Active Topics

 


Reply
Thread Tools
Posts: 567 | Thanked: 2,965 times | Joined on Oct 2009
#21
One thing we definatly need to do if we upgrade NSS or otherwise update the security for the N900 is to make sure it passes this test page
https://www.ssllabs.com/ssltest/viewMyClient.html
and doesn't bring up any red flags on there.

Right now it shows a bunch of red flags.
Bringing in a newer version of NSS would probably solve a lot of this (since it would have SSL3 turned off and TLS1.2 support and not support weak ciphers and etc)
 

The Following 11 Users Say Thank You to jonwil For This Useful Post:
Posts: 1,808 | Thanked: 4,272 times | Joined on Feb 2011 @ Germany
#22
Originally Posted by Dongle Fongle View Post
I checked my security settings at gmail, having 'access restricted from apps with weaker security', it won't work in the N900s mail client.
Note that the above setting prevents *any* client from using IMAP (or POP3) to connect to gmail. It's not just N900 but every standard IMAP client cannot work when that setting is on.

Some call it security. Others call it vendor-locking.
 

The Following 10 Users Say Thank You to reinob For This Useful Post:
Posts: 368 | Thanked: 975 times | Joined on Aug 2013
#23
This post from Sulu made me curious about the current state of browsers used in Fremantle.
As mentioned by jonwil there is a website to do a certain browser security test.

Originally Posted by jonwil View Post
One thing we definatly need to do if we upgrade NSS or otherwise update the security for the N900 is to make sure it passes this test page
https://www.ssllabs.com/ssltest/viewMyClient.html
and doesn't bring up any red flags on there.
I checked the browsers I sometimes use.

Stock browser - Insecure in Protocol Support, Logjam Vulnerability, Poodle Vulnerability, Cipher Suites (6x), Protocol Details

Surf (easy Debian) - insecure in Cipher Suite (5x), Protocol Details

eww - Emacs (doesn't have javascript enabled) - insecure in Cipher Suite (6 and 3 weak), Protocol Details

Iceweasel (easy Debian) - no security issues

Not sure what the worst offenders are, but at least Iceweasel seems to be okay for secure browsing.
Of course this is based on the assumption that the test provided by ssllabs is a good one.

So use the other browsers at your own risk I will not stop using Surf or eww but in some cases that I need / want security to be improved I will use Iceweasel.
 

The Following 9 Users Say Thank You to t-b For This Useful Post:
pichlo's Avatar
Posts: 6,447 | Thanked: 20,981 times | Joined on Sep 2012 @ UK
#24
In comparison, the same test run on...

1. My daughter's Android 4.4.2 tablet, stock browser: loads the page in split second, shows a sea of red (Logjam, Freak, Poodle, SSL3, 4 cipher suites...)

2. Jolla stock browser: takes ages to load the page, mostly green (4 cipher suites in red, different from the above)
__________________
Русский военный корабль, иди нахуй!
 

The Following 7 Users Say Thank You to pichlo For This Useful Post:
Posts: 368 | Thanked: 975 times | Joined on Aug 2013
#25
Originally Posted by pichlo View Post
In comparison, the same test run on...

1. My daughter's Android 4.4.2 tablet, stock browser: loads the page in split second, shows a sea of red (Logjam, Freak, Poodle, SSL3, 4 cipher suites...)
Interesting - I assume there are a lot of people using an insecure browser then.
Tbh - I have no idea what the red flags are all about and what are the worst issues. Most red flags doesn't necessarily mean the least secure.

I am also wondering what the risks are if you are just avoid browsing the sketchy sites. I usually use my N900 to browse one of the more well known news sites, a couple of boards or emacs sites so I feel relatively safe.

And even if you're targeted.. what can they do? What are the real world risks for browsing the web with an insecure browser with an N900, Android or Jolla phone?
In a worst case scenario an attacker can take over your phone, extract all data and delete your files - how much of a chance is that?
The attacker might also try to install a windows file on your N900. Good luck with that...

So it might look worse than the situation actually is. Any security experts here?
 

The Following 3 Users Say Thank You to t-b For This Useful Post:
Posts: 262 | Thanked: 315 times | Joined on Jun 2010
#26
Originally Posted by t-b View Post
Interesting - I assume there are a lot of people using an insecure browser then.
I would say so.

Tbh - I have no idea what the red flags are all about and what are the worst issues. Most red flags doesn't necessarily mean the least secure.

I am also wondering what the risks are if you are just avoid browsing the sketchy sites. I usually use my N900 to browse one of the more well known news sites, a couple of boards or emacs sites so I feel relatively safe.
Yes, I think you would be relatively safe. There are still man in the middle attacks (which many of the recent vulnerabilities relate to), but that requires somebody to have:
  • hacked networking equipment in a carrier, ISP, or, hosting company, and
  • the time and the interest to go after you, specifically

And even if you're targeted.. what can they do? What are the real world risks for browsing the web with an insecure browser with an N900, Android or Jolla phone?
In a worst case scenario an attacker can take over your phone, extract all data and delete your files - how much of a chance is that?
The attacker might also try to install a windows file on your N900. Good luck with that...
Probably the two worst things they could do would be:
  • install ransomware on your phone and encrypt your filesystem
  • install a rootkit on your phone and then silently collect information, hoping you'd log in to a website from which they could garner info, or use your phone in DDOSing, or even record your calls, switch on your webcam, etc

Neither of these are 'low hanging fruit' with regard to N900 by any means and would require more work.

