|
Idea: N900 security update (openssl, browser etc)
I would like to propose some ideas in terms of improving the security of the N900 system.
1.We should look at the installed-by-default packages and where there are updates or patches out there that improve security (but which can be used on maemo without breaking things) we should bring them into cssu git repository on github and make them available. Its already being done with newer upstream versions of openssl0.9.8, zlib, libxml2 and some others). 2.we should look to bring in either the latest openssl or libressl and use it for all those packages which use openssl and for which we have source code. (there is no reason we cant keep openssl0.9.8 and something newer around side-by-side as far as I know) 3.Same for any other packages where there is a newer more-secure non-ABI-compatible upstream version we can pull in. 4.We should look at how microb does security and figure out if we can upgrade all the security and crypto and ssl bits in order to support the latest standards (like TLS1.2) so people using a N900 to browse the web are secure. This also includes modifying things where possible to disable the same depreciated algorithms and protocols and stuff that Mozilla, Google and others have disabled so they don't get used. Updating the browser engine (e.g. trying to support the latest HTML5/web 2.0 stuff etc) isn't really possible (too many things rely on it like Flash and Maps and the browser UI) but I bet we can do some things with the security stuff to improve things (including maybe even back-porting any critical patches that we can find and that are worth back-porting) 5.We should look at the installed set of root CAs and make sure its up to date with what everyone else is shipping so we aren't vulnerable and 6.We should consider creating a "security update" for Maemo Fremantle with the criteria for what goes into it being similar to the various "long term" security updates for Linux distros like Debian and Ubuntu. In particular, it would be more conservative than even CSSU-stable and wouldn't ship any new-feature-work (like the portrait/screen rotation stuff) http://wiki.maemo.org/Fremantle/Repositories actually proposes exactly what I suggested for #5. Yes these are just ideas and yes it needs people who can actually do the work (I can certainly help where my time and skills allow) but its a thought on how we can make one of the best cellphones ever produced secure enough to survive out there in today's increasingly dangerous online environment. |
Re: Idea: N900 security update (openssl, browser etc)
For #2, here is a list of packages that use openssl:
adobe-flashplayer (adobe flash player, closed source) as-daemon-0 (Microsoft ActiveSync/Mail For Exchange, closed source) clinkc0 (UPnP AV library, open source) connui-conndlgs-wlan (WLAN connectivity dialogs, closed source) connui-iapsettings-wlan (WLAN configuration wizard, closed source) connui-iapsettings (internet settings control panel, closed source) funambol-cpp-api (SyncML stack, closed source) libcurl3 (file transfer library for curl, open source) liblomesa0 (low level image viewer API, closed source) libloudmouth1-0 (jabber library, open source) libmaemosec-certman-applet0 (maemo security certificate manager applet library, open source) libmaemosec-certman0 (maemo security certificate manager library, open source) libmaemosec0 (maemo security library, open source) libsofia-sip-ua-glib3 (SIP glib bindings, open source) libsofia-sip-ua0 (SIP library, open source) location-proxy (daemon for communicating between cellular modem GPS hardware and SUPL server, closed source) maemosec-certman-applet (maemo security certificate manager control panel, open source) maemosec-certman-tools (maemo security certificate manager tools, open source) maesync-backend (maesync backend library, closed source) microb-eal (microb browser web engine, open source) nokiamessaging (nokiamessaging daemon, closed source) osso-backup (backup application, closed source) osso-wlan-security (handles security for WiFi connections, closed source) ota-settings (handles GPRS IAP settings sent over-the-air, closed source) sharing-service-ovi (service for sharing on ovi, closed source) signond0 (single sign-on daemon, closed source) tablet-browser-ui (tablet browser main executable, closed source) xserver-xorg-core (x.org server binary, open source) Pulling these closed-source binaries apart and figuring out which openssl functions they are using is something I am planning to look into) |
Re: Idea: N900 security update (openssl, browser etc)
Thank you for your post.
