AtomicPup-Nucleus

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

AtomicPup-Nucleus

#1 Post by 8Geee »

One of my recent 'little' projects was to experiment using a small browser that's easier on the old Atom N270 found in most netbooks (remember them?). I had a wow moment recently when OscarTalks linked-up the new version of Netsurf (v. 3.8-Slack 14.0). Just a browser-delta is amazing. AtomicPup-XIX shrank from 152 --> 123Mb ISO, and 460Mb --> 375Mb usage with the FreeOffice intact. And netsurf is Lightning compared to FF27. Just a bit quirky, but using geany to erase URL-history and Cookies works. When I punch-up Geany, there are now 4 files to check, the CUPS error log, the Recent Use xbel, and the two Netsurf files. I can handle that... easy maintenance, clean after use.

Now, in fairness, there are caveats to the simplicity. I would NOT do passwords for personal information purposes such as banking/shopping. A lot of stuff (especially 'buttons'), may not work. But I have found a few places of general interest, including regional weather, and YouTube, with D/L converter site (FORGET streaming).

In a word "useable", and another word "small".

Regards
8Geee
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."


free wifi and gen. security

#2 Post by 8Geee »

As an update to the first post, I have used this pup a bit and can confirm a few things.

1.) Free Wifi usually comes with an 'acceptance page' with a button to connect/accept the terms and privacy. Two main sources McD's and Dunkin' cannot connect due to the missing button. Strongly believe this scripted button not allowed in Netsurf3.8... does not appear.

2.) Going to Qualys dot com for the Client-Side test revealed that SSL3, TLS1.0, and TLS1.1 security certs are installed and may be called. I find this unacceptable in 2019, with even certain TLS1.2 certs being compromised.

3.) Based on these two faults, I have decided NOT to release this spin.

Regards
8Geee

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

Re: free wifi and gen. security

#3 Post by belham2 »

8Geee wrote:
2.) Going to Qualys dot com for the Client-Side test revealed
8Geee


Hi 8Geee,

Just curious (I know we both heavily change settings in Firefox to make it more secure and trying, over the years, to encourage others to do the same in the "Security" section on Murga here), is this what ssllabs spits back when you run a test on your browser setup:

***********************************************************
SSL/TLS Capabilities of Your Browser


Protocol Support
Your user agent has good protocol support.
Your user agent supports TLS 1.2, which is recommended protocol version at the moment. Experimental: Your user agent supports TLS 1.3.

Logjam Vulnerability

Your user agent is not vulnerable.

FREAK Vulnerability

Your user agent is not vulnerable.

POODLE Vulnerability

Your user agent is not vulnerable.


Protocol Features

Protocols
TLS 1.3 Yes
TLS 1.2 Yes
TLS 1.1 No
TLS 1.0 No
SSL 3 No
SSL 2 No

Cipher Suites (in order of preference)
TLS_AES_128_GCM_SHA256 (0x1301) Forward Secrecy 128
TLS_CHACHA20_POLY1305_SHA256 (0x1303) Forward Secrecy 256
TLS_AES_256_GCM_SHA384 (0x1302) Forward Secrecy 256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) Forward Secrecy 128
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9) Forward Secrecy 256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8) Forward Secrecy 256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c) Forward Secrecy 256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) Forward Secrecy 256


Protocol Details
Server Name Indication (SNI) Yes
Secure Renegotiation Yes
TLS compression No
Session tickets Yes
OCSP stapling Yes
Signature algorithms SHA256/ECDSA, SHA384/ECDSA, SHA512/ECDSA, RSA_PSS_SHA256, RSA_PSS_SHA384, RSA_PSS_SHA512, SHA256/RSA, SHA384/RSA, SHA512/RSA, SHA1/ECDSA, SHA1/RSA
Named Groups x25519, secp256r1, secp384r1, secp521r1, ffdhe2048, ffdhe3072
Next Protocol Negotiation No
Application Layer Protocol Negotiation Yes h2 http/1.1
SSL 2 handshake compatibility No


Mixed Content Handling

Mixed Content Tests
Images Passive Yes
CSS Active No
Scripts Active No
XMLHttpRequest Active No
WebSockets Active No
Frames Active No

Related Functionality
Upgrade Insecure Requests request header (more info) Yes
**********************************************************

The three that I am uncertain on are the ones (two) I highlighted in blue and (one) in red. Should those two blue ones be coming back "yes"? If so, what settings in about:config should I change?

Same goes for the red one: how can I get that flipped & stay "No"? Since images are a main attack vector for malware when surfing around the Net, I would imagine having "Image" set passive isn't the best posture/setting. But I am uncertain what to change in about:config to make this a constant "No". Everything I've tried has broken the display of images on many sites.


#4 Post by 8Geee »

Using netsurf3.8-Slackware14.0 pet, I do not see the vulnerability tests at all, and the list includes several weak schemes of TLS1.1, 1.0, and SSL3. This from memory, and I will connect again, and repost/edit to confirm. AFAIK, the "about config" stuff is locked out here. Based upon Oscar's pet without deltas.

Regards
8Geee

Results of Netsurf3.8 at Qualys Client Test

#5 Post by 8Geee »

OK, got it copied/pasted. It's long and rather poor IMHO.



Protocols
TLS 1.3 No
TLS 1.2 Yes*
TLS 1.1 Yes*
TLS 1.0 Yes*
SSL 3 Yes*
SSL 2 No

Cipher Suites (in order of preference)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   Forward Secrecy 256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)   Forward Secrecy 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)  WEAK 256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)  WEAK 256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   Forward Secrecy 128
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)   Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)  WEAK 128
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)  WEAK 128
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   Forward Secrecy 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)  WEAK 256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   Forward Secrecy 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)  WEAK 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)  WEAK 256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)  WEAK 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)  WEAK 128
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)  WEAK 128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)  WEAK 256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)  WEAK 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)  WEAK 128
TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0xff) -
(1) When a browser supports SSL 2, its SSL 2-only suites are shown only on the very first connection to this site. To see the suites, close all browser windows, then open this exact page directly. Don't refresh.

Protocol Details
Server Name Indication (SNI) Yes
Secure Renegotiation Yes
TLS compression No
Session tickets Yes
OCSP stapling No
Signature algorithms SHA512/RSA, SHA512/DSA, SHA512/ECDSA, SHA384/RSA, SHA384/DSA, SHA384/ECDSA, SHA256/RSA, SHA256/DSA, SHA256/ECDSA, SHA224/RSA, SHA224/DSA, SHA224/ECDSA, SHA1/RSA, SHA1/DSA, SHA1/ECDSA
Named Groups secp256r1, secp521r1, brainpoolP512r1, brainpoolP384r1, secp384r1, brainpoolP256r1, secp256k1, sect571r1, sect571k1, sect409k1, sect409r1, sect283k1, sect283r1
Next Protocol Negotiation Yes
Application Layer Protocol Negotiation No
SSL 2 handshake compatibility No

regards
8Geee
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."
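
An added example (not part of the original posts): a small Python check that reads a pasted client-test report in the layout shown in this thread and lists the deprecated protocol versions the browser offers, plus the suites that use CBC mode or static RSA key exchange. The `SAMPLE_REPORT` excerpt is constructed from the format above, and the function and constant names are assumptions of this example.

```python
import re

# Constructed sample: a shortened excerpt in the layout of the pasted report.
SAMPLE_REPORT = """\
Protocols
TLS 1.3 No
TLS 1.2 Yes*
TLS 1.1 Yes*
TLS 1.0 Yes*
SSL 3 Yes*
SSL 2 No

Cipher Suites (in order of preference)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   Forward Secrecy 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)  WEAK 256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)  WEAK 128
TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0xff) -
"""

DEPRECATED = {"SSL 2", "SSL 3", "TLS 1.0", "TLS 1.1"}
PROTO_RE = re.compile(r"^((?:TLS|SSL) \d(?:\.\d)?)\s+(Yes|No)\*?\s*$")
SUITE_RE = re.compile(r"^(TLS_\w+) \((0x[0-9a-f]+)\)")

def audit(report):
    """Return (deprecated protocols offered, {suite: [reasons]})."""
    protocols, suites = [], {}
    for line in report.splitlines():
        line = line.strip()
        m = PROTO_RE.match(line)
        if m:
            if m.group(2) == "Yes" and m.group(1) in DEPRECATED:
                protocols.append(m.group(1))
            continue
        m = SUITE_RE.match(line)
        if not m or m.group(1).endswith("_SCSV"):
            continue  # SCSV is a signalling value, not a real cipher suite
        name, reasons = m.group(1), []
        if "_CBC_" in name:
            reasons.append("CBC mode (no AEAD)")
        if name.startswith("TLS_RSA_"):
            reasons.append("static RSA key exchange (no forward secrecy)")
        if reasons:
            suites[name] = reasons
    return protocols, suites

if __name__ == "__main__":
    print(audit(SAMPLE_REPORT))
```
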