So it might look worse than the situation actually is. Any security experts here?
I think due to the fact that the browser on N900 is so old (and the hardware so RAM-starved) we're less inclined to do much browsing with it, so I think we're probably safer than many other devices.

But we really should not be complacent, either!
 

The Following 9 Users Say Thank You to Xagoln For This Useful Post:
pichlo's Avatar
Posts: 6,447 | Thanked: 20,981 times | Joined on Sep 2012 @ UK
#27
It depends on the type of vulnerability. Some can expose your computer to a rogue script on a dodgy website but, as far as I understand, all of those on ssllabs are about SSL/TLS vulnerabilities. In other words, vulnerability to the man in the middle (MITM) attack.

It is easy to be targeted. Especially on a mobile device using WiFi. All you need is another device on the same network and eavesdrop on your traffic. This might be trickier on networks you are in charge of (such as at home), but easy on public networks or even at your workplace.

What is the worst thing they can do? Sure, installing malware would be about as bad as it can get but that is unlikely to happen through a MITM attack. It is more likely to simply sniff your traffic and hope to extract from it some sensitive info. If you can avoid it, do not do online banking (including eBay/Amazon/flight ticket etc purchase) on a public WiFi.
__________________
Русский военный корабль, иди нахуй!
 

The Following 8 Users Say Thank You to pichlo For This Useful Post:
Posts: 262 | Thanked: 315 times | Joined on Jun 2010
#28
Originally Posted by pichlo View Post
It is easy to be targeted. Especially on a mobile device using WiFi. All you need is another device on the same network and eavesdrop on your traffic. This might be trickier on networks you are in charge of (such as at home), but easy on public networks or even at your workplace.
That's a very good point that my answer overlooked. It's easy enough for a malicious sysop of a public wifi to install something like sslstrip, and/or to portscan your phone to look for vulnerable versions of any daemons that may be listening. Or to silently inject malicious content into your browsing session.

Tunneling your browsing via your own home server (e.g. over SSH or openvpn) would prevent many of these attack vectors, but of course it'll be slower.
 

The Following 6 Users Say Thank You to Xagoln For This Useful Post:
Halftux's Avatar
Posts: 868 | Thanked: 2,516 times | Joined on Feb 2012 @ Germany
#29
Originally Posted by Xagoln View Post
to portscan your phone to look for vulnerable versions of any daemons that may be listening.
This could be prevented in droping all incoming packages or use genwall in stealth mode.

I would never do a bank transfer with a mobile phone, only with a live boot cd with a system and browser you trust.

However to make maemo more secure we need to fix the root of the problem.

We need to get rid of the closed blobs. Then we can have a new kernel and make an up to date development environment.
After that porting maemo to other hardware, this will increase the intrest in maemo. The result will be that many people have the intrest to keep maemo updated and it would be much easier than now with an outdated development environment.

But who has the power to do so?
Make huge donation to hire somebody?

Or all the rest of the developer should work together and focus on one problem and go on step by step through a list?

In general it would be nice to have more wiki documentations about reverse engineering, one page to read to get kernel compilation from nowdays with provided source and config from all different kernels.

The community need to learn how to deal with the problem I guess many want to help but they have not the knowledge to do. So please share as much as possible.

I know to become a good hacker you need to read and try many things but to gain more power for the next generation you need to teach that the future goes on and not standing still on the same place or level.

Sorry many things maybe already said If you feel so you could just ignore me.
 

The Following 7 Users Say Thank You to Halftux For This Useful Post:
wicket's Avatar
Posts: 634 | Thanked: 3,266 times | Joined on May 2010 @ Colombia
#30
Originally Posted by Xagoln View Post
Probably the two worst things they could do would be:
  • install ransomware on your phone and encrypt your filesystem
  • install a rootkit on your phone and then silently collect information, hoping you'd log in to a website from which they could garner info, or use your phone in DDOSing, or even record your calls, switch on your webcam, etc
Both programs that MicroB is comprised of (browser and browserd), run as the user user. For the two points above to be possible, a vulnerability would need to be exploited in the kernel or some other software. This may be possible indirectly through some other MircoB exploit, otherwise MicroB itself is completely safe from these.

As has already been mentioned, the main threat comes from MitM attacks but the problem is not only limited to wireless networks. Given these vulnerabilities in MicroB, I'd assume that pretty much all communications including passwords and other sensitive data are being intercepted. Global surveillance programmes have been well documented.
__________________
DebiaN900 - Native Debian on the N900. Deprecated in favour of Maemo Leste.

Maemo Leste for N950 and N9 (currently broken).
Devuan for N950 and N9.

Mobile devices with mainline Linux support - Help needed with documentation.

"Those who do not understand Unix are condemned to reinvent it, poorly." - Henry Spencer
 

The Following 7 Users Say Thank You to wicket For This Useful Post:
Reply

Tags
fremantle, microb


 
Forum Jump


All times are GMT. The time now is 20:24.