I actually feel this is the sort of thing CSSU-Stable is for. Stable - the "LTS" of Maemo. I don't see the reason for the additional repository. As long as CSSU-Stable will continue to run with the same UX as PR1.3.1 OTB, I feel another repository would be more work for little gain. These security patches and fixes should run through the usual devel>testing>stable setup that has served us well in weeding out the bugs over the years. As for browsing, I feel long term the stock browser would need to be replaced, from what I believe parts are closed which restrict any upgrades. As flash is phased out of sites we need a HTML5 compatible browser in the future. In the meantime yes it is important to disable depreciated algorithms, especially as we have little alternatives to use. |
Re: Idea: N900 security update (openssl, browser etc)
ok I confirmed that yes microb-engine is using its own crypto code (NSS) and not openssl so we need to look into that.
It does however tap into the maemosec stuff for its root certificates (makes sense, that way there is only one set of root certificates for the entire device) As for cssu-stable, does it not install extra stuff like orientationlock/rotation? I want something that has zero no features whatsoever. |
Re: Idea: N900 security update (openssl, browser etc)
there are some packages there, sharing-service-ovi + nokiamessaging for example that afaik do nothing now that the related service is defunct. if so best security option there may just be removal.
i seem to remember an open source location-proxy, can't remember if it was maemo related or suggested as a replacement. regarding microb replacement, I've been looking at netsurf 3.1. gtk2 support, currently uses old mozjs component but is being replaced with duktape. hit an issue with dependency on libffi6. it build on stock gcc but fails tests, on thumb it just..well it's got lots of errors. I agree with sixwheeledbeast. cssu-stable cherry picks updates from testing. orientation lock is optional seperate package in testing. with your recent work in cssu-devel, is the plan to replace connui-* packages eventually? |
Re: Idea: N900 security update (openssl, browser etc)
Yes we should remove any services that dont work anymore (I would advocate removing activesync/mailforechange too except that there are people who may actually be using it... :)
Not sure about location-proxy, I have described various inner workings in the past but I am unaware of any open source clone (and I cant find one with Google either). Its probably not that hard to clone though if you could figure out the handful of liblas calls it makes and know how to talk to a SUPL server properly) as for microb, if you make the new browser implement the microb interfaces (e.g. for bookmark stuff and for starting a web page via dbus) and you keep the old browser engine around for use by rtcom-messaging-api, tutorial-home-applet and nokia maps (which FYI still works just fine and shouldn't be removed or depreciated) then the only real issue with a newer browser would be adobe-flashplayer, libssoautologin, tablet-browser-mediaplayer-plugin and tablet-browser-default-plugin (dont know what libssoautologin is for or how important it is and I bet you could write replacements for tablet-browser-mediaplayer-plugin and tablet-browser-default-plugin without massive amounts of work) Unless I am reading things wrong, http://repository.maemo.org/communit...antle/install/ shows status-area-applicationlock-applet as being part of community-stable. An for connui-* and systemui-* and things, my aim is to just clone whatever I feel like cloning and whatever I am able to clone, I am currently halfway though reverse engineering libcodelockui (UI for the device and SIM pin lock number pad screens) with plans to clone it at some point along with osso-systemui-devlock and osso-applet-devicelock and maybe libdevlock |
Re: Idea: N900 security update (openssl, browser etc)
I'm using MfE :o Do keep thinking of switching it to IMAP now hotmail/live/outlook/new-name-for-same-service supports it but it didn't want to update correctly last time I tried it.
Regarding location-proxy, I think I may have been thinking of http://sourceforge.net/projects/supl/. Whether it is of an use or valuable as a reference during a RE/rewrite project who knows. status-area-orientationlock-applet is part of CSSU but it is not installed by default. https://talk.maemo.org/showpost.php?...04&postcount=5. The idea of a CSSU-Security as mentioned in your link seems sound enough but it needs a little expansion. Due to devices running thumb, would we require security and security-thumb or do we use it as a, excuse the wording, fast push/release on discovering an issue and then push a thumb specific build later. Another idea would be to keep it purely to what it says in your link, just maintaining the infrastructure, in which case would it be better referring to as CSSU-Infrastructure? Any plans I have on looking at browser are currently dependant on what I can actually get working before looking at maintaining compatibility. For Netsurf, libffi6 is failing tests related to unwind.cc on stock gcc. I also need libmozjs185 which is way out of date (IIRC Firefox 8 era) and not sure if I can use a newer version. Upstream is testing DukTape as an alternative which *looks* pretty straight forward to build. Debian lists the arm depends as libgcc-4.4 on a lot of the packages. Flash support, given the age and probable security issues, is very low on my list of requirements. I would ditch it on all devices if it weren't for a few mainstream sites still using it. libcodelockui will be of great use to me for my GTK3 port of the control panel. I'm currently building without any MAEMO_TOOLS support. libsystemui related packages are one of the big hurdles preventing me using some of our RE'd packages at the moment hence the use of those from Nemo. |
Re: Idea: N900 security update (openssl, browser etc)
The idea is that all security fixes would end up in cssu-devel, cssu-testing, cssu-thumb, AND cssu-stable/cssu-security/whatever.
