Calomel security plugins

Posted: Tue Nov 26, 2013 10:31 pm
by morganism
These seem to be working well. Haven't seen any conflicts yet.
Grades out SSL connection with a visual key

https://calomel.org/firefox_ssl_validation.html

Some good info tucked into the site also

https://calomel.org/

Have also added the :clean places now: addon for autosweeping, and have added the SDCookies plugin also.

Re: Calomel security plugins

Posted: Tue Dec 10, 2013 9:56 pm
by kukla
Very hard to please. Just started using this Add-on for FF, and it's reporting most HTTPS as either weak or very weak. The highest rating I've seen is 73% (e.g. Google HTTPS, which gets a "moderate") if using Perfect Forward Secrecy. According to Calomel, you hardly want to entrust any site with any kind of sensitive data, not even the brand of dog food you buy.

Re: Calomel security plugins

Posted: Wed Dec 11, 2013 12:29 am
by Thrawn
kukla wrote: According to Calomel, you hardly want to entrust any site with any kind of sensitive data, not even the brand of dog food you buy.

Makes you think, doesn't it? :D

Re: Calomel security plugins

Posted: Wed Dec 11, 2013 2:23 pm
by kukla
Well, since I'm probably not going to start hand delivering the identity of that dog food brand, I'm not sure what purpose the paranoia this creates serves. But I'd like to know why security credentials like this rate a "very weak." And, although it would be nice, I don't see every HTTPS site using PFS anytime in the near future, if that's what it takes to get a better rating.

Re: Calomel security plugins

Posted: Thu Mar 27, 2014 4:56 pm
by dhouwn

Re: Calomel security plugins

Posted: Sun Mar 30, 2014 1:44 pm
by kukla

Excellent. Thanks for that.

Re: Calomel security plugins

Posted: Wed May 07, 2014 4:30 pm
by kukla
I have been using both Calomel and Qualys. Sometimes there is a huge difference between the results provided by the two. For example, ameli-rfe.fr/

Qualys gives this site an F and Calomel gives it a Moderate Yellow at 71%, and says it is using PFS, where Qualys says it isn't. Is Qualys perhaps looking at the IP for amelie.fr, not amelie-rfe.fr? Calomel does show the former as Very Weak. Are they looking at different IPs? If not, then how can this be explained?

Re: Calomel security plugins

Posted: Wed May 07, 2014 10:53 pm
by Thrawn
The Handshake Simulation table on Qualys shows that some of the reference browsers - including Firefox - will use a strong cipher that supports PFS, while many others will not. So Calomel, which lives in Firefox, is happy, but Qualys, which tests across the board, correctly warns that some clients will not have PFS.

The 'F' rating, as mentioned at the top of the page, is because the server supports SSL2. But modern Firefoxes disable SSL2 anyway. If you're really concerned about security, then you should disable SSL3 too.

Re: Calomel security plugins

Posted: Thu May 08, 2014 2:10 pm
by kukla
Thrawn wrote: If you're really concerned about security, then you should disable SSL3 too.

Can you please explain?

This is what I'm seeing for SSL3 (Fx 29). Reading in several places that it is disabled in current Firefox. I understand zip about all these different prefs. FWIW, I'm getting a good report back from
https://www.howsmyssl.com/

What should I set to false here?

Re: Calomel security plugins

Posted: Mon May 12, 2014 5:50 am
by morganism
I would set false anything that is 128 bit, I think the fallback there was RC4 128 MD5 for old blogs and such.
Think Camellia is very old.

This broke Hotmail a while ago, but think they upgraded.
It is important to figure out how to make sure the browser doesn't downgrade the handshake.
I have asked this before, and never got a good answer. It depends on how many old sites, and how many mega sites you access.

Search here

https://cpunks.org//pipermail/cypherpunks/

and some info here on
http://dnscurve.org/in-benefits.html

I am not sure which ec (elliptical curve) was compromised, but some are saying the double versions are still secure.

Are you looking for security, privacy, or anon?

If privacy, check EFF.org for info, and make sure you disable ping back.
https://panopticlick.eff.org/about.php
https://wiki.mozilla.org/Fingerprinting

Also add the Self-Destructing Cookies plug-in, and look these over.
Add-ons list

Calomel SSL Validation
Click&Clean
DOMCrypt
Download YouTube Videos as MP4
Email Extractor
Empty Cache Button
Exif Viewer
Facebook Disconnect
FEBE
Foundstone HTML5 Local Storage Explorer
Geolocater
Google Disconnect
gui:config
Hush - private bookmarking
JSONovich
Live HTTP headers
Lock The Text
Mozilla Archive Format
Organize Status Bar (Revived)
Places Maintenance
PlacesCleaner
Self-Destructing Cookies
Skip Addon Compatibility Check
Skip Cert Error
Small Nav Bar
TagSieve
Twitter Disconnect
Vertical Toolbar
DisconnectMe blocks a lot of the tags on pages so you don't need FB, Google block etc.

Anon uses most of the above, but TOR is the way to go, along with a VPN. Tor nodes have been compromised, and NSA has hacked many VPNs, so you still need to encrypt anything you send.
"Rogue Nodes Turn Tor Anonymizer Into Eavesdropper's Paradise"

You also should know that Firefox keeps an SQL database of all visited sites and downloaded files in your profiles sections (local and roaming).
SQLite database explorer

I don't know enough about security to help with encryption, header mods, PGP, etc., to help you out there.

Re: Calomel security plugins

Posted: Mon May 12, 2014 7:06 am
by Thrawn
kukla wrote: What should I set to false here?

security.tls.version.min

  • 0 = SSL3
  • 1 = TLS 1.0
  • 2 = TLS 1.1
  • 3 = TLS 1.2

Re: Calomel security plugins

Posted: Mon May 12, 2014 8:35 pm
by morganism
So Firefox 26 and up is...

security.tls.version.min = 0
security.tls.version.max = 3

?

Re: Calomel security plugins

Posted: Tue May 13, 2014 3:36 am
by Thrawn
morganism wrote: So Firefox 26 and up is...

security.tls.version.min = 0
security.tls.version.max = 3

?

Yes. By default, Firefox will allow SSL3 (but not SSL2), and TLS up to 1.2.

If you're keen, and willing to experiment, you can change the min version to 1, disabling SSL3. Or even set it to 3, but that will break a whole lot of sites.
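Thrawn's value-to-protocol table for security.tls.version.min, together with the Firefox 26+ defaults (min 0, max 3) confirmed in the later reply, can be turned into a quick audit of a profile. The script below is an added example, not something from the thread or from Calomel: it reads the two prefs out of prefs.js / user.js text (the sample file content is constructed) and flags a profile that still allows SSL3.

```python
"""Audit the security.tls.version.* prefs in a Firefox prefs.js / user.js.
Added example, not from the thread. The value-to-protocol mapping and the
Firefox 26+ defaults (min 0, max 3) are the ones stated in the posts above."""
import re

# Meaning of security.tls.version.min / .max values, as listed in the thread.
TLS_VERSION_NAMES = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2"}
DEFAULTS = {"security.tls.version.min": 0, "security.tls.version.max": 3}

# Matches lines such as: user_pref("security.tls.version.min", 1);
PREF_RE = re.compile(r'^\s*user_pref\("(security\.tls\.version\.(?:min|max))",\s*(\d+)\);',
                     re.MULTILINE)

def parse_tls_prefs(prefs_text):
    """Return the effective min/max values; prefs not present keep the defaults."""
    prefs = dict(DEFAULTS)
    for match in PREF_RE.finditer(prefs_text):
        prefs[match.group(1)] = int(match.group(2))
    return prefs

def assess_tls_prefs(prefs):
    """Name the allowed range and list the problems a defender would flag."""
    lo, hi = prefs["security.tls.version.min"], prefs["security.tls.version.max"]
    findings = []
    if lo > hi:
        findings.append("min is above max: Firefox cannot negotiate any version")
    if lo == 0:
        findings.append("SSL 3.0 still allowed: set security.tls.version.min to 1")
    if hi < 3:
        findings.append("TLS 1.2 disabled: set security.tls.version.max to 3")
    return {
        "min": TLS_VERSION_NAMES.get(lo, "unknown (%d)" % lo),
        "max": TLS_VERSION_NAMES.get(hi, "unknown (%d)" % hi),
        "findings": findings,
    }

# Constructed sample: a profile that still carries the stock Firefox 26+ settings.
SAMPLE_PREFS_JS = '''
user_pref("browser.startup.homepage", "about:blank");
user_pref("security.tls.version.min", 0);
user_pref("security.tls.version.max", 3);
'''

if __name__ == "__main__":
    report = assess_tls_prefs(parse_tls_prefs(SAMPLE_PREFS_JS))
    print("allowed: %s .. %s" % (report["min"], report["max"]))
    for finding in report["findings"]:
        print("  -", finding)
```

Run it against a real profile by reading the file into the function instead of the constructed sample; a profile with min set to 1, as Thrawn suggests, produces no findings.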