# SSL Decode & My Hard-Earned Advice for SPDY/HTTP2 in Firefox

## miroR

retitling (2015-10-07 13:21+02:00) to:

SSL Decode & My Hard-Earned Advice for SPDY/HTTP2 in Firefox

----------------------------------------------------------------

title:

TLS (SSL) tcp stream decoding in your traffic dumps?

----------------------------------------------------------------

The knowledge is there. Else there wouldn't be an 'XXX' in that regard....

Wireshark-users: [Wireshark-users] The SSL tcp stream decoding in Users' Manual?

https://www.wireshark.org/lists/wireshark-users/201509/msg00009.html

[*]

I'm talking about decrypting stuff like when you sent mail and capture traffic, and want to see what, if any, went wrong.

Or when you open a TLS connection, say from Mutt, which, say, opens your Lynx, but can't open the link to Gentoo forums, for some reason...

And stuff like that.

There's really advanced users here on Gentoo Forums. Some of you, I am sure, know how to do it.

Pls., give us at least some hints where to start figuring it out!

If you want more on my attempts (some really successful) at figuring why some things sometimes go badly wrong when you go online, have a look at:

Postfix smtp/TLS, Bkp/Cloning Mthd, Censorship/Intrusion

https://forums.gentoo.org/viewtopic-t-999436.html

such as, e.g.:

how my previous provider threw my mail to junk:

```
Sep  4 23:18:46 localhost postfix/smtp[14602]: 29D7B28E1FF:
to=<support@plus.hr>, relay=127.0.0.1[127.0.0.1]:11125, delay=15731,
delays=15731/0.01/0.18/0.52, dsn=5.0.0, status=bounced (host
127.0.0.1[127.0.0.1] said: 550-"JunkMail rejected - 147-226.dsl.iskon.hr
(n4m3.localdomain) 550-[89.164.147.226]:41972 is in an RBL, see 550
http://www.spamhaus.org/query/bl?ip=89.164.147.226" (in reply to RCPT TO
command))
```

found at:

https://forums.gentoo.org/viewtopic-t-999436.html#7613052

or one instance of undeniable clickjacking, found at:

https://forums.gentoo.org/viewtopic-t-999436.html#7685200

My dream is to learn it, and to teach newbies how to get hold of their online time, against attacks, intrusions, illegal accusations by malicious providers (that's not a pun on words)... and such. Teach myself first, and then newbies, to get real privacy.

---

[*] I put this at the bottom, so as not to be accused of crossposting. Pasting from that wireshark message of mine:

In simple search, currently, if you open:

https://www.wireshark.org/docs/wsug_html/

and search the text for 'XXX', then (again: currently) the first instance you encounter is:

Follow SSL Stream | Same functionality as "Follow TCP Stream" but for SSL streams. XXX - how to provide the SSL keys?

Last edited by miroR on Wed Oct 07, 2015 11:24 am; edited 2 times in total

----------

## toralf

https://jimshaver.net/2015/02/11/decrypting-tls-browser-traffic-with-wireshark-the-easy-way/

----------

## miroR

 *toralf wrote:*   

> https://jimshaver.net/2015/02/11/decrypting-tls-browser-traffic-with-wireshark-the-easy-way/

 

Thanks!!!

...Studying it!...

----------

## toralf

 *miroR wrote:*   

>  *toralf wrote:*   https://jimshaver.net/2015/02/11/decrypting-tls-browser-traffic-with-wireshark-the-easy-way/ 
> 
> Thanks!!!
> 
> ...Studying it!...

 urw

BTW if it solves your question, pls just put a "[solved]" in front of the title of this thread.

----------

## miroR

 *toralf wrote:*   

>  *miroR wrote:*    *toralf wrote:*   https://jimshaver.net/2015/02/11/decrypting-tls-browser-traffic-with-wireshark-the-easy-way/ 
> 
> Thanks!!!
> 
> ...Studying it!... urw
> ...

 

Oh, I don't believe. That couldn't happen just that easily. We are talking huge area here...

Don't know if you looked at the clickjacking that I caught. You don't get that without "preying" on your intruders (the regime, probably, in my case, wanting to rig me as spammer)...

What I mean is, I constantly "uncenz" (read on) my time online.

The uncenz (for uncensorize) is a primitive program of mine:

http://github.com/miroR/uncenz

and I can figure a lot, just not when it's encrypted. But the area is huge: mailing, Dillo (with some not completely implemented TLS), Lynx... past dumps, current dumps to decode in real time...

This is likely to protract long in the future....

Next, I did a little research with simple:

```
# emerge -s ssl
...
*  net-analyzer/ssldump
      Latest version available: 0.9-r2
      Latest version installed: [ Not Installed ]
      Size of files: 135 KiB
      Homepage:      http://www.rtfm.com/ssldump/
      Description:   An SSLv3/TLS network protocol analyzer
      License:       openssl
...
*  net-analyzer/sslscan
      Latest version available: 1.8.2
      Latest version installed: 1.8.2
      Size of files: 22 KiB
      Homepage:      http://sourceforge.net/projects/sslscan/
      Description:   Fast SSL port scanner
      License:       GPL-3
...
*  net-analyzer/sslsniff
      Latest version available: 0.8-r1
      Latest version installed: [ Not Installed ]
      Size of files: 203 KiB
      Homepage:      http://thoughtcrime.org/software/sslsniff/
      Description:   MITM all SSL connections on a LAN and dynamically generates certs
      License:       GPL-3
...
```

and it's the sslsniff that appears to do the work of sniffing the certs out.

However, while I was able to install ssldump, I had no luck with sslsniff....

So I think I'll go for the Bugzilla, The GUI Wireshark, where it's obvious they don't want to give it to the non-paying public... just read there about CloudShark that can do it for guiers.... 

The GUI Wireshark and the logging in that fine tutorial I can only use when I will use Firefox the next time. And Firefox is a harvester browser, like any of the other big browsers, so I don't like to use it.

And so I will probably need the sslsniff.

My mileage here, though, may vary greatly. I have, or had, postponed, and haven't completed other work, and will finish, or had finished, them who knows when, or only months later...

So if I don't go much about this in a matter of days, it will not mean that I desisted from this.

Regards!

----------

## miroR

net-analyzer_sslsniff fails to build

https://bugs.gentoo.org/show_bug.cgi?id=561314

It's a torture to file a bug with Dillo... But at least I'm really safe and calm in respect to when I use Firefox. I don't even want to think of Schmoog's own freeking Chrome or such...

----------

## papahuhn

Do you really expect to get info of how to break a TLS connection?

----------

## miroR

 *papahuhn wrote:*   

> Do you really expect to get info of how to break a TLS connection?

 

Yes I do. Now. Actually, I did it, because they, the SANS (will be explained) told the world about it.

Just study the links already given, if you're impatient.

Or, go straight to, in all appearances, a new paper available now to the world of poor users like me who just want to have their privacy, in steps:

The key link:

The SSL tcp stream decoding in Users' Manual? 

https://www.wireshark.org/lists/wireshark-users/201509/msg00011.html

where you find:

Secure Socket Layer (SSL)

https://wiki.wireshark.org/SSL

and after reading a bit, I went avidly for the PDF file, found the words "Full paper: SSL/TLS: What's under the Hood, written by Sally Vandeven", and, surely, downloaded it:

http://www.sans.org/reading-room/whitepapers/authentication/ssl-tls-whats-hood-34297

I suggest renaming it to:

```
$ mv -iv ssl-tls-whats-hood-34297 ssl-tls-whats-hood-34297.pdf
```

but that is unimportant.

And, once you have downloaded it, have a look at the very last page, with the teaching programme, all of it in the future, the first on 2015-09-28, which is the day after tomorrow! So it's a new paper.

 *SANS Training wrote:*   

> 
> 
> Upcoming SANS Training
> 
> ...
> ...

 

----------

## miroR

And my breakthrough is, and surely I suggest that to all who do have Apache deployed on their boxes (probably SOHO networks, or other), to try it on their networks, offline, first.

I just successfully got it all working in my Apache, I saw the decrypted traffic, taken with my https://github.com/miroR/uncenz program, of my:

https://my-offline-host/cgi-bin/cgit.cgi/

I have to thank SANS Training, and also Jeff Morris, subscriber (or more than that he is) at the Wireshark ML, for this breakthrough!

Regards!

----------

## papahuhn

 *miroR wrote:*   

> And my breakthrough is, and surely I suggest that to all who do have Apache deployed on their boxes (probably SOHO networks, or other), to try it on their networks, offline, first.

 

Your goal was to look into SSL traffic of your own webserver or what is the point?

Edit: Chrome's sslkeylogfile feature is quite neat I must say. Thanks.

----------

## miroR

I just wrote a post in another topic of mine:

2yrs old maildrop still in portage, OK?

https://forums.gentoo.org/viewtopic-t-1027610.html#7820130

where I thank:

 *Quote:*   

> 
> 
> ...
> 
> old guard Mozilla...
> ...

 

In the other context I wrote it, and it belongs there.

However, if anybody is already familiar (as I intend to become, but do not expect to become soon) with how the TLS decryption for the poor users like me (see there the exact meaning of the phrase), came to exist, of which read there, but, pls do reply here (I am to blame, but it's already done... tired and also of unstable health...)...

Oh, I have to post that part over in the very next post to this one... I have to do that. Pls. give me a few minutes...

And if anyone is familiar enough to tell the public about my question in the next post, which I began in the above linked topic, please share your information with us.

Just a few minutes, please...

Regards!

----------

## miroR

So this is my qualm and my query.

Rephrasing somewhat from the link already posted in my previous post in this topic.

As you can see, I am busy on the TLS decryption that I always thought on the verge of being impossible other than for the Octopuses like Schmoog (y'know: the Schmoogle)... but possible it is, for little Unix's own G. I. Jones like me.

And I have to admit there must be some good ole guard still there in Mozilla, when I see that it is possible for poor users like me, in probably all sessions online, with Firefox...

(

And surely the Schmoog follows suit with their Chrome... Namely it is possible with Chrome too (which I don't use.

Y'know(, Schmoog follows suit), just like the Schmoog was the one that, at the same time as the true discoverers of the Heartbleed bug, some Scandinavian team --can't go in search for links, too busy-- the Schmoog was the one that decided that they need to be the discoverers of the Heartbleed too...

I'll allow it here: [I]f [I] [U]nderstand [C]orrectly. Not for the Heartbleed. That is hardly a matter for discussion. The Schmoog knows more than anyone. Even more than those who they serve, painstakingly straining their looks to appear innocent of mass surveillance for them: the NSA...

But IIUC on the Chrome following suit after old guard Mozilla devs apparently decided to work for the users, for the true interests of the users.

And so to you, old guard Mozilla, to you goes my gratitude for opening up the TLS traffic for us, again, [I]f [I] [U]nderstand [C]orrectly, but I bet that I do.

)

So you see, the world thought unknown to me, and surely not just me, has slowly been opening to me, and many, now.

----------

## miroR

```
da504f6780bfaad3e40b9c9b6ae90407f24c51857e0026abca7476b0a8edcf01  one-piece-of-data
5ad8d862eb3cef55c2d3f991e943a54ea8a51d6495822927b8dfbcf7da49303f  another-piece-of-data
```

Talk follows, for the patient, soon enough.

----------

## miroR

Ah, things have changed (in a special way), so there's:

```
7b1de87c866e9834278560a034a20370d10fc2c4f26f1d8c64d3d470667c329a  yet-another-piece-of-data
```

Good to have these two posts on these data pieces' hashes, esp. since I document with my uncenz program (link given in some of the previous posts). No, not for Gentoo folks (the following action, just read); Gentoo Forums have been honest in all the seven-eight years that I have posted on the forums, not them. But this method of rubbing in the timestamp of when something happened is for other faces...

As I said, talk follows, for the patient, soon enough.

----------

## miroR

This will not be anything so special, like I thought at first.

EDIT 2015-10-01 19:41+02:00:

All the files are uploaded:

http://www.CroatiaFidelis.hr/foss/cap/cap-150927-TLS-why-js/

EDIT END

EDIT 2015-11-08 11:22+01:00:

And checked: their integrity is verifiable (there was one file, the dLo.sh and its dLo.sh.sig, missing, but I'd need to check up my uncenz archive, and would probably find I forgot to upload them).

Pls find and apply the newbie tip for downloading these for testing/practicing at:

< this same topic >

https://forums.gentoo.org/viewtopic-t-1029408.html#7822806

(as it applies here in similar way)

To not edit this post repeatedly: all the topic up until anything 2015-11 was done with wireshark-1.x (and tshark).

wireshark-2, that I now use, appears to either be still unstable, or to have some changes that I can't figure if they make or don't make any difference in regard to this whole topic. And that is why I'm checking all this topic with wireshark-2. If all I wrote applies for wireshark-2, I don't need to post any notices in this topic, if it does, search at the head of the first post, or in the newest post, as I'll surely report about it.

EDIT END

Something a little suspicious will not be easily denied, but it's not much.

It's not simple to explain, though. Not at all. (And also I haven't researched it all through yet.)

But maybe the comparison btwn my calm and worry-free browsing with Dillo for 856 sec (almost 15 minutes), and my opening of the same one single page during the short online time of browsing the same one page with Firefox for 61 sec (1 minute)[*], will give you a clear feeling of the surprise and bewilderment that overtook me, and made me study primarily this one single minute of my time online with Firefox on one single page... ever since shortly before I posted the hashes in my two previous posts in this topic.

Haven't been doing almost anything but that ever since. Also because I'm still happy I can decrypt the traffic that I thought I maybe never will be able to...

It's two sets of files, about browsing of the same page (and, with the gentle Dillo, it's more browsing of other pages too).

It unnerved me greatly how SourceForge --I wasn't able to find any other possible cause to the problem but the SF-- wouldn't post publicly the attachments to the lurker-users mailing list:

[Lurker-users] Installing Lurker on Gentoo 

http://sourceforge.net/p/lurker/mailman/message/34469526/

( and see the thread I started there )

And so I searched for how I posted two years ago, to another mailing list hosted on SourceForge.

That other ML that I posted to was the Courier-Maildrop ML, and I decided, on the 21st of Sept 2015, as the timestamp in the filename (read on) will tell you, that I wanted to see if back then it showed (which let's say is hard to know), or, at least, to see if it now shows correctly the attachments sent with that email to the Maildrop list.

First, on what Maildrop is, and why I recommend it for true Unixers-to-be, read here:

Postfix smtp/TLS, Bkp/Cloning Mthd, Censorship/Intrusion

https://forums.gentoo.org/viewtopic-t-999436.html#7696102

and around.

And, as you will see from the screencast, and be able to verify from the network traffic corresponding to that screencast, lo and behold, it doesn't show the attachments to that old email either!

Even worse! For some reason, as soon as there are attachments in an email, the plain simple text of the email is not shown on SourceForge either!

In this topic, I first do want to make it clear here what my browsing was about. But the topic is about the decrypted traffic related to that browsing.

On the 2015-09-21 I did the search, and you can see (from the screencast) that, with Dillo, I visited a few other pages, other than just that same page as with Firefox.

And, yes, on the 2015-09-27, I opened, with Firefox, only this one page, the same one that I had also opened on the 21st (except on the 21st I opened quite a few other pages as well):

My standalone maildrop configuration files 

http://sourceforge.net/p/courier/mailman/message/31585709/

And it stunned me how much traffic, and with miserable usefulness, as explained above, there happened btwn me and a few hosts, not just SourceForge!, during that 61 sec! And with miserable usefulness, unless you count ads and harvesting of data as useful.[**]

These are the two sets of files:

```
f713de433baca4fe4745349a8e63b664fbd534303e4718c8184889fa52c50eb3  dump_150921_2332_g0n.pcap
746079a3d60208fd13374e5444560e334aaafbf407e3b6f9f943e3846b5fef45  Screen_150921_2332_g0n.mkv
```

[**]

and

```
da504f6780bfaad3e40b9c9b6ae90407f24c51857e0026abca7476b0a8edcf01  dump_150927_1848_g0n.pcap
5ad8d862eb3cef55c2d3f991e943a54ea8a51d6495822927b8dfbcf7da49303f  Screen_150927_1848_g0n.mkv
```

Have a look. I'll also show the tshark commands that I used, and if you set your Wireshark up with my sslkey.log,

```
7b1de87c866e9834278560a034a20370d10fc2c4f26f1d8c64d3d470667c329a  SSLKEYLOGFILE_150927_1848_g0n.log
```

you will be able to reproduce and verify all that I will post (but give me --much?-- more time; this is huge work, and the partly examined TLS and SSL streams are likely just run-of-the-mill, or too convoluted Javascript programming pieces in there for me to figure out how they harvest my data).

Just no more instructions on how to set the $SSLKEYLOGFILE up, get it from the linked information where I got it from.

Now before I try and ask on Wireshark if it is possible to post on:

https://ask.wireshark.org/

with Dillo, I'll try and post in my very next post a few summary tshark lines on the two traffic dumps, the dump_150921_2332_g0n.pcap and dump_150927_1848_g0n.pcap.

---

[*] In truth it is some ca. 45 seconds online only, as only after I start uncenz do I plug in my connection physically, and always before I kill uncenz do I physically unplug the connection.

[**] The timestamps for the set made and carrying timestamp of 150921_2332 should have been:

```
$ ls -l dump_150921_2332_g0n.pcap  Screen_150921_2332_g0n.mkv
-rw-r--r-- 1 miro miro   675772 2015-09-21 23:48 dump_150921_2332_g0n.pcap
-rw-r--r-- 1 miro miro 89116406 2015-09-21 23:48 Screen_150921_2332_g0n.mkv
```

and it stayed so till I decided that saving 50M matters, and reconverted the screencast with FFmpeg's default settings:

```
$ ffmpeg -i Screen_150921_2332_g0n.mkv   Screen_150921_2332_g0nR.mkv
$ mv Screen_150921_2332_g0nR.mkv Screen_150921_2332_g0n.mkv
```

and so now the 'cast is:

```
-rw-r--r-- 1 miro miro 36937400 2015-09-29 01:02 Screen_150921_2332_g0n.mkv
```

Just to prevent any objections about veracity of my statements. My uncenz (linked previously in this topic) surely has ' -preset ultrafast' in its options and produces a little bulky 'casts. Reconversion was due for this larger of the two 'casts.

[***] A note is due. Sure, it's because of the Javascript (that runs, what tests?, what checks?, with all those hundreds and thousands of lines' worth of scripts --when expanded, because they're mostly crammed onto single, or just a handful of, lines) that Dillo employs none... But what usefulness is there to that Javascript? Just to show me the page I asked for? Really?... I don't think anyone can defend that stance. And also, how does a user remain in control here, with all that plethora of work by such Javascript, on his machine?

Last edited by miroR on Sun Nov 08, 2015 10:35 am; edited 3 times in total

----------

## miroR

EDIT 2015-11-02 13:06+01:00:

Update on including named hosts in the listing exists now.

EDIT END

The same page (along with quite a few other pages) browsed with Dillo:

```
# tshark -r dump_150921_2332_g0n.pcap -q -z io,stat,0
====================================
| IO Statistics                    |
|                                  |
| Duration: 856.3 secs             |
| Interval: 856.3 secs             |
|                                  |
| Col 1: Frames and bytes          |
|----------------------------------|
|                |1                |
| Interval       | Frames |  Bytes |
|----------------------------------|
|   0.0 <> 856.3 |   1299 | 633411 |
====================================
```

The same page (and no other pages whatsoever opened by user, or shown to user, as the screencast shows[*]) browsed with Firefox:

```
# tshark -r dump_150927_1848_g0n.pcap -q -z io,stat,0
==================================
| IO Statistics                  |
|                                |
| Duration: 61.4 secs            |
| Interval: 61.4 secs            |
|                                |
| Col 1: Frames and bytes        |
|--------------------------------|
|              |1                |
| Interval     | Frames |  Bytes |
|--------------------------------|
|  0.0 <> 61.4 |   1878 | 917311 |
==================================
```

---

With Dillo:

```
# tshark -r dump_150921_2332_g0n.pcap -q -z conv,ip
================================================================================
IPv4 Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
192.168.1.3          <-> 46.51.197.89             241    176700     231     33872     472    210572    24.019174000       589.7156
205.134.191.174      <-> 192.168.1.3              145     11238     121    119608     266    130846   338.249268000       195.8425
216.34.181.60        <-> 192.168.1.3              113      9762     112    115825     225    125587   618.279041000       233.4181
192.168.1.3          <-> 137.117.229.219          104    114329     104      8883     208    123212    83.952226000       157.7557
192.168.1.3          <-> 67.158.26.137             26     34744      28      2182      54     36926    57.560851000         0.8682
192.168.1.3          <-> 192.168.1.1                7      1091       8       604      15      1695    57.267513000       280.9814
224.0.0.1            <-> 10.16.96.1                 7       434       0         0       7       434    90.990774000       749.9971
255.255.255.255      <-> 192.168.1.1                1       592       0         0       1       592     0.510912000         0.0000
255.255.255.255      <-> 0.0.0.0                    1       409       0         0       1       409     0.488053000         0.0000
================================================================================
```

With Firefox:

```
# tshark -r dump_150927_1848_g0n.pcap -q -z conv,ip
================================================================================
IPv4 Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
192.168.1.2          <-> 23.63.127.118            397    527674     317     35578     714    563252    32.929597000        22.0994
127.0.0.1            <-> 127.0.0.1                408     39080       0         0     408     39080     0.000000000        61.4484
216.58.209.162       <-> 192.168.1.2               88     10607      98     60515     186     71122    34.602984000         2.9523
216.58.209.194       <-> 192.168.1.2               68      5777      62     65107     130     70884    33.133720000        20.1780
192.168.1.2          <-> 192.168.1.1               40     10925      40      3330      80     14255    30.476933000         7.9108
216.34.181.60        <-> 192.168.1.2               38      3568      37     28778      75     32346    32.363382000        11.3056
216.58.209.193       <-> 192.168.1.2               31      3118      39     39683      70     42801    35.857940000         0.3652
208.117.229.250      <-> 192.168.1.2               26      5645      24      8362      50     14007    33.388199000        22.8297
208.117.229.248      <-> 192.168.1.2               24      2410      23     17141      47     19551    34.879513000         0.3704
192.168.1.2          <-> 54.230.46.170             18     17623      21      1804      39     19427    33.136730000        20.2186
192.168.1.2          <-> 74.125.24.95              15      5580      19      2121      34      7701    32.923574000         1.5411
192.168.1.2          <-> 173.194.44.23             15      5511      17      2084      32      7595    35.448949000         0.3683
192.168.1.2          <-> 173.194.44.19             15      5887      17      2081      32      7968    35.124572000         0.3434
192.168.1.2          <-> 46.137.174.129            10      6364      13      1604      23      7968    34.896746000        20.4715
192.168.1.2          <-> 23.63.139.27               8      2523      11      1190      19      3713    35.064187000        20.1878
192.168.1.2          <-> 46.33.68.128               8      2488      11      1208      19      3696    33.139425000        20.1483
216.34.181.63        <-> 192.168.1.2                6       740       4       442      10      1182    31.386185000        20.6129
216.34.181.81        <-> 192.168.1.2                4       280       3       216       7       496    38.388114000         6.2801
224.0.0.1            <-> 10.16.96.1                 1        62       0         0       1        62    48.812905000         0.0000
255.255.255.255      <-> 192.168.1.1                1       592       0         0       1       592    22.120562000         0.0000
255.255.255.255      <-> 0.0.0.0                    1       409       0         0       1       409    22.101373000         0.0000
================================================================================
```

[**]

---

[*] It will show, if I manage to post both the screencasts and the traffic dumps publicly, hopefully on ask.wireshark.org.

[**] What is missing, and I don't know how to do it with tshark, is, I'd like to insert a column before the column that is currently the first column, which inserted-to-be column would hold the resolved host name (such as google for the Schmoog; lots of it in Firefox, the Schmoog is sitting in Fox: not good!, such as akamai, pagead and stuff; ah!, also sourceforge.net). And I want to ask on Wireshark how to do it.

( EDIT 2015-11-02 13:06+01:00:

Update on including named hosts in the listing exists now.

EDIT END )

[***] Pls. also see the bottom note in the previous post, on the feasibility of the user's control of his machine when such browsing, as with the above, with Firefox, Javascript-"enhanced", goes on.

Last edited by miroR on Mon Nov 02, 2015 12:10 pm; edited 1 time in total
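One way to get the host-name column that the [**] footnote asks for, as an added example that is not from the thread or from tshark itself: parse the `tshark -q -z conv,ip` table and a hosts list in the format Wireshark exports under Statistics -> Show Address Resolution, then print each conversation with the resolved name of its remote peer. The sample rows are constructed from lines in the Firefox capture above; the LAN prefix `192.168.1.` is an assumption, and unresolved peers are labelled as such rather than guessed (name resolution in a capture can be wrong, so the output is a hint, not proof of who was talking).

```python
"""Prefix a `tshark -z conv,ip` conversation table with resolved host names."""
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample: five rows copied from the Firefox capture's conv,ip table,
# between the header and footer lines tshark prints around them.
CONV_SAMPLE = """\
================================================================================
IPv4 Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
192.168.1.2          <-> 23.63.127.118            397    527674     317     35578     714    563252    32.929597000        22.0994
127.0.0.1            <-> 127.0.0.1                408     39080       0         0     408     39080     0.000000000        61.4484
192.168.1.2          <-> 173.194.44.19             15      5887      17      2081      32      7968    35.124572000         0.3434
192.168.1.2          <-> 46.33.68.128               8      2488      11      1208      19      3696    33.139425000        20.1483
216.34.181.81        <-> 192.168.1.2                4       280       3       216       7       496    38.388114000         6.2801
================================================================================
"""

# Constructed sample in the "Show Address Resolution" export format:
# '#' comment lines, then one "IP  name" pair per line.
HOSTS_SAMPLE = """\
# Hosts information in Wireshark
#
# Host data gathered from dump_150927_1848_g0n.pcap
173.194.44.19   www.google.com
216.34.181.81   goparallel.sourceforge.net
46.33.68.128   a1158.b.akamai.net
127.0.0.1   gbn.xdwgrp
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
UNRESOLVED = "(unresolved)"


class Conversation(NamedTuple):
    a: str
    b: str
    frames: int
    total_bytes: int
    start: float
    duration: float


def parse_hosts(text: str) -> Dict[str, str]:
    """Map IP -> name, skipping blank and '#' lines."""
    hosts: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and IPV4.match(parts[0]):
            hosts[parts[0]] = parts[1]
    return hosts


def parse_conversations(text: str) -> List[Conversation]:
    """Keep only data rows: 'A <-> B' followed by eight numeric columns."""
    convs: List[Conversation] = []
    for line in text.splitlines():
        p = line.split()
        if len(p) != 11 or p[1] != "<->" or not (IPV4.match(p[0]) and IPV4.match(p[2])):
            continue  # header, ruler or footer line
        convs.append(Conversation(p[0], p[2], int(p[7]), int(p[8]), float(p[9]), float(p[10])))
    return convs


def remote_peer(conv: Conversation, local_prefix: str) -> str:
    """The non-LAN side of the conversation; loopback/multicast rows fall back to B."""
    if conv.a.startswith(local_prefix):
        return conv.b
    if conv.b.startswith(local_prefix):
        return conv.a
    return conv.b


def annotate(convs: List[Conversation], hosts: Dict[str, str],
             local_prefix: str = "192.168.1.") -> List[Tuple[str, str, int]]:
    """(name, remote IP, total bytes) per conversation, heaviest first."""
    rows = []
    for c in convs:
        peer = remote_peer(c, local_prefix)
        rows.append((hosts.get(peer, UNRESOLVED), peer, c.total_bytes))
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows


def render(rows: List[Tuple[str, str, int]]) -> str:
    """Plain-text table with the resolved name as the new first column."""
    width = max((len(r[0]) for r in rows), default=len("Host"))
    lines = [f"{'Host':<{width}}  {'Peer IP':<16} {'Bytes':>8}"]
    for name, ip, nbytes in rows:
        lines.append(f"{name:<{width}}  {ip:<16} {nbytes:>8}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(annotate(parse_conversations(CONV_SAMPLE), parse_hosts(HOSTS_SAMPLE))))
```

Feed it the full `tshark` output and the full `_RESO.txt` file instead of the samples to annotate a whole capture.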

----------

## miroR

I want to post what I found out. In June 2015, you can read:

[Dillo-dev] how about if we make a 3.0.5

http://lists.dillo.org/pipermail/dillo-dev/2015-June/010562.html

(3.0.5 is the current released version of Dillo, still as of 2015-10-01)

That summarizes it for people with too little knowledge of C/C++, and time, to delve into the sourcecode, like me.

That is a previous message taken notice of, and replied honestly, with full quote, as FOSS devs should always do with important previous messages. Kudos to Dillo devs!

However, Dillo devs are understaffed. No moneys there, like in the big browsers... And yet Dillo looks like the most promising true FOSS, poor users' privacy-defending browser...

I really hesitate to even send a message with the question on when is NSS (which I believe can be used by other browsers, can it?; NSS stands for Mozilla's Network Security Services, and it is NSS that got us the TLS decryption for Firefox), or some other method, going to be, if ever, deployed in Dillo, so that we can decrypt the TLS traffic?

Because currently there does not seem to be a way to decrypt the TLS traffic with Dillo.

But I will have to ask there about it. At some point in time...

About NSS, it's best to start from here:

https://en.wikipedia.org/wiki/Network_Security_Services

And I see clutches of a few big players that I don't like. It's not just the proverbial Larry and Sergey, the Schmoog the "do-no-evil" paramount associate firm of the top spies firm of the world...

It's also the owner of once-was-FOSS MySQL, and once-was-FOSS Java, who is also, I learned it now only, the proud owner of Sun as well, the Larry Oracle... I learned that when I saw

 *wikipedia.org wrote:*   

> 
> 
> Applications that use NSS
> 
> ... Sun Microsystems/Oracle Corporation ...
> ...

 

and those big players co-developed it.

But what is the alternative?

Do we have any?

And our privacy worldwide depends now on those people, brothers in *nix!

---

Also there is some hope, I'm sure, to get some more information on these issues from the Postfix people. I really wish to be able to decrypt my mail communications too. Maybe this is a good start:

http://www.postfix.org/FORWARD_SECRECY_README.html

---

But I have to go and find a way to upload what I promised in my two previous posts to this one.

I would have already done it, but I see how, still, all of my understanding of what is going on when I connect online is so hollow (as with most *nix users; most all, other than the very advanced, the wizards or near-wizards, who can cope with all the complex issues there)...

Overwhelmed.

----------

## miroR

Sorry for more waiting next. I wasn't idle at all. And if only you could see the grin on my face, for a reason... But I promise you that you will chuckle with amusement too. More work though...

Just: I will keep to my word.

But I got a scoop. Probably. So first is posting this.

```
cf89395d8026e2491cbacbd033b99e0b78ff7c61db0bef107f90520d84aeba6c  dump_151001_1207_g0n.pcap
f7f559adbae55cc4eb6c60faaeec3fbba8ae6dbc0a20386d2ac29e4bccc91b15  Screen_151001_1207_g0n.mkv
8d5a35ef3d9a8e5e1e7887466f18dd7145ac9736b2a09a766be3aadd2d67f643  dump_151001_1248_g0n.pcap
#       TOO BIG, NOT WORTH KEEPING                                Screen_151001_1248_g0n.mkv
b1d9753b84401ad7e434496b5233ea44a2b72e79b3953b69e777b400e6bfb9de  dump_151001_1357_g0n.pcap
3d1ffd7df6bb9fc42f3dcf64e29a0299ca6f2126c97ee646d22cbfcbfa08fbe2  Screen_151001_1357_g0n.mkv
b0a69eec17ca0b77d66e34d54a6cebaea0f4e5084a8109f2a5aea93e70a4ddfa  dump_151001_1358_g0n.pcap
cc4d7086ee898f444269b3714200e6fc1dc5a09c6a27543b2eb585c8f6a0e555  Screen_151001_1358_g0n.mkv
1b40979df0b98fc3e360dbd1e3f44609455e5c22056d41eb5ad9d5cc256349f9  dump_151001_1659_g0n.pcap
682e6a5e335baeca61363b5aa97b10ae88b4107840d70d9a9eedc68a74444215  Screen_151001_1659_g0n.mkv
57887f12a27a7da6f169451259239b8d475c9be8f77b7a0133d2e5c04fa68118  dump_151001_1705_g0n.pcap
5bf4cdb4e12659cd8256a29626b4968dc1520c29d07a6c1f30b5b1ccc941643a  Screen_151001_1705_g0n.mkv
c221abdc47af4fbc03c119abe222944db2ee3b2612a4099269b466ff6d00f44f  dump_151001_1726_g0n.pcap
18ddd5c858ead21890ecce2cd3ea1b926d719b4ad6215cd5a4db9ff8265eb21f  Screen_151001_1726_g0n.mkv
beefad5844cebd2ed4e7435cfe620657178582bf7d72a11e86ba6da648778ceb  dump_151001_1728_g0n.pcap
5dc9c6c09022e9d122a7ccb73295dc7c9c43a1ec1aba2b7f56d29961acacc631  Screen_151001_1728_g0n.mkv #  will be kept
675fb31fddcef9593f29fe537f7f2230ad788e71bfbe8edae98463f07dec3a61  Screen_151001_1728_g0nR.mkv # the replacement, for publishing
```

First these I post, then fulfill the promise, then come back to explain the scoop.

(Actually the first thing is move these files away into Air-Gapped safe system. Even before posting this.)

Just the why for exceptions above:

```
$ ls -l Screen_151001_1248_g0n.mkv
-rw-r--r-- 1 miro miro 181055560 2015-10-01 13:43 Screen_151001_1248_g0n.mkv
$ ls -lh Screen_151001_1248_g0n.mkv
-rw-r--r-- 1 miro miro 173M 2015-10-01 13:43 Screen_151001_1248_g0n.mkv
$ ls -l Screen_151001_1728_g0n*.mkv
-rw-r--r-- 1 80683330 2015-10-01 17:42 Screen_151001_1728_g0n.mkv
-rw-r--r-- 1 32058028 2015-10-01 17:54 Screen_151001_1728_g0nR.mkv
$
```

Working...

----------

## miroR

Open in Wireshark the file dump_150927_1848_g0n.pcap.

I know it's not to be taken as Sacred Scriptures (the name resolution can sometimes be brazenly lied to by various subjects), but it's nice to have a fine and still very probable guess on who we are talking to, esp. since most of us, the readers and I, are not (yet; some readers will likely be some day) experts. So...

...So Alt-S (or click on "Statistics") and in the popdown that opened choose: "Show Address Resolution".

Copy just the first fewer than 200 lines, and paste them into a file, what should we call it? We should call it by the dump we took it out of, and give it the infix _RESO, and the extension .txt, I suggest. So paste into dump_150927_1848_g0n_RESO.txt that which you just copied.

```
$ cat > dump_150927_1848_g0n_RESO.txt 
```

And after I did what I suggest you to do, it looks like this:

```
$ cat dump_150927_1848_g0n_RESO.txt

# Hosts information in Wireshark 
#
# Host data gathered from /Cmn/mr/dump_150927_1848_g0n.pcap
# Address resolution IPv4 Hash table 
#
# With 77 entries
#
# Address resolution IPv6 Hash table 
#
# With 12 entries
#
# Port names information in Wireshark 
#
# With 6100 entries
#
Port 8191 
     TCP  limnerpressure
    UDP  (null)

```

The above we just used to be clear about how many conversations there were in those some 45 seconds...

Now, here's how you can get out of that pcapng file that you still have opened the js that Mozilla uses to get your data. That is surely only one of its mechanisms.

A note (for hasty and impatient readers, not to draw wrong conclusions): This is not yet about TLS decryption. This tcp stream is not TLS encrypted.

Type this in the box labeled with "Filter:"

```
tcp.stream eq 9
```

and hit Enter.

The displayed packets will now reduce to just a handful, or two or three handfuls, of packets. Well, you won't get those packets next Christmas; it's a different kind of packet, and you won't get them in your hands. Your machine gets them...

All these packets were btwn my machine and the Mozilla cloud. It's a conversation, to and fro:

```
54.230.46.170   dd1f6ymc64rwu.cloudfront.net
```

If you don't see both, or at least (if you switched off the name resolution in the Wireshark "Preferences") the numerical address, then you've not been following me correctly or something else is the matter. I'll assume that you have, and that you see.

Right click on any of the packets and click on "Follow TCP stream". What opens to you in a new window contains:

```
ET /get?name=notice.js&domain=slashdot.org&c=teconsent&text=true HTTP/1.1
Host: consent-st.truste.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://sourceforge.net/p/courier/mailman/message/31585709/
Connection: keep-alive

HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 15887
Connection: keep-alive
Access-Control-Allow-Origin: *
Cache-Control: max-age=86400
Content-Encoding: gzip
Date: Sun, 27 Sep 2015 02:44:44 GMT
Expires: Mon, 28 Sep 2015 02:44:44 GMT
Pragma: public
Server: TXS
Vary: Accept-Encoding
Age: 50668
X-Cache: Hit from cloudfront
Via: 1.1 b451ce1932d9b97c4ef54f2f37ecb931.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 0hUbsESnHoM6beWEUO_4UZgc9T8EY85vANmfLTe-wXCDU1mOpvi40g==

...........}y..6....)...LZ.ZR..%3...I<.....L......$.)Q&.>.....  ......vw'm.7
..P(,v.?...q...,./..e...n.........D...;..UM._.i.....q.8..........~.....?.
~{...kn.<.....\d.r..]..Tx...O...4\.i.........^......u.m....
Y.hS...Q.......w....o./...+w!...IC.....2.oY...l..[v..7.._,..e.+.n.nY...._....e.....|
.......G?....8\..\k.....,O...t..v.&.c..X+.C.|}..6.I..........-Y..L...c..E.ZW,5.X.
.w..v/;..q..-.c..23..i;.......e....{..t..l....  ][.....(.;.U?...
```

You can't read most of it, the second part after the headers, of which I pasted just a little above. (All that is readable are the HTTP headers; they don't show in the page, or in whatever else you're getting from some source; they direct you, the client, how to deal with the page or other content.)

You can't read most of it because it is, as the HTTP header tells you (which I'm repasting):

```
Content-Encoding: gzip
```

because it's gzipped.

Save that which you opened as, e.g.: dump_150927_1848_g0n_s09.dump.

You probably could cut out the HTTP headers with some good editor like Vim, XEmacs, Nano... , save that second part with '.gz' extension and gunzip it, but it's better to use hexedit or such hex editor.

So:

```
$ hexedit dump_150927_1848_g0n_s09.dump
```

The string that you need to find, in hex, is "1F8B08". The beginning of the gzipped archive. Read 'man hexedit' and try to select, copy and paste into a new file the whole content from that string to the end of the file.

When (upon hitting Esc-O) you are asked for the name of the new file into which to save what you copied, give it the name dump_150927_1848_g0n_s09.gz.

In my case, after I pasted in that name, this is what it looked like, pasting just these lines:

```
00004010   77 24 16 ED  A4 79 88 4A  F6 71 E9 97  08 34 6D 0C  w$...y.J.q...4m.
                                      File name: dump_150927_1848_g0n_s09.gz
00004050   52 17 20 1D  22 08 C4 D1  4B F3 CE C4  22 0A E3 20  R. ."...K..."..
```

And I hit Enter, and exited hexedit with Ctrl-X.

Apparently I did it right, because:

```
$ file dump_150927_1848_g0n_s09.gz 
dump_150927_1848_g0n_s09.gz: gzip compressed data, from Unix
```

And:

```
$ gunzip dump_150927_1848_g0n_s09.gz
$ file dump_150927_1848_g0n_s09
dump_150927_1848_g0n_s09       dump_150927_1848_g0n_s09.dump
$ file dump_150927_1848_g0n_s09
dump_150927_1848_g0n_s09: ASCII text, with very long lines
$
```

(the second line above is just me pressing Tab, to see what I have after "dump_150927_1848_g0n_s09": the "dump_150927_1848_g0n_s09" vanished.)

And here's just part of that huge file, that, BTW, ought to be renamed to what it is:

```
$ mv -iv dump_150927_1848_g0n_s09 dump_150927_1848_g0n_s09.js
```

So here's just parts of it (and I cut the lines which would not wrap, so it's imprecise, this paste):

```

function

_truste_eu(){truste=self.truste||{};truste.eu=truste.eu||{};truste.eu.version="v3.12-21";

truste.eu.COOKIE_DAX_NAME="notice_dax_signature";truste.eu.COOKIE_PREF_NAME="notice_preferences";

truste.eu.COOKIE_CATEGORY_NAME="optout_domains";truste.util=truste.util||{};truste.util.getUniqueID=function(){return"truste_"+Math.random()};

truste.util.getIntValue=function(h){h=parseInt(h);return

isNaN(h)?null:h};truste.util.getScriptElement=function(h,k){"string"==typeof

h&&(h=RegExp(h));if(!(h instanceof

RegExp))return null;for(var

a=self.document.getElementsByTagName("script"),d,b=a.length;0<b--&&(d=a[b]);)if((k||!d.id)&&h.test(d.src))return

d;return null};truste.util.initParameterMap=function(h,k){k instanceof

Object||(k={});if(h&&"string"==typeof h.src){var

a,d=k._url=h.src;if(d=(k._query=d.replace(/^[^;?#]*[;?#]/,""))

.replace(/[#;?&]+/g,"&"))for(d=d.split("&"),a=d.length;0<a--;){var

b=d[a].split("="),c=b.shift();k[c]||(k[c]=decodeURIComponent(b.length?b

.join("="):""))}h.id=k.sid=k.sid||truste.util.getUniqueID()}else

k._query=

...[snipped 15 lines]...

self.postMessage?truste.util.addListener(self,"message",

truste.eu.msg.msgListener):truste.eu.msg.poller.callback=truste.eu.msg.msgListenerIE7;truste.eu.mobile=truste.eu.mobile||{isMobile:!1,

checkIfMobile:function(){var

a=self.navigator.userAgent||self.navigator.vendor||self.opera,d=/1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a

wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|\-m|r

|s

)|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw\-(n|u)|c55\/|capi|ccwa|cdm\-|cell|chtm|cldc|cmd\-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc\-s

...[the ugly really long and hardly legible jumbo saussage above cut to remain within the space we have here ;-) ]...

...[Have a look at this one here: all options are on the table!]...

return/(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od|ad)|iris|kindle|lge

|maemo|midp|mmp|netfront|nexus (7|s|one)|galaxy.*nexus|opera m(ob|in)i|palm(

os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows

(ce|phone)|xda|xiino/i.test(a)||d.test(a.substr(0,

4))}};truste.eu.mobile.isMobile=truste.eu.mobile.checkIfMobile();truste.eu._listeners=[];truste.eu.cancelCmTimeout=null;truste.eu.cmLoading=

!1;truste.eu.addEventListener=function(a,d){if(a&&"function"==typeof

a){for(var

b=-1,c=0,e=truste.eu._listeners.length;c<e;c++)if(truste.eu._listeners[c]===a){b=c;break}b+1&&d?truste.eu._listeners.splice(b,

1):b+1||truste.eu._listeners.push(a)}};truste.eu._dispatchEvent=function(a,d){for(var

b=truste.eu._listeners.length;0<b--;)try{truste.eu._listeners[b](a,d)}catch(c){}};truste.eu.actmessage=function(a){var

d=truste.eu.bindMap;if(a&&"preference_manager"==a.source)switch(a.message){case

"submit_preferences":if(null!=

a.data){var b=parseInt("object"==typeof

a.data?a.data.value:a.data);isNaN(b)||(d.prefCookie=b,truste.util.trace("changing

preference to:

"+d.prefCookie),truste.util.createCookie(truste.eu.COOKIE_PREF_NAME,

d.prefCookie+":"+d.daxSignature,a.data.expires,!0),truste.

eu.sendclosereport=!1,truste.eu.caIcon&&truste.eu.caIcon.setAttribute("consent",d.prefCookie))}break;case

"cm_loading":truste.eu.cmLoading=!0;break;case "change_panel":"string"==typeof

a.data&&(null!=truste.eu.cancelCmTimeout&&(clearTimeout(truste.eu.cancelCmTimeout),

...[cut out 61 lines here]...

a.parent}catch(e){}a.addEventListener?(a.addEventListener("message",c.messageListener,

!1),a!=b&&b.addEventListener("message",c.messageListener,!1)):(a.attachEvent("onmessage",c.messageListener),

a!=b&&b.attachEvent("onmessage",

c.messageListener))}c.fake.consentDecision=null;c.fake.capabilities.push("getConsentDecision");d.version="3.12";return

d}(truste.eu.noticeLP);self.TRUSTE_CMAPI_DEBUG=self.PREF_MGR_API_DEBUG;truste.cma.debug=truste.util.debug;truste.eu.bindMap?truste.eu.init(null,

1):truste.util.addScriptElement(truste.eu.SOURCE_SERVER+

"?js=1&"+truste.eu.noticeLP._query,truste.eu.init,null,!0)}self._truste&&(self._truste.eu=_truste_eu)||_truste_eu();

```

OK. That's how it generally works. Now let's do it with a decrypted TLS stream. In the next post.

Ah, I forgot. That JS, surely is for me to see the page so perfectly and that I don't complain. It's about the user, right?

No! No! It's about control over me, the poor user! It's about tracking me, knowing all about my machines, and me. I really have no time for Javascript right now, but that is part of a big mosaic of data harvesting that goes on against the users all the time. And that data is sold. So big browsers, big money. The money comes from numbers of users. A few dimes per each is a lot of money. But that is such a shady world there! All kinds of games in there...

Make Dillo, make Lynx, make those good browsers strong. Don't leave us in the clutches of these big-players-in-control browsers, dear [F]ree [O]pen [S]ource [S]oftware developers!

And you, Mozilla, revert from the Schmoog's ways and leave Schmoog's embrace, Mozilla, if you can! Let the Schmoog alone doing his spying. You don't spy. Be yourself like long time ago, if you can.

----------

## miroR

Now there are 42 tcp streams in that dump_150927_1848_g0n.pcap file.

There needs to be a way to automate the extraction of the tcp streams, those that weren't originally encrypted and those that were encrypted, and can only be decrypted, given the PFS employed (the Perfect Forward Secrecy), if you have its session key.

I have no time to study lua, which Wireshark employs, but if anybody can teach us how to use it, it would be so great!

For that reason, I haven't studied all of the streams. It's too repetitive and tiresome! And so I may not have the best example Javascript at hand from the traffic capture.

The method I won't repeat here.

You can close the file and check that you did correctly all that SANS Training explained to you in their PDF linked from the Wireshark Wiki. Revisit the previous post if you got lost.

Now you need to use the keylog file that I posted on:

LINK HERE

(but you already know about it, else you wouldn't have that dump_150927_1848_g0n.pcap opened, would you?)

And, exempli gratia, do:

```
$ cp -iav SSLKEYLOGFILE_150927_1848_g0n.log ~/.sslkeylogfile.log
```

It is best that you give that file only read and write permission. No need for execute perms like in the PDF (didn't notice any other faults). So (not chmod 700, but):

```
$ chmod 600 ~/.sslkeylogfile.log
```

Surely there's the SSLKEYLOGFILE environment variable and the setting in the "Preferences" that need to be set correctly too.

And now, when you open that file again (had you tried previously you wouldn't get anything decrypted), you'll be able to see all honest SSL streams in their decrypted content.

So let's reopen the dump_150927_1848_g0n.pcap file, and let's do:

```
tcp.stream eq 5
```

This time "Follow ssl stream".

Save it as: dump_150927_1848_g0n_s05-ssl.dump (with the infix '-ssl' so you know you got it from following SSL stream).

Here's what should open for you. But again, you'll have to hexedit it. Three files there to extract.

```
GET /allura/nf/1443116597/_ew_/theme/sftheme/js/sftheme/modernizr.custom.90514.js HTTP/1.1
Host: a.fsdn.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://sourceforge.net/p/courier/mailman/message/31585709/
Connection: keep-alive

HTTP/1.1 200 OK
Server: nginx
Content-Type: application/x-javascript
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: "1424736091.61-9496"
Last-Modified: Tue, 24 Feb 2015 00:01:31 GMT
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
Content-Encoding: gzip
Cache-Control: public, max-age=31341714
Expires: Sat, 24 Sep 2016 10:51:06 GMT
Date: Sun, 27 Sep 2015 16:49:12 GMT
Content-Length: 3833
Connection: keep-alive

...........Z[s.8.~?....Q...$...dN6q2..
..[lots of complete gibberish cut out here]...
..'2.......%..GET
/allura/nf/1443116597/_ew_/_slim/css?href=tool%2Fmailman%2Fcss%2Fmailman.css%3Ballura%2Fcss%2Fforge%2Fhilite.css%3Ballura%2Fcss%2Fforge%2Ftooltipster.css
HTTP/1.1
Host: a.fsdn.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
Accept: text/css,*/*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://sourceforge.net/p/courier/mailman/message/31585709/
Connection: keep-alive

HTTP/1.1 200 OK
Server: nginx
Content-Type: text/css
Accept-Ranges: bytes
ETag: "1443292082.92-16762"
Last-Modified: Sat, 26 Sep 2015 18:28:02 GMT
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
Content-Encoding: gzip
Cache-Control: public, max-age=31455530
Expires: Sun, 25 Sep 2016 18:28:02 GMT
Date: Sun, 27 Sep 2015 16:49:12 GMT
Content-Length: 3557
Connection: keep-alive

...........[[s.6.~..@..
..[lots of complete gibberish cut out here]...
.AXj............._.99.\.....m3..w.F....l./W....[f......U!zA..GET /allura/nf/1443116597/_ew_/theme/sftheme/images/sftheme/32x32/code_32.png HTTP/1.1
Host: a.fsdn.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://sourceforge.net/nf/tool_icon_css?1443116597
Connection: keep-alive

HTTP/1.1 200 OK
Server: nginx
Content-Type: image/png
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: "1425517460.08-973"
Last-Modified: Thu, 05 Mar 2015 01:04:20 GMT
Content-Length: 973
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Cache-Control: public, max-age=31341609
Expires: Sat, 24 Sep 2016 10:49:22 GMT
Date: Sun, 27 Sep 2015 16:49:13 GMT
Connection: keep-alive

.PNG
.
...
IHDR... ... .....szz.....tEXtSoftware.Adobe ImageReadyq.e<...oIDATx..WK
..[lots of complete gibberish cut out here]...
..f..J.Ur.@??...../.?...q......?....IEND.B`.
```

The third, the last is a PNG.

```
$ hexedit dump_150927_1848_g0n_s05-ssl.dump
```

and search for hex string '89504E', cut from there to end and save into a new file as dump_150927_1848_g0n_s05-ssl_03.png. Then if necessary go back to search for the same string and truncate the file at that point. Now that file has only two files to extract left.

Go to top. Search for the familiar '1F8B08' string, but take the second one. Select to end, copy, save as dump_150927_1848_g0n_s05-ssl_02.gz. Truncate in the same manner. 

Go to top. Search for the familiar '1F8B08' string, there's only one left. Save from there to end in a new file dump_150927_1848_g0n_s05-ssl_01.gz.

The three files (after gunzip'ing the first two, and renaming them):

```
$ ls -l dump_150927_1848_g0n_s05-ssl_0?.*
-rw-r--r-- 1 ukra ukra  9497 2015-10-01 22:09 dump_150927_1848_g0n_s05-ssl_01.js
-rw-r--r-- 1 ukra ukra 16762 2015-10-01 22:05 dump_150927_1848_g0n_s05-ssl_02.css
-rw-r--r-- 1 ukra ukra   973 2015-10-01 22:04 dump_150927_1848_g0n_s05-ssl_03.png
$
```

The JS is the modernizr script, now obsolete, I believe, for HTML5, or related...

Never mind, I hope some will find this not such a bad practice. And if anybody teaches us some Lua scripts, great. Because this is very cumbersome, not having some means to look up the streams quickly. Remember this is just 45 seconds, and I couldn't get to the bottom of it (42 streams! in 45 seconds) at all.

Like I said, my first decrypted online was really not much at all. But I had to keep my promise.
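The carving done by hand in hexedit above (find 1F8B08 or 89504E, select to the end of the file, save, gunzip) is the same job for the plain-HTTP stream in the earlier post and for the decrypted SSL stream in this one, so here is one way to automate it, as an added example that is not the author's code and not a Wireshark or tshark feature. It assumes the stream window was saved in Wireshark's raw form (an ASCII save replaces the gzip bytes with dots and nothing can be recovered from it), slices each response body by its Content-Length (so the body never runs into the next GET the way it does in the hexedit view), and falls back to the next request line when that header is missing; the sample stream and the host example.invalid are constructed for the test.

```python
import gzip
import re
import sys
import zlib
from pathlib import Path

# The two magic strings the posts search for in hexedit.
GZIP_MAGIC = b"\x1f\x8b\x08"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# A response status line inside the saved stream; a request line such as
# "GET /x HTTP/1.1\r\n" does not match because no status code follows.
STATUS_RE = re.compile(rb"HTTP/1\.[01] (\d{3})[^\r\n]*\r\n")
# Next client request, used to end a body only when Content-Length is absent.
REQUEST_RE = re.compile(rb"(?:GET|POST|HEAD) [^\r\n]* HTTP/1\.[01]\r\n")

# Extensions the posts gave the carved files, keyed by Content-Type.
EXT_BY_TYPE = {
    "text/javascript": ".js",
    "application/x-javascript": ".js",
    "application/javascript": ".js",
    "text/css": ".css",
    "image/png": ".png",
}


def parse_headers(raw: bytes) -> dict:
    """Header block -> dict with lower-cased names (latin-1, as on the wire)."""
    headers = {}
    for line in raw.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers


def guess_ext(headers: dict, body: bytes) -> str:
    """Prefer the declared Content-Type; otherwise sniff the PNG signature."""
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype in EXT_BY_TYPE:
        return EXT_BY_TYPE[ctype]
    return ".png" if body.startswith(PNG_MAGIC) else ".bin"


def carve_responses(stream: bytes) -> list:
    """One dict per HTTP response in a raw Follow-TCP/SSL-stream save.

    'body' is gunzipped when the server said Content-Encoding: gzip or the body
    starts with 1F 8B 08; 'decoded' is False when the gzip member is truncated
    (a cut capture), in which case the raw bytes are kept for inspection.
    """
    found = []
    pos = 0
    while True:
        m = STATUS_RE.search(stream, pos)
        if not m:
            break
        hdr_end = stream.find(b"\r\n\r\n", m.end())
        if hdr_end < 0:
            break
        headers = parse_headers(stream[m.end():hdr_end])
        body_start = hdr_end + 4
        if "content-length" in headers:
            body_end = body_start + int(headers["content-length"])
        else:
            nxt = REQUEST_RE.search(stream, body_start)
            body_end = nxt.start() if nxt else len(stream)
        body = stream[body_start:body_end]
        decoded = True
        if headers.get("content-encoding", "").lower() == "gzip" or body.startswith(GZIP_MAGIC):
            try:
                body = gzip.decompress(body)
            except (OSError, EOFError, zlib.error):
                decoded = False
        found.append({"status": int(m.group(1)), "headers": headers, "body": body,
                      "ext": guess_ext(headers, body), "decoded": decoded})
        pos = body_end
    return found


def build_sample_stream() -> bytes:
    """Constructed stand-in for a saved stream: a gzipped JS reply, then a PNG."""
    js = b"function hello(){return 42;}\n"
    gz = gzip.compress(js)
    png = PNG_MAGIC + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17 + b"IEND\xaeB`\x82"
    req1 = b"GET /a.js HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
    resp1 = (b"HTTP/1.1 200 OK\r\nContent-Type: application/x-javascript\r\n"
             b"Content-Encoding: gzip\r\nContent-Length: %d\r\n\r\n" % len(gz)) + gz
    req2 = b"GET /i.png HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
    resp2 = (b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n"
             b"Content-Length: %d\r\n\r\n" % len(png)) + png
    return req1 + resp1 + req2 + resp2


def write_parts(dump_path: str) -> list:
    """Write <dump>_01.js, <dump>_02.css, ... beside the dump, as the posts name them."""
    stem = Path(dump_path).with_suffix("")
    written = []
    for i, part in enumerate(carve_responses(Path(dump_path).read_bytes()), start=1):
        out = Path(f"{stem}_{i:02d}{part['ext']}")
        out.write_bytes(part["body"])
        written.append(str(out))
    return written


if __name__ == "__main__":
    for name in write_parts(sys.argv[1]):
        print("wrote", name)
```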

----------

## miroR

EDIT 2015-10-04 16:23+02:00 :

Revised this post for typos, improved the wording in some sentences, and added the [***] note in bottom.

EDIT END

I'll try and post the files upfront this time, so you can check as soon as you read this and possibly (or should I say hopefully; there will be some feathers ruffled, and maybe adverse consequences/actions against me) [and possibly] in a few next posts. There are issues, and I am not ready to go the Javascript way onto the possibly-Schmoog-friendly ask.wireshark.org in my tiny, and in a peculiar way, regimatic environment (the internet is broken down and control given to smaller entities per the local power/regime, with the master entity, the U.S. (read: the NSA) keeping all the threads, therefore the "in a peculiar way") [*].

The files to look up and run the commands below against, will be on:

http://www.croatiafidelis.hr/foss/cap/cap-151001-legalis-login/

The important file without which you can't decrypt any of the SSL streams, and that needs to be set up as previously explained (in the PDF linked document by SANS Training), is the file with the session keys for all of this set (or even more). [**]

The SSLKEYLOGFILE_151001_1358_g0n.log.

Maybe you can do best to download just the dLo.sh file. Make a dir where you have perms. Enter that dir and run it:

```
$ ./dLo.sh
```

It will download all that is currently in the cap-151001-legalis-login/ .

Download them to be able to run the commands below, and check on the veracity of my claims/help us solve what I can not solve.

I also post this because I may need some help to figure out things. If any of you wizards are benevolently reading this, from Wireshark mailing lists, from higher echelons in Gentoo, or elsewhere, and you know how to solve the real hurdles that will be in your plain sight, if those hurdles are at all solvable, do join in with your kind advice. You will have my gratitude, and I am sure, respect from other readers of this topic!

The first set to examine is of the time: 2015-10-01 13:58 CET (as it carries the timestamp 151001_1358, and I live in Zagreb, Croatia).

```
$ tshark -r dump_151001_1358_g0n.pcap -q -z expert,note,tcp

Errors (3)
=============
   Frequency      Group           Protocol  Summary
           2  Malformed                TCP  New fragment overlaps old data (retransmission?)
           1  Undecoded               SPDY  Inflation failed. Aborting.

Warns (37)
=============
   Frequency      Group           Protocol  Summary
          34   Sequence                TCP  Connection reset (RST)
           1  Undecoded                SSL  BER: Dissector for OID not implemented. Contact Wireshark developers if you want this supported
           2   Sequence                TCP  TCP transmission window is now completely full

Notes (267)
=============
   Frequency      Group           Protocol  Summary
          97   Sequence                TCP  TCP keep-alive segment
          88   Sequence                TCP  ACK to a TCP keep-alive segment
          62   Sequence                TCP  This frame is a (suspected) retransmission
          17   Sequence                TCP  Duplicate ACK (#1)
           1  Malformed               HTTP  HTTP body subdissector failed, trying heuristic subdissector
           1   Sequence                TCP  Duplicate ACK (#2)
           1   Sequence                TCP  Duplicate ACK (#3)
```

A preemption first. Looking back, did anybody see anything faulty in my Gentoo's setup in those network traffic captures on that maildrop-users mailing list hosted on SourceForge?

I'm so glad, now, that I already posted those dumps. See my two previous posts (and maybe read further back if you parachuted in here).

Now if anybody would be trying to sell us the crap that I should need to fix my machine, because it were, in his opinion, broken, such (possible) individual only needs to redirect his/her own attention to how smooth my setup works on internet conversations with honest hosts. Thanks. Period dot.

I can't give a detailed analysis of this traffic capture as I don't yet speak Lua (no time to study it now) and it's too much work to do it manually, but maybe I could call readers' attention to three particular tcp streams: We'll be pasting, in the filter, first "tcp.stream eq 61" (because the screencast tells us to, even though it's out of order), then "tcp.stream eq 16", and then "tcp.stream eq 56".

I'll post some extracted files in the corresponding folder named after the dump: dump_151001_1358_g0n.d/

1) So you should see how it is that the screencast tells us to look up the stream 61 first, to get a clearer picture. You can see there troubles right at start if you download and view the screencast Screen_151001_1358_g0n.mkv.

WARNING: if your technical interests are strict on this topic, skip to "WARNING END"

But a note is due. I want to try and see if I can ask some legalese on the Croatian Legal Forums (Hrvatski Pravni Portal) in connection with my correspondence with my providers who arbitrarily breached my rights as well as the agreement btwn me and each of them respectively, who censored me based on their baseless false accusations that I sent spam emails, some of which you can read even here on Gentoo Forums in my translation:

Postfix smtp/TLS, Bkp/Cloning Mthd, Censorship/Intrusion

https://forums.gentoo.org/viewtopic-t-999436.html#7682770

as well as now (hopefully they haven't taken my NGO's site down) on:

http://www.croatiafidelis.hr/foss/cenz/iskon-t-com-miro-rovis/message/20150113.171003.a35398a1.en.html

(but that is the only translated email, the rest is in Croatian; it's:

a Snapshot (taken in a hurry) of Lurker deployed on my SOHO

http://www.croatiafidelis.hr/foss/cenz/iskon-t-com-miro-rovis/

btwn me, Miroslav Rovis, and Iskon, and T-com

that I want to talk legalese to juridical people and citizens there).

That is why I am trying to login/register at http://www.legalis.hr , the Croatian Legal Forums.

WARNING END

You can see there, in that screencast, after the first half a minute:

*Quote:*

> A script on this page may be busy, or it may have stopped responding. You can stop the script now, open the script in the debugger, or let the script continue.
>
> Script: http: //rsgde.adocean.pl/files/... <snipping a little>/simpaBanner2.Js:1
> ...

I chose to "Debug script" but then very soon decided I wasn't going to delve into it. Too little knowledge of Javascript here.

Anyway, that same script is available in the dump.

```
$ tshark -r dump_151001_1358_g0n.pcap -z expert,note,tcp | grep rsgde | grep simpaBanner

1163 34.721663000  192.168.1.2 -> rsgde.adocean.pl HTTP 425 GET /files/akimiqplupg/yileewlqpw/vdmegvlrkn/js/simpaBanner2.js HTTP/1.1
```

So paste in the filter:

```

tcp.stream eq 61

```

It would even more extend these posts if I repeated the method of extracting content. See previous posts.

The script is in the said folder and it is named: dump_151001_1358_g0n_s61_01_SimpaBanner2.js. What is wrong with the script I can not tell for reasons already stated.

2) tcp.stream eq 16

It decrypts, yes it does. But what is decrypted, is some fragment of some compressed file, or some encrypted matter (so, if this latter is the case, it's encryption upon encryption, and there is no key other than in the Schmoog's own archives, to decrypt the inner encryption, again: if that is the case [***]). Have a look, as I'll post what anybody can decrypt with the setup of his/her Wireshark as we have so far learned:

Follow and save ssl stream, and compare it to this one that you can download (it ought to be exactly the same, to the bit), and then you tell me what you can make of it:

dump_151001_1358_g0n_s16-ssl.dump

The only string that makes some sense to me if I look up that dump with hexedit is "PRI * HTTP/2.0". All else is gibberish.

3) tcp.stream eq 56

This one is fascinating!

The conversation is with some Zucky the great "philanthropist"'s Facebook host:

```

31.13.84.8   StAr.c10r.facebook.com

```

It's easy to extract it. Click on any of the lines with TLSv1.2, follow SSL stream, Save as:

dump_151001_1358_g0n_s56-ssl.dump

It's, allegedly (read on) gzip'd. 

It's two GET's in there. Second first.

NOTE: 'man hexedit' ...

Search, in hex, for "47455400". Set mark at the second found. Search to end. That will select to end. Copy. Paste into a file, naming that file:

dump_151001_1358_g0n_s56-ssl_02.dump

Repeat the search (or in some other fashion set the cursor again at the start of the second GET). Truncate.

Set the mark at the first GET. Search to end. That will select the entire remaining content from there. Paste into file:

dump_151001_1358_g0n_s56-ssl_01.dump

Open file: dump_151001_1358_g0n_s56-ssl_01.dump

I don't see there could be anything there to extract.

Open file: dump_151001_1358_g0n_s56-ssl_02.dump

Searching in ASCII for "gzip" finds one instance. Move to top. Search in hex for "1F8B08". Mark. Move to end. Copy. Paste into file: dump_151001_1358_g0n_s56-ssl_02.gz

And here we go, here's the fascinating thing!:

```

$ ls -l dump_151001_1358_g0n_s56-ssl_02.gz 

-rw-r--r-- 1 ukra ukra 5993 2015-10-02 14:42 dump_151001_1358_g0n_s56-ssl_02.gz

$ file dump_151001_1358_g0n_s56-ssl_02.gz 

dump_151001_1358_g0n_s56-ssl_02.gz: gzip compressed data, from Unix

$ gunzip dump_151001_1358_g0n_s56-ssl_02.gz 

gzip: dump_151001_1358_g0n_s56-ssl_02.gz: invalid compressed data--format violated

$ 

```

The kind and philanthropic Zucky's Facebook violates the gzip format! Pls do show me, pls. do prove me wrong! I'm really not claiming complete certainty because I'm really not an expert by any means. However, the file is there for everybody to see.

Do tell us why that gzip'd archive can not be extracted and why gzip shouts out so loud that the format has been violated!

I want to see (but not immediately; this is tiring work) what the true experts on Wireshark.org may want to say about this little snippet of content with this credibly (IMO) alleged violation. [***]bis

Anyway, I basically decided that, looking up all the plethora of almost all the world's top surveillors being pulled in by my only trying to open, and possibly login/register with the Croatian Legal Forums... (almost all; I believe there are some who will sorely miss Billy the Senior Philanthropist's M$ not pulled in)...

And so I decided I try and do some filtering to see if I can talk to the Croatian Legal Forums without having to deal with that many of the big players' surveilling tentacles.

By filtering some of that plethora of domains out at the input of my iptables, dropping their packets on the floor, employing the filtering capability that I compiled in my kernel, and deploying it by adequate filtering rules.

Have a look at how many of those hosts are set to get their tentacles in my machine by my mere opening the initial http://www.legalis.hr page and trying to login/register in:

dump_151001_1358_g0n_RESO.txt

I'll continue this story in the next post.

---

[*] I'd really kindly ask the inventor Tim Berners Lee whether (1) he knew ahead of his invention that such would be the case, and I'd kindly ask him (2) not to keep boasting with the benefits of the internet; nothing is better for it, unless the big brains, and big players, don't engage against (the first), or stop surveillance (the second), surveillance the cancer of the internet, like, exempli gratia, Bruce Schneier does, of the world's true intellectual internet elite; but does anyone know of any big players refraining from spreading this cancer?

[**] I really have nothing to hide currently, and yet few readers will doubt that I am fighting so that we, the poor users, especially the FOSS *nix users (too little hope for M$, Apple and such, users), be able to hide our personal correspondence, our browsing habits, and anything we want to hide. Because it is our time, our life, our streets in our cities (and not, say, Schmoog's), our friends and our communities, and it does not pertain to the surveillors, to control any of it, to track, to inspect and hoard data about, any of it, by any constitution of any country of the world that is at least somewhat free. You can start from the Constitution of the United States of America, this important amendment granting they are not allowed to control you:

https://en.wikipedia.org/wiki/Fourth_Amendment_to_the_United_States_Constitution

and I can tell you that the right to hide my communications, as I please, is in the Constitution of the Republic of Croatia, as well. Just the hiding that I talk of as legitimate here is not hiding things the way you move your code into people's computers, like Facebook appears to have done above. I don't approve of such hiding of things. Because that's not privacy, that's an attack on other people's property, what FB apparently does. In this note I remotely paraphrase Eric Google's, in 201x, repeating of Goebbels', in 194x, soundbite: "If you have nothing to hide, you have nothing to worry about!", if the kind reader hasn't noticed.

[***] and [***]bis It is more study that is needed, of the HTTP2 standard (as well as of SPDY), as I explain in the later posts in this topic, starting from:

https://forums.gentoo.org/viewtopic-t-1029408.html#7823392

as well as on Wireshark ML:

https://www.wireshark.org/lists/wireshark-users/201510/msg00000.html

to see if these packets really carry concealed content, which IMO would be a breach of my privacy, because the ground is mine, not Schmoog's, not Facebook's nor any others', it's my machine. It's like entering somebody's home with a concealed gun, if it really can not be decrypted without Quantum PC power, what they put in those packets...

Last edited by miroR on Sun Oct 04, 2015 3:51 pm; edited 2 times in total
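The hexedit procedure above (cut at each "GET ", find the 1F 8B 08 magic, lift the member out, run gunzip) can be done programmatically so that the result is a report rather than a one-word complaint from gzip. The following is an added example, not code from the post; it runs on a constructed in-memory sample (`build_sample()`), and a practitioner would pass the bytes of a saved stream dump to `scan_dump()` instead. It distinguishes a member whose gzip trailer was verified from one that simply ran out of data before the trailer and from one zlib actually rejects, and it keeps whatever was inflated before the failure. As a general caveat, a response body sent with chunked transfer encoding has chunk-size lines interleaved into the gzip data, so a member copied straight out of a stream dump can fail for that reason alone; the report shows the offset where inflation stopped so that can be checked.

```python
"""Scan a saved 'Follow SSL stream' dump for HTTP request boundaries and gzip
members, and try to inflate each member, reporting how far decompression got.

Added example, not code from the forum post. It runs on a constructed,
in-memory sample; pass the bytes of a real stream dump to scan_dump() instead.
"""
import gzip
import zlib

GET_MAGIC = b"GET "            # 47 45 54 20, the hex string searched in hexedit
GZIP_MAGIC = b"\x1f\x8b\x08"   # gzip ID1 ID2 and CM=8 (deflate), as searched above


def find_all(data, needle):
    """Return every offset at which needle occurs in data."""
    offsets, pos = [], data.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(needle, pos + 1)
    return offsets


def split_requests(data):
    """Cut the stream at every 'GET ' so each piece holds one request/response."""
    starts = find_all(data, GET_MAGIC)
    ends = starts[1:] + [len(data)]
    return [(s, data[s:e]) for s, e in zip(starts, ends)]


def try_inflate(blob, step=64):
    """Feed blob to zlib in small steps so output produced before a failure survives.

    Returns (status, inflated_bytes, detail): status is 'ok' (gzip trailer seen),
    'truncated' (data ran out before the trailer) or 'corrupt' (zlib rejected
    the data, the condition gunzip reports as "format violated").
    """
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16+ means: expect a gzip header
    out = bytearray()
    for i in range(0, len(blob), step):
        try:
            out += d.decompress(blob[i:i + step])
        except zlib.error as exc:
            return "corrupt", bytes(out), "at byte %d: %s" % (i, exc)
        if d.eof:
            return "ok", bytes(out), "trailer verified"
    return "truncated", bytes(out), "no gzip trailer before end of data"


def scan_dump(data):
    """List every gzip member in the dump together with the request it follows."""
    records = []
    for n, (base, piece) in enumerate(split_requests(data), start=1):
        for off in find_all(piece, GZIP_MAGIC):
            status, inflated, detail = try_inflate(piece[off:])
            records.append({"request": n, "offset": base + off,
                            "status": status, "inflated": len(inflated),
                            "detail": detail})
    return records


def _request(path):
    return b"GET " + path + b" HTTP/1.1\r\nHost: example.test\r\n\r\n"


def build_sample():
    """Constructed stand-in for a stream dump: three GETs with gzip'd bodies."""
    body = gzip.compress(b"hello forum " * 40, mtime=0)       # 480 bytes inflated
    head = b"HTTP/1.1 200 OK\r\nContent-Encoding: gzip\r\n\r\n"
    intact = body
    corrupt = body[:3] + bytes([body[3] | 0xE0]) + body[4:]   # reserved FLG bits set
    truncated = body[:-8]                                      # CRC32/ISIZE trailer cut
    return (_request(b"/one") + head + intact
            + _request(b"/two") + head + corrupt
            + _request(b"/three") + head + truncated)


if __name__ == "__main__":
    for rec in scan_dump(build_sample()):
        print(rec)
```

Run it as `python3 scan_gzip.py` for the sample; to look at a real dump, replace `build_sample()` with `open("dump.bin", "rb").read()`.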

----------

## miroR

This is not yet the next post I planned.

But a necessary addendum.

I figured out that I will need to understand more concepts and learn to apply them to decrypt some of the traffic.

In the previous post there is the line

```

          1  Undecoded               SPDY  Inflation failed. Aborting. 

```

SPDY (pronounced Speedy) is Schmoog's enhancement of the HTTP1x protocol, upon which (and that's the other line, but in context):

```

PRI * HTTP/2.0 

```

upon which (upon the SPDY) the HTTP2 was developed.

Once I study those, I might be able to decrypt such traffic too.

A good start:

Why are the headers of this SPDY SYN_STREAM sample apparently uncompressed?

http://stackoverflow.com/questions/27454189/why-are-the-headers-of-this-spdy-syn-stream-sample-apparently-uncompressed

and 

https://wiki.wireshark.org/HTTP2
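The string "PRI * HTTP/2.0" seen in the stream 16 dump is the start of the HTTP/2 client connection preface; what follows it is binary framing, and request headers inside it are HPACK-compressed, so even a correctly decrypted h2 stream looks like gibberish in a text dump. The following is an added example, not code from the post, Wireshark or any other project: it recognises the preface, walks the 9-byte frame headers, decodes a SETTINGS payload and decodes the few HPACK bytes that are plain static-table references. The layouts and numbers follow RFC 7540 and RFC 7541; the bytes from `build_sample()` are constructed here, not captured traffic.

```python
"""Recognise the HTTP/2 client connection preface and walk the frames after it.

Added example, not from the forum post or any Wireshark code. The 24-byte
preface, the 9-byte frame header, the frame type numbers and the SETTINGS
identifiers follow RFC 7540; the static-table entries follow RFC 7541 (HPACK).
The bytes produced by build_sample() are constructed here, not captured traffic.
"""
import struct

# "PRI * HTTP/2.0" is the only readable text in a fresh h2 stream: the preface.
PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"

FRAME_TYPES = {0x0: "DATA", 0x1: "HEADERS", 0x2: "PRIORITY", 0x3: "RST_STREAM",
               0x4: "SETTINGS", 0x5: "PUSH_PROMISE", 0x6: "PING", 0x7: "GOAWAY",
               0x8: "WINDOW_UPDATE", 0x9: "CONTINUATION"}

SETTINGS_IDS = {0x1: "HEADER_TABLE_SIZE", 0x2: "ENABLE_PUSH",
                0x3: "MAX_CONCURRENT_STREAMS", 0x4: "INITIAL_WINDOW_SIZE",
                0x5: "MAX_FRAME_SIZE", 0x6: "MAX_HEADER_LIST_SIZE"}

# First entries of the HPACK static table (index -> (name, value)).
HPACK_STATIC = {1: (":authority", ""), 2: (":method", "GET"), 3: (":method", "POST"),
                4: (":path", "/"), 5: (":path", "/index.html"), 6: (":scheme", "http"),
                7: (":scheme", "https"), 8: (":status", "200")}


def is_h2_preface(data):
    """True when the bytes open with the client connection preface."""
    return data.startswith(PREFACE)


def parse_frames(data):
    """Return one dict per frame: type, flags, stream id, length, raw payload."""
    if not is_h2_preface(data):
        raise ValueError("data does not start with the HTTP/2 client preface")
    pos, frames = len(PREFACE), []
    while pos + 9 <= len(data):
        hdr = data[pos:pos + 9]
        length = int.from_bytes(hdr[0:3], "big")                  # 24-bit length
        ftype, flags = hdr[3], hdr[4]
        stream_id = struct.unpack(">I", hdr[5:9])[0] & 0x7FFFFFFF  # top bit reserved
        payload = data[pos + 9:pos + 9 + length]
        frames.append({"type": FRAME_TYPES.get(ftype, "UNKNOWN_0x%02x" % ftype),
                       "flags": flags, "stream": stream_id, "length": length,
                       "payload": payload, "complete": len(payload) == length})
        if len(payload) < length:
            break                                    # frame cut off by end of capture
        pos += 9 + length
    return frames


def parse_settings(payload):
    """A SETTINGS payload is a list of (16-bit identifier, 32-bit value) pairs."""
    out = {}
    for i in range(0, len(payload) - len(payload) % 6, 6):
        ident, value = struct.unpack(">HI", payload[i:i + 6])
        out[SETTINGS_IDS.get(ident, "UNKNOWN_0x%04x" % ident)] = value
    return out


def decode_static_indexed(block):
    """Decode only 'indexed header field' bytes (top bit set) hitting the static table.

    Literal fields, dynamic-table hits and Huffman-coded strings need a full HPACK
    decoder carrying per-connection state, so decoding stops at the first of those.
    """
    headers = []
    for b in block:
        if b & 0x80 and (b & 0x7F) in HPACK_STATIC:
            headers.append(HPACK_STATIC[b & 0x7F])
        else:
            break
    return headers


def frame(ftype, flags, stream_id, payload):
    """Serialise one frame: 3-byte length, type, flags, 31-bit stream id, payload."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)


def build_sample():
    """Constructed client side of an h2 connection start (not captured traffic)."""
    settings = struct.pack(">HI", 0x2, 0) + struct.pack(">HI", 0x3, 100)
    window = struct.pack(">I", 1 << 20)
    hpack = bytes([0x82, 0x87, 0x84])      # :method GET, :scheme https, :path /
    return (PREFACE + frame(0x4, 0x0, 0, settings) + frame(0x8, 0x0, 0, window)
            + frame(0x1, 0x5, 1, hpack))    # flags 0x5 = END_STREAM | END_HEADERS


if __name__ == "__main__":
    for f in parse_frames(build_sample()):
        print(f["type"], "stream", f["stream"], "len", f["length"], "flags", hex(f["flags"]))
```

The sample carries exactly what a browser sends first: SETTINGS, a WINDOW_UPDATE on stream 0, and a HEADERS frame on stream 1 whose whole header block is three static-table indices. Real header blocks almost always contain literal and dynamic-table fields too, which is why the function stops rather than guessing.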

----------

## miroR

More on the necessary digression. This is still not in the planned line of presentation.

I'm reluctant to try things SPDY offline in my Apache. Have a look at what is very telling about SPDY:

```

# emerge -tuDN mod_spdy

These are the packages that would be merged, in reverse order:

Calculating dependencies    ... done!                             

[ebuild  N    #] www-apache/mod_spdy-0.9.4.3::gentoo  USE="-debug {-test}"

7,162 KiB

[ebuild     UD ]  www-servers/apache-2.2.31:2::gentoo [2.4.16:2::gentoo]

USE="doc ssl suexec -debug -ldap (-selinux) -static -threads (-alpn%)"

APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm

authn_default%* authn_file authz_dbm authz_default%* authz_groupfile

authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock

deflate dir disk_cache%* env expires ext_filter file_cache filter headers

include info log_config logio mem_cache%* mime mime_magic negotiation rewrite

setenvif speling status unique_id userdir usertrack vhost_alias -asis

-auth_digest -authn_dbd -cern_meta -charset_lite -dbd -dumpio -ident -imagemap

-log_forensic -proxy -proxy_ajp -proxy_balancer -proxy_connect -proxy_ftp

-proxy_http -proxy_scgi -reqtimeout -substitute -version (-access_compat%)

(-authn_core%*) (-authz_core%*) (-authz_dbd%) (-cache_disk%)

(-lbmethod_bybusyness%) (-lbmethod_byrequests%) (-lbmethod_bytraffic%)

(-lbmethod_heartbeat%) (-macro%) (-proxy_fcgi%) (-proxy_wstunnel%)

(-ratelimit%) (-remoteip%) (-slotmem_shm%) (-socache_shmcb%*) (-unixd%*)"

APACHE2_MPMS="-event -itk% -peruser -prefork -worker" 5,542 KiB

[ebuild     UD ]   app-admin/apache-tools-2.2.31::gentoo [2.4.16::gentoo]

USE="ssl" 0 KiB

Total: 3 packages (2 downgrades, 1 new), Size of downloads: 12,704 KiB

Would you like to merge these packages? [Yes/No] No

Quitting.

```

I bet you saw my reply to the question at the bottom: "No" (without quotes).

What is also very telling is the 

Distribution of web servers among websites that use SPDY

http://w3techs.com/technologies/segmentation/ce-spdy/web_server

and I'll paste it in here, since those numbers change. So the current numbers (see the timestamp of this post) are:

```

Nginx is used by 73.9% of all the websites whose web server we know and that

use SPDY as site element.

```

```

Nginx         73.9%

LiteSpeed     23.1%

Apache         2.3%

Node.js        0.4%

Google_Servers 0.3%

```

Take a look at how the Schmoog trust their own invention, how Nginx is stuck with it (good luck to anyone believing in and trusting the Schmoog!), and they must be cursing the former, and how the Apache folks never really trusted it.

Or were the Schmoog upfront using it for some shady purposes along? Who can tell? True experts only (and I'm certainly not one), and who are honest along being expert, but honest truly: very rare; I have met some, yes, but too rare those kind of experts... Aarrgh.. The world is waiting for a Schmoog whistleblower to tell us more about the Octopus... Ever, anyone?

There's more.

Really I cheered when I read to the end of this e-mail

```

HTTP Working Group <ietf-http-wg@w3.org>

```

, and when I understood that Poul-Henning Kamp [*] was the author of that open letter which I enjoyed reading and recognize (to some extent: I'm just an advanced user) its arguments, and many among you readers of this topic will too:

Why HTTP/2.0 does not seem interesting

https://www.varnish-cache.org/docs/trunk/phk/http20.html

The letter talks about SPDY as well. Find the line:

*Poul-Henning Kamp wrote:*

> Overall, I find the design approach taken in SPDY deeply flawed.

My problem is that I need to figure out how to decrypt these freaking packets (mostly Schmoogle's but others' too) that use either SPDY or HTTP2. Because I must be in control of my machine, and not the Schoogle's kind.

Else, they will be able to set me up as spammer and be able to censor me, as they already did, for long months, which I mentioned in some of the first posts (links there to documented events of censorship, like clickjacking).

(and that is just the last big censorship event of their making on me. If you want more, and on how Google helps regimes like in my country, have a look at why I have all the reason to detest Google:

Really? The Surveillance Engine Terminated All My Videos

http://forums.debian.net/viewtopic.php?f=3&t=113059

).

When is that idiotic Octopus going down, if really it does not intend to behave?

--

[*] I like to spread valuable info. I don't remember having listened to anything as impressive as this Poul-Henning Kamp's speech at the FOSDEM Conference 2014. It was previously elsewhere, and if you can't download the entire 46 minutes, as I can not currently from my quarters (but I do have a lousy provider), do tell! Here:

NSA operation ORCHESTRA Annual Status Report

https://commons.wikimedia.org/wiki/File:NSA_operation_ORCHESTRA_Annual_Status_Report.webm

It is not important because of me, as I have already archived it previously for myself, but for others, to spread the truth to others as well.

Last edited by miroR on Sun Oct 04, 2015 4:53 pm; edited 3 times in total

----------

## miroR

Still can not move on without the understanding of these issues. But maybe we get to know more on these special concealed (to the majority of users at least) packets. I wrote to Wireshark ML:

Wireshark-users: Re: [Wireshark-users] The SSL tcp stream decoding in Users' Manual?

https://www.wireshark.org/lists/wireshark-users/201510/msg00000.html

----------

## miroR

A note: in the email there, I'm referring to the link to my last email to Wireshark ML, in the post immediately before this one, you can see that I actually can decode SPDY and HTTP2. More on my research on SPDY and HTTP2 in the next post. I mean really next (and only then the posts promised quite-a-few-posts-back; those had already been written).

Just: my research resulted in my pretty clear understanding that it is good for me, at least for now, since there is no benefit for me (nor for users generally, just for big business) from SPDY and HTTP2, only possibly more trouble, like CRIME (but on that in the next post), [that it is good for me] to disable SPDY and HTTP2 in my Fox.

Read all, don't just follow this post; this is partly, very partly only, a failed test!

Save your ~<you>/.mozilla/firefox/<your-salt-here>.default/prefs.js, say

like:

```

$ cp -iav ~<you>/.mozilla/firefox/<your-salt-here>.default/prefs.js prefs.js_$(date +%s)_$(hostname)

```

so you can compare what you got with the GUI changes you will make.

Close if previously you had Firefox opened.

Start Firefox. Don't open any pages with it. Do this work first.

Type in about:config in Firefox.

In the Search box type in 'spdy' (without quotes).

Wherever you see 'true' doubleclick on it. It will turn to 'false'

I hope now spdy and http2 are disabled.

Comparing my ~ukra/.mozilla/firefox/<my-salt-here>.default/prefs.js

with the changed profile, and disregarding the changes that Fox makes on every start/exit in your prefs.js, these are the changes necessary to get rid of the CRIME-enabled SPDY and HTTP2:

```
$ cat prefs.js.diff
> user_pref("network.http.spdy.allow-push", false);
> user_pref("network.http.spdy.coalesce-hostnames", false);
> user_pref("network.http.spdy.enabled", false);
> user_pref("network.http.spdy.enabled.deps", false);
> user_pref("network.http.spdy.enabled.http2", false);
> user_pref("network.http.spdy.enabled.v3-1", false);
> user_pref("network.http.spdy.enforce-tls-profile", false);
```

And I believe (

I clone my systems:

Postfix smtp/TLS, Bkp/Cloning Mthd, Censorship/Intrusion 

https://forums.gentoo.org/viewtopic-t-999436.html#7613044

)

...

And I believe (since I clone my systems) that doing this same GUI change, but doing it the non-GUI way, on another of my systems which has until now been on defaults regarding SPDY and HTTP2, will be a proof of concept.

On the other system (a clone, on same type/model hardware), I copy its prefs.js to where I can first view it in some detail.

Now on that copied prefs.js (but really, it can be done on the original, just Fox must NOT be running), I did:

```

$ cat prefs.js.diff | sed 's/> //'  >> prefs.js 

$ mv -iv prefs.js prefs.js_NEW 

```

The diff btwn the prefs.js_NEW and the orig prefs.js on this other system, is the same as on the GUI-experimented one.

So:

```

cp -iav prefs.js_NEW ~<me>/.mozilla/firefox/<my-salt-here>.default/prefs.js

```

And if I start Fox now, open 'about:config' and in the Search box type in spdy, I should see the same SPDY and HTTP2 entries disabled.

No. I was wrong. Upon starting Fox, I had it all at defaults, like before. Why is that?

Never mind. I did the clicking as, obviously, I am supposed to, then I exited Fox, restarted it, and this time it holds: these failed standards, in the sense that they are not catching on with the non-big-business internet people, are disabled.
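Appending a saved diff to prefs.js with `>>` adds lines without regard to what is already there, so a pref that exists with the opposite value ends up listed twice. The following is an added example, not code from the post: it sets each `user_pref()` from the post's diff exactly once, replacing an existing line in place and appending only what is missing, and reports which prefs still differ from the wanted value. `SAMPLE_PREFS` is a constructed profile fragment; the seven pref names are the ones the diff lists. As a note of mine, the same function works on a `user.js` in the profile directory, which Firefox re-reads on every start and which overrides prefs.js, and as the post says Firefox must not be running while either file is edited.

```python
"""Set Firefox user_pref() lines in a prefs.js (or user.js) exactly once each.

Added example, not code from the forum post. It replaces an existing line for a
pref in place and appends the pref only when absent, so re-running it never
duplicates entries the way an unconditional '>>' append does. SAMPLE_PREFS is a
constructed profile fragment; the pref names are the ones the post's diff lists.
"""
import re

# The seven prefs from the post's prefs.js.diff, all to be switched off.
SPDY_HTTP2_OFF = {
    "network.http.spdy.allow-push": False,
    "network.http.spdy.coalesce-hostnames": False,
    "network.http.spdy.enabled": False,
    "network.http.spdy.enabled.deps": False,
    "network.http.spdy.enabled.http2": False,
    "network.http.spdy.enabled.v3-1": False,
    "network.http.spdy.enforce-tls-profile": False,
}

# user_pref("name", value);  -- name may not contain an unescaped double quote
PREF_LINE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)+)",\s*(.*?)\);\s*$')

# Constructed sample of a profile's prefs.js: one spdy pref still on, the rest absent.
SAMPLE_PREFS = """\
# Mozilla User Preferences
user_pref("browser.startup.page", 1);
user_pref("network.http.spdy.enabled", true);
user_pref("browser.startup.homepage", "about:blank");
"""


def js_literal(value):
    """Render a Python value the way prefs.js writes it (bool, int or string)."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    return '"' + str(value).replace("\\", "\\\\").replace('"', '\\"') + '"'


def read_prefs(text):
    """Map pref name -> raw value text exactly as written in the file."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs


def set_prefs(text, wanted):
    """Return text with every pref in wanted set exactly once (idempotent)."""
    pending = dict(wanted)
    out = []
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m and m.group(1) in pending:
            name = m.group(1)
            out.append('user_pref("%s", %s);' % (name, js_literal(pending.pop(name))))
        else:
            out.append(line)
    for name, value in pending.items():          # not present yet: append at the end
        out.append('user_pref("%s", %s);' % (name, js_literal(value)))
    return "\n".join(out) + "\n"


def check_prefs(text, wanted):
    """Sorted names whose value in text differs from wanted (or is missing)."""
    have = read_prefs(text)
    return sorted(n for n, v in wanted.items() if have.get(n) != js_literal(v))


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None   # profile file to edit, optional
    text = open(path).read() if path else SAMPLE_PREFS
    new = set_prefs(text, SPDY_HTTP2_OFF)
    if path:
        open(path, "w").write(new)
    print("still not as wanted:", check_prefs(new, SPDY_HTTP2_OFF))
```

Run without arguments it transforms the constructed sample and prints an empty list; given a path it rewrites that file in place, so take the backup copy the post describes first.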

----------

## miroR

In the first place, HTTP2 is just a remake of SPDY, and also, as Poul-Henning Kamp says, feels more like HTTP1.2.

It hasn't, and hardly is it expected to, catch on. So it looks to me as just a failure.

You can read also what PHK wrote previously on SPDY:

What SPDY did to my summer vacation

https://www.varnish-cache.org/docs/trunk/phk/spdy.html

So PHK, an expert who spent quite some time studying it... and I really didn't go into the details of that page, I only searched, as it is not there to be easily found, for what to do about it... The propaganda of Google and such businesses that "own" the internet is such that you would think it's the next big thing, the SPDY, and now the HTTP2.

So PHK, an expert who spent quite some time studying it, claims SPDY is "deeply flawed", as I quoted him some two posts ago.

I even looked up the linked from there:

Varnish User Group Meeting 6 (VUG6 London)

https://www.varnish-cache.org/vug6

and read some of the paper linked in there:

PHK's Keynote (on HTTP/2.0) 

https://www.varnish-cache.org/sites/default/files/02_VUG6-PHK_Keynote.pdf

and I'll only suggest page 18 of that paper, where PHK claims:

```

HTTP/2.0 is an uncertain target

No realistic timeline

Very unclear featureset

May not even catch on when done

```

And let's see now if HTTP2 caught on. Because that VUG6 event took place in early October 2012, which is just about 3 (three) years ago.

Maybe that PHK is not such an expert. Maybe that he was wrong... Let's see.

...Aargh. I searched so much, and read lots of it, that it is not even a quick task to find the page which is the most indicative of all...

Wait...

Ah! Here we go:

On this page:

Comparison of web server software

https://en.wikipedia.org/wiki/Comparison_of_web_server_software#Features

you can see that of all the numerous software that some thirty different servers support, lots of green there, but also, for some entries, such as Java Servlets, more red than green, but...

But, at the end of the software features enumerated, there's the Google's fabulous, fabulous HTTP/2 ! 

Supported by only three of all the servers, the rest probably never bothered to even think about supporting it. Not even consider HTTP2! Bravo, Google!! Such an incredible success!!

I hope other Gentoo users, and whoever finds this page (Google will probably not put it upfront for finding, even if it does have all the entries that people will give to that surveillance --the real purpose-- and also search engine), will lose less time on these idiotic standards than I have.

What huge amount of time this research took me! What a waste of time these standards, SPDY and HTTP2. Yes they do have their usefulness for the big business, but, and it's also PHK who said it somewhere (but I'm done with them, I hope, can't search for the exact document to quote him), but for users there is no benefit whatsoever.

SPDY and HTTP2 are, I hope, done for me. Only I have to make sure that I disable them successfully in my Firefox.

I also mentioned CRIME. Here:

https://en.wikipedia.org/wiki/CRIME

and 

https://en.wikipedia.org/wiki/Transport_Layer_Security#CRIME_and_BREACH_attacks

And surely remember that the surveillance engine and its friends may very well have their other reasons, not available anywhere, because not published, completely secret, for SPDY and HTTP2. Can not claim that, surely. I'm waiting for a Google whistleblower like many thinking people.

Regards!

--

EDIT 2015-10-06 22:31+02:00 :

Only after already having posted this post have I understood what PHK meant when he cited his own email of 1999 in the (link also already in the top of this post):

*PHK wrote:*

> My one lucky break was the bikeshed email where I actually did sit down and compose some of my thoughts, thus firmly sticking a stick in the ground as one of the first to seriously think about how you organize open source collaborations.

In that bikeshed email you can read what Larry Google, Sergey Google and Eric Google (where Google stands for "the Schmoog"), and friends, should carefully read, and there you can find the treatment they should get.

PHK understood it ahead of time. Just as he writes in the paragraph previous to the already cited paragraph. He saw it by the mere logic of the totally flawed design (well, you probably can't push some surveillance hooks in there for the NSA and make a standard that does the right thing for what it is nominally made for, can you?) of SPDY and HTTP2. That is the meaning of the opening paragraph of that "What SPDY did to my summer vacation" article of his. Here:

*PHK wrote:*

> It's dawning on me that I'm sort of the hipster of hipsters, in the sense that I tend to do things far before other people do, but totally fail to communicate what's going on out there in the future, and thus by the time the "real hipsters" catch up, I'm already somewhere different and more interesting.

And that is why he cited his, by that time (September 2012), thirteen years old email of his.

This is my paraphrasing of that email of his:

Why Should I Care What Color the Bikeshed Is?

http://bikeshed.org/

, for the Larry (both Google and Oracle), Sergey and Eric and the camaraderie of theirs:

```

Your standard is about to be presented/suggested/imposed on to several hundred

thousand people, who will have to spend at least 10 minutes reading about it

before they can decide what to do about it.

...[snip]...

                                                           

Are you absolutely sure that your standard is of sufficient importance to

bother all these people ?                    

                                                           

                        [YES]  [REVISE]  [CANCEL]                 

----------------------------------------------------------------------------

----------------------------------------------------------------------------

Warning:  You have not considered all the existing standards and the real

issues that ought to be dealt with. 

                                                           

                            [CANCEL]                              

----------------------------------------------------------------------------

----------------------------------------------------------------------------

Warning:  Your dedicated teams have not even considered half of what has been

suggested to them by true internet experts. Logically it follows that you

yourselves, the "big" boys of this internet, cannot possibly have considered

and understood all the important issues, breakages, hardships that you will

have created if you, "big" as you are, successfully push it by your propaganda.

                                                           

A cool off timer for this standard will prevent you from     

pushing any standards onto the internet for the next fifteen years

                                                           

                             [Cancel]                             

----------------------------------------------------------------------------

```

EDIT END

----------

## miroR

More than two weeks ago, at this address of this topic you are reading: 

https://forums.gentoo.org/viewtopic-t-1029408.html#7822806

I wrote (and I myself need to try and pick up the narrative first)

The following is, first some parts of the two-weeks old post, by the intended plan of presentation, just as in the link above posted, and then I will continue from where I had left off.

Most of the new text below I wrote two weeks ago, and need only to correct and adapt it a little.

So I had written... *Quote:*

> I'll try and post the files upfront this time, so you can check as soon as you read this and possibly ...[snip]... [the] next posts.
>
> ...[snip]...
> ...

The dLo.sh below, as well as the SUMS and the SUMS.sig's, will, in cases of additions and/or changes (changes to the listing, not the particular SHA256 hashes), be updated, but old SUMS and SUMS.sig's will be in the PREV/ directory ('PREV' for previous), just in case someone wanted to check up on the consistency of my methods/statements.

*Quote:*

> Maybe you can do best to download just the dLo.sh file. Make a dir where you have perms.

(Also move dLo.sh into that dir.)

*Quote:*

> Enter that dir and run it:
>
> ```
> $ ./dLo.sh
> ```
> ...

The same method of naming will apply for the other files in cap-151001-legalis-login/ .

*Quote:*

> 1) So you should see how it is that the screencast tells us to look up the stream 61 first, to get a clearer picture. You can see there troubles right at start if you download and view the screencast Screen_151001_1358_g0n.mkv.
>
> ...[snip]...
> ...

At this point I had described how I extracted that exact script. Pls. see the complete post for that.

*Quote:*

> The script is in the said folder and it is named: dump_151001_1358_g0n_s61_01_SimpaBanner2.js. What is wrong with the script I can not tell for reasons already stated.

However, I had posted the script, into which I had previously interpolated a few newlines, for my easier reading. That modified one is now named dump_151001_1358_g0n_s61_01_SimpaBanner2e.js (with the infix 'e' for 'edited') and what exactly you can get, with the methods described, out of that file, bears now the original name dump_151001_1358_g0n_s61_01_SimpaBanner2.js, as it should.

*Quote:*

> 2) tcp.stream eq 16
>
> It decrypts, yes it does. But what is decrypted, is some fragment of some compressed file, or some encrypted matter (so, if this latter is the case, it's encryption upon encryption, and there is no key other than in the Schmoog's own archives, to decrypt the inner encryption, again: if that is the case ...[snip]...  ). Have a look, as I'll post what anybody can decrypt with the setup of his/her Wireshark as we have so far learned:
> ...

That HTTP2, as well as SPDY, is what I took a much closer look at in the meantime btwn that old post and this new post.

This was my first encounter with this despicable standard.

Obviously, as seen now even from the very title of this topic ("SSL Decode & My Hard-Earned Advice for SPDY/HTTP2 in Firefox"), I intend to try and, hopefully, for some foreseeable future, live without the SPDY and HTTP2 despicable standards and the intrusions they enable.

Read about it in the posts btwn the one quoted here (and linked in the top), and this very one you are reading right now.

*Quote:*

> 3) tcp.stream eq 56
>
> This one is fascinating!
> ...

And as you can see, I'm finally continuing. It's really the continuation of the same story. And I needed to refresh my own memory of what I wrote so far.

Now, the dump_151001_1358_g0n_RESO.txt file, in the corresponding dir (by the infix-timestamp), contains:

```

# Hosts information in Wireshark

#

# Host data gathered from /Cmn/mr/dump_151001_1358_g0n.pcap

...

```

and it's a 16K file, and it is just part (actually I didn't look much into the ports and firmware parts, which are huge, just the hosts part) of the complete file which you can get in Wireshark by going Statistics > Show Address Resolution, and copying and pasting it like I did (there is a way to do it with tshark, but I did it that way then). Every traffic capture has its own listing like that. And for the dump_151001_1358_g0n.pcap it's 134 lines only up to the first IPv6 address:

```
$ cat dump_151001_1358_g0n_RESO.txt | grep -B400000000 '2a03:2880:f007:8:face:b00c:0:1[[:space:]]scontent.xx.fbcdn.net' | wc -l

134

$
```

If you grep that one further for any of the strings 'akam|face|goog|zilla|pagead|smartad' separately or combined, you get a few or a lot of lines.

You get lots of output if you grep it for 'ns' (mostly if not all something to do with the old historical Mozilla 'Netscape' browser label, I believe).

You get 8 lines all belonging to 'd22io8ipz38kkf.cloudfront.net' if you grep it for just 'cloud'.

You get a few 'pagead', 'smartad' and such. And you get lots more minor hosts.

I won't paste it here, as it is in the said dir. But I'll try and remember how I extracted the line for my iptables rules, to block out a few of those far too many surveillors for just one portal accessed.

(Or do I really have to open my machine for whoever wants to snoop in a little? If I only want to visit a site, and maybe login/register?)

It's not so hard to sort and awk and cut and paste together that list of hosts (I'm talking about the unix commands: sort awk cut paste which I used) to get what I wanted, which was, for the first step, this:

```
104.83.4.100   n6b.akamai.net
104.83.4.103   n1g1.akamai.net
104.83.4.117   n6g1.akamai.net
104.83.4.125   n6dspl.akamai.net
104.83.4.15   n7b.akamai.net
104.83.4.21   n5g1.akamai.net
104.83.4.22   n5b.akamai.net
104.83.5.156   n0dspe1.akamaiedge.net
104.83.5.157   n6g.akamaiedge.net
104.83.5.158   n6dspe1.akamaiedge.net
104.83.5.159   n7dspe1.akamaiedge.net
104.87.51.180   e3821.dspe1.akamaiedge.net
152.115.75.210   track-eu.adform.net
152.115.75.218   track-eu.adform.net
166.88.18.58   ns2.zoneedit.com
173.239.79.201   ns1.eff.org
173.239.79.210   observatory6.eff.org
178.218.165.165   ns2.mojsite.com
178.218.169.132   engine.xclaimwords.net
178.218.169.162   hr-engine.xclaimwords.net
178.218.169.163   hr-engine.xclaimwords.net
178.218.172.172   ns1.mojsite.com
184.26.161.66   a14-66.akam.net
184.85.248.65   ns5-65.akam.net
185.86.139.19   itx4.smartadserver.com
185.86.139.29   itx4.smartadserver.com
188.125.93.156   l.gycs.b.yahoodns.net
188.125.93.157   l.gycs.b.yahoodns.net
#188.40.29.90   www.legalis.hr
193.108.91.240   ns1-240.akam.net
193.108.91.96   a1-96.akam.net
193.47.99.4   ns3.second-ns.de
195.191.92.140   ns1.ns-serve.net
195.191.93.140   ns2.ns-serve.net
195.22.200.158   n3b.akamai.net
195.22.200.165   n1b.akamai.net
195.245.255.29   canopus.oglasnik.hr
195.245.255.9   www.posao.hr
204.13.250.28   ns2.p28.dynect.net
204.13.251.28   ns4.p28.dynect.net
205.251.193.93   ns-349.awsdns-43.com
205.251.194.25   ns-537.awsdns-03.net
205.251.197.254   ns-1534.awsdns-63.org
205.251.198.243   ns-1779.awsdns-30.co.uk
208.117.229.212   www.google.com
208.117.229.213   www.google.com
208.117.229.214   www.google.com
208.117.229.215   www.google.com
208.117.229.216   www.google.com
208.117.229.217   www.google.com
208.117.229.218   www.google.com
208.117.229.219   www.google.com
208.78.70.28   ns1.p28.dynect.net
208.78.71.28   ns3.p28.dynect.net
213.133.106.251   ns1.your-server.de
213.189.48.235   ns1.gemius.pl
213.239.204.242   ns.second-ns.com
216.239.32.10   ns1.google.com
216.239.34.10   ns2.google.com
216.239.36.10   ns3.google.com
216.239.38.10   ns4.google.com
216.58.209.161   pagead-googlehosted.l.google.com
216.58.209.162   pagead46.l.doubleclick.net
216.58.209.194   pagead.l.doubleclick.net
2.20.182.162   n3dspe1.akamaiedge.net
2.20.182.164   n1dspe1.akamaiedge.net
2.20.182.165   n2g.akamaiedge.net
23.14.93.233   n7ce.akamaiedge.net
23.14.93.235   n5ce.akamaiedge.net
23.14.93.241   n4ce.akamaiedge.net
23.14.93.242   n6ce.akamaiedge.net
23.211.61.67   a22-67.akam.net
23.35.116.174   e6603.g.akamaiedge.net
23.54.107.27   e8218.ce.akamaiedge.net
31.13.84.4   scontent.xx.fbcdn.net
31.13.84.8   StAr.c10r.facebook.com
46.101.18.226   ns12.zoneedit.com
46.33.68.128   a1158.b.akamai.net
46.33.68.32   a1603.g1.akamai.net
46.33.68.40   a1603.g1.akamai.net
46.33.68.72   a1158.b.akamai.net
54.230.44.105   d22io8ipz38kkf.cloudfront.net
54.230.44.14   d22io8ipz38kkf.cloudfront.net
54.230.44.20   d22io8ipz38kkf.cloudfront.net
54.230.44.40   d22io8ipz38kkf.cloudfront.net
54.230.44.48   d22io8ipz38kkf.cloudfront.net
54.230.44.54   d22io8ipz38kkf.cloudfront.net
54.230.44.56   d22io8ipz38kkf.cloudfront.net
54.230.44.58   d22io8ipz38kkf.cloudfront.net
62.168.111.101   ns2.gemius.pl
63.245.217.138   aus4.vips.phx1.mozilla.com
63.245.217.219   aus4.vips.phx1.mozilla.com
63.245.217.43   aus4.vips.phx1.mozilla.com
68.142.254.15   yf4.a1.b.yahoo.net
68.180.130.15   yf3.a1.b.yahoo.net
69.171.239.11   a.ns.xx.fbcdn.net
69.171.255.11   b.ns.xx.fbcdn.net
69.50.225.156   ns2.eff.org
72.21.80.5   ns1.phicdn.net
72.21.80.6   ns2.phicdn.net
72.246.46.65   a4-65.akam.net
78.46.77.4   www.mojposaomarketing.net
80.157.149.215   n0ce.akamaiedge.net
80.237.178.232   wlt-adpilotgroup.adspirit.info
81.0.212.193   ns3.gemius.pl
81.4.121.49   procyon.oglasnik.hr
84.53.139.64   ns4-64.akam.net
84.53.139.65   a11-65.akam.net
87.237.206.243   hr.hit.gemius.pl
87.237.206.245   rsgde.adocean.pl
87.237.206.249   hr.hit.gemius.pl
88.221.81.192   n0dspl.akamai.net
88.221.81.193   n2b.akamai.net
88.221.81.195   n3ce.akamaiedge.net
92.122.206.37   n4b.akamai.net
92.122.206.38   n0b.akamai.net
92.122.214.238   n1ce.akamaiedge.net
93.184.220.29   cs9.wac.phicdn.net
95.101.2.26   a2047.dspl.akamai.net
95.101.2.32   a2047.dspl.akamai.net
95.101.2.33   a2047.dspl.akamai.net
95.101.2.40   a2047.dspl.akamai.net
95.101.2.48   a2047.dspl.akamai.net
95.101.2.51   a2047.dspl.akamai.net
95.101.2.56   a2047.dspl.akamai.net
95.101.2.57   a2047.dspl.akamai.net
95.101.2.66   a2047.dspl.akamai.net
96.7.49.64   a3-64.akam.net
96.7.49.66   ns7-66.akam.net
```

I won't go into figuring out which exact hosts I left out from this list, and which I decided to try and block, with absolute precision. But I remember I started drastically blocking nearly all but the:

```
54.230.44.xx   d22io8ipz38kkf.cloudfront.net
```

Zilla just has to connect to its cloud to send all the tat it has harvested from me... Aaarghh, I don't like it, but OK.

And I left the 'mozilla'-named lines, so:

```
63.245.217.xxx   aus4.vips.phx1.mozilla.com
```

I didn't block either.

Surely I left alone any of the hosts with 'eff.org' in their names. I hope I wasn't lied to by EFF, and that the Electronic Frontier Foundation are good guys (although I have too little personal understanding, haven't studied their stuff enough).

I also left most of the hosts containing 'ns' (but not the ns lines which also contain fb --I don't trust Zucky, and if you do, you try and tell me they're honest, but pls. some other time).

And my first try, IIRC, to connect to http://www.legalis.hr with lots of those hosts blocked was based on this purged list:

```
104.83.4.0/24   akamai.net
104.83.5.0/24   akamaiedge.net
104.87.51.180   e3821.dspe1.akamaiedge.net
152.115.75.0/24   track-eu.adform.net
184.26.161.66   a14-66.akam.net
184.85.248.65   ns5-65.akam.net
185.86.139.19   itx4.smartadserver.com
185.86.139.29   itx4.smartadserver.com
188.125.93.156   l.gycs.b.yahoodns.net
188.125.93.157   l.gycs.b.yahoodns.net
193.108.91.240   ns1-240.akam.net
193.108.91.96   a1-96.akam.net
193.47.99.4   ns3.second-ns.de
195.191.92.140   ns1.ns-serve.net
195.191.93.140   ns2.ns-serve.net
195.22.200.158   n3b.akamai.net
195.22.200.165   n1b.akamai.net
195.245.255.29   canopus.oglasnik.hr
195.245.255.9   www.posao.hr
208.117.229.0/24   www.google.com
213.133.106.251   ns1.your-server.de
213.189.48.235   ns1.gemius.pl
216.239.0/18   ns[X].google.com
216.58.209.0/24   pagead* (googlehosted or doubleclick.net)
2.20.182.0/24   akamaiedge.net
23.14.93.0/24   akamaiedge.net
23.211.61.67   a22-67.akam.net
23.35.116.174   e6603.g.akamaiedge.net
23.54.107.27   e8218.ce.akamaiedge.net
31.13.84.0/24   scontent.xx.fbcdn.net
46.33.68.0/24   akamai.net
62.168.111.101   ns2.gemius.pl
68.142.254.15   yf4.a1.b.yahoo.net
68.180.130.15   yf3.a1.b.yahoo.net
69.171.239.11   a.ns.xx.fbcdn.net
69.171.255.11   b.ns.xx.fbcdn.net
72.21.80.5   ns1.phicdn.net
72.21.80.6   ns2.phicdn.net
72.246.46.65   a4-65.akam.net
78.46.77.4   www.mojposaomarketing.net
80.157.149.215   n0ce.akamaiedge.net
80.237.178.232   wlt-adpilotgroup.adspirit.info
81.0.212.193   ns3.gemius.pl
81.4.121.49   procyon.oglasnik.hr
84.53.139.0/24   ns4-64.akam.net
87.237.206.243   hr.hit.gemius.pl
87.237.206.245   rsgde.adocean.pl
87.237.206.249   hr.hit.gemius.pl
88.221.81.0/24   akamai.net
92.122.206.0/24   n4b.akamai.net
92.122.214.238   n1ce.akamaiedge.net
93.184.220.29   cs9.wac.phicdn.net
95.101.2.0/24   dspl.akamai.net
96.7.49.0/24   a3-64.akam.net
```

I surely can't dedicate much time to iptables here, but I gave some hints in the topic:

Postfix smtp/TLS, Bkp/Cloning Mthd, Censorship/Intrusion

https://forums.gentoo.org/viewtopic-t-999436.html#7613044

(starting from that post, and also in later posts in that topic)

where I find what I used:

http://gentoovps.net/configuring-iptables-firewall/

(just not the ulogd, which is obsolete), and surely man iptables, surely even more man iptables-extensions and http://netfilter.org ... (I know some senior Gentooers use the shorewall package, but this worked fine for me, apparently)

And so a few awk and tr lines (talking about the unix awk tr commands) on the sorted list (the unix sort command), and eventually I added these two lines to my iptables rules.sh (just for the purposes of posting this on phpBB-powered Gentoo Forums, I had to split it into more lines, but these below are only two lines in my then script for my iptables, each of the two lines starting with '$ipt -A INPUT'):

```
$ipt -A INPUT -p tcp -s \
104.83.4.0/24,104.83.5.0/24,104.87.51.180,152.115.75.0/24,184.26.161.66,184.85.248.65,185.86.139.19,\
185.86.139.29,188.125.93.156,188.125.93.157,193.108.91.240,193.108.91.96,193.47.99.4,195.191.92.140,\
195.191.93.140,195.22.200.158,195.22.200.165,195.245.255.29,195.245.255.9,208.117.229.0/24,213.133.106.251,\
213.189.48.235,216.239.0/18,216.58.209.0/24,2.20.182.0/24,23.14.93.0/24,23.211.61.67,23.35.116.174,\
23.54.107.27,31.13.84.0/24,46.33.68.0/24,62.168.111.101,68.142.254.15,68.180.130.15,69.171.239.11,\
69.171.255.11,72.21.80.5,72.21.80.6,72.246.46.65,78.46.77.4,80.157.149.215,80.237.178.232,81.0.212.193,\
81.4.121.49,84.53.139.0/24,87.237.206.243,87.237.206.245,87.237.206.249,88.221.81.0/24,92.122.206.0/24,\
92.122.214.238,93.184.220.29,95.101.2.0/24,96.7.49.0/24 \
-j LOG --log-level error --log-prefix mrfw_schm_etal

$ipt -A INPUT -p tcp -s \
104.83.4.0/24,104.83.5.0/24,104.87.51.180,152.115.75.0/24,184.26.161.66,184.85.248.65,185.86.139.19,\
185.86.139.29,188.125.93.156,188.125.93.157,193.108.91.240,193.108.91.96,193.47.99.4,195.191.92.140,\
195.191.93.140,195.22.200.158,195.22.200.165,195.245.255.29,195.245.255.9,208.117.229.0/24,213.133.106.251,\
213.189.48.235,216.239.0/18,216.58.209.0/24,2.20.182.0/24,23.14.93.0/24,23.211.61.67,23.35.116.174,\
23.54.107.27,31.13.84.0/24,46.33.68.0/24,62.168.111.101,68.142.254.15,68.180.130.15,69.171.239.11,\
69.171.255.11,72.21.80.5,72.21.80.6,72.246.46.65,78.46.77.4,80.157.149.215,80.237.178.232,81.0.212.193,\
81.4.121.49,84.53.139.0/24,87.237.206.243,87.237.206.245,87.237.206.249,88.221.81.0/24,92.122.206.0/24,\
92.122.214.238,93.184.220.29,95.101.2.0/24,96.7.49.0/24 \
-j DROP
```

However that was too drastic. In fact, that involved blocking their (is it hoster or is it close partner of some kind?) 'mojposao.hr' (probably an alias of 'www.mojposaomarketing.net'), as the loading stuck at it.

How do I know? It's all in the screencast and in the traffic dump. A quick look in the Screen_151001_1659_g0n.mkv and quick open of dump_151001_1659_g0n.pcap (no SSL session keys needed, since no SSL traffic at all).

Use the updated dLo.sh script (re-download it) to download what is missing in your local cap-151001-legalis-login/ (or with the name you gave it), just into the same dir that you already downloaded previously (if you are one of the first few dozen of readers of this topic). The wget command that does the downloading won't redownload what you already downloaded, and the respective SUMS and SUMS.sig files are extended with the new uploads.

So you can look up the pair Screen_151001_1659_g0n.mkv and dump_151001_1659_g0n.pcap. And understand that the iptables line was too drastic.

Ah, and starting at 1:25 of the screencast you see all those big and small players' hosts' packets being dropped on the floor by my grsecurity-mended-and-defended and netfilter-enabled kernel. That is my /var/log/messages being tailf'ed (I always run:

```
# tailf /var/log/messages
```

and keep an eye on what syslog-ng tells me (

I had my doubts about syslog-ng, and I'm still not sure, but I'm inclined to think now, that it was not a trouble of their making, the issues that I had, as described in:

Syslog-ng from Delay Logging to BrokenPipe/no Logging

https://forums.gentoo.org/viewtopic-t-1001994.html

but I haven't found time to unmask and check the new versions of syslog-ng

NOTE: There is another issue that I posted in the meantime:

to which I still haven't found a solution or workaround. Don't even have much understanding of time clock in the kernel, to be honest:

Time drift after hibernate-ram

https://forums.gentoo.org/viewtopic-t-1030266.html

)

).

One of the most sacred things that I keep since I was falsely accused of spamming by my provider is the logs, of all my time online.

And sorry I can't usually post those, but I am prepared to, in case that I would need to prove that what I published somewhere absolutely coincides with what the logs will tell about a particular timestamped event that I published about, such as this attempt of mine to access http://www.legalis.hr page; but to access that page without having to submit to as complete mass surveillance tools as there can be crammed into an internet portal page... What an idiotic portal setup!

Extremely intrusive portal setup, yes! Sorry, Legalis.hr. And please fix that! If you really want to offer Zucky's and Larry and Sergey's and such logins and stuff (which we'll, hopefully, see later, in the next traffic dumps in this topic), you must not impose it on those who don't want to have anything to do with Larry and Sergey's and Zucky's. I want to browse www.legalis.hr not google.hr and not facebook.com and other minor players' stuff.

Lots of internet sites should be aware of this kind of plea! We the honest freedom-loving users are losing our privacy because of you!...

And I also have net-firewall/conntrack-tools installed. So I can see some more info in /var/log/conntrackd-stats.log as well.

But it's overwhelming. I haven't really mastered all these techniques. Still at the basics of most of these.

And so, at this point, I went and unblocked that one mojposao.hr first, and then also a few more hosts from the rules of my iptables.

And what I tried next follows in the next post.

Last edited by miroR on Sat Oct 17, 2015 12:01 pm; edited 1 time in total

----------

## miroR

I have tried again, and from the traffic captures and screencasts with the timestamps:

```
151001_1705
```

and

```
151001_1726
```

(for 2015-10-01 17:05 and 17:26) it is clear that I didn't succeed.

But in those with the timestamp:

```
151001_1728
```

I almost succeeded. But for reasons that I am now not sure were what I rushed to tell in the screencast (and which in short, consist of my typing of: 'Schmoog, you're lying!'; you can see at the very end of that screencast how I literally typed those words in). Because google was probably not able to reach back to my machine, because I had blocked it. So I shouldn't have rushed with my judgement.

(No escape though. I already posted the hashes of all that happened two days ago. My picking some from all the listed and hashed documents in this previous post is only to show what is a little more worth presenting and what is more easily explainable. It's already grown a lot, this topic.)

Still the thing appears to be, that without connecting to the Schmoog, and more precisely, without the Schmoog being allowed into my machine, legalis.hr is unable to even register new arrivals (or old re-logins and such).

And gets to the wrong conclusion. I typed in my perfectly correctly spelled address, miro [dot] rovis [at] croatiafidelis [dot] hr, but I got back, as you can see:

*legalis wrote:*
> You have not entered an email address that we recognize. Please try again or contact the administrator (at 13:00 of Screen_151001_1728_g0n.mkv).

Because it waited for Schmoog to process the data, see (back around 12:10 and 12:20) that it contacts:

```
Connecting to www.googletagservices.com..
```

which is very, very bad. Selling Schmoog as good, as acceptable by default, is a crime. Crime against privacy.

In the dump_151001_1728_g0n_RESO.txt (in the dir dump_151001_1728_g0n.d/) I see nothing that contains the string googletag though.

And I believe I'm a little amazed and perplexed as to whether akamai is just a mask for google?

NOTE at proofreading. It's not:

https://en.wikipedia.org/wiki/Akamai

Because it's everywhere like google is, and it's, this case shows, particularly this set of my uncenz capture (the 'cast and the pcap with stamp '151001_1728') that legalis.hr was waiting for www.googletagservices.com but the only TLSv1.2 in the capture is from akamai.

NOTE at proofreading. See the note just above.

Just type in 'ssl' (without quotes) in the filter, and see for yourself.

And there is the 'Connecting to www.googletagservices.com..' notice in bottom of the Fox (in the status bar, on the left). So...

Anyway, I noticed that I have, yes, blocked all those in the INPUT chains, but my machine is attempting to connect to them (because Fox is all set up for the Schmoog, sadly; like one of the preferred wives of a sultan; all of hers is open to the emperor Octopus!)...

[Anyway, I noticed that I have, yes, blocked all those in the INPUT chains, but my machine is attempting to connect to them], because I did not add a rule to block my machine connecting to them in the OUTPUT chains (some of those at least I need to add blocking rules to).

Apparently, and see how long all this study took me (and I'm not a beginner here)... I will have to connect to the emperor Octopus of the internet if I want to just register/login to http://www.legalis.hr .

No, I don't hate the Octopus without a reason. They ruined all of my work, of more than 5 yrs of posting videos on Youtube, and invented copyright breaches to terminate my account. You can read more about it on:

Really? The Surveillance Engine Terminated All My Videos

http://forums.debian.net/viewtopic.php?f=3&t=113059

and my public reply and some questions put to Google (where Google stands for the Schmoog of course), you can read at:

https://github.com/miroR/flowstamp/blob/master/flowstamp_HR_U_2.txt

But that only led me to look more closely what that company does, and while my religion does not allow me to hate people, I do hate what that idiotic company does.

This story (however few people that can get so far as to understand these issues) is far from over.

Because now I see what the probable cause is that I just couldn't log into my pages with Fox on the http://www.plus.hr server where my NGO's http://www.CroatiaFidelis.hr website is hosted! It was a few months ago, and I wondered what all the akamai and google were doing there during all of my attempts (all failing) to log in!

Most firms, most sites, sell their customers to the Schmoog right away. So many login services are from the bosom of the Octopus!

I never would have thought I would be seeing this ugliness so widespread (if I'm not mistaken in my understanding and if my assumptions are correct: not all is provable what I concluded, but do give us clearer and more complete explanations, if you know, and only if you do know, better).

Not done, this topic is not done yet. And originally (I'm adding this at proofreading time) I even thought I could not postpone it, because I needed some of the services that I was in vain trying to access here, as well as elsewhere... But it's so hard, so complex, by the nature of the tech, and by some deliberate convolution by the already blamed big players... It's so hard!

I am posting here partly out of despair for my inability to solve these things and know exactly what is going on...

But there seems to be some amount of dishonesty among the knowledgeable (no I don't mean just Schmoog and such employees, it's much wider).

Just look at this thread on Wireshark mailing lists. I'll give you my message, because I don't like blaming persons directly (other than public personages like Larry's --both Google and Oracle-- and such):

dissecting HTTPS traffic

https://www.wireshark.org/lists/wireshark-users/201510/msg00018.html

and you go back from there and deduce from the previous messages how people at numerous companies like to set up MitM attacks to break into their users' SSL-encrypted communications.

If I ever reach good and in depth understanding, I will try and teach openly to the newbies, and not hide from them and profit on them like some of the knowledgeable do, but teach them how to defend themselves from surveillance.

"Defend" is not wrong to say. Surveillance is for the sake of control. Its true aim is to control you. And that's an imposition of others' will on you, so something to defend yourself from.

I will next make some analysis on the set timestamped 151001_1728 and put some more of the resulting files, if any, into the dump_151001_1728_g0n.d/ dir.

Last edited by miroR on Sat Oct 17, 2015 12:03 pm; edited 1 time in total
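An added example, not miroR's rules.sh nor anything from his dumps, of the two steps that run through the previous post and this one: turning an 'IP hostname' list (the shape the RESO.txt grep gives, or `tshark -q -r x.pcap -z hosts`) into iptables rules, and covering the OUTPUT chain as well as INPUT, which is the gap this post found. The name fragments to block, the eff.org/mozilla/cloudfront names left alone (the earlier post's choice), the "collapse to /24 when three or more addresses share it" threshold, the log prefixes and the sample lines are all my assumptions for the example; the post collapsed its /24s by eye.

```python
"""Build iptables blocklist rules (INPUT and OUTPUT) from resolved-host pairs.

Added example; not the poster's script. Input lines look like the post's
"IP   hostname" list. Patterns, threshold and prefixes are assumptions.
"""
import ipaddress
from collections import defaultdict

# Constructed sample in the same shape as the post's list (a '#' line is a
# host the post chose not to block).
SAMPLE_HOSTS = """\
104.83.4.100   n6b.akamai.net
104.83.4.103   n1g1.akamai.net
104.83.4.117   n6g1.akamai.net
104.83.4.125   n6dspl.akamai.net
173.239.79.201   ns1.eff.org
185.86.139.19   itx4.smartadserver.com
185.86.139.29   itx4.smartadserver.com
216.58.209.162   pagead46.l.doubleclick.net
54.230.44.105   d22io8ipz38kkf.cloudfront.net
63.245.217.138   aus4.vips.phx1.mozilla.com
#188.40.29.90   www.legalis.hr
"""

# Name fragments treated as trackers / ad CDNs (assumption for the example) ...
BLOCK_PATTERNS = ("akam", "doubleclick", "pagead", "smartad", "adform",
                  "gemius", "fbcdn", "facebook", "google")
# ... and the names the post deliberately left alone.
ALLOW_PATTERNS = ("eff.org", "mozilla", "cloudfront")


def parse_hosts(text):
    """Yield (IPv4Address, hostname) for each non-empty, non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, name = line.split(None, 1)
        yield ipaddress.ip_address(ip), name.strip()


def select_block_hosts(pairs, block=BLOCK_PATTERNS, allow=ALLOW_PATTERNS):
    """Addresses whose name matches a block fragment and no allow fragment."""
    chosen = []
    for ip, name in pairs:
        lname = name.lower()
        if any(a in lname for a in allow):
            continue
        if any(b in lname for b in block):
            chosen.append(ip)
    return chosen


def aggregate(addresses, min_hosts=3):
    """Collapse to the /24 when at least min_hosts addresses share it,
    otherwise keep single /32 hosts (threshold is this example's assumption)."""
    by_net = defaultdict(set)
    for ip in addresses:
        by_net[ipaddress.ip_network(f"{ip}/24", strict=False)].add(ip)
    nets = []
    for net, members in by_net.items():
        if len(members) >= min_hosts:
            nets.append(net)
        else:
            nets.extend(ipaddress.ip_network(f"{ip}/32") for ip in members)
    return sorted(nets)


def render(net):
    """'1.2.3.0/24' for real prefixes, bare '1.2.3.4' for single hosts."""
    return str(net.network_address) if net.prefixlen == 32 else str(net)


def iptables_rules(nets, ipt="$ipt", prefix="mrfw"):
    """LOG+DROP inbound and LOG+REJECT outbound for every network.

    INPUT alone (what the post's two long lines did) only discards replies;
    the browser still sends SYNs and waits. The OUTPUT rule stops the attempt,
    and REJECT with a TCP reset makes it fail at once instead of timing out.
    """
    rules = []
    for net in nets:
        n = render(net)
        rules.append(f'{ipt} -A INPUT -p tcp -s {n} -j LOG --log-level error --log-prefix "{prefix}_in "')
        rules.append(f"{ipt} -A INPUT -p tcp -s {n} -j DROP")
        rules.append(f'{ipt} -A OUTPUT -p tcp -d {n} -j LOG --log-level error --log-prefix "{prefix}_out "')
        rules.append(f"{ipt} -A OUTPUT -p tcp -d {n} -j REJECT --reject-with tcp-reset")
    return rules


def build_rules(text, min_hosts=3):
    """Whole pipeline: host-list text in -> (network strings, rule lines)."""
    nets = aggregate(select_block_hosts(parse_hosts(text)), min_hosts)
    return [render(n) for n in nets], iptables_rules(nets)


if __name__ == "__main__":
    nets, rules = build_rules(SAMPLE_HOSTS)
    print("\n".join(nets))
    print("\n".join(rules))
```

The emitted lines expect a script that sets `$ipt`, as the post's rules.sh does; with the sample above the four akamai addresses become one 104.83.4.0/24 rule set, the two smartadserver addresses stay as single hosts, and the eff.org, mozilla and cloudfront lines never reach the rules.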

----------

## miroR

At 5:52 of screencast Screen_151001_1728_g0nR.mkv you can see that I'm opening another page. I'll start from there, as I don't have time to research the entire dump.

On that page you can read: 

*legalis wrote:*
> The two email addresses that you entered did not match.
>
> To korisničko ime se već koristi ili nije pogodno za korištenje. Ako ste vi miroR i zaboravili ste vašu zaporku, kliknite ovdje.
> ...

Entire text in translation:

*legalis wrote:*
> The two email addresses that you entered did not match.
>
> That username is already in use or is not adequate for using. If you are miroR and you forgot your password, click here.
> ...

there being a link underneath "here". I want to find that text in the dump.

BTW, the two email addresses were not the same; if you go back to 1:47 you can see that when I typed the first one, the key for the letter 's' didn't do the work (probably I didn't press it hard enough).

It's good having 'casts, because it tells you the page that loaded (but you can only see it loaded later, when I, at 9:18, decide to click into the tab of that page).

I fill in that page my miro [dot] rovis [at] croatiafidelis [dot] hr address, supply the correct answer to the question ("Kako se zove glavni grad Hrvatske?" means "What is the name of the capital of Croatia?"), and at 9:56 I click on "Zatraži korisničko ime i zaporku" which means "Request username and password".

You can see that I release that button after I pressed it, at

```
Oct  1 17:38:15
```

That you can see in bottom left of the screen, because my tailf'd /var/log/messages are being shown, and the lines in the log start with the time of day in that format.

Also during most of this time you can see in Firefox's status bar "connecting to www.google-analytics.com..".

The page that I will try and find in the tcp streams didn't show before 6:45, and when I click on its tab at 9:18 it is already loaded.

If

9:56 -> 17:38:15

then

6:45 -> 17:34:04

So I need not search through the tcp streams that start before 17:34, I believe.

I followed and saved more streams, but this one is in the dir: dump_151001_1728_g0n_s068.dump

However, it's only HTTP headers, no other content. It's related to the point in the screencast, because it has:

```
Referer: http://www.legalis.hr/forum/login.php?do=lostpw
```

where obviously lostpw stands for lost password. Good admins don't name things wrong, unless... Unless, like Facebook, some two posts back, they decide to play tricks such as violate gzip format, to hide things. (That was playing tricks, else it could be that Facebook are incompetent in these matters, but hardly anyone could claim the latter with any credibility...)

And that one happens (it's all in the medium pane of the Wireshark), btwn 17:34:10.7 and 17:34:25.8 (

which matches fine. The screencast is 14:06, while the pcap is 13:50 in duration, look up the uncenz code in the github, and also understand that I am not online constantly, but in only rare intervals of time, each from just after I fire up uncenz-1st to just before I issue the uncenz-kill command. Only. (Remember they falsely accused me of spamming. I can't let them control my machine. I have to control it!). And also ffmpeg is killed after the dumpcap, let alone that the dumpcap runs on empty, no packets really, at first, and mostly also before all is killed ('kill' is just unix terminology; I didn't invent it)

).

Surely that's not the page yet.

But it's only less than 4 minutes to search for the page that I want to see from the traffic.

The 'google-analytics.com' are all empty streams 70, 71, and 72.

There is again, some content that I can not make anything out of: tcp stream 73 (just that it says: connect.facebook.net and also spdy/3.1 and http/1.1), which ssl stream is empty. The conversation is with:

104.87.44.107	e3821.dspe1.akamaiedge.net

I searched, but it's tiresome, and at this time I don't know how to employ Lua to do the stream extraction automatically for me.

But I found the message: "You have not entered an email address that we recognize. Please try again or contact the administrator."

It's in stream 102 from which I extracted: dump_151001_1728_g0n_s102_01.html

You can see that message in video at 12:59.

At that point in the video, you can see the "CLIENT RANDOM..." lines thrown out in the terminal. It's because I have in that terminal this job running:

```
$ tailf ~/.sslkeylogfile.log
```

But I don't think any of the session keys decrypt anything sensible. Mostly the decrypted SSL contents are empty.

A partial resumé on all of these legalis-sets is:

While you can see some important info I understood and, I believe, correctly diagnosed (the situation is idiotically sick, yes it is, and it is so in global terms)...

Still, you can also see that I need to find a way to automate the processes here somehow. This sole 14 minutes set has 130 tcp streams in it. Doing all of them manually is too much work.

If anyone has any advice on how to do it, where is anything really good to start from to learn the knowhow, pls. do so. I believe other readers will be grateful too.

And in case I'll be destined to wait till I by an eventual kind short advice like on the Wireshark mailing list, get quickly what I was wondering if it ever existed (I'm talking about the NSS decryption of SSL streams, which was the main topic in the first posts of this topic)...

...And after all the loong months of not knowing about it...

And in case I'll be destined to wait till I figure it out myself, I promise that I'll try and share my knowledge with you, the readers here. Because while some of the readers are as selfish as some of those in the thread I linked to above, lots of the readers are worth the trouble of spreading the Free Open Source methods and knowhow to, lots of you the readers are worth the (little) trouble (the big trouble is getting the knowhow, not so much the sharing of it).

Also I don't know whether to continue with analyzing exactly these sets at all, since the most important info is, it appears to me (but do correct me if you, and only if you, know better) clear and I posted it.

Anyway, the time I can dedicate to these matters is limited...

Regards!
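An added example (mine, not miroR's, and not part of his uncenz scripts) of the automation this post asks for: take the wall-clock cutoff the post reasons out (streams starting before 17:34 need not be searched), turn it into an epoch, keep only the TCP streams whose first SYN is at or after it, and search the payload that `tshark -z follow,tcp,ascii,<stream>` prints for each of them for a phrase, here the "You have not entered an email address that we recognize" message. The tshark invocations in the comments are real tshark syntax; the stream numbers, times, addresses and follow-output snippets below are constructed to look like that output so the block runs without a pcap, and the time zone (CEST, UTC+2) is an assumption about the capture.

```python
"""Narrow a capture to the TCP streams that start after a wall-clock cutoff,
then search the followed streams for a phrase.

Added example, not the poster's code. tshark is only needed for the live
path (follow_streams); the samples are constructed to mirror its output.
"""
import subprocess
from datetime import datetime, timedelta, timezone

# Constructed sample of stream starts (one line per client SYN), in the shape
# that this real tshark command prints:
#   tshark -r dump.pcap -Y 'tcp.flags.syn==1 && tcp.flags.ack==0' \
#          -T fields -e tcp.stream -e frame.time_epoch -e ip.dst -E separator=/t
# Times are hypothetical but sit around the post's 17:34 cutoff (UTC+2).
SAMPLE_STREAM_STARTS = """\
67\t1443713630.000000000\t195.245.255.9
68\t1443713650.700000000\t104.87.44.107
70\t1443713670.000000000\t208.117.229.250
102\t1443714078.000000000\t195.245.255.9
"""

# Constructed stand-in for `tshark -r dump.pcap -q -z follow,tcp,ascii,<N>`.
SAMPLE_FOLLOW = {
    68: ("Follow: tcp,ascii\nFilter: tcp.stream eq 68\n"
         "GET /forum/login.php?do=lostpw HTTP/1.1\r\nHost: www.legalis.hr\r\n"
         "Referer: http://www.legalis.hr/forum/login.php?do=lostpw\r\n"),
    70: "Follow: tcp,ascii\nFilter: tcp.stream eq 70\n",   # empty stream
    102: ("Follow: tcp,ascii\nFilter: tcp.stream eq 102\n"
          "HTTP/1.1 200 OK\r\n\r\n<p>You have not entered an email address "
          "that we recognize. Please try again or contact the administrator.</p>"),
}


def wall_clock_to_epoch(stamp, utc_offset_hours):
    """'2015-10-01 17:34:04' in a UTC+offset zone -> Unix epoch seconds."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    local = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    return int(local.timestamp())


def parse_stream_starts(text):
    """Tab-separated 'stream<TAB>epoch<TAB>dst' lines -> {stream: (epoch, dst)}."""
    starts = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        sid, epoch, dst = line.split("\t")
        starts[int(sid)] = (float(epoch), dst)
    return starts


def streams_since(starts, cutoff_epoch):
    """Stream ids whose first SYN is at or after the cutoff, lowest first."""
    return sorted(sid for sid, (t, _) in starts.items() if t >= cutoff_epoch)


def follow_command(pcap, sid):
    """The tshark invocation that dumps one stream's payload as ASCII."""
    return ["tshark", "-r", pcap, "-q", "-z", f"follow,tcp,ascii,{sid}"]


def follow_streams(pcap, sids):
    """Live path: run tshark once per stream (needs tshark on PATH)."""
    return {sid: subprocess.run(follow_command(pcap, sid), capture_output=True,
                                text=True, check=True).stdout for sid in sids}


def find_in_streams(followed, needle):
    """Stream ids whose followed payload contains the phrase."""
    return sorted(sid for sid, text in followed.items() if needle in text)


def search_capture(stream_starts_text, followed, cutoff, utc_offset_hours, needle):
    """Whole procedure on collected data: cutoff -> candidate streams -> hits."""
    cutoff_epoch = wall_clock_to_epoch(cutoff, utc_offset_hours)
    candidates = streams_since(parse_stream_starts(stream_starts_text), cutoff_epoch)
    subset = {s: followed[s] for s in candidates if s in followed}
    return candidates, find_in_streams(subset, needle)


if __name__ == "__main__":
    cands, hits = search_capture(SAMPLE_STREAM_STARTS, SAMPLE_FOLLOW,
                                 "2015-10-01 17:34:04", 2,
                                 "email address that we recognize")
    print("candidate streams:", cands)
    print("streams with the message:", hits)
    # Against a real pcap: replace SAMPLE_FOLLOW with
    # follow_streams("dump_151001_1728_g0n.pcap", cands).
```

On a real capture the first tshark command above replaces SAMPLE_STREAM_STARTS and `follow_streams()` replaces SAMPLE_FOLLOW; the search then only touches the streams that can contain the page, so 130 streams shrink to the handful that started after the click. Empty streams (like 70 here, the google-analytics ones in the post) cost one tshark run and match nothing.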

----------

## miroR

If anybody wants more of SSL decryption, there is another really hard to solve issue (at least so it appears to me):

current title: Some issue with network

should be: Mozilla Cloud not-decryptable Download

https://forums.gentoo.org/viewtopic-t-1031758.html

(but I will only change the title after a few more views, the hashes... I don't like touching the posts where I post hashes)...

----------

## miroR

*In this previous post I wrote:*
> [**] What is missing, and I don't know how to do it with tshark, is, I'd like to insert a column before the column that is currently the first column, which inserted-to-be column would hold the resolved host name (such as google for the Schmoog; lots of it in Firefox, the Schmoog is sitting in Fox: not good!, such as akamai, pagead and stuff; ah!, also sourceforge.net). And I want to ask on Wireshark how to do it.

Here's how.

Into an empty dir where you have all privs. Copy in there some dumps. E.g. I'll copy these that are (hopefully) still publicly available (read earlier, links there and all):

```
empty/dir-with-priv $ ls -l
total 1616
-rw-r--r-- 1 miro miro 675772 2015-09-21 23:48 dump_150921_2332_g0n.pcap
-rw-r--r-- 1 miro miro 978916 2015-09-27 18:50 dump_150927_1848_g0n.pcap
empty/dir-with-priv $
```

And now:

```
for i in $(ls -1 *.pcap|sed 's/\.pcap//'); do echo tshark -q -r $i.pcap -z hosts; tshark -q -r $i.pcap -z hosts | egrep -v '^#' | egrep '[[:alpha:]]'| sed 's/[[:space:]]/(/' |sed 's/\(.*\)/\1)/' > $i.hosts ; read FAKE; done;
```

Also:

```
for i in $(ls -1 *.pcap|sed 's/\.pcap//'); do echo tshark -q -r $i.pcap -z hosts; tshark -q -r $i.pcap -z hosts | egrep -v '^#' | egrep '[[:alpha:]]' | awk '{print $1}' > $i.hosts-N ; read FAKE; done;
```

And:

```
for i in $(ls -1 *.pcap|sed 's/\.pcap//'); do echo tshark -q -r $i.pcap -z conv,ip ; tshark -q -r $i.pcap -z conv,ip > $i.conv-ip; read FAKE; done;
```

And the final longish line that will do the substitution that I wondered how to do it back a few posts ago:

```
# grep -w: match the whole address, so e.g. 10.1.1.1 does not also pick up 10.1.1.10
for h in $(ls -1 *.pcap|sed 's/\.pcap//') ; do for i in $(cat $h.hosts-N) ; do echo $i;  j=$(grep -w "$i" $h.hosts); echo $j; read FAKE ; grep -w "$i" $h.conv-ip ; sed -i.bak "s/$i/$j/" $h.conv-ip ; read FAKE; diff $h.conv-ip $h.conv-ip.bak ; read FAKE ; done ; done ;
```

No time for explanations, details, embellishments, tabbing, et cetera.

So, with that bash (primitive) processing, you get:

With Dillo:

```
# tshark -r dump_150921_2332_g0n.pcap -q -z conv,ip
```

(but with the resolved hosts inserted by the bash above):

```
================================================================================
IPv4 Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
192.168.1.3          <-> 46.51.197.89             241    176700     231     33872     472    210572    24.019174000       589.7156
205.134.191.174(marc.info)      <-> 192.168.1.3              145     11238     121    119608     266    130846   338.249268000       195.8425
216.34.181.60        <-> 192.168.1.3              113      9762     112    115825     225    125587   618.279041000       233.4181
192.168.1.3          <-> 137.117.229.219(www.dovecot.org)          104    114329     104      8883     208    123212    83.952226000       157.7557
192.168.1.3          <-> 67.158.26.137(wonkity.com)             26     34744      28      2182      54     36926    57.560851000         0.8682
192.168.1.3          <-> 192.168.1.1                7      1091       8       604      15      1695    57.267513000       280.9814
224.0.0.1            <-> 10.16.96.1                 7       434       0         0       7       434    90.990774000       749.9971
255.255.255.255      <-> 192.168.1.1                1       592       0         0       1       592     0.510912000         0.0000
255.255.255.255      <-> 0.0.0.0                    1       409       0         0       1       409     0.488053000         0.0000
================================================================================
```

With Firefox: 

# tshark -r dump_150927_1848_g0n.pcap -q -z conv,ip 

(but the additions of the resolved hosts are with the bash above inserted

```
================================================================================
IPv4 Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
192.168.1.2          <-> 23.63.127.118(e872.g.akamaiedge.net)            397    527674     317     35578     714    563252    32.929597000        22.0994
127.0.0.1            <-> 127.0.0.1                408     39080       0         0     408     39080     0.000000000        61.4484
216.58.209.162(pagead46.l.doubleclick.net)       <-> 192.168.1.2               88     10607      98     60515     186     71122    34.602984000         2.9523
216.58.209.194(partnerad.l.doubleclick.net)       <-> 192.168.1.2               68      5777      62     65107     130     70884    33.133720000        20.1780
192.168.1.2          <-> 192.168.1.1               40     10925      40      3330      80     14255    30.476933000         7.9108
216.34.181.60(sourceforge.net)        <-> 192.168.1.2               38      3568      37     28778      75     32346    32.363382000        11.3056
216.58.209.193(pagead-googlehosted.l.google.com)       <-> 192.168.1.2               31      3118      39     39683      70     42801    35.857940000         0.3652
208.117.229.250(www-google-analytics.l.google.com)      <-> 192.168.1.2               26      5645      24      8362      50     14007    33.388199000        22.8297
208.117.229.248(www-google-analytics.l.google.com)      <-> 192.168.1.2               24      2410      23     17141      47     19551    34.879513000         0.3704
192.168.1.2          <-> 54.230.46.170(dd1f6ymc64rwu.cloudfront.net)             18     17623      21      1804      39     19427    33.136730000        20.2186
192.168.1.2          <-> 74.125.24.95(googleadapis.l.google.com)              15      5580      19      2121      34      7701    32.923574000         1.5411
192.168.1.2          <-> 173.194.44.23(www.google.hr)             15      5511      17      2084      32      7595    35.448949000         0.3683
192.168.1.2          <-> 173.194.44.19(www.google.com)             15      5887      17      2081      32      7968    35.124572000         0.3434
192.168.1.2          <-> 46.137.174.129(consent-icon-frontend-1667419262.eu-west-1.elb.amazonaws.com)            10      6364      13      1604      23      7968    34.896746000        20.4715
192.168.1.2          <-> 23.63.139.27(e8218.ce.akamaiedge.net)               8      2523      11      1190      19      3713    35.064187000        20.1878
192.168.1.2          <-> 46.33.68.128(a1158.b.akamai.net)               8      2488      11      1208      19      3696    33.139425000        20.1483
216.34.181.63(www.sourceforge.net)        <-> 192.168.1.2                6       740       4       442      10      1182    31.386185000        20.6129
216.34.181.81(goparallel.sourceforge.net)        <-> 192.168.1.2                4       280       3       216       7       496    38.388114000         6.2801
224.0.0.1            <-> 10.16.96.1                 1        62       0         0       1        62    48.812905000         0.0000
255.255.255.255      <-> 192.168.1.1                1       592       0         0       1       592    22.120562000         0.0000
255.255.255.255      <-> 0.0.0.0                    1       409       0         0       1       409    22.101373000         0.0000
================================================================================
```
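The `tshark -z conv,ip` table above is plain text, so the first thing a practitioner usually wants is to turn it into numbers per remote host: which hosts the browser actually talked to during the session, how many bytes went to each, and how much of that went to advertising or analytics domains rather than the site that was opened. The following parser is an added example and is not code from this thread or from the Wireshark project; it assumes the column layout exactly as tshark printed it above (endpoint, `<->`, endpoint, then the `<-`, `->` and `Total` frame/byte pairs, relative start and duration), with resolved names appended in parentheses by the forum author's bash loop. The sample input is a constructed excerpt of a few rows from the table in this post.

```python
import re
from dataclasses import dataclass
from collections import defaultdict
from typing import List, Optional, Tuple, Dict

# Constructed sample: header lines plus a few rows excerpted from the
# "IPv4 Conversations" table printed by tshark -z conv,ip in this post.
SAMPLE = """\
================================================================================
IPv4 Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
192.168.1.2          <-> 23.63.127.118(e872.g.akamaiedge.net)            397    527674     317     35578     714    563252    32.929597000        22.0994
127.0.0.1            <-> 127.0.0.1                408     39080       0         0     408     39080     0.000000000        61.4484
216.58.209.162(pagead46.l.doubleclick.net)       <-> 192.168.1.2               88     10607      98     60515     186     71122    34.602984000         2.9523
216.58.209.194(partnerad.l.doubleclick.net)       <-> 192.168.1.2               68      5777      62     65107     130     70884    33.133720000        20.1780
192.168.1.2          <-> 192.168.1.1               40     10925      40      3330      80     14255    30.476933000         7.9108
208.117.229.250(www-google-analytics.l.google.com)      <-> 192.168.1.2               26      5645      24      8362      50     14007    33.388199000        22.8297
255.255.255.255      <-> 192.168.1.1                1       592       0         0       1       592    22.120562000         0.0000
================================================================================
"""

# One conversation row: two endpoints, eight numeric columns.  The endpoint
# may carry "(resolved.name)" glued on, which is why \S+ is used for it.
ROW_RE = re.compile(
    r"^(?P<a>\S+)\s+<->\s+(?P<b>\S+)"
    r"\s+(?P<fr_in>\d+)\s+(?P<by_in>\d+)"      # '<-' columns as tshark labels them
    r"\s+(?P<fr_out>\d+)\s+(?P<by_out>\d+)"    # '->' columns
    r"\s+(?P<fr_tot>\d+)\s+(?P<by_tot>\d+)"    # 'Total' columns
    r"\s+(?P<start>[\d.]+)\s+(?P<dur>[\d.]+)\s*$"
)
# "1.2.3.4(host.example)" -> ("1.2.3.4", "host.example"); plain IP -> (ip, None)
END_RE = re.compile(r"^(?P<ip>[^(]+)(?:\((?P<host>[^)]*)\))?$")


@dataclass
class Conversation:
    a_ip: str
    a_host: Optional[str]
    b_ip: str
    b_host: Optional[str]
    bytes_in: int      # '<-' byte column
    bytes_out: int     # '->' byte column
    bytes_total: int
    duration: float


def _endpoint(text: str) -> Tuple[str, Optional[str]]:
    m = END_RE.match(text)
    if not m:
        raise ValueError(f"unparseable endpoint: {text!r}")
    return m.group("ip"), m.group("host")


def parse_conversations(text: str) -> List[Conversation]:
    """Return every conversation row in a tshark -z conv,ip text dump.
    Header, separator and 'Filter:' lines simply do not match ROW_RE."""
    convs = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        a_ip, a_host = _endpoint(m.group("a"))
        b_ip, b_host = _endpoint(m.group("b"))
        convs.append(Conversation(
            a_ip, a_host, b_ip, b_host,
            int(m.group("by_in")), int(m.group("by_out")),
            int(m.group("by_tot")), float(m.group("dur")),
        ))
    return convs


def remote_traffic(convs: List[Conversation], local_ip: str) -> List[Tuple[str, int]]:
    """Total bytes per remote peer of local_ip, largest first.  Conversations
    that do not involve local_ip (loopback, broadcast, multicast) are skipped;
    the peer is labelled by resolved name when one was appended, else by IP."""
    totals: Dict[str, int] = defaultdict(int)
    for c in convs:
        if c.a_ip == local_ip:
            label = c.b_host or c.b_ip
        elif c.b_ip == local_ip:
            label = c.a_host or c.a_ip
        else:
            continue
        totals[label] += c.bytes_total
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


def by_domain(peers: List[Tuple[str, int]]) -> Dict[str, int]:
    """Group peer totals by the last two DNS labels (a rough 'organisation'
    key, assumption: good enough for .net/.com style names); IPs stay as-is."""
    out: Dict[str, int] = defaultdict(int)
    for label, nbytes in peers:
        key = ".".join(label.split(".")[-2:]) if not re.match(r"^[\d.]+$", label) else label
        out[key] += nbytes
    return dict(out)


if __name__ == "__main__":
    peers = remote_traffic(parse_conversations(SAMPLE), "192.168.1.2")
    for label, nbytes in peers:
        print(f"{nbytes:>8}  {label}")
    print(by_domain(peers))
```

Running it on the full table from the post instead of the excerpt is a matter of pasting the whole block into `SAMPLE` or reading it from the file the `tshark` redirect wrote; the `by_domain` grouping is what makes the ad-network share of a session visible at a glance (here `doubleclick.net` alone accounts for two conversations that the browser opened while the user only asked for one site).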

----------

## miroR

The lines of a future script in the previous post worked perfectly before going on the wire...

But when I copied and pasted, esp. the "longish" line, from that post just above here, and wanted to use those lines, it didn't work.

I discovered what happened, and if it doesn't work for you, pls. correct the lines, if this:

phpBB Strange White Space problem

https://forums.gentoo.org/viewtopic-t-1032010.html

after your inspection, happens to be the case. And those lines will work.

Regards!

----------

## miroR

Filed a bug:

wireshark-2 saves different tcp streams (non-decryptable/non-gunzip'able)

https://bugs.gentoo.org/show_bug.cgi?id=565152

because these procedures that I described cannot be reproduced, or are reproduced incorrectly, and SSL/plain streams are non-decryptable/non-gunzip'able.

Regards!

----------

## miroR

There could be very useful methods to learn, if I get help on Wireshark ML, where I just posted:

follow [tcp|ssl].stream with tshark

https://www.wireshark.org/lists/wireshark-users/201511/msg00033.html

----------

## miroR

I have been working a lot on reading the traffic. For people who found interest in reading this topic (and, judging by the number of views, the interest does not seem to be waning; currently 5190 views), there could be some of these topics of interest, as they are related to SSL decryption:

How to extract content from tshark-saved streams? [[ where find, at the current end, link to my script to extract all the tcp and ssl streams with one command, and more ]]

https://forums.gentoo.org/viewtopic-t-1033844.html

More non-Decryptables (from Mozilla Cloud) [[ but read the news about reimplemented disconnect of, say, Schmoog's own tracking by Mozilla devs ]]

https://forums.gentoo.org/viewtopic-t-1034140-highlight-.html#7848104

(and I wrote more in other topics these days), but these are the most useful.

Regards!

----------

## miroR

I keep learning as I use Wireshark/Tshark, and maybe this tip, buried a little in other information:

kernel panic not anymore logged as it used to be

https://forums.gentoo.org/viewtopic-t-1041336.html#7898382

can be useful, or even the script itself could suffice for many:

http://www.croatiafidelis.hr/foss/cap/cap-160327-nft/tshark-http-uri.sh

where it reads:

```

#!/bin/bash

if [ $# -eq 0 ]; then
    echo "Must give a PCAP file (and I won't check if it is one)."
    echo "Use this at your own risk!"
    echo "Pls. read some more in the script."
    exit 1    # usage error: exit non-zero so callers can notice
fi

raw=$1
# obviously, if the ext of your PCAP is not '.pcap', modify;
# the $ anchor only strips a trailing .pcap, not one inside the path
i=$(echo "$raw" | sed 's/\.pcap$//')

# This line sorts the URIs alphabetically (and drops duplicates, -u)
tshark -q -r "$i.pcap" -T fields \
   -e 'http.request.full_uri' | sort -u > "${i}-http-request-full_uri.txt"

# This line only greps for lines with founds -- no alpha after numbers and
# space, not grep'ed in. Good for looking up that frame number in Wireshark
tshark -q -r "$i.pcap" -T fields \
   -e 'frame.number' -e 'http.request.full_uri' | grep \
   -E '^[0-9]{1,9}[[:space:]][[:alpha:]]' \
   > "${i}-frame-http-request-full_uri.txt"

```

but check it and verify it at:

http://www.croatiafidelis.hr/foss/cap/cap-160327-nft/

Regards!

----------

## miroR

Another note. I had in the meantime learned that the advice that I vaguely arrived at, cleverer people have suggested as well:

From this post in the discussion:

Should firefox be removed from portage?

https://forums.gentoo.org/viewtopic-t-1038430-start-25.html#7880354

I learned:

https://airvpn.org/topic/15769-how-to-harden-firefox-extreme-edition/

where one reads, among other things:

```
// 2614: disable SPDY as it can contain identifiers - https://www.torproject.org/projects/torbrowser/design/#identifier-linkability  (see no. 10)
user_pref("network.http.spdy.enabled", false);
user_pref("network.http.spdy.enabled.v3-1", false);
// 2615: disable http/2 for now as well - need more info
user_pref("network.http.spdy.enabled.http2", false);
user_pref("network.http.spdy.enabled.http2draft", false);
```

----------