Anyone running Thumb is going to be somewhat bleeding-edge anyway because you need a new kernel and some other "riskier" parts. |
Re: Idea: N900 security update (openssl, browser etc)
Also what else beyond libcodelockui is going to help you with your gtk3 work?
|
Re: Idea: N900 security update (openssl, browser etc)
3 Attachment(s)
For the people developing clutter to pick an idea and stick to it! I mean some of the animation code has had to be adapted to a new API before it can be adapted to a replacement for that API. :mad: Even better, this "new" API is hardly used by anyone, they're all still using deprecated functions. The animation code for the task switcher for example is using a ClutterTimeline to keep everything in sync and activates it when it wants. New clutter automatically animates, have to be removed from an object before they can be reapplied....
Joking aside, if, or more like when, I need help with a particular element I'll post online. It's still a pet project at the moment to investigate what's possible. The problem comes with any closed source elements that are referred to by the open source replacements. If I can't build some of the libsystemui elements I don't think I can use Fremantle mce. Then again, it might be more preferable to use Nemo bits so that some one else is maintaining them and possibly open it up to more devices. For the most part I'm able to adapt/remove the Maemo specific stuff. HildonPannableArea was pretty much a reworked GtkScrolledWindow with touch support. As GTK3 has touch, all I did was rework it to extend GtkScrolledWindow with scroll_to() etc. I'm currently working on an issue with button width allocations, been putting it off whilst I get some other bits going but now I need to look at it. Date and Time buttons also cause segfault. As you can see from the images, tick box is missing from check buttons and widths are not taking into account there containers limits. I think it's probably minimum-size being set rather than natural but I'll find out when I look at it. Button heights seem fine though. |
Re: Idea: N900 security update (openssl, browser etc)
I'm in full support of your ideas.
When connecting to gmail with MicroB I get the yellow ssl notification bar 'gmail.com verified by (null)' (null) doesn't sound very secure. Would be great to update the certificates.. |
Re: Idea: N900 security update (openssl, browser etc)
Quote:
|
Re: Idea: N900 security update (openssl, browser etc)
Not my preferred provider either, only for a few things.
My private mail is on a proper privacy friendly provider :) Also still compatible with the built in email client. G-m does not work due to supposedly outdated client, hence MicroB. Disregarding privacy, the G-m seem to have their security protocols quite top notch. In any case, replacing certificates where needed and other security updates would be more than helpful if we are able to achieve 2015/16 security standards. |
Re: Idea: N900 security update (openssl, browser etc)
This would mean updating the whole system, no?
Critical glibc bugs: https://rhn.redhat.com/errata/RHSA-2015-0090.html https://rhn.redhat.com/errata/RHSA-2015-0092.html ... Last time ppl tried using latest libc/glibc builds from debian random apps would break (calendar etc) |
Re: Idea: N900 security update (openssl, browser etc)
Quote:
http://wiki.maemo.org/Community_SSU/Changelog#Tmaemo11 I guess this one should go in next cssu-stable if nobody reported any issue (?). But others security issues might still be hiding in our not-so-young glibc, and it looks like we're still forced to backport patches instead of upgrading. |
Re: Idea: N900 security update (openssl, browser etc)
Yeah, forgive maritime metaphor, but it's like patching the sails when the boat is leaking
|
Re: Idea: N900 security update (openssl, browser etc)
as said in Deus Ex Human Revolution:
"You don't fix an entire firewall, you find the loophole and plug it." Many loopholes..luckily we are on dry land? |
Re: Idea: N900 security update (openssl, browser etc)
Quote:
|
Re: Idea: N900 security update (openssl, browser etc)
Quote:
I prefer not to potentially compromise security in favour of ease of use. The N900 is a mighty beast, however can it stay safe by updating security protocols and removing outdated ones? |
Re: Idea: N900 security update (openssl, browser etc)
To improve security on the N900 for web browsing, we need to do 2 things. First we need to make sure the root certificate store is up-to-date (CSSU has it in maemo-security-certman repo so we need to update it there if there is anything that needs doing to that repo) and secondly we need to upgrade/fix/improve nss inside microb-engine (and make the relavent changes to microb-engine as well). Its definatly possible in that all the relavent bits are 100% FOSS, it just needs someone that understands Gecko, NSS and microb-engine who can do the work :)
|
Re: Idea: N900 security update (openssl, browser etc)
One thing we definatly need to do if we upgrade NSS or otherwise update the security for the N900 is to make sure it passes this test page
https://www.ssllabs.com/ssltest/viewMyClient.html and doesn't bring up any red flags on there. Right now it shows a bunch of red flags. Bringing in a newer version of NSS would probably solve a lot of this (since it would have SSL3 turned off and TLS1.2 support and not support weak ciphers and etc) |
Re: Idea: N900 security update (openssl, browser etc)
Quote:
Some call it security. Others call it vendor-locking. |
Re: Idea: N900 security update (openssl, browser etc)
This post from Sulu made me curious about the current state of browsers used in Fremantle.
As mentioned by jonwil there is a website to do a certain browser security test. Quote:
Stock browser - Insecure in Protocol Support, Logjam Vulnerability, Poodle Vulnerability, Cipher Suites (6x), Protocol Details Surf (easy Debian) - insecure in Cipher Suite (5x), Protocol Details eww - Emacs (doesn't have javascript enabled) - insecure in Cipher Suite (6 and 3 weak), Protocol Details Iceweasel (easy Debian) - no security issues Not sure what the worst offenders are, but at least Iceweasel seems to be okay for secure browsing. Of course this is based on the assumption that the test provided by ssllabs is a good one. So use the other browsers at your own risk ;) I will not stop using Surf or eww but in some cases that I need / want security to be improved I will use Iceweasel. |
Re: Idea: N900 security update (openssl, browser etc)
In comparison, the same test run on...
1. My daughter's Android 4.4.2 tablet, stock browser: loads the page in split second, shows a sea of red (Logjam, Freak, Poodle, SSL3, 4 cipher suites...) 2. Jolla stock browser: takes ages to load the page, mostly green (4 cipher suites in red, different from the above) |
Re: Idea: N900 security update (openssl, browser etc)
Quote:
Tbh - I have no idea what the red flags are all about and what are the worst issues. Most red flags doesn't necessarily mean the least secure. I am also wondering what the risks are if you are just avoid browsing the sketchy sites. I usually use my N900 to browse one of the more well known news sites, a couple of boards or emacs sites so I feel relatively safe. And even if you're targeted.. what can they do? What are the real world risks for browsing the web with an insecure browser with an N900, Android or Jolla phone? In a worst case scenario an attacker can take over your phone, extract all data and delete your files - how much of a chance is that? The attacker might also try to install a windows file on your N900. Good luck with that... So it might look worse than the situation actually is. Any security experts here? |
Re: Idea: N900 security update (openssl, browser etc)
Quote:
Quote:
Quote:
Neither of these are 'low hanging fruit' with regard to N900 by any means and would require more work. Quote:
But we really should not be complacent, either! :) |
Re: Idea: N900 security update (openssl, browser etc)
It depends on the type of vulnerability. Some can expose your computer to a rogue script on a dodgy website but, as far as I understand, all of those on ssllabs are about SSL/TLS vulnerabilities. In other words, vulnerability to the man in the middle (MITM) attack.
It is easy to be targeted. Especially on a mobile device using WiFi. All you need is another device on the same network and eavesdrop on your traffic. This might be trickier on networks you are in charge of (such as at home), but easy on public networks or even at your workplace. What is the worst thing they can do? Sure, installing malware would be about as bad as it can get but that is unlikely to happen through a MITM attack. It is more likely to simply sniff your traffic and hope to extract from it some sensitive info. If you can avoid it, do not do online banking (including eBay/Amazon/flight ticket etc purchase) on a public WiFi. |
Re: Idea: N900 security update (openssl, browser etc)
Quote:
Tunneling your browsing via your own home server (e.g. over SSH or openvpn) would prevent many of these attack vectors, but of course it'll be slower. |
Re: Idea: N900 security update (openssl, browser etc)
Quote:
I would never do a bank transfer with a mobile phone, only with a live boot cd with a system and browser you trust. However to make maemo more secure we need to fix the root of the problem. We need to get rid of the closed blobs. Then we can have a new kernel and make an up to date development environment. After that porting maemo to other hardware, this will increase the intrest in maemo. The result will be that many people have the intrest to keep maemo updated and it would be much easier than now with an outdated development environment. But who has the power to do so? Make huge donation to hire somebody? Or all the rest of the developer should work together and focus on one problem and go on step by step through a list? In general it would be nice to have more wiki documentations about reverse engineering, one page to read to get kernel compilation from nowdays with provided source and config from all different kernels. The community need to learn how to deal with the problem I guess many want to help but they have not the knowledge to do. So please share as much as possible. I know to become a good hacker you need to read and try many things but to gain more power for the next generation you need to teach that the future goes on and not standing still on the same place or level. Sorry many things maybe already said If you feel so you could just ignore me. |
Re: Idea: N900 security update (openssl, browser etc)
Quote:
As has already been mentioned, the main threat comes from MitM attacks but the problem is not only limited to wireless networks. Given these vulnerabilities in MicroB, I'd assume that pretty much all communications including passwords and other sensitive data are being intercepted. Global surveillance programmes have been well documented. |
Re: Idea: N900 security update (openssl, browser etc)
Quote:
Not perfect test honestly. |
Re: Idea: N900 security update (openssl, browser etc)
Did anyone ever look at reviving gtkmozembed by hooking it up to embedlite?
|
Re: Idea: N900 security update (openssl, browser etc)
Quote:
|
Re: Idea: N900 security update (openssl, browser etc)
Quote:
Even if rootsh isn't installed, the user may not be safe. The default setup allows it to be installed without root privileges. In my opinion rootsh should be removed from the repositories but this probably wouldn't even be enough. If you ask me, Maemo is very broken in this respect. It's not that hard for an attacker to create some malware, create multiple Garage accounts and then vote it up for promotion to Extras. Actually, they probably don't even need to do that. They can just enable Extras-devel and install anything from that. It's part of the reason why I want to replace Maemo with Debian. |
Re: Idea: N900 security update (openssl, browser etc)
So I've been playing around with web browsers in Easy Debian (jessie). One option that I like is Midori which is available in jessie-backports. It passes all of the Cipher Suites tests from SSL Labs. It fails the Mixed Content Tests but it's not clear what are the implications these failures. I think I'm going to make it my main browser.
Here are some Midori usage tips if anyone is interested:
If anyone has any spare time, it would be nice to update the Midori and libwebkit packages in Extras to the latest versions. |
Re: Idea: N900 security update (openssl, browser etc)
Quote:
Quote:
|
Re: Idea: N900 security update (openssl, browser etc)
Quote:
I tried with webkitgtk-2.4.11 from debian sid. |
Re: Idea: N900 security update (openssl, browser etc)
Any idea how is the security today or is it at the same level as before? Did anyone do anything to these security matters or is there somewhere like the basic safety and security instructions on using N900? I have just been using it and haven't really thought of how to make it more secure. I would like to know: I have cssu-testing (maybe devel).
