure whether something on the device is listening this would maybe be a little better, but it is no guarantee...
 

The Following 7 Users Say Thank You to Halftux For This Useful Post:
Halftux | Posts: 868 | Thanked: 2,516 times | Joined on Feb 2012 @ Germany
#68
I am really surprised how well it works with this reverse proxy, and the good thing is that all http requests from any application will be redirected to https.
One problem is that links and other embedded things are linked to https, or the browser tries to fetch them over https.
So nginx needs to take care of that and, when configured right, will filter all supported MIME-type data to replace the https string.
So I guess this method has limits (for example the test from ssllabs.com redirects to port 8443), but MicroB has limits too. I will post my server section, which works well for me. If you face some problem you could tweak the sub filter types and the sub filter to get different results.

Example:
Code:
sub_filter_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;



Tested with:

http://www.howsmyssl.com
http://wikipedia.org
http://fancyssl.hboeck.de
and some more ...
howsmyssl reports "probably ok" with no vulnerability.

Here are the steps to give MicroB or other apps a new TLS encryption feature.

Requirements: openssl 1.1.0h
nginx 1.16.1 Depends: libc6 (>= 2.5.0-1), libgcc1 (>= 1:4.4.0), libpcre3 (>= 4.5), libssl1.1 (>= 1.1.0h), zlib1g (>= 1:1.2.1)


1. Install the nginx deb from post 44. Check for libpcre3 with dpkg --list | grep libpcre

2. Set up a reverse proxy server in /etc/nginx/nginx.conf
which listens on port 80 and turns http requests into https (with TLS 1.2 support and new ciphers):

Code:
server {
    listen       80;
    server_name  localhost;

    location / {
        # local resolver, needed because $host is looked up at request time
        resolver 127.0.0.1;
        #proxy_pass https://$host:443;
        # forward the plain-http request to the same host over https
        proxy_pass https://$host$request_uri;
        #proxy_set_header Host $http_host;
        # ask upstream for an uncompressed body so sub_filter can rewrite it
        proxy_set_header Accept-Encoding "";
        # rewrite https Location headers on redirects back to http
        proxy_redirect https:// http://;
        # replace every https:// in the body (all MIME types) with http://
        sub_filter_once off;
        sub_filter_types *;
        sub_filter "https://" "http://";
        #sub_filter "https://$host" "http://$host";
    }
}
3. In the connection settings, change the http proxy to 127.0.0.1 port 80. See the screenshot.

4. Start nginx as root (located in /opt/nginx/).

Code:
sudo gainroot
cd /opt/nginx
./nginx
To stop nginx you could use "./nginx -s quit".
Another way could be to add an init.d script; as a starting point you could use this.

With this configuration https requests will not be processed by the proxy (only http); this means that MicroB would initiate the connection with TLS v1.0 without sub-processing by nginx, which could make it faster. To prevent this behaviour you could add another proxy, an HTTPS proxy in the N900 settings with 127.0.0.1:443, and add a server to nginx.conf which listens on that port and redirects to http, which will then be handled by the other proxy on port 80.

Code:
server {
    # catch-all for the HTTPS proxy setting: send everything back to http
    # so it goes through the port 80 proxy above
    listen 443;
    return 301 http://$host$request_uri;
}
Attached Images
  

Last edited by Halftux; 2020-04-02 at 19:27.
 

The Following 10 Users Say Thank You to Halftux For This Useful Post:
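A hardened variant of the port 80 server block from the post above, added here as an example; it is not Halftux's own configuration. The posted config works, but two nginx defaults deserve a second look. First, nginx does not verify the upstream certificate unless proxy_ssl_verify is on, so the TLS 1.2 hop the proxy adds is only as trustworthy as whoever answers the DNS lookup or sits on the Wi-Fi. Second, "listen 80;" binds every interface, so any host on the same network can use the phone as a relay to https://anything. The block assumes nginx 1.16.1 built against OpenSSL 1.1.0h and a local resolver on 127.0.0.1 (both from the post), and a CA bundle at /etc/ssl/certs/ca-certificates.crt, which is an assumed path; point it at wherever your N900 keeps its CA bundle.

```nginx
# Added example (hardened form of the thread's proxy), not the post's own config.
# Assumed: CA bundle path below; nginx 1.16.1 / OpenSSL 1.1.0h as in the post.
server {
    # Loopback only. A bare "listen 80;" would also accept requests from the
    # LAN and relay them to https://<any host> on the phone's behalf.
    listen       127.0.0.1:80;
    server_name  localhost;

    location / {
        resolver 127.0.0.1;
        proxy_pass https://$host$request_uri;

        # Upstream TLS. nginx's default is proxy_ssl_verify off, i.e. any
        # certificate is accepted; turn verification on and pin the trust
        # store. Send SNI with the requested host name and refuse anything
        # below TLS 1.2 (OpenSSL 1.1.0 has no TLS 1.3 to offer anyway).
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        3;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;  # assumed path
        proxy_ssl_server_name         on;
        proxy_ssl_name                $host;
        proxy_ssl_protocols           TLSv1.2;
        proxy_ssl_ciphers             HIGH:!aNULL:!MD5:!RC4:!3DES;

        # Uncompressed upstream body so sub_filter can rewrite it.
        proxy_set_header Accept-Encoding "";
        proxy_set_header Host $host;

        # Same body/redirect rewriting as the post: keep absolute https links
        # flowing through this proxy instead of falling back to MicroB's TLS 1.0.
        proxy_redirect https:// http://;
        sub_filter_once off;
        sub_filter_types *;
        sub_filter "https://" "http://";
    }
}
```

Run ./nginx -t before starting it. With verification on, a certificate that does not chain to the bundle shows up as a 502 from nginx plus an "upstream SSL certificate verify error" line in error.log, instead of a silently accepted connection; if every site returns 502, the bundle path is wrong. Two limits stay: the browser still sees plain http, so cookies the site marks Secure are never sent back on later requests (nginx 1.16 has no proxy_cookie_flags to strip the flag), which can loop logins; and stock nginx has no CONNECT support, so a browser that tunnels HTTPS through the 443 catch-all in the post with CONNECT gets an error rather than the 301. That still keeps the TLS 1.0 connection from leaving the phone, which is the point of that block.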
Maemish | Posts: 1,719 | Thanked: 4,765 times | Joined on Apr 2018 @ Helsinki, Finland.
#69
Thank you very much!
 

The Following 2 Users Say Thank You to Maemish For This Useful Post:
Halftux | Posts: 868 | Thanked: 2,516 times | Joined on Feb 2012 @ Germany
#70
As a reminder, if you are using MicroB with TLS 1.0, by making https requests or using no proxy, you could make it a little bit more secure by removing certificates and disabling some ciphers and SSL3.

Removing certificates:
chrome://pippki/content/certManager.xul

Disabling ciphers and SSL3: in about:config search for ssl3

You could also edit /home/user/.mozilla/microb/prefs.js to disable SSL3 and the insecure RC4 ciphers.
Code:
// turn off SSLv3 entirely
user_pref("security.enable_ssl3", false);
// drop the 3DES and RC4 cipher suites
user_pref("security.ssl3.rsa_fips_with_3des_ede_cbc_sha", false);
user_pref("security.ssl3.ecdh_ecdsa_rc4_128_sha", false);
user_pref("security.ssl3.ecdh_rsa_rc4_128_sha", false);
user_pref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false);
user_pref("security.ssl3.ecdhe_rsa_rc4_128_sha", false);
user_pref("security.ssl3.rsa_rc4_128_md5", false);
user_pref("security.ssl3.rsa_rc4_128_sha", false);
For changing the user agent you could use "hide user agent" or "User Agent Tool", or general.useragent.vendor in about:config.

If you are using the proxy and want to disable the old https behaviour, you should add an https proxy, 127.0.0.1:44 for example, which points to nowhere, so that these requests can't get to the outside. But this will affect not only MicroB; it is a temporary solution, and also not really needed!!! Maybe you could add the proxy only in about:config, or you need to set up an https proxy with SSL bump.

Last edited by Halftux; 2020-04-01 at 12:01.
 

The Following 2 Users Say Thank You to Halftux For This Useful Post: