Calomel security plugins

Talk about internet security, computer security, personal security, your social security number...
morganism
Senior Member
Posts: 134
Joined: Tue Nov 26, 2013 9:44 pm

Calomel security plugins

Post by morganism »

These seem to be working well. Haven't seen any conflicts yet.
Grades out SSL connection with a visual key

https://calomel.org/firefox_ssl_validation.html

Some good info tucked into the site also

https://calomel.org/

Have also added the :clean places now: addon for autosweeping, and have added the SDCookies plugin also.
kukla
Senior Member
Posts: 317
Joined: Mon May 04, 2009 12:08 am

Re: Calomel security plugins

Post by kukla »

Very hard to please. Just started using this Add-on for FF, and it's reporting most HTTPS as either weak or very weak. The highest rating I've seen is 73% (e.g. Google HTTPS, which gets a "moderate") if using Perfect Forward Secrecy. According to Calomel, you hardly want to entrust any site with any kind of sensitive data, not even the brand of dog food you buy.
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: Calomel security plugins

Post by Thrawn »

kukla wrote: According to Calomel, you hardly want to entrust any site with any kind of sensitive data, not even the brand of dog food you buy.
Makes you think, doesn't it? :D
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
kukla
Senior Member
Posts: 317
Joined: Mon May 04, 2009 12:08 am

Re: Calomel security plugins

Post by kukla »

Well, since I'm probably not going to start hand delivering the identity of that dog food brand, I'm not sure what purpose the paranoia this creates serves. But I'd like to know why security credentials like this rate a "very weak." And, although it would be nice, I don't see every HTTPS site using PFS anytime in the near future, if that's what it takes to get a better rating.

dhouwn
Bug Buster
Posts: 968
Joined: Thu Mar 19, 2009 12:51 pm

Re: Calomel security plugins

Post by dhouwn »

kukla
Senior Member
Posts: 317
Joined: Mon May 04, 2009 12:08 am

Re: Calomel security plugins

Post by kukla »

dhouwn wrote: Maybe cross-check using https://www.ssllabs.com/ssltest/, in this case, see https://www.ssllabs.com/ssltest/analyze ... .apple.com.
Excellent. Thanks for that.
kukla
Senior Member
Posts: 317
Joined: Mon May 04, 2009 12:08 am

Re: Calomel security plugins

Post by kukla »

I have been using both Calomel and Qualys. Sometimes there is a huge difference between the results provided by the two. For example, ameli-rfe.fr/

Qualys gives this site an F and Calomel gives it a Moderate Yellow at 71%, and says it is using PFS, where Qualys says it isn't. Is Qualys perhaps looking at the IP for amelie.fr, not amelie-rfe.fr? Calomel does show the former as Very Weak. Are they looking at different IPs? If not, then how can this be explained?
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: Calomel security plugins

Post by Thrawn »

The Handshake Simulation table on Qualys shows that some of the reference browsers - including Firefox - will use a strong cipher that supports PFS, while many others will not. So Calomel, which lives in Firefox, is happy, but Qualys, which tests across the board, correctly warns that some clients will not have PFS.

The 'F' rating, as mentioned at the top of the page, is because the server supports SSL2. But modern Firefoxes disable SSL2 anyway. If you're really concerned about security, then you should disable SSL3 too.
kukla
Senior Member
Posts: 317
Joined: Mon May 04, 2009 12:08 am

Re: Calomel security plugins

Post by kukla »

Thrawn wrote: If you're really concerned about security, then you should disable SSL3 too.
Can you please explain?

This is what I'm seeing for SSL3 (Fx 29). Reading in several places that it is disabled in current Firefox. I understand zip about all these different prefs. FWIW, I'm getting a good report back from
https://www.howsmyssl.com/

What should I set to false here?

morganism
Senior Member
Posts: 134
Joined: Tue Nov 26, 2013 9:44 pm

Re: Calomel security plugins

Post by morganism »

I would set to false anything that is 128 bit; I think the fallback there was RC4 128 MD5 for old blogs and such.
Think Camellia is very old.

This broke hotmail a while ago, but think they upgraded.
It is important to figure out how to make sure the browser doesn't downgrade the handshake.
I have asked this before, and never got a good answer. It depends on how many old sites, and how many mega sites you access.

Search here

https://cpunks.org//pipermail/cypherpunks/

and some info here on
http://dnscurve.org/in-benefits.html

I am not sure which EC (elliptic curve) was compromised, but some are saying the double versions are still secure.

Are you looking for security, privacy, or anon?

If privacy, check EFF.org for info, and make sure you disable ping back.
https://panopticlick.eff.org/about.php
https://wiki.mozilla.org/Fingerprinting

Also add the Self-Destructing Cookies plug-in, and look these over.
Add-ons list

Calomel SSL Validation
Click&Clean
DOMCrypt
Download YouTube Videos as MP4
Email Extractor
Empty Cache Button
Exif Viewer
Facebook Disconnect
FEBE
Foundstone HTML5 Local Storage Explorer
Geolocater
Google Disconnect
gui:config
Hush - private bookmarking
JSONovich 1.9.6.1 true jsonovich@lackoftalent.org
Live HTTP headers
Lock The Text lockthetext@lockthetext.sourceforge.net
Mozilla Archive Format
Organize Status Bar (Revived)
Places Maintenance
PlacesCleaner
Self-Destructing Cookies
Skip Addon Compatibility Check
Skip Cert Error
Small Nav Bar
TagSieve
Twitter Disconnect
Vertical Toolbar
DisconnectMe blocks a lot of the tags on pages so you don't need FB, Google block etc.

Anon uses most of the above, but TOR is the way to go, along with a VPN. Tor nodes have been compromised, and NSA has hacked many VPNs, so you still need to encrypt anything you send.
"Rogue Nodes Turn Tor Anonymizer Into Eavesdropper's Paradise"

You also should know that Firefox keeps an SQL database of all visited sites and downloaded files in your profile sections (local and roaming).
SQLite database explorer


I don't know enough about security to help with encryption, header mods, PGP, etc., to help you out there.
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: Calomel security plugins

Post by Thrawn »

kukla wrote: What should I set to false here?

security.tls.version.min
  • 0 = SSL3
  • 1 = TLS 1.0
  • 2 = TLS 1.1
  • 3 = TLS 1.2
morganism
Senior Member
Posts: 134
Joined: Tue Nov 26, 2013 9:44 pm

Re: Calomel security plugins

Post by morganism »

So Firefox 26 and up is...

security.tls.version.min = 0
security.tls.version.max = 3

?
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: Calomel security plugins

Post by Thrawn »

morganism wrote: So Firefox 26 and up is...

security.tls.version.min = 0
security.tls.version.max = 3

?
Yes. By default, Firefox will allow SSL3 (but not SSL2), and TLS up to 1.2.

If you're keen, and willing to experiment, you can change the min version to 1, disabling SSL3. Or even set it to 3, but that will break a whole lot of sites.
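The thread settles on two prefs, security.tls.version.min and security.tls.version.max, with the number-to-protocol mapping Thrawn gave (0 = SSL3 through 3 = TLS 1.2) and the stated Firefox 26+ defaults of min 0 / max 3. The script below is an added example, not code from the thread or from Calomel or Mozilla: it reads user_pref() lines from a user.js/prefs.js-style file, reports which protocol versions the pair allows, flags SSL3 still being enabled or a min above max, and rewrites the min pref to 1 as Thrawn suggests. The sample prefs text is constructed for the example; the helper names are my own.

```python
import re

# Protocol numbers for security.tls.version.min / .max as listed in the thread
# (the Firefox of that era; later versions added higher numbers, not covered here).
TLS_VERSION_NAMES = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2"}

# Defaults stated in the thread for Firefox 26 and up: SSL3 allowed, TLS up to 1.2.
DEFAULT_MIN = 0
DEFAULT_MAX = 3

MIN_PREF = "security.tls.version.min"
MAX_PREF = "security.tls.version.max"

# One user_pref("name", value); line, the format user.js / prefs.js use.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_user_js(text):
    """Return {pref_name: value} for every user_pref() line in the text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            value = raw == "true"
        elif raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1]
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw  # leave anything unexpected as the raw string
        prefs[name] = value
    return prefs


def assess_tls_versions(prefs):
    """Summarise which protocol versions the min/max pair allows and flag SSL3."""
    lo = prefs.get(MIN_PREF, DEFAULT_MIN)
    hi = prefs.get(MAX_PREF, DEFAULT_MAX)
    findings = []
    allowed = []
    if lo not in TLS_VERSION_NAMES or hi not in TLS_VERSION_NAMES:
        findings.append("unrecognised version number: min=%r max=%r" % (lo, hi))
    elif lo > hi:
        findings.append("min (%d) is above max (%d): no protocol can be negotiated" % (lo, hi))
    else:
        allowed = [TLS_VERSION_NAMES[v] for v in range(lo, hi + 1)]
        if lo == 0:
            findings.append("SSL 3.0 still enabled; set %s to 1 to disable it" % MIN_PREF)
        if hi < 3:
            findings.append("TLS 1.2 not allowed; set %s to 3" % MAX_PREF)
    return {"min": lo, "max": hi, "allowed": allowed, "findings": findings}


def harden_user_js(text, min_version=1):
    """Rewrite (or append) the min pref so SSL3 is no longer negotiated."""
    new_line = 'user_pref("%s", %d);' % (MIN_PREF, min_version)
    lines = text.splitlines()
    replaced = False
    for i, line in enumerate(lines):
        m = PREF_RE.match(line)
        if m and m.group(1) == MIN_PREF:
            lines[i] = new_line
            replaced = True
    if not replaced:
        lines.append(new_line)
    return "\n".join(lines) + "\n"


# Constructed sample user.js contents for the example (not from any real profile).
SAMPLE_USER_JS = """\
// constructed example prefs
user_pref("security.tls.version.min", 0);
user_pref("security.tls.version.max", 3);
user_pref("browser.startup.homepage", "about:blank");
"""

if __name__ == "__main__":
    print("before:", assess_tls_versions(parse_user_js(SAMPLE_USER_JS)))
    print("after: ", assess_tls_versions(parse_user_js(harden_user_js(SAMPLE_USER_JS))))
```

Running it on the sample reports the default pair as allowing SSL 3.0 through TLS 1.2 with an SSL3 finding; after harden_user_js the allowed list starts at TLS 1.0 and the findings are empty. Setting min_version=3 reproduces Thrawn's TLS 1.2-only configuration, which the thread warns will break many sites.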