# Mozilla Cloud non-Decryptable Download?

## miroR

EDIT 2015-11-05 23:19+01:00:

the title now:

Mozilla Cloud non-Decryptable Download? 

This topic contains the intrusive disruption of my topic by another Gentoo member, for which I am unable to continue, if this post, currently last, is not removed:

< this same topic >

https://forums.gentoo.org/viewtopic-t-1031758.html#7837184

I hope this won't continue to be happening in other topics of mine.

I had wanted to try to contain the intrusive intentional ruining of my topic here:

Uninstalling dbus and *kits (to Unfacilitate Remote Seats)

https://forums.gentoo.org/viewtopic-t-992146-start-75.html#7837090

the reasons why there, and not here, is explained there clearly.

But to no avail. Yes I have reported the post. We'll see. (If the link to the intrusive post becomes dead, it has been removed.)

EDIT END

====  underneath here content unmodified, remains as of the first timestamp  =====

Not sure at all what this will come out.

```

993e1cf1d0305fa519c9941189221c01b974d3596de21615768e20a7e521eac4 some-file

73a1f52a202450bab08632362bb74d38f4b1cbd8b45f92cbaf2314eb225d406f some-other-file

```

I may make an unrelated post (planned previously) out of this.

However, if this is something interesting (just take a look at how interesting this topic of mine

SSL Decode & My Hard-Earned Advice for SPDY/HTTP2 in Firefox

https://forums.gentoo.org/viewtopic-t-1029408.html

appears to be; currently 3498 views), it is important that the files don't be easily dismissed as unauthentic.

Patience, I kindly ask of readers.

Last edited by miroR on Thu Nov 05, 2015 10:37 pm; edited 1 time in total

----------

## khayyam

 *miroR wrote:*   

> However, if this is something interesting (just take a look at how interesting this topic of mine [...] appears to be; currently 3498 views), it is important that the files don't be easily dismissed as unauthentic.

 

miro ... yes, and if you include a URL in every post you make (as you do) then crawlers will harvest those links, and so the views increase ... isn't technology amazing. Your posts, this one especially, are essentially nonsensical, and you seem to be under the impression that people are reading.

best ... khay

----------

## miroR

I'll now post what I had prepared previously.

---

 *I wrote wrote:*   

> 
> 
> ==== This is a completed content for the post of two days ago. Not touching that one. Nicer remains the timestamp. ===
> 
> Still not sure where this issue goes.
> ...

 

You can check all with the traffic dump in the dir:

http://www.croatiafidelis.hr/foss/cap/cap-151029-MozCloud/

Here's the straight link:

http://www.croatiafidelis.hr/foss/cap/cap-151029-MozCloud/dump_151029_1757_g0n.pcap

tshark -n -q -r dump_151029_1757_g0n.pcap -z io,stat,0

```
========================================
| IO Statistics                        |
|                                      |
| Duration: 1992.9 secs                |
| Interval: 1992.9 secs                |
|                                      |
| Col 1: Frames and bytes              |
|--------------------------------------|
|                  |1                  |
| Interval         | Frames |   Bytes  |
|--------------------------------------|
|    0.0 <> 1992.9 |  93301 | 83347395 |
========================================
```

tshark -q -r dump_151029_1757_g0n.pcap -z conv,ip

<but the resolved names in parentheses is of my addition> [*]

```

================================================================================

IPv4 Conversations

Filter:<No Filter>

                                                                                                                                     |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |

                                                                                                                                     | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |

192.168.1.3                                       <-> 54.192.55.37(d3581xjroqhv5u.cloudfront.net)                                     47095  70986165   25543   1799129   72638  72785294    59.282923000       249.2311

192.168.1.3                                       <-> 91.198.174.192(METa.wikimedia.org)                                               1811   1394268    1850    208476    3661   1602744    14.401525000      1878.8822

192.168.1.3                                       <-> 91.198.174.208(upload.wikimedia.org)                                             1526   1557690    1405    146571    2931   1704261    14.644842000      1866.1800

192.168.1.3                                       <-> 67.215.92.219(www.opendns.com)                                                   1400   1984347     987     97464    2387   2081811    55.222555000        21.1789

192.168.1.3                                       <-> 104.87.7.204(e4478.a.akamaiedge.net)                                              872    983483     650     69023    1522   1052506  1296.578943000       237.2263

192.168.1.3                                       <-> 79.133.35.202(orsn.net)                                                           814   1116764     583     57255    1397   1174019  1912.621276000        61.3161

192.168.1.3                                       <-> 106.187.50.235(wiki.opennicproject.org)                                           401    206739     516     59582     917    266321   668.428752000       803.0666

192.168.1.3                                       <-> 173.239.79.210(observatory.eff.org)                                               282     89104     361    210384     643    299488    14.610474000      1932.7411

193.92.150.194(db.southeu.clamav.net)             <-> 192.168.1.3                                                                       301     20105     301    349522     602    369627  1971.778438000         7.9034

208.117.229.246(ytstatic.l.google.com)            <-> 192.168.1.3                                                                       262     30257     285    231203     547    261460  1294.235990000       118.1253

192.168.1.3                                       <-> 192.168.1.1                                                                       240     53976     241     19497     481     73473    14.347454000      1963.8573

193.198.233.211(pula.tile.openstreetmap.org)      <-> 192.168.1.3                                                                       224     24565     226    169922     450    194487  1915.340281000        60.6354

207.241.224.26(wwwb-front2.us.archive.org)        <-> 192.168.1.3                                                                       196     18105     202    200912     398    219017   717.542395000        70.5737

208.117.229.216(youtube-ui.l.google.com)          <-> 192.168.1.3                                                                       126     12249     132     82777     258     95026  1295.664277000       115.6899

199.16.156.120(syndication.twitter.com)           <-> 192.168.1.3                                                                       124     31324     130     33285     254     64609   918.258500000       605.8391

208.117.229.251(ytstatic.l.google.com)            <-> 192.168.1.3                                                                       128     14023     123     39553     251     53576  1294.711558000       116.6539

216.58.208.74(googleapis.l.google.com)            <-> 192.168.1.3                                                                        91      7973     111    114445     202    122418  1294.708016000       116.6989

192.168.1.3                                       <-> 104.87.23.15(e10776.b.akamaiedge.net)                                              99     31128      71      6842     170     37970    58.518070000       152.4074

192.168.1.3                                       <-> 104.92.100.137(e6640.g.akamaiedge.net)                                             87     92107      80      6348     167     98455    57.095759000       160.2028

192.168.1.3                                       <-> 104.244.43.44(PLAtfoRM.twitter.com)                                                68     32441      82      8598     150     41039   670.180128000       353.9075

192.168.1.3                                       <-> 104.244.43.108(PLAtfoRM.twitter.com)                                               61      8837      83      9090     144     17927   917.636938000        66.5593

192.168.1.3                                       <-> 23.37.43.27(e8218.ce.akamaiedge.net)                                               61     15537      68      7236     129     22773    66.944206000      1345.4188

192.168.1.3                                       <-> 173.194.113.183(csi.gstatic.com)                                                   56     21454      68      6900     124     28354  1300.186735000       116.1969

192.168.1.3                                       <-> 37.252.170.182(secure.anycast.adnxs.com)                                           67     16811      48      9668     115     26479    68.518336000        60.6243

208.117.229.212(youtube-ui.l.google.com)          <-> 192.168.1.3                                                                        55      5147      49     17320     104     22467    59.114340000       116.1468

199.16.156.52(syndication.twitter.com)            <-> 192.168.1.3                                                                        47      6807      53      9996     100     16803   670.701160000       286.1726

192.168.1.3                                       <-> 54.192.12.211(d15a7gkmxinlzq.cloudfront.net)                                       50     41019      48      4338      98     45357    58.493768000       116.7505

192.168.1.3                                       <-> 74.125.136.141(appspot.l.google.com)                                               50     49669      40      3897      90     53566  1294.714544000       117.6672

216.137.59.141(dnn506yrbagrg.cloudfront.net)      <-> 192.168.1.3                                                                        45      4512      41     26783      86     31295    59.223058000       116.0383

192.168.1.3                                       <-> 68.232.35.116(s11.gp1.wac.alphacdn.net)                                            50     31881      36      4050      86     35931    57.170370000       149.3047

216.58.211.4(wwW.google.com)                      <-> 192.168.1.3                                                                        44      5768      39      5230      83     10998    59.222866000      1354.1470

192.168.1.3                                       <-> 46.33.68.128(a1158.b.akamai.net)                                                   37      6404      44      3912      81     10316    58.829964000       116.2763

208.117.229.250(ytstatic.l.google.com)            <-> 192.168.1.3                                                                        39      3705      38     19415      77     23120  1298.278404000       116.0712

216.58.211.3(www.google.hr)                       <-> 192.168.1.3                                                                        40      4504      35     11993      75     16497    59.637909000       116.3867

208.117.229.213(youtube-ui.l.google.com)          <-> 192.168.1.3                                                                        37      3541      34     12194      71     15735  1297.353593000       115.9963

192.168.1.3                                       <-> 173.194.116.185(pagead46.l.doubleclick.net)                                        32     13151      39      4005      71     17156    58.501609000       115.7495

208.117.229.217(youtube-ui.l.google.com)          <-> 192.168.1.3                                                                        37      3618      33     11125      70     14743  1291.738397000       117.6083

192.168.1.3                                       <-> 54.246.123.254(data-collector-linkedin-prod-803114458.eu-west-1.elb.amazonaws.)    31     15502      39      4164      70     19666    65.741151000        65.5876

192.168.1.3                                       <-> 104.244.43.172(platform.twitter.com)                                               30      6242      39      4237      69     10479  1223.068003000       189.3098

192.168.1.3                                       <-> 173.194.116.220(dart.l.doubleclick.net)                                            30     12906      39      3813      69     16719    58.496705000       116.7201

216.58.209.168(www-googletagmanager.l.google.com) <-> 192.168.1.3                                                                        37      3185      32     22797      69     25982    58.465698000       115.6854

192.168.1.3                                       <-> 185.63.147.10(any-eu.www.linkedin.com)                                             32      9541      36      3837      68     13378    69.327707000       116.8225

216.58.211.35(www.google.hr)                      <-> 192.168.1.3                                                                        35      3683      27      9934      62     13617  1298.187182000       116.1833

192.168.1.3                                       <-> 173.194.112.250(pagead.l.doubleclick.net)                                          27     10512      35      3826      62     14338  1296.363420000       116.0318

192.168.1.3                                       <-> 50.31.164.174(bam.nr-data.net)                                                     29      7729      33      4193      62     11922    66.302954000       116.9269

208.117.229.218(youtube-ui.l.google.com)          <-> 192.168.1.3                                                                        32      3924      28      4920      60      8844  1296.574470000        61.8602

192.168.1.3                                       <-> 54.246.108.37(fanboy-web-linkedin-prod-935158116.eu-west-1.elb.amazonaws.com)      31     14062      28      2895      59     16957    70.308618000        61.7705

192.168.1.3                                       <-> 54.228.244.241(data-collector-linkedin-prod-803114458.eu-west-1.elb.amazonaws.)    31     14445      28      3022      59     17467    67.928440000        61.3584

208.117.229.249(ytstatic.l.google.com)            <-> 192.168.1.3                                                                        30      4209      29      5726      59      9935    57.281102000        63.3404

192.168.1.3                                       <-> 46.137.124.98(www.bizographics.com)                                                30     13494      28      2991      58     16485    67.281565000        61.6806

192.168.1.3                                       <-> 173.194.112.89(pagead.l.doubleclick.net)                                           27     12060      29      2653      56     14713    57.106885000       116.1459

192.168.1.3                                       <-> 74.125.136.95(googleadapis.l.google.com)                                           26      3409      29      3620      55      7029  1294.706363000       115.6756

192.168.1.3                                       <-> 173.194.116.218(pagead46.l.doubleclick.net)                                        21      6160      24      3752      45      9912   529.405475000       115.8264

192.168.1.3                                       <-> 185.31.17.175(c.global-ssl.fastly.net)                                             22     16026      21      2065      43     18091    65.716976000        61.7831

192.168.1.3                                       <-> 173.194.113.90(pagead46.l.doubleclick.net)                                         18      2394      21      2879      39      5273  1296.801580000       115.5870

192.168.1.3                                       <-> 66.228.63.70(www.opennicproject.org)                                               30      7113       9       636      39      7749  1229.968277000        99.7276

192.168.1.3                                       <-> 104.244.43.12(platform.twitter.com)                                                16      4992      23      1935      39      6927   789.216954000       439.4942

127.0.0.1                                         <-> 127.0.0.1                                                                          36      3732       0         0      36      3732  1984.204172000         8.6515

192.168.1.3                                       <-> 17.171.8.16(ocsp.pki-apple.com.akadns.net)                                         16      4580      19      1526      35      6106  1292.914909000       115.5835

192.168.1.3                                       <-> 46.33.68.72(a1158.b.akamai.net)                                                    16      3024      18      1676      34      4700    57.228615000       115.8789

192.168.1.3                                       <-> 93.184.220.29(cs9.wac.phicdn.net)                                                  10      3060      14      2261      24      5321    56.073400000        26.2459

193.63.75.103(www.openstreetmap.org)              <-> 192.168.1.3                                                                        13      1619      10      6299      23      7918  1913.250907000         6.6914

192.168.1.3                                       <-> 67.215.92.210(dashboard.opendns.com)                                               11      5765      12      1582      23      7347    58.906764000        11.1855

199.16.156.230(twitter.com)                       <-> 192.168.1.3                                                                        10      1018      12      4357      22      5375  1290.983939000         7.1214

205.178.187.13(www.networksolutions.com)          <-> 192.168.1.3                                                                        12       840       9       636      21      1476   707.301071000        20.6142

192.168.1.3                                       <-> 188.40.2.4(osmtools.de)                                                             9      1652      11       970      20      2622  1915.225345000        15.1181

192.168.1.3                                       <-> 17.146.233.10(files.me.com)                                                         9      3436      10      1501      19      4937  1292.427851000         4.1550

199.16.156.6(twitter.com)                         <-> 192.168.1.3                                                                        10      1018       9      4091      19      5109   926.159799000         5.6840

207.241.226.249(vlcbackup.archive.org)            <-> 192.168.1.3                                                                        10      1203       8       880      18      2083   723.208901000         5.7509

224.0.0.1                                         <-> 10.16.96.1                                                                         15       930       0         0      15       930   114.177572000      1750.0431

207.241.224.2(archive.org)                        <-> 192.168.1.3                                                                         4       280       2       144       6       424   741.173875000         5.4068

255.255.255.255                                   <-> 0.0.0.0                                                                             2       818       0         0       2       818     0.027432000         3.3679

255.255.255.255                                   <-> 192.168.1.1                                                                         1       592       0         0       1       592     3.417719000         0.0000

================================================================================

```

The issue with this capture is not too hard to see for a trained eye. A huge portion of the entire capture of 83M, which is a huge traffic for simply browsing which I did for those 33 minutes, without downloading any video or another file of that order of magnitude, a huge portion is here:

grep cloudfro dump_151029_1757_g0n.conv-ip-with-names

<and the legend (the first two lines) is of my addition>

```

                                                                                                                                     |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |

                                                                                                                                     | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |

192.168.1.3                                       <-> 54.192.55.37(d3581xjroqhv5u.cloudfront.net)                                     47095  70986165   25543   1799129   72638  72785294    59.282923000       249.2311

192.168.1.3                                       <-> 54.192.12.211(d15a7gkmxinlzq.cloudfront.net)                                       50     41019      48      4338      98     45357    58.493768000       116.7505

216.137.59.141(dnn506yrbagrg.cloudfront.net)      <-> 192.168.1.3                                                                        45      4512      41     26783      86     31295    59.223058000       116.0383

```

and it is especially obvious that the one conversation of all, with the 54.192.55.37(d3581xjroqhv5u.cloudfront.net), downloaded into my system a little short of 70M (the 47095 Frames or 70986165 Bytes, under "<-" ), and so it has made for the great great majority of the traffic.

Maybe that is the regular way Firefox updates. It really may be.

But if it is the regular way Fox updates, then it ought to be in the open, for me, a user of Mozilla Firefox, a program that is Free Open Source Software, at least as it is claimed to be such by its developers (and I still hope they do keep to some standards, at least a significant part of its community).

I'll try and see if I can manage to get the TCP or SSL streams in the open, and see what exactly Mozilla downloaded into my system, and then I can, hopefully, find it in my system, and get an inkling at least, what it does, or is, there for.

Next.

---

[*] Compare with the output of:

tshark -q -r dump_151029_1757_g0n.pcap -z hosts
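
Added example, not part of the original post: a small parser for the `conv,ip` table above that normalises the `<-` / `->` columns relative to the capturing host and ranks remotes by inbound bytes as a share of the whole capture. The rows are copied from the table with padding collapsed; the function names are hypothetical.

```python
import re

# Rows copied from the conv,ip table above (column padding collapsed).
SAMPLE_ROWS = """\
192.168.1.3 <-> 54.192.55.37(d3581xjroqhv5u.cloudfront.net) 47095 70986165 25543 1799129 72638 72785294 59.282923000 249.2311
192.168.1.3 <-> 91.198.174.192(METa.wikimedia.org) 1811 1394268 1850 208476 3661 1602744 14.401525000 1878.8822
193.92.150.194(db.southeu.clamav.net) <-> 192.168.1.3 301 20105 301 349522 602 369627 1971.778438000 7.9034
192.168.1.3 <-> 192.168.1.1 240 53976 241 19497 481 73473 14.347454000 1963.8573
"""

CAPTURE_BYTES = 83347395   # total bytes from the io,stat output above
LOCAL_IP = "192.168.1.3"   # the capturing host in this dump

# An endpoint is an IPv4 address, optionally followed by "(resolved.name)".
ENDPOINT = r"(\d+\.\d+\.\d+\.\d+)(?:\(([^)]*)\))?"
ROW = re.compile(
    r"^\s*" + ENDPOINT + r"\s+<->\s+" + ENDPOINT +
    r"\s+(\d+)\s+(\d+)"      # "<-" frames, bytes: traffic towards the LEFT address
    r"\s+(\d+)\s+(\d+)"      # "->" frames, bytes: traffic towards the RIGHT address
    r"\s+(\d+)\s+(\d+)"      # total frames, bytes
    r"\s+[\d.]+\s+[\d.]+\s*$"  # relative start, duration
)


def parse_conversations(text, local_ip):
    """Return one dict per conversation that involves local_ip."""
    convs = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, ruler or blank line
        left, left_name, right, right_name = m.group(1, 2, 3, 4)
        to_left, to_right = int(m.group(6)), int(m.group(8))
        if left == local_ip:
            remote, name, inbound, outbound = right, right_name, to_left, to_right
        elif right == local_ip:
            # tshark may print the local host on either side; flip the columns.
            remote, name, inbound, outbound = left, left_name, to_right, to_left
        else:
            continue  # e.g. multicast or loopback rows
        convs.append({"remote": remote, "name": name,
                      "bytes_in": inbound, "bytes_out": outbound})
    return convs


def top_talkers(convs, capture_bytes, n=5):
    """Rank remotes by bytes received from them, with share of the capture."""
    ranked = sorted(convs, key=lambda c: c["bytes_in"], reverse=True)[:n]
    return [dict(c, share=c["bytes_in"] / capture_bytes) for c in ranked]


if __name__ == "__main__":
    for c in top_talkers(parse_conversations(SAMPLE_ROWS, LOCAL_IP), CAPTURE_BYTES):
        print("%-16s %-40s in=%10d out=%9d  %5.1f%%" % (
            c["remote"], c["name"] or "-", c["bytes_in"], c["bytes_out"],
            100 * c["share"]))
```
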

----------

## miroR

Then it ought to be in the open. For me. Encrypted with PFS (Perfect Forward Secrecy), so no one can snoop on it, but if I cared to store and keep the "CLIENT_RANDOM" keys in my $SSLKEYLOGFILE (or in some other fashion), then it must be open for me to see what Mozilla from its cloud downloaded into my system, if that was the case, as it looks to me.

The filter is: "ip.addr==54.192.55.37" (without quotes).

Or maybe better: "(ip.addr==54.192.55.37) || (ip.addr==54.192.12.211) || (ip.addr==216.137.59.141)" (without quotes), but pls. note that I'm guessing only...

I'll take this latest.

I entered (pasted) that string in the Wireshark filter, hit Enter to get that filtered display active, and then File >  "Export Specified Packets". "Packet Range" is "All Packets", the "Displayed" is selected already, and I saved it as:

dump_151029_1757_g0n_MozCloud.pcap

If you, by doing the same, get:

```

-rw-r--r-- 1 miro miro  75195628 2015-10-30 16:45 dump_151029_1757_g0n_MozCloud.pcap

```

which is in human readable (the '-h' switch)

```

-rw-r--r-- 1 miro miro  72M 2015-10-30 16:45 dump_151029_1757_g0n_MozCloud.pcap

```

then probably my suggestions can be followed (and if you're into network capture, maybe you can tell all of us more; there will be encryption that I'm afraid I can not decrypt, later; perfectly possible only because my knowledge is insufficient, but also that not all tools are there for decryption, even if I were expert)...

I now open that dump with those just exported specified packets selection in Wireshark.

Now at least we are dealing with only 7 tcp streams, while in the complete dump, there were 472 tcp streams

( you get streams out if you put [0-7] for $the_number in "tcp.stream eq $the_number" in the filter for that MozCloud.pcap dump (and you get nothing if you put 8 or greater; and in the complete dump, you get a different tcp stream if you put [0-472] in "tcp.stream eq $the_number", such as "tcp.stream eq 3" or "tcp.stream eq 405", respectively ).

But can these streams be decrypted? And if, how?

----------

## miroR

I'll try and cut to the chase. Because I'm beginning to be in a hurry. I need Fox as I have to use internet banking for my monthly paying of my bills, and I have only in Fox some trust lingering, from among the javascript enabled browsers that I could do those payments with.

But my not being able to decrypt the huge payload (we are just about coming to it next), is making me worry, and either I go and pay my bills at the counter instead of via the internet banking, or...

We still have dump_151029_1757_g0n_MozCloud.pcap open in Wireshark.

Enter the filter "tcp.stream eq 5" (without quotes).

Right click on any frame with TLS1.2, follow SSL stream, and save as:

dump_151029_1757_g0n_MozCloud_s5-ssl.dump

You should get:

```
$ ls -l  dump_151029_1757_g0n_MozCloud_s5-ssl.dump
-rw-r--r-- 1 miro miro 136352 2015-10-30 22:30 dump_151029_1757_g0n_MozCloud_s5-ssl.dump
$ ls -lh  dump_151029_1757_g0n_MozCloud_s5-ssl.dump
-rw-r--r-- 1 miro miro 134K 2015-10-30 22:30 dump_151029_1757_g0n_MozCloud_s5-ssl.dump
```

Can't delve into it, in a hurry for reason stated above, but it's some tiny adobe managed video, in some likelihood, but it's partial content, I think I saw somewhere when following it (just open it with:

```

$ hexedit dump_151029_1757_g0n_MozCloud_s5-ssl.dump

```

)

But it's this next stream... Do the same right click as before, but choose "Follow tcp stream" instead. And be patient. It's there, we have arrived at where the story might start to become interesting.

Be patient (unless you have a really powerful computer). Do save it as:

dump_151029_1757_g0n_MozCloud_s5.dump

but all those megabytes need a little time to reassemble from those some 40000 different frames (packets).

You should have this eventually:

```
$ ls -l  dump_151029_1757_g0n_MozCloud_s5.dump
-rw-r--r-- 1 miro miro 67764933 2015-10-30 22:41 dump_151029_1757_g0n_MozCloud_s5.dump
$ ls -lh  dump_151029_1757_g0n_MozCloud_s5.dump
-rw-r--r-- 1 miro miro 65M 2015-10-30 22:41 dump_151029_1757_g0n_MozCloud_s5.dump
$
```

And here my insufficient knowledge, or encrypted content (coming at it in a moment), makes me unable to view what those 65M contain.

Get ready to follow by studying "man hexedit" (emerge hexedit if you haven't yet).

```

$ hexedit dump_151029_1757_g0n_MozCloud_s5.dump

```

Next, search for, in hex, string "474554" (without quotes), which is the string that GET'd content starts with, and take notice how many you find. They should be three (3) only.

Stay with the third 474554 that you found. Mark it. go to end. Copy.

You'll get a jocular warning ( my install is:

```
 # equery l hexedit

 * Searching for hexedit ...

[IP-] [  ] app-editors/hexedit-1.2.13:0

#
```

):

```

       Hey, don't you think that's too big?!

             Really copy (Yes/No)

```

Enjoy the joke, answer "y" and paste it into a file:

dump_151029_1757_g0n_MozCloud_s5_03.dump

Move again to the start of the third GET and truncate at that point.

Go to beginning, and from there get one, and another time to the start of GET. So you are at the second GET.

Just like before, mark, move to end, copy and paste into a file:

dump_151029_1757_g0n_MozCloud_s5_02.dump

To beginning, and move to the second GET, and truncate there.

Go to beginning, and from there go to the start of the last GET. Mark, move to end, copy and paste into a file:

dump_151029_1757_g0n_MozCloud_s5_01.dump

You should now have:

```
$ ls -l dump_151029_1757_g0n_MozCloud_s5_0?.dump
-rw-r--r-- 1 miro miro  1484476 2015-10-30 23:36 dump_151029_1757_g0n_MozCloud_s5_01.dump
-rw-r--r-- 1 miro miro 13834287 2015-10-30 23:36 dump_151029_1757_g0n_MozCloud_s5_02.dump
-rw-r--r-- 1 miro miro 37479495 2015-10-30 23:35 dump_151029_1757_g0n_MozCloud_s5_03.dump
$ ls -lh dump_151029_1757_g0n_MozCloud_s5_0?.dump
-rw-r--r-- 1 miro miro 1.5M 2015-10-30 23:36 dump_151029_1757_g0n_MozCloud_s5_01.dump
-rw-r--r-- 1 miro miro  14M 2015-10-30 23:36 dump_151029_1757_g0n_MozCloud_s5_02.dump
-rw-r--r-- 1 miro miro  36M 2015-10-30 23:35 dump_151029_1757_g0n_MozCloud_s5_03.dump
$
```

Now, let's go get the gzip data, if we can:

```

$ hexedit dump_151029_1757_g0n_MozCloud_s5_03.dump

```

Search, in hex, for "1F8B08" (without quotes). Only one found. Mark. Move to end. Copy. Paste into file:

dump_151029_1757_g0n_MozCloud_s5_03.gz

And here we go, where I have no idea how to get what that data is:

```
$ file dump_151029_1757_g0n_MozCloud_s5_03.gz
dump_151029_1757_g0n_MozCloud_s5_03.gz: gzip compressed data, ASCII, extra field, encrypted
$
```

Do you see this unusual info the file command is telling us?

And sure, if I try:

```
$ gunzip dump_151029_1757_g0n_MozCloud_s5_03.gz
gzip: dump_151029_1757_g0n_MozCloud_s5_03.gz is encrypted -- not supported
$
```

And it's similar, if I process 02.dump like that, with:

```
$ file dump_151029_1757_g0n_MozCloud_s5_02.gz
dump_151029_1757_g0n_MozCloud_s5_02.gz: gzip compressed data, has CRC, extra field, has comment, encrypted, last modified: Sun Oct 19 05:36:28 2003
$ gunzip dump_151029_1757_g0n_MozCloud_s5_02.gz
gzip: dump_151029_1757_g0n_MozCloud_s5_02.gz is encrypted -- not supported
$
```

I'm not saying this isn't legitimate, as I don't know that it isn't.

Nor that it is legitimate.

I'm not so very bright, but neither stupid. I think I'll try and ask about this Mozilla devs, on their mailing list or some such place, or on Wireshark mailing list.

And in the meantime, I can't use Fox for internet banking, and the money that I need to pay, as every month, is due for payment...

Either I go to the bank or post office and pay over the counter (but what then do I have computers for?), or...

Regards!

EDIT 2015-11-01 21:06+01:00. corrected lapsus: 's/1F8B08/474554/'

Last edited by miroR on Sun Nov 01, 2015 8:06 pm; edited 1 time in total
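
Added example, not part of the original post: any fixed three-byte pattern such as `47 45 54` or `1F 8B 08` turns up by chance about once per 2^24 bytes of high-entropy data, so a hit carved out of a raw TLS stream needs validating before it is treated as a request or gzip boundary. The sketch below estimates the chance-hit count for the file sizes listed above and checks a candidate gzip header against RFC 1952 (FLG bits 5 to 7 are reserved and must be zero; `file` prints bit 5 as "encrypted") before trying to inflate it. The sample buffer, the helper names and the FLG value 0x25 are constructed for illustration.

```python
import gzip
import hashlib
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"   # ID1, ID2, CM=8 (deflate) per RFC 1952
FLAG_NAMES = {0x01: "FTEXT", 0x02: "FHCRC", 0x04: "FEXTRA",
              0x08: "FNAME", 0x10: "FCOMMENT"}
RESERVED_BITS = 0xE0           # must be zero in a conforming gzip member


def expected_chance_hits(n_bytes, pattern_len):
    """Average count of a fixed pattern in n_bytes of uniformly random data."""
    return max(n_bytes - pattern_len + 1, 0) / 256 ** pattern_len


def find_all(buf, pattern):
    """All offsets at which pattern occurs in buf."""
    offsets, pos = [], buf.find(pattern)
    while pos != -1:
        offsets.append(pos)
        pos = buf.find(pattern, pos + 1)
    return offsets


def check_gzip_candidate(buf, offset, probe=1 << 16):
    """Return (verdict, detail) for a 1F 8B 08 hit at offset."""
    header = buf[offset:offset + 10]
    if len(header) < 10 or not header.startswith(GZIP_MAGIC):
        return "not-gzip", "short or missing magic"
    flg = header[3]
    if flg & RESERVED_BITS:
        return "not-gzip", "reserved FLG bits set (0x%02x)" % flg
    inflater = zlib.decompressobj(wbits=31)   # 16 + 15: expect a gzip wrapper
    try:
        out = inflater.decompress(buf[offset:offset + probe], probe)
    except zlib.error as exc:
        return "not-gzip", "inflate failed: %s" % exc
    if not out and not inflater.eof:
        return "unconfirmed", "header parsed but no data inflated"
    names = [n for bit, n in FLAG_NAMES.items() if flg & bit] or ["none"]
    return "gzip", "%d bytes inflated, flags=%s" % (len(out), ",".join(names))


def noise(n, seed):
    """Deterministic high-entropy filler standing in for TLS ciphertext."""
    out, counter = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


def build_sample():
    """Constructed buffer: two chance-style hits and one real gzip member."""
    parts = {
        "flagged": GZIP_MAGIC + bytes([0x25]) + noise(64, b"a"),  # bits 0, 2, 5
        "bad_deflate": GZIP_MAGIC + b"\x00" * 7 + b"\xff" * 16,   # clean header, bad block
        "real": gzip.compress(b"constructed payload\n" * 50),
    }
    buf, offsets = bytearray(noise(300, b"pad")), {}
    for name, blob in parts.items():
        offsets[name] = len(buf)
        buf += blob + noise(100, name.encode())
    return bytes(buf), offsets


if __name__ == "__main__":
    for size in (67764933, 37479495):   # sizes of s5.dump and s5_03.dump above
        print(size, "bytes: ~%.1f chance hits" % expected_chance_hits(size, 3))
    sample, _ = build_sample()
    for off in find_all(sample, GZIP_MAGIC):
        print(off, *check_gzip_candidate(sample, off))
```
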

----------

## miroR

title will be:

Mozilla Cloud non-Decryptable Download?

================

(will change it later)

---

I owe you this one, readers, if there are any (maybe you better not read, or some will get upset if you do...)

I owe you this one, gentle readers:

 *I wrote:*   

> Either I go to the bank or post office and pay over the counter (but what then do I have computers for?), or... 
> 
> 

 

Or...? Or what? lingers the question.

Well, what for did I figure out, for myself and for other people, how to install gentoo air-gapped:

Air-Gapped Gentoo Install, Tentative

https://forums.gentoo.org/viewtopic-t-987268.html

?

And why do I try to spread some good methods of backup (would have been better if I had time to make a separate tip for it, true):

Postfix smtp/TLS, Bkp/Cloning Mthd, Censorship/Intrusion

https://forums.gentoo.org/viewtopic-t-999436.html#7613044

?

Surely I wiped the hard disk clean with the Air-Gapped complete system backup, with the Air-Gapped that could not have any intrusions on it... By cloning the air-gapped master system onto this one... But all these methods are explained in the respective links just given.

And if this matter shows to be nothing to worry about, well, then it needs to be possible to get the content of those downloads in the open. Without becoming a rocket scientist to be able to do it...

If Zilla is really FOSS (...hope lingering).

No one is allowed to encrypt things in my computer, behind my back, not even Mozilla (if that was really its cloud downloading in my machine).

And neither should behind your back, gentle readers.

And surely, I'm back to using Dillo. Such a fine worry-free experience. I dream good FOSS people will help the Dillo devs to make Dillo much much better, more complete, and competing with the commercial big browsers...

Back to the issue. Anyone knows how to decrypt those?

Can you help us (It is likely that other users will have issues like this)?

Because it might take me longish to figure this out....

(If I do, I'll tell all of you!)

Regards!

----------

## miroR

Ah, and I forgot.

The entire snapshot of the system, with that download in it, is saved, and will be available for weeks, maybe even months from now.

With the backup/cloning method that I linked to in the previous post.

So no information, if some real expert happens to want to look into this, has been lost.

Good night!

----------

## miroR

I can not believe I had forgotten to post the SSLKEYLOGFILE-151029.log....

It is there now.

No, that wouldn't decrypt the Moz Cloud download, no. But that decrypts everything else.

Anyway, I updated the:

http://www.croatiafidelis.hr/foss/cap/cap-151029-MozCloud/

and you can get the files by downloading just the dLo.sh, and 'chmod 755' to it, then into an empty new dir where you have privs, and ./dLo.sh to get all the files. I am now also uploading the Screen_151029_1757_g0n.mkv, but I'm afraid I won't have that much room left on my NGO's website...

And I mailed to Mozilla dev-security mailing list:

Mozilla Cloud non-Decryptable Download?

```

https://groups.google.com/forum/#!topic/mozilla.dev.security/abSHPU4EaP8

```

the link above is for pasting into your browser's address bar, because, like this:

https://groups.google.com/forum/#!topic/mozilla.dev.security/abSHPU4EaP8

the '/#!' seems to erroneously end the reading of the address for phpBB...

EDIT 2015-11-01 20:42+01:00:

Ah, managed to get the address, it's the Schmoog's way, nobody else's:

https://groups.google.com/d/msg/mozilla.dev.security/abSHPU4EaP8/s-5UMFJsCAAJ

(such as, it don't let me view it with Dillo, the shingilibindildiyots!)

EDIT END

(

Anyway, only the Schmoog, really, could come up with such a standard for http addresses. The Schmoog rapist of the standards, like with the SPDY and the HTTP2, which you can read about in the topic which this one you're reading follows on the heels of; but I must not give you the link, as that would surge the views of it, and some people would get upset... Find the link in the first post...

Which first post of this topic will be expanded with some more necessary details only when no shadow of doubt is left as to authenticity of the event of the apparent Moz cloud autodownload into my machine, non-decryptable for me, the user, having happened when I claim, by the virtue of the traffic dump and the screencast being verifiable to have been taken when I posted that first post in this topic) 

Which first post of this topic will be expanded with some more necessary details when more views, by different viewers, dispel any shadow of doubt in the authenticity of the traffic dump and screencast.

And only then can I also change the title of this topic to "Mozilla Cloud non-Decryptable Download?"

)

Regarding my post to Mozilla dev-security ML, let's see if I get any info back...

Last edited by miroR on Sun Nov 01, 2015 7:46 pm; edited 1 time in total
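Added example, not part of the original posts and not code from the poster or from Mozilla: Wireshark finds a TLS 1.2 session's master secret by looking up the ClientHello random among the `CLIENT_RANDOM` lines of a key log such as the SSLKEYLOGFILE mentioned above, so this sketch parses a log and reports which observed sessions have no such entry. The function names and all sample values are constructed for illustration.

```python
import re

# One NSS key log line: "<LABEL> <hex> <hex>"; '#' starts a comment.
_LINE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]+) ([0-9a-fA-F]+)$")


def parse_keylog(text):
    """Return ({client_random_hex: master_secret_hex}, [(lineno, reason)])."""
    secrets, skipped = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            skipped.append((lineno, "malformed"))
            continue
        label, ident, secret = m.group(1), m.group(2).lower(), m.group(3).lower()
        if label != "CLIENT_RANDOM":
            skipped.append((lineno, "label " + label))  # e.g. legacy RSA lines
        elif len(ident) != 64 or len(secret) != 96:
            skipped.append((lineno, "bad length"))  # 32-byte random, 48-byte secret
        else:
            secrets[ident] = secret
    return secrets, skipped


def coverage(secrets, observed_randoms):
    """Split ClientHello randoms seen in a capture into (covered, uncovered)."""
    covered = [r for r in observed_randoms if r.lower() in secrets]
    uncovered = [r for r in observed_randoms if r.lower() not in secrets]
    return covered, uncovered


# Constructed sample data (not taken from the capture discussed in the thread).
R1, R2, R3 = "aa" * 32, "bb" * 32, "cc" * 32
SAMPLE_LOG = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    "CLIENT_RANDOM " + R1 + " " + "11" * 48,
    "CLIENT_RANDOM " + R2.upper() + " " + "22" * 48,
    "CLIENT_RANDOM " + "dd" * 16 + " " + "33" * 48,  # truncated random
    "RSA " + "ee" * 8 + " " + "44" * 48,
])

if __name__ == "__main__":
    secrets, skipped = parse_keylog(SAMPLE_LOG)
    covered, uncovered = coverage(secrets, [R1, R2, R3])
    print("usable entries:", len(secrets), "skipped:", skipped)
    print("no key material for:", uncovered)
```

A session listed as uncovered cannot be decrypted from this log alone, for instance because its handshake was made by a process that was not writing to the log.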

----------

## miroR

All is in the:

http://www.croatiafidelis.hr/foss/cap/cap-151029-MozCloud/

and I checked it by downloading it. Sums are right, and digitally verified with my PGP signature...

----------

## miroR

I'm not letting go of this. I'll try and ask on Wireshark ML, if I don't get any replies from Mozilla devs. I mean any real replies...

The last reply, so far, is so general, and so dry... So hitting-oneself-in-the-mind's-eyes and beating-one's-brain to churn out a dry-kind empty reply... that it makes me sad.

Looks like really this is some abuse attempted on my machine, from Mozilla Cloud addresses.

But... Before I change the title; which is not yet, too few views, at which time I can take the opportunity to say it more forcefully, right there upfront and very clearly in the first post...

Which I can not edit, the first post, yet, because of the shintilibidintitty "advice" there posing like a thought exudision...

Before that, I am advising readers who wish to understand what this is about, that they need to study the link given upfront, else they can not figure this issue here at all...

Again, get familiar with this:

SSL Decode & My Hard-Earned Advice for SPDY/HTTP2 in Firefox 

https://forums.gentoo.org/viewtopic-t-1029408.html

else you can not understand here.

----------

## miroR

There could be the solution on the way, and the autodownload could be legitimate.

I got a kind reply by Andrew Sutherland:

https://groups.google.com/d/msg/mozilla.dev.security/abSHPU4EaP8/9NitJEGICAAJ

More work for me... as usual, at turtle-speed.

Regards!

----------

## khayyam

 *miroR wrote:*   

> Over in a new topic of mine:
> 
> Mozilla Cloud non-Decryptable Download? 
> 
> (which I can not change the subject of the topic into the one above yet, for reasons easily understood if you read there)
> ...

 

miro ... more nonsense, it's not like everyone (steveL, krinn, and many others) haven't said the exact same thing, so, no, I'm certainly "over" it (whatever that "it" happens to be in your imagination). If you have a problem with the post, or my previous posts, then use the 'report' button.

best ... khay

----------

## miroR

 *khayyam wrote:*   

>  *miroR wrote:*   However, if this is something interesting (just take a look at how interesting this topic of mine [...] appears to be; currently 3498 views), it is important that the files don't be easily dismissed as unauthentic. 
> 
> miro ... yes, and if you include a URL in every post you make (as you do) then crawlers will harvest those links, and so the views increase ... isn't technology amazing. Your posts, this one especially, are essentially nonsensical, and you seem to be under the impression that people are reading.
> 
> best ... khay

 

Just, that topic of mine:

SSL Decode & My Hard-Earned Advice for SPDY/HTTP2 in Firefox

https://forums.gentoo.org/viewtopic-t-1029408.html

is now:

8726

views.

----------

## Ant P.

Eight thousand views from Googlebot, your best friend!

----------

## khayyam

 *miroR wrote:*   

> Just, that topic of mine is now: 8726 views.

 

... shall I explain again how 'views' are calculated, and how meaningless they are as a metric for quality?

----------

## Akkara

 *miroR wrote:*   

> Just, that topic of mine:
> 
> SSL Decode & My Hard-Earned Advice for SPDY/HTTP2 in Firefox
> 
> https://forums.gentoo.org/viewtopic-t-1029408.html
> ...

 

miroR: Please stop bumping this.  A good half of those views are from myself and other moderators wondering what to do with it.  They are NO indication whatsoever of the quality (or lack thereof) of the topic.  And by you posting here, this thread's count will go up by a few 100 as I, others, and a myriad of Google/Bing/Alibaba/etc bots all come around to see what's new and index it all.  And, by my posting this, the count here will go by a bunch more.  Did you know that if you view your own thread, the count goes up?  Wheee! let's play the game, can we make it to 9000?

You have been warned.

Locked.

----------