1. Is there a way to update the certificates of the device/microb? 2. If you have rootsh installed do you need to set a root password (haven't seen instructions for that shared or mentioned too much on this forum)? 3. Is Glenwall firewall valid and are there good instructions somewhere for a basic user what to use while just browsing? 4. Are people still interested these things or should I just wait for Maemo Leste to be a proper solution? 5. I have been using Mobile Hotspot for sharing my wifi to N810. It uses only WEP encryption so is there a better option which people use? 6. I have set up with the stock email app connection to my secure email provider with imap and ssl etc. Is there some problems with that email app and should I use some other (it just works so fine and would not want to change to something not as good)? 7. Is using a browser with easy debbie more secure by default or is it related to a newer browser (netsurf 3.8)? 8. Noticed that in some post it was mentioned that "just update global trust list with mozillas and you are good to go". Seems as a good option compared not doing anything. Is it good option and how to do it, or is there a better option and how to do that? Would really like to know what I should have understood in the beginning when started to use this device. |
Re: Idea: N900 security update (openssl, browser etc)
Concerning #2
rootsh doesn't need a password ... (I wouldn't ...nor device password...there are a good long list of threads and posts titled like : "forgot password , locked out of device , help!?!?" next thing you know you forget it....then you are up a fast flowing body of water without a handheld device to navigate with) concerning all your other many questions ... essentially what you want is someone to do the leg work for you and hunt down answers and forum links to answers... And it may take a lot of time to do just that.. Some here may know one or two... or a couple of quick answers... But... Why not use the the search button to your right? That is how people figure things out here. Asking for answers for the list of questions you have ... before looking and trying the answers provided in forum posts by those who have posted the most recent successes .. is working backwards. I would suggest looking first. That is the whole point of keeping a decade plus of past threads and posts... to research them. If you have a hard time after hunting down your questions... and after finding answers ... whether due to the solutions being outdated ... or no answers at all found... Then definitely ask for help. But with your particular questions... I think you won't find it too difficult to hunt down the requisite posts concerning the topics... They quite common questions ... So there should be plenty of documentation readily available .. via the search function here. |
Re: Idea: N900 security update (openssl, browser etc)
I think that would just not be wise. I have been here now for a year. There are people who have been maybe ten and are still using their device daily. I believe that if they use it daily they have probably sorted out some security stuff. Now if some new person starts to use N900 I don't see a real value for him to need to use lots and lots of time reading different threads in this forum trying to find answers to many questions if there are people who know the answers and could easily give them.
I have tried to search answers but in many threads it goes the same way as in this: a good title making you think that from that thread you will find answers. Well I didin't find answers, just talk about many things what would be good to be done but I don't know what happened. Did someone find solutions? I see making my questions (which I thought first to put on a new thread "Security of N900 in 2019" to make it easier for everyone to have one thread under which to disguss about it but because I would have probably got an answers "do not start a new thread if there is already a similar thread" I searched one which had ended with only questions and ideas in the air without solutions or answers) in this particular thread a very wise thing to do. If someone knows the answers and will answer them in this thread which is left as kind of unfinished state then if there comes a next person searching for answers from this same thread then he will find the answers and the title of the thread is not kind of misleading or a disappointment. If there is a thread or a wikipage of the security of N900 which clearly guides a new N900 user through things explaining these very serious matters well, then my bad. Just say there is one and I will shame. But if there isn't such, there should be. To make a new N900 user to search about this kind of matters from many many different threads which may or may not give answers which may or may not be updated (some may have answers predating cssu, cssu testing or cssu devel solutions). I think that this forum would have more value if there would be a procedure of keeping some wikipages updated that way that always when there comes a new user asking the same guestions you could just say "first read all these pages for new users". Now I have got answers from some or just "read through the forum" sometimes. I just don't think it is a wise thing to do and I think this should change. You have done your part really well endsormeans with your guide for N8x0 which you updated now when there was a dead link. You can always point a person to read it. So should be with security matters if they are not dealt with installing cssu updates (maybe they are but it was left unaswered in this thread, on a mere idea stage). If someone knows these answers I don't know why he would not like to answer. Only proper reason would be that the answers are already there easily found. I claim they aren't and that there are only few here who really knows and who knows which threads are dead ends and which threads have real answers which are still up to date and which are unneccessary or may even make things worse. I think I have right to ask. You have the right not to answer. From my point of view to go through threads which do not give answers is wasted time and not wise thing to do. You may oppose and see a value there. And we may stay thinking about this matter differently and its perfectly ok. I understand people are thired of answering same questions to new users. I'm trying to help to make it stop. "The perfect setup for N900", they are good. If someone would like to make one about N900 security that would be very helpfull to all I think. |
| All times are GMT. The time now is 09:38. |
vBulletin® Version 3.8.8