prox-config-sidki_2019-01-26b1
Sep. 16, 2019, 03:18 AM
Post: #16
RE: prox-config-sidki_2019-01-26b1
(Sep. 15, 2019 02:42 AM)thypentacle Wrote:  For issue 1, If you don't edit the v2 into a v3 you get several red 'insecure' results with the following two example tests:

https://browserleaks.com/ssl
https://www.ssllabs.com/ssltest/viewMyClient.html

After the edit they pass fine.
The defaults for Proxomitron Reborn are deliberately oriented towards "compatibility" rather than "security". With the overly aggressive behaviour of browsers leaning toward the latter, some sites may become inaccessible, even if they were considered "insecure", and Proxomitron lets you access them again.
(Sep. 15, 2019 02:42 AM)thypentacle Wrote:  I did note that pushing the 'abort' button can crash the app sometimes tho... so maybe I broke the 'bypass' feature when I did that.
That's a known bug which has been there since Scott's, is not easy to fix (which is probably why he didn't do it), and doesn't happen all the time, but is on my list of things to fix for the next release.
Sep. 16, 2019, 04:33 PM (This post was last modified: Sep. 16, 2019 04:35 PM by JJoe.)
Post: #17
RE: prox-config-sidki_2019-01-26b1
(Sep. 15, 2019 02:42 AM)thypentacle Wrote:  For issue 2 I think I fixed that one on my end by not using Opera.

I use the new Opera portable.

(Sep. 15, 2019 02:42 AM)thypentacle Wrote:  For issue 3 here's a few that fail loading...

https://community.quirky.com/login
https://discordapp.com/channels/@me
https://www.linkedin.com/in/thyinnovation
https://teams.microsoft.com (sometimes works sometimes doesn't)
https://www.vudu.com/content/movies/free (loads kinda but is missing most of it... may not be related)

Ahh... Filtering will break web sites.
The user is expected to add 'Exceptions' to 'Exceptions-U.ptxt' to regain desired behavior.
However, I'll claim discordapp and teams.microsoft.com.

Depending on which cfg you are using, 'Exceptions-U.ptxt' needs at least:
Code:
##community.quirky.com/login
aws1.discourse-cdn.com/                     $SET(0=a_adjs.a_jsprop.)
#OR
aws1.discourse-cdn.com:                     $SET(0=a_adjs.a_jsprop.)

##www.linkedin.com/
www.linkedin.com/   $SET(0=a_refer.)
#OR
www.linkedin.com:   $SET(0=a_refer.)

##teams.microsoft.com - Not needed, if nonce is removed from the Content-Security-Policy header.
teams.microsoft.com/   $SET(0=i_loc_j:0.)
#OR
teams.microsoft.com:   $SET(0=i_loc_j:0.)

Discordapp's Content-Security-Policy header uses nonce.
Code:
default-src https://local.ptron:8443 'unsafe-inline'  'self';
script-src https://local.ptron:8443 'unsafe-inline'  'self' 'unsafe-eval' 'unsafe-inline'
https://cdn.discordapp.com/animations/ https://www.gstatic.com/recaptcha/ https://www.google.com/recaptcha/
https://recaptcha.net/recaptcha/ https://js.stripe.com https://js.braintreegateway.com
https://assets.braintreegateway.com https://www.paypalobjects.com https://checkout.paypal.com
'nonce-NjUsMTgzLDEwMywxOTUsMTI5LDMwLDExNyw4MA=='; style-src https://local.ptron:8443
'unsafe-inline'  'self' 'unsafe-inline' https://cdn.discordapp.com; img-src https://local.ptron:8443
'unsafe-inline'  'self' data: https://*.discordapp.net https://*.discordapp.com https://i.scdn.co
https://i.ytimg.com https://i.imgur.com https://*.gyfcat.com https://media.tenor.co
https://media.tenor.com https://*.youtube.com https://*.giphy.com https://static-cdn.jtvnw.net
https://pbs.twimg.com https://assets.braintreegateway.com https://checkout.paypal.com;
font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://status.discordapp.com
https://discordapp.com https://cdn.discordapp.com https://router.discordapp.net wss://*.discord.gg
https://best.discord.media wss://*.discord.media wss://dealer.spotify.com https://api.spotify.com
https://support.discordapp.com https://sentry.io https://api.twitch.tv https://api.stripe.com
https://api.braintreegateway.com https://client-analytics.braintreegateway.com https://origin-analytics-prod.production.braintree-api.com
https://payments.braintree-api.com ws://127.0.0.1:* http://127.0.0.1:*; media-src
'self' blob: https://*.discordapp.net https://*.discordapp.com https://*.youtube.com
https://streamable.com https://vid.me https://*.gfycat.com https://twitter.com https://oddshot.akamaized.net
https://*.giphy.com https://i.imgur.com https://media.tenor.co https://media.tenor.com;
frame-src 'self' discord: https://*.youtube.com https://*.twitch.tv https://open.spotify.com
https://w.soundcloud.com https://sketchfab.com https://player.vimeo.com https://twitter.com
https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/ https://js.stripe.com
https://assets.braintreegateway.com https://checkout.paypal.com https://*.watchanimeattheoffice.com;
child-src 'self' https://assets.braintreegateway.com https://checkout.paypal.com;

'Nonce' causes the browser to ignore our 'unsafe-inline' addition and our inline scripts for discordapp.com/channels/@me.
The simple choice is to bypass the affected pages or add Exceptions for the broken routines.
Another is to remove "nonce' from the header.
Warning: This would also allow malicious scripts without the nonce attribute to run.
Code:
[HTTP headers]
In = TRUE
Out = FALSE
Key = "Content-Security-Policy: Remove nonce and hash 19.09.15     [jjoe] (d.0) (In) [add]"
Match = "(\# '(nonce|sha256)-*')+{1,*}\#"
Replace = "\@"

The better (for our point of view) but more time consuming choice would be to capture the nonce and add it to our rewritten scripts.

discordapp is also using the integrity attribute.
Code:
<script src="/assets/dea071166a0cf8791a1e.js" integrity="sha256-0kdB3V4HCTqbit21e3K2rY7ypJiNdjmjyQ9MFnPJHCI= sha512-EtY9vjf3AHCuuRqOurhkNITyJtCXmfgFQmOCD4w/LbtgvstqFufIiFfTetU24nhw+n1CD//myNXaNa59lT9EQg==">

The browser will reject the script if its hash isn't the integrity attribute's value. A filtered script's hash will not match.
The simple choice is to bypass the affected resources.
Warning: This would also allow malicious files to run.
Code:
[Patterns]
Name = "Script: Remove integrity     19.09.15 (multi) [jjoe] (d.0)`"
Active = TRUE
Multi = TRUE
Bounds = "<script\s*>"
Limit = 512
Match = "\1integrity=$AV(*)\2"
Replace = "\1\2"

Name = "Link: Remove integrity     19.09.15 (multi) [jjoe] (d.0)`"
Active = TRUE
Multi = TRUE
Bounds = "<link\s*>"
Limit = 512
Match = "\1integrity=$AV(*)\2"
Replace = "\1\2"

more to come...
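As an added illustration of the two browser mechanisms JJoe's post runs into (this is example code written for this thread, not part of the sidki config, Proxomitron, or Discord), the following Python models what the browser does: a CSP `script-src` that carries a nonce or hash source makes `'unsafe-inline'` ignored, so inline scripts without the nonce are blocked; stripping the nonce/hash sources (as JJoe's header filter does) restores inline execution; and a Subresource Integrity check fails as soon as a filtered script body differs from the original by a single byte. The header, script body and filter edit below are constructed samples; the strip function generalises JJoe's pattern to sha384/sha512 as well as nonce and sha256.

```python
import base64
import hashlib
import re

# Constructed sample CSP header, shaped like the Discord one quoted above
# but shortened; the nonce value is the one from the quoted header.
SAMPLE_CSP = (
    "default-src 'self' 'unsafe-inline'; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.example "
    "'nonce-NjUsMTgzLDEwMywxOTUsMTI5LDMwLDExNyw4MA=='; "
    "style-src 'self' 'unsafe-inline'"
)

NONCE_OR_HASH = re.compile(r"^'(nonce|sha256|sha384|sha512)-[A-Za-z0-9+/=]+'$")


def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def inline_scripts_allowed(header):
    """True if a plain inline <script> (no nonce attribute) would execute.

    CSP Level 2/3 rule: if the governing directive contains any nonce- or
    hash- source, the browser ignores 'unsafe-inline' entirely, which is
    exactly why the rewritten inline scripts stop running on discordapp.
    """
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src", []))
    has_unsafe_inline = "'unsafe-inline'" in sources
    has_nonce_or_hash = any(NONCE_OR_HASH.match(s) for s in sources)
    return has_unsafe_inline and not has_nonce_or_hash


def strip_nonces_and_hashes(header):
    """Model of the 'Remove nonce and hash' header filter: drop every
    nonce-/sha*- source so 'unsafe-inline' takes effect again. This also
    lets any inline script without a nonce run, the trade-off noted above."""
    return re.sub(r"\s'(nonce|sha256|sha384|sha512)-[^']+'", "", header)


# --- Subresource Integrity --------------------------------------------------

STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_hash(body, alg="sha256"):
    """Compute an integrity token ('sha256-<base64 digest>') for a script body."""
    digest = hashlib.new(alg, body).digest()
    return f"{alg}-{base64.b64encode(digest).decode()}"


def sri_matches(body, integrity):
    """Browser-style SRI check: pick the strongest algorithm present in the
    integrity attribute and accept the body if it matches any token of that
    algorithm. Unrecognised tokens are ignored, as browsers do."""
    tokens = []
    for token in integrity.split():
        parts = token.split("-", 1)
        if len(parts) == 2 and parts[0].lower() in STRENGTH:
            tokens.append((parts[0].lower(), parts[1]))
    if not tokens:
        return True  # no usable algorithm: attribute is effectively absent
    strongest = max(STRENGTH[alg] for alg, _ in tokens)
    return any(
        STRENGTH[alg] == strongest and sri_hash(body, alg) == f"{alg}-{value}"
        for alg, value in tokens
    )


# Constructed script body and the same body after a filter touched it.
ORIGINAL_JS = b"window.app = {}; app.start();"
FILTERED_JS = b"window.app = {}; /* prox */ app.start();"
INTEGRITY = f"{sri_hash(ORIGINAL_JS, 'sha256')} {sri_hash(ORIGINAL_JS, 'sha512')}"


if __name__ == "__main__":
    print("inline allowed (with nonce):   ", inline_scripts_allowed(SAMPLE_CSP))
    stripped = strip_nonces_and_hashes(SAMPLE_CSP)
    print("inline allowed (nonce removed):", inline_scripts_allowed(stripped))
    print("original passes SRI:", sri_matches(ORIGINAL_JS, INTEGRITY))
    print("filtered passes SRI:", sri_matches(FILTERED_JS, INTEGRITY))
```

The SRI half shows why the "bypass the affected resources" choice is the only clean one short of recomputing hashes: the integrity attribute pins the exact bytes the server intended, so any rewrite must either leave the attribute and the body untouched, or remove the attribute as the `Remove integrity` filters do.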
Sep. 16, 2019, 05:57 PM (This post was last modified: Sep. 16, 2019 06:01 PM by thypentacle.)
Post: #18
RE: prox-config-sidki_2019-01-26b1
(Sep. 16, 2019 03:18 AM)amy Wrote:  The defaults for Proxomitron Reborn are deliberately oriented towards "compatibility" rather than "security". With the overly aggressive behaviour of browsers leaning toward the latter, some sites may become inaccessible, even if they were considered "insecure", and Proxomitron lets you access them again.

In the case of the security check sites, they load secure... the insecurity in this case is really just their report showing the following in their scanner information display:

0xc011 TLS_ECDHE_RSA_WITH_RC4_128_SHA INSECURE: RC4, SHA-1
0xc007 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA INSECURE: RC4, SHA-1
0x0005 TLS_RSA_WITH_RC4_128_SHA INSECURE: NO PFS, RC4, SHA-1
0x0004 TLS_RSA_WITH_RC4_128_MD5 INSECURE: NO PFS, RC4, MD5

...and the other site showing the same ones to confirm.
TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011) INSECURE 128
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007) INSECURE 128
TLS_RSA_WITH_RC4_128_SHA (0x5) INSECURE 128
TLS_RSA_WITH_RC4_128_MD5 (0x4) INSECURE 128

The editing of the config file just prevents them from being accessible as a cipher option at all I guess. (v2 edit to v3 seems to make them no longer allowed to be used so they are not accessible to test) ?

(Sep. 16, 2019 03:18 AM)amy Wrote:  That's a known bug which has been there since Scott's, is not easy to fix (which is probably why he didn't do it), and doesn't happen all the time, but is on my list of things to fix for the next release.

Yep, I remembered after messing with it again... my solution was to remove the abort button myself back in the day so I'd simply never use it by accident. (Easy Resource Hacker solution. He also has some crooked text boxes my OCD forced me to repair as well... even tho they are invisible.) lol

If you are actually planning to fix that feature that would be awesome! Not critical of course, I can always remove the button again... and besides, the bypass seems to work fine as an alternative of sorts. (and it's easy enough to just exit the app if one feels the need to cut n run)

-----------------------

(Sep. 16, 2019 04:33 PM)JJoe Wrote:  I use the new Opera portable.

I've had nothing but trouble since the newest Opera update. It was already giving me grief in a few ways (full install tho, not portable). This is likely a result of uBlock Origin running on it. (yes I whitelist local.ptron) Firefox handles additional addons much better than Opera seems to. I've not had the bypass button in Proxomitron break even once with Firefox like it did on the full install Opera. I may try the portable version now that you mentioned it however.

(Sep. 16, 2019 04:33 PM)JJoe Wrote:  Ahh... Filtering will break web sites.
The user is expected to add 'Exceptions' to 'Exceptions-U.ptxt' to regain desired behavior.
However, I'll claim discordapp and teams.microsoft.com.

(CUT EDIT)

more to come...

I've been adding in exceptions to get around all of them and it seems to work fine. I'll play around with those new filters you made. (even tho they make things unsafe it could be interesting to test)

Looking forward to what more there is to come?

----------------------

Beyond replies above, I wanted to say again it's great you two are working on this. It seems like a great idea if we could maybe make the next release of Proxomitron Reborn perhaps be bundled with a new default (less strict / novice user type) filter set to get everyone going? I mean it's nice to throw in a setting that has everything plus the kitchen sink, but messing with cookies, cache, and JS too much these days essentially breaks about every large website there is that is popular. (even when I set to 'minimum' with current config, a lot is broken and requires manual repair by jumping into text files... at lowest level even my gmail login doesn't work till I manually disable one of the JS filters in the anti-scripting section) Would be nice if a default setting was a bit more user friendly.

Site specific fixes are not fully practical either and having a less strict default would prevent the need. (it's too hard to keep up and update that stuff even if it's created by a company, let alone a hobby project) It may be better to just have a default stock option to allow more function and if the user wants to get 'heavy duty' they can activate the 'advanced' option in the config. (I'd also drop the proxmenu overlay... even with the most ideal config I still can't get it to show up all the time... maybe 90%.)

Finally (sure yer glad to read that word) it would be very handy if a pack could be made with the latest available drivers already included. (zlib/SSL) Newest zlib I can get working is 1.2.8.1 / and newest SSL I can find is 1.0.1q. Would be even better (and safer) if it was at all possible to get the newest versions of them to work. I've tried newest 32bit builds of zlib and SSL but both fail.

Just would be awesome if new people that find this great software can just download one thing and run it and be essentially done and ready to go out of the box after a simple change of their proxy settings. (with the option of course to get into more complex filtering by raising the filter level or creating their own filters)

Ok nuff said. I'll shut up now. :P
Sep. 16, 2019, 06:19 PM (This post was last modified: Sep. 16, 2019 06:43 PM by thypentacle.)
Post: #19
RE: prox-config-sidki_2019-01-26b1
Forgot to mention... another thing you may want to either drop or only have in an advanced config, is the ad blocking. To do that well requires constant updates so as not to break websites all over the place. (see uBlock Origin and similar) You can put in a compromise in the form of simply allowing host blocking. I myself just manually add hosts to block from various text list sources and put that in one of the ptext files. The ad blocking in Proxomitron was a good idea back when the development was active... not so much these days. It's better to let ads through than to have to add website exceptions all the time and they get through anyways cause of the exception.

Most people will be running this alongside a full ad blocker anyways. (and it's best not to have multiple ones going)

I'd concentrate on making a default set about safety. Some ads could be blocked if they are the more 'tracking' type perhaps, but otherwise let users handle that with host/block lists additions or the use of other software. Most people are likely not going to use Proxomitron for ad blocking when the before mentioned one above and others are super popular and already available. (and receive constant updates)

In fact, if you want to make even the hosts blocking easier, you could do it how uBlock does some of its stuff and link to the source block lists for Proxomitron to read and update itself with. (optional of course, some users prefer manual updates)

I'll shut up for real now. lol