Category Archives: Browser

Certificate Authorities (CA) in Google Chrome / Chromium and Firefox on Linux

Firefox ships with its own set of root CAs ("Builtin Object Token" as the Security Device in advanced preference settings). Here is the list of all root CAs included in Firefox along with their fingerprints:
https://mozillacaprogram.secure.force.com/CA/IncludedCACertificateReport

Builtin root CAs are hardcoded in /usr/lib/firefox/libnssckbi.so. You can see a list of all CAs in Firefox preferences (advanced settings).

CAs marked as "Software Security Device" are usually intermediate certificates that are downloaded from websites and stored locally. Certificates that are not builtin are stored either on a PKCS#11-compatible smartcard attached to your PC/laptop or in your home directory, where you can list them with:
certutil -d $HOME/.mozilla/firefox/xxx.default -L

Chromium / Google Chrome does not ship with its own CA list but uses the CAs from the underlying operating system:
https://www.chromium.org/Home/chromium-security/root-ca-policy

In Ubuntu 16.04 these CAs are hardcoded in /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so which is part of the package "libnss3". You should therefore update this package as soon as there is an update available to keep your builtin CA list up-to-date.

CAs that are not builtin and that you installed manually are stored in your home directory:
certutil -d sql:$HOME/.pki/nssdb -L

Important things to note:

  • The security of SSL-encrypted websites (https://...) depends on the root CA which is used to sign the website certificate. These CAs are stored locally on your device in different locations based on the browser you are using.
  • There are 2 kinds of CAs:
    1. Builtin CAs that ship with your browser or Linux installation. They are stored in shared object files. There is probably no easy way to edit this list unless you change the source files and recompile the package. Nevertheless, in both browsers you can remove all trust from a builtin certificate, which is basically the same as deleting it.
    2. Manually added CAs are stored in your home directory. You can easily edit that list within the settings of the browser or on the command line.
  • Both Firefox and Chromium / Google Chrome use NSS certificate databases to store manually added CAs that are not builtin, but they use different directories. Maybe you could use symbolic links to point both directories to the same database; that way both browsers would be using the same manual CA list. Currently Firefox by default uses the legacy dbm database version (cert8.db, key3.db) and Chromium / Google Chrome by default uses the new SQLite database version (cert9.db, key4.db). There seems to be an environment variable NSS_DEFAULT_DB_TYPE that makes Firefox use the new SQLite database version as well (see https://wiki.mozilla.org/NSS_Shared_DB_Howto).
  • Neither Firefox nor Chromium / Google Chrome are using CAs from the package "ca-certificates".
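As an added example (not from the original post), the following script applies the certutil listing above to every NSS database the two browsers use on one machine and keeps only the entries that are trusted to validate HTTPS server certificates, i.e. the manually added CAs worth reviewing. It assumes certutil from the libnss3-tools package and the default database locations named in this post; the sample listing inside it is constructed.

```shell
#!/bin/sh
# Added example: list entries trusted to vouch for HTTPS servers in the NSS
# databases where Firefox and Chromium keep manually added CAs.
# Assumes certutil from the Ubuntu package libnss3-tools (assumption).

# certutil -L prints two header lines, then "<nickname>   <SSL>,<S/MIME>,<JAR/XPI>".
# Keep entries whose SSL trust column contains C (trusted CA) or P (trusted peer);
# those are the ones that can validate a server certificate.
trusted_ssl_entries() {
    awk 'NR > 2 && NF >= 2 {
        split($NF, f, ",")
        if (f[1] ~ /[CP]/) {
            sub(/[ \t]+[^ \t]+$/, "")          # strip the trust column
            printf "%s [%s]\n", $0, f[1]       # nickname [SSL trust flags]
        }
    }'
}

# Every NSS database the two browsers use, with the prefix certutil expects:
# Firefox profiles hold the legacy dbm files (cert8.db), Chromium the SQLite
# files (cert9.db) under ~/.pki/nssdb. Builtin CAs live in libnssckbi.so, not
# in these databases, so only manually added entries show up.
nss_db_prefixes() {
    for p in "$HOME"/.mozilla/firefox/*/; do
        [ -f "${p}cert8.db" ] && printf 'dbm:%s\n' "${p%/}"
        [ -f "${p}cert9.db" ] && printf 'sql:%s\n' "${p%/}"
    done
    [ -f "$HOME/.pki/nssdb/cert9.db" ] && printf 'sql:%s\n' "$HOME/.pki/nssdb"
    return 0
}

audit_browser_cas() {
    nss_db_prefixes | while IFS= read -r db; do
        echo "== $db"
        certutil -d "$db" -L 2>/dev/null | trusted_ssl_entries
    done
}

# Constructed sample of certutil -L output so the filter can be tried offline.
SAMPLE_LISTING='Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI

Corp Internal Root CA                        CT,C,C
Old Proxy Root                               C,,
example.com intermediate                     ,,
My Client Cert                               u,u,u'

sample_audit() { printf '%s\n' "$SAMPLE_LISTING" | trusted_ssl_entries; }

if command -v certutil >/dev/null 2>&1; then audit_browser_cas; fi
```

Only "Corp Internal Root CA" and "Old Proxy Root" survive the sample: the intermediate with empty trust and the user certificate cannot vouch for a server.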

How to download Twitter videos (animated GIFs)

There are 2 types of Twitter videos: animated GIFs and real videos. This post is about animated GIFs. They have the text "GIF" printed on them when they are not playing.

To download animated GIFs there doesn't seem to be an easy way in Google Chrome unless you use an extension.

In Firefox:

  • open the tweet
  • right click on the video
  • choose "This Frame" -> "Page Info"
  • Under "Media" choose the mp4-file and click "Save As..."


Secure download of Ubuntu ISO installation images

Please follow the instructions on this page:
https://help.ubuntu.com/community/VerifyIsoHowto

There is another website, but it doesn't use SSL / HTTPS:
http://www.ubuntu.com/download/how-to-verify

The procedure is the same as I have already described for CentOS or Debian in my previous posts:

  1. Import the GPG-key and verify its fingerprint.
  2. Download the checksum file and verify its signature with the GPG-key.
  3. Check the iso file with the checksum file.

Again, the fingerprint of the GPG-key is published on an SSL-encrypted website, so you have to check that website's certificate and its root CA.

Firefox ships with its own set of root CAs ("Builtin Object Token" as the Security Device in advanced preference settings). Here is a list of all root CAs included in Firefox along with their fingerprints:
https://mozillacaprogram.secure.force.com/CA/IncludedCACertificateReport

Builtin root CAs are hardcoded in /usr/lib/firefox/libnssckbi.so.

CAs marked as "Software Security Device" are usually intermediate certificates that are downloaded from websites and stored locally. Certificates that are not builtin are stored either on a PKCS#11-compatible smartcard attached to your PC/laptop or in your home directory, where you can list them with:
certutil -d ~/.mozilla/firefox/xxx.default -L

Chromium / Google Chrome does not ship with its own CA list but uses the CAs from the underlying operating system:
https://www.chromium.org/Home/chromium-security/root-ca-policy

On Ubuntu 16.04 these CAs are hardcoded in /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so which is part of the package "libnss3".

Important things to note:

  • Verification of ISO images is based on GPG-keys, which have to be checked by their fingerprints. You get that fingerprint from an SSL-secured website.
  • The security of a website depends on the root CA which is used to sign the website certificate. These CAs are stored locally in different locations based on the browser you are using.
  • Neither Firefox nor Chromium / Google Chrome are using CAs from the package "ca-certificates".
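The three steps above as one script, added here as an example and not taken from the post or from Ubuntu's documentation. It assumes gpg, wget and sha256sum are installed; the key ID, expected fingerprint and checksum URL are placeholders to be filled from the HTTPS-served verification page, and the script refuses to verify anything if the imported key's fingerprint does not match.

```shell
#!/bin/sh
# Added example: the three verification steps from the post as one script.
# Assumes gpg (gnupg), wget and sha256sum (coreutils). KEY_ID, EXPECTED_FPR and
# SUMS_URL are PLACEHOLDERS; copy the real values from the HTTPS verification page.
KEY_ID='0xPLACEHOLDER_KEY_ID'
EXPECTED_FPR='PLACEHOLDER FINGERPRINT COPIED FROM THE HTTPS PAGE'
SUMS_URL='https://PLACEHOLDER.example/SHA256SUMS'

# Canonical fingerprint form: uppercase hex without spaces, so the value copied
# from the web page and the one gpg prints compare as plain strings.
normalize_fpr() { printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'; }

# Primary-key fingerprint from `gpg --with-colons --fingerprint` output:
# the first "fpr" record carries the hex fingerprint in field 10.
primary_fpr_from_colons() { awk -F: '$1 == "fpr" { print $10; exit }'; }

# Step 1: import the key and refuse to go on unless its fingerprint matches.
import_and_check_key() {
    gpg --keyid-format long --keyserver hkp://keyserver.ubuntu.com --recv-keys "$KEY_ID" || return 1
    actual=$(gpg --with-colons --fingerprint "$KEY_ID" | primary_fpr_from_colons)
    if [ "$(normalize_fpr "$actual")" != "$(normalize_fpr "$EXPECTED_FPR")" ]; then
        echo "fingerprint mismatch: key $KEY_ID has $actual" >&2
        return 1
    fi
}

# Step 2: fetch the checksum file and its detached signature, verify the signature.
fetch_and_verify_sums() {
    wget -q "$SUMS_URL" "$SUMS_URL.gpg" && gpg --verify SHA256SUMS.gpg SHA256SUMS
}

# Step 3: check the downloaded ISO against the signed list. The line for the ISO
# is picked from the checksum file ($1, "-" for stdin) by file name ($2), ignoring
# the "*name" binary-mode marker, and fed to sha256sum -c.
sums_line_for() {
    awk -v iso="$2" '{ n = $2; sub(/^\*/, "", n); if (n == iso) print }' "$1"
}
verify_iso() { sums_line_for SHA256SUMS "$1" | sha256sum -c -; }

# Run the whole chain with: ISO_TO_VERIFY=ubuntu-16.04-desktop-amd64.iso sh verify.sh
if [ -n "${ISO_TO_VERIFY:-}" ]; then
    import_and_check_key && fetch_and_verify_sums && verify_iso "$ISO_TO_VERIFY"
fi
```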

Farmville 2 on Ubuntu Linux (Flash)

If you have trouble running Farmville 2 in your browser on your Linux installation, you should consider upgrading to the latest Ubuntu 16.04 version. I was experiencing some strange problems with an older Ubuntu 14.04 installation and from one day to the next could not run Farmville 2 any longer:

  • Farmville 2 was showing the initial loading screen with the progress bar right in the center, but the progress bar was not moving at all. There was no sound, no error message. Other flash applications were working fine.
  • I tried different browsers with no success: Chromium, Google Chrome, Firefox
  • I tried different Flash versions with no success: adobe flash, pepperflash

Upgrading to Ubuntu 16.04 (see one of my previous posts) solved the problem. I am using the following versions:

  • Chromium (chromium-browser 50.0.2661.102)
  • Flash (pepperflashplugin-nonfree 1.8.2, flash version 21.0.0.242)

Make sure your browser is using the right flash plugin by typing "about:plugins" in the address bar of your Chromium browser (UPDATE: this page is not working anymore, see https://bugs.chromium.org/p/chromium/issues/detail?id=615738). It might be that you have several flash versions installed on your computer and Chromium is using an old one. Check your flash version on the official Adobe website: http://www.adobe.com/software/flash/about

Chromium stores flash plugin information in the folder /etc/chromium-browser/customizations. For every installed flash plugin, there is a flash configuration file:

  • 10-flash (adobe-flashplugin / flashplugin-installer)
  • pepperflashplugin-nonfree (pepperflashplugin-nonfree)

Move the file of the flash package you are not using to a backup location and restart Chromium. The flash configuration file also sets the file location of the flash plugin that gets loaded into your browser. Make sure the plugin file path is pointing to the official flash plugin shared object (/usr/lib/pepperflashplugin-nonfree/libpepflashplayer.so).

With that configuration I am now able to run Farmville 2 on Facebook and use all of its features (which were not all working before either):

  • Full screen mode
  • Sound on/off toggle
  • Screenshot

WARNING:

  • Flash is known to have frequent security issues. If you do not absolutely need Flash, you should remove it from your computer.
  • If you choose to install it, at least make sure to only run Flash applications after you have confirmed them manually. Both Firefox and Chrome/Chromium allow you to configure this option.
  • You might also want to install a second browser without Flash for regular internet surfing, and only use your Flash enabled browser for Farmville 2.
  • Make sure to regularly update your Flash package as soon as there is a new version available.

Browser blank page / white page with php script (WordPress, etc.)

I recently had a completely white / blank browser page when I tried to reset my WordPress password. It was from a local WordPress installation on my Debian 8 Jessie server. I was resetting my password for the admin login. It turned out that there was a problem with my php.ini settings. I had to add the following paths to the open_basedir variable:

open_basedir = /usr/share/php:/usr/share/php5

When resetting the WordPress password, WordPress includes some php files to send a reset email in wp-includes/pluggable.php:

require_once ABSPATH . WPINC . '/class-phpmailer.php';
require_once ABSPATH . WPINC . '/class-smtp.php';

The problem is that with the standard WordPress package on Debian 8 Jessie, class-phpmailer.php and class-smtp.php are symbolic links into /usr/share/php/... . If this path is not included in open_basedir, the PHP script just terminates without emitting any error message. I couldn't find anything in the Apache logs either. The browser showed a blank page.

This might also be a problem with other PHP web applications. So if you experience a similar situation (no output from the PHP script, blank page), check the open_basedir variable in your php.ini and make sure that all required / included PHP files and the targets of their symbolic links are part of it.

If you have any ideas how to find out if a php script is trying to include a file outside of open_basedir, please leave a comment.
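One way to answer that question from the shell, added here as an example rather than a reader's comment: resolve each included file through its symbolic links and test the real path against the open_basedir entries. It assumes GNU readlink -f, treats each open_basedir entry as a plain path prefix (PHP's matching rule, stated here as an assumption), and the WordPress paths in it assume Debian's /usr/share/wordpress layout.

```shell
#!/bin/sh
# Added example: find includes that resolve, through symlinks, outside open_basedir.
# Assumptions: readlink -f (GNU coreutils); PHP matches each open_basedir entry as a
# plain prefix of the resolved path, so "/usr/share/php" also admits "/usr/share/php5";
# the WordPress file paths below follow Debian's /usr/share/wordpress layout.
OPEN_BASEDIR='/usr/share/wordpress:/usr/share/php:/usr/share/php5'   # php.ini syntax

# Return 0 if the resolved path ($1) starts with one of the colon-separated
# open_basedir entries ($2), 1 otherwise.
inside_basedir() {
    path=$1
    old_ifs=$IFS; IFS=:
    set -- $2
    IFS=$old_ifs
    for entry in "$@"; do
        case "$path" in "$entry"*) return 0 ;; esac
    done
    return 1
}

# Read one file path per line (the targets of require/include), resolve the
# symlink chain, and print INSIDE or OUTSIDE with the real target, so a blank
# page can be traced to the file PHP silently refused to open.
report_includes() {
    basedir=$1
    while IFS= read -r file; do
        real=$(readlink -f "$file" 2>/dev/null) || real=$file
        if inside_basedir "$real" "$basedir"; then
            printf 'INSIDE  %s\n' "$real"
        else
            printf 'OUTSIDE %s -> %s\n' "$file" "$real"
        fi
    done
}

# The two files the post names; on Debian's wordpress package they are symlinks
# into /usr/share/php (exact targets not given here, readlink -f shows them).
report_includes "$OPEN_BASEDIR" <<'EOF'
/usr/share/wordpress/wp-includes/class-phpmailer.php
/usr/share/wordpress/wp-includes/class-smtp.php
EOF
```

Drop the /usr/share/php entries from OPEN_BASEDIR and rerun to reproduce the situation from the post: the two files are reported OUTSIDE.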


Make imdb work with Google Chrome browser (blank black video)

Recently, Google Chrome introduced the ability to activate plugins only after user confirmation. While this is a very good setting to increase your security level (especially for the flash plugin), it prevents certain sites from displaying their content, e.g. imdb.com.

The video window on imdb.com stays black: no error message, no way to activate the flash plugin. If you want to make it work, add an exception to the plugin content settings.

Within chrome, go to "Settings" -> "Privacy" -> "Content settings..." -> "Plugins" -> "Manage exceptions..." and add the following to the list of plugin exceptions:

[*.]imdb.com              allow