FreeSpeechMe Tech Help

MWD
Posts: 180
Joined: Mon Feb 10, 2014 10:31 pm
os: windows

FreeSpeechMe Tech Help

Post by MWD »

Hi,

Jeremy (Biolizard89) said to send people here for tech support, and he and I (and people who've solved their own FreeSpeechMe beta issues) can chime in.

Let me know if anyone has any thoughts.

Thanks!
Michael W. Dean, FreeSpeechMe cat herder.
Last edited by MWD on Wed Feb 19, 2014 9:59 am, edited 1 time in total.
Namecoin, Dot-Bit and MeowBit are a complete new Internet ecosystem, building the roads to Web 4.0. http://www.meowbit.com
Dot-Bit Kitty Pix! The ONLY .bit-only kitty cat website in the world! http://dotbitkittypix.bit

domob
Posts: 1129
Joined: Mon Jun 24, 2013 11:27 am

Re: FreeSpeechMe Tech Help

Post by domob »

Not sure if this is the right thread, but I'll ask anyway. I really love your work on FreeSpeechMe, but I have to admit that while I have installed Convergence for Namecoin (in a version prior to FSM), it is usually disabled. The reason is that I have set a master password on Iceweasel to protect my TLS client certificates, and with Convergence enabled, I'm prompted for the password every single time I open the browser. This is not acceptable for me since I frequently close and re-open the browser, have a strong passphrase, and only really need it (my client certificates) in rare situations.

My guess is that this is the case because Convergence inserts its own root certificate on each browser start and thus the secure module must be unlocked. Is it possible to "fix" this behaviour, for instance by only inserting the certificate once on extension installation and not on each browser start? This would really improve the usability for me significantly. I understand that a strong master password on the browser is probably (unfortunately!) a rare situation with average end-users, but still I believe this is a major usability issue.
BTC: 1domobKsPZ5cWk2kXssD8p8ES1qffGUCm | NMC: NCdomobcmcmVdxC5yxMitojQ4tvAtv99pY
BM-GtQnWM3vcdorfqpKXsmfHQ4rVYPG5pKS
Use your Namecoin identity as OpenID: https://nameid.org/

biolizard89
Posts: 2001
Joined: Tue Jun 05, 2012 6:25 am
os: linux

Re: FreeSpeechMe Tech Help

Post by biolizard89 »

domob wrote:Not sure if this is the right thread, but I'll ask anyway. I really love your work on FreeSpeechMe, but I have to admit that while I have installed Convergence for Namecoin (in a version prior to FSM), it is usually disabled. The reason is that I have set a master password on Iceweasel to protect my TLS client certificates, and with Convergence enabled, I'm prompted for the password every single time I open the browser. This is not acceptable for me since I frequently close and re-open the browser, have a strong passphrase, and only really need it (my client certificates) in rare situations.

My guess is that this is the case because Convergence inserts its own root certificate on each browser start and thus the secure module must be unlocked. Is it possible to "fix" this behaviour, for instance by only inserting the certificate once on extension installation and not on each browser start? This would really improve the usability for me significantly. I understand that a strong master password on the browser is probably (unfortunately!) a rare situation with average end-users, but still I believe this is a major usability issue.
Hmm, that's an interesting question. I'm honestly not sure how easy it would be to insert the certificate on installation rather than on browser start. It sounds like that might lead to some interesting security issues, e.g. an attacker poisoning the system with a malicious cert named Convergence, so that the extension thinks it doesn't need to replace it. What do you think about the security ramifications? Would this be a problem?
Jeremy Rand, Lead Namecoin Application Engineer
NameID: id/jeremy
DyName: Dynamic DNS update client for .bit domains.

Donations: BTC 1EcUWRa9H6ZuWPkF3BDj6k4k1vCgv41ab8 ; NMC NFqbaS7ReiQ9MBmsowwcDSmp4iDznjmEh5

domob
Posts: 1129
Joined: Mon Jun 24, 2013 11:27 am

Re: FreeSpeechMe Tech Help

Post by domob »

biolizard89 wrote:Hmm, that's an interesting question. I'm honestly not sure how easy it would be to insert the certificate on installation rather than on browser start. It sounds like that might lead to some interesting security issues, e.g. an attacker poisoning the system with a malicious cert named Convergence, so that the extension thinks it doesn't need to replace it. What do you think about the security ramifications? Would this be a problem?
Not sure about that myself. In principle, if an attacker is able to insert a malicious certificate into your system, then all bets are already lost. However, of course it should be as hard to manipulate as possible in practice. What is needed is a way to store persistent information for your extension that can ideally not be read by other extensions (like preferences presumably can?). Then you could create the Convergence root cert on installation and store its private key there, so that you can use it every time you run the browser to sign ad-hoc website certificates. Of course, that storage could still be read by user-level system access - but if someone has that, they can also manipulate the Convergence sources. (Except if the extension is installed system-wide and only root has write-access. But then, someone can still manipulate a user's profile folder to insert their own rogue certificate with just user privileges.)

So in total I don't really see security problems, but I also haven't (yet) thought about it thoroughly.
BTC: 1domobKsPZ5cWk2kXssD8p8ES1qffGUCm | NMC: NCdomobcmcmVdxC5yxMitojQ4tvAtv99pY
BM-GtQnWM3vcdorfqpKXsmfHQ4rVYPG5pKS
Use your Namecoin identity as OpenID: https://nameid.org/
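
The concern in this exchange (a trust-store entry that merely carries the name "Convergence" being taken for the extension's own root) next to the proposal to create the root once at installation and keep its private key, as an added example that is not part of the thread or of the Convergence/FreeSpeechMe code. It assumes Node.js `crypto` in place of the browser's certificate APIs, models the trust store as an array of `{ name, spkiDer }` entries, and uses hypothetical function names throughout.

```javascript
const crypto = require('crypto');

// Installation step (hypothetical helper): create the root key once and return
// the private key as PEM, to be written to extension-private storage.
function createRootKeyAtInstall() {
  const { privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  return privateKey.export({ type: 'pkcs8', format: 'pem' });
}

// DER-encoded SubjectPublicKeyInfo that corresponds to a stored private key.
function spkiFromPrivatePem(privatePem) {
  return crypto.createPublicKey(privatePem).export({ type: 'spki', format: 'der' });
}

function sameBytes(a, b) {
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Startup step: an entry is only "ours" if its public key matches the key we
// hold; the name alone proves nothing. Same-named entries with another key are
// reported for eviction instead of being trusted.
// trustStore: array of { name, spkiDer } (assumed stand-in for the cert DB).
function checkRootAtStartup(trustStore, storedPrivatePem, rootName = 'Convergence') {
  const expected = spkiFromPrivatePem(storedPrivatePem);
  const named = trustStore.filter((e) => e.name === rootName);
  const ours = named.filter((e) => sameBytes(e.spkiDer, expected));
  const evicted = named.filter((e) => !sameBytes(e.spkiDer, expected));
  return { action: ours.length > 0 ? 'reuse' : 'install', evicted };
}

// Constructed sample data: one genuine root and one planted entry that copies
// the name but was generated from a different key.
function demo() {
  const ourPem = createRootKeyAtInstall();
  const otherPem = createRootKeyAtInstall();
  const genuine = { name: 'Convergence', spkiDer: spkiFromPrivatePem(ourPem) };
  const planted = { name: 'Convergence', spkiDer: spkiFromPrivatePem(otherPem) };
  return {
    clean: checkRootAtStartup([genuine], ourPem),
    poisoned: checkRootAtStartup([planted], ourPem),
    mixed: checkRootAtStartup([genuine, planted], ourPem),
  };
}

console.log(demo());
```
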

biolizard89
Posts: 2001
Joined: Tue Jun 05, 2012 6:25 am
os: linux

Re: FreeSpeechMe Tech Help

Post by biolizard89 »

domob wrote:
biolizard89 wrote:Hmm, that's an interesting question. I'm honestly not sure how easy it would be to insert the certificate on installation rather than on browser start. It sounds like that might lead to some interesting security issues, e.g. an attacker poisoning the system with a malicious cert named Convergence, so that the extension thinks it doesn't need to replace it. What do you think about the security ramifications? Would this be a problem?
Not sure about that myself. In principle, if an attacker is able to insert a malicious certificate into your system, then all bets are already lost. However, of course it should be as hard to manipulate as possible in practice. What is needed is a way to store persistent information for your extension that can ideally not be read by other extensions (like preferences presumably can?). Then you could create the Convergence root cert on installation and store its private key there, so that you can use it every time you run the browser to sign ad-hoc website certificates. Of course, that storage could still be read by user-level system access - but if someone has that, they can also manipulate the Convergence sources. (Except if the extension is installed system-wide and only root has write-access. But then, someone can still manipulate a user's profile folder to insert their own rogue certificate with just user privileges.)

So in total I don't really see security problems, but I also haven't (yet) thought about it thoroughly.
Makes sense. Can you make an issue on GitHub namecoin/Convergence for this request?
Jeremy Rand, Lead Namecoin Application Engineer
NameID: id/jeremy
DyName: Dynamic DNS update client for .bit domains.

Donations: BTC 1EcUWRa9H6ZuWPkF3BDj6k4k1vCgv41ab8 ; NMC NFqbaS7ReiQ9MBmsowwcDSmp4iDznjmEh5

georgem
Posts: 82
Joined: Wed Aug 21, 2013 1:46 pm
os: windows

Re: FreeSpeechMe Tech Help

Post by georgem »

Can't we have a separate sub-forum for freespeechme, and not only a single thread?

I have a lot of bugs and screenshots I want to talk about... this will mess up the communication if we have to post everything here in one thread.

I'd rather open a new thread for every problem. Is that possible?


Or am I supposed to put a [FreeSpeechMe] tag in the thread's name?
I would prefer a separate sub-forum.

Deafboy
Posts: 6
Joined: Tue May 22, 2012 5:58 pm
os: linux

Re: FreeSpeechMe Tech Help

Post by Deafboy »

I've just noticed a strange thing. I get "Namecoin: Verification success" in the browser even though the fingerprint on the web server does not match the one inside the blockchain.
Is it just accepting any fingerprint if the hostname in the cert is correct?

MWD
Posts: 180
Joined: Mon Feb 10, 2014 10:31 pm
os: windows

Re: FreeSpeechMe Tech Help

Post by MWD »

georgem wrote:Can't we have a separate sub-forum for freespeechme, and not only a single thread?

I think it's ok to start more FreeSpeechMe questions on this Tech Help forum. Just make sure you put FreeSpeechMe in the subject line of the new thread.

MWD
Namecoin, Dot-Bit and MeowBit are a complete new Internet ecosystem, building the roads to Web 4.0. http://www.meowbit.com
Dot-Bit Kitty Pix! The ONLY .bit-only kitty cat website in the world! http://dotbitkittypix.bit

fwb3
Posts: 6
Joined: Wed Feb 19, 2014 6:54 pm
os: linux
Location: Texas

Re: FreeSpeechMe Tech Help

Post by fwb3 »

Hi folks. First post to the forum. I'm running an Ubuntu desktop (12.04 LTS) with Firefox 27.0. I didn't have namecoind or nmcontrol or a wallet installed on this box, so I installed freespeechme with the bundle. The install seemed to complete. That is, freespeechme shows up in my Firefox extensions, and on the toolbar. I assumed the blockchain was downloading. Next morning, when I try browsing a .bit site (such as https://dot-bit.bit/), I get a "connection was reset" page. When I open freespeechme's option dialog, I see the message...

namecoind not responding, try again in a couple minutes.

This has been this way since the extension was installed. Port 80 is working fine. No evidence of this being a firewall issue. I fear I'm missing something obvious. Any suggestions?

thanks!

MWD
Posts: 180
Joined: Mon Feb 10, 2014 10:31 pm
os: windows

Re: FreeSpeechMe Tech Help

Post by MWD »

fwb3 wrote: namecoind not responding, try again in a couple minutes.


thanks!

I know on Windows when I get that, if I go to the Options/Status tab, hit "OK", I see the CMD windows open again (I know they're hidden on GNU/Linux), and somehow, that "restarts" the functions of the program.

Kind of reminds me of Fonzie hitting the Jukebox, but it works.

MWD
Namecoin, Dot-Bit and MeowBit are a complete new Internet ecosystem, building the roads to Web 4.0. http://www.meowbit.com
Dot-Bit Kitty Pix! The ONLY .bit-only kitty cat website in the world! http://dotbitkittypix.bit
