Maxdamantus | Lock switch epoxy replaced. | 11:32 |
---|---|---|
Guest56062 | most of https sites give 'no common cipher' error. how could i solve that on fremantle? | 11:51 |
Maxdamantus | Personally, I just use a MITM proxy that I wrote, where certificates are created on-the-fly, signed by my own root certificate. | 12:02 |
Maxdamantus | (so Opera has my own root certificate in its trusted store) | 12:03 |
Maxdamantus | https://gist.github.com/Maxdamantus/e32ab94dbc5d9d43298428400020620e | 12:04 |
Maxdamantus | Have been meaning to refactor it so it does everything in one thread, but haven't got round to it. | 12:04 |
Maxdamantus | (it spawns a new thread for each connection) | 12:05 |
sicelo | Halftux also compiled nginx and runs it as a proxy on the N900. you may have a look in talk.maemo.org for the binary and config | 12:15 |
Maxdamantus | Hm. I wonder how that works. | 12:20 |
Maxdamantus | Found post: http://talk.maemo.org/showthread.php?p=1563641 | 12:21 |
Maxdamantus | Doesn't sound like something that should work. | 12:22 |
Guest49746 | i missed the conversation, can someone explain what should i do? | 12:24 |
Maxdamantus | Unless the browser is willing to do some very insecure use of proxies, you basically need to be able to come up with a certificate for each domain name. | 12:24 |
Maxdamantus | Guest49746: my solution is this: https://gist.github.com/Maxdamantus/e32ab94dbc5d9d43298428400020620e | 12:24 |
Maxdamantus | Guest49746: that's a MITM proxy I wrote that I run on the N900. It generates certificates for any domain, signed by the given "cacert" and proxies the connection through a regular SSL client connection (with host verification provided by OpenSSL). | 12:25 |
Guest49746 | how i make it run? even gcc wasn't in repos | 12:27 |
L29Ah | what sites give the error? | 12:28 |
L29Ah | google wox | 12:29 |
Guest49746 | Maxdamantus: ^ | 12:30 |
Maxdamantus | L29Ah: from memory, github is one example. | 12:30 |
Guest49746 | L29Ah: myabandonware.com | 12:31 |
Maxdamantus | Guest49746: I think you'll need to add some repositories listed here: http://repository.maemo.org/ | 12:32 |
Guest49746 | frustrates me how even wikipedia refuses to do simple http | 12:32 |
Guest49746 | those web people fascinated with phasing stuff out | 12:33 |
Maxdamantus | Phasing things that should be phased out out. | 12:34 |
Guest49746 | Maxdamantus: i have the maemo.org repos, it is not an installation candidate there | 12:34 |
Guest49746 | Maxdamantus: the worst thing you could do with wikipedia over http is to feed misinformation | 12:35 |
Guest49746 | i don't mean old ssl | 12:35 |
Maxdamantus | Would you want your ISP knowing what you're looking at on Wikipedia? If common unsecured HTTP were still a thing nowadays, the ISPs would be selling all your requests to ad companies. | 12:38 |
Guest49746 | they still have your dns requests unless you have DoH or tunnel it through tor. | 12:39 |
Maxdamantus | Right, but DNS requests are not as useful. Browsers very likely cache DNS requests so you can't even tell how frequently someone uses a website. | 12:40 |
Maxdamantus | Overall not very useful to advertisers. | 12:40 |
Guest49746 | also everything should be secure by default, but security should not be compulsory. it would start interfering with everything everywhere | 12:40 |
Guest49746 | if that was case, android is more secure than OpenBSD | 12:41 |
L29Ah | i'm okay with selling all my requests to ad companies | 12:42 |
L29Ah | now gimme my wikipedia | 12:42 |
Guest49746 | i am 'trying' to make http connection to the open-source website that loves taking screenshots of itself using all the weird browsers of the last 25 years, and it even doesn't support old ssl | 12:43 |
Maxdamantus | I guess the ISP can already see how much you're using each site anyway, since they can track traffic use to domain names (either using DNS or SNI or just figuring things out based on IP address) | 12:43 |
L29Ah | i recall taking a train in .il and the onboard isp just blocks https, that wasn't fun when half of sites just redirect you to https on their http | 12:43 |
Maxdamantus | but regardless, all of that is a lot less useful than the actual requests. | 12:43 |
Maxdamantus | I find advertising morally undesirable. | 12:44 |
Guest49746 | i just want it to work, they could just make a big red warning on top of the pages. | 12:44 |
Maxdamantus | So I'm generally in favour of technical decisions which limit its effectiveness. | 12:44 |
KotCzarny | advertising was a lot easier to cut/filter out with http | 12:45 |
KotCzarny | with https you have to use in-browser methods | 12:45 |
KotCzarny | unless you start your own recerting/bumping proxy | 12:45 |
Guest49746 | there are anti-ad DNS servers, they work well | 12:45 |
Guest49746 | AdGuard at least | 12:46 |
KotCzarny | they don't cut ads based on url unfortunately | 12:46 |
Guest49746 | however, how i compile mitm.c? | 12:47 |
L29Ah | i remember being able to install gcc on n900 by adding the dev repos | 12:48 |
Maxdamantus | Once you've got gcc and a recent version of openssl, should be `gcc mitm.c -o mitm -lcrypto -lssl` | 12:48 |
Guest49746 | L29Ah: dev = devel? | 12:49 |
L29Ah | otherwise you can make a debian arm chroot w/ qemu-user on your pc | 12:49 |
L29Ah | dunno lol | 12:49 |
Maxdamantus | Actually, `gcc mitm.c -o mitm -D_BSD_SOURCE -D_POSIX_SOURCE -lcrypto -lssl -lpthread -std=c99` | 12:50 |
KotCzarny | Guest49746: you can try my sdk chroot | 12:50 |
KotCzarny | just download and unpack on ext3 filesystem on n900 | 12:50 |
Guest49746 | chroot:not found | 12:51 |
KotCzarny | http://talk.maemo.org/showthread.php?p=1522157 | 12:52 |
untakenstupidnic | yes but chroot itself | 12:52 |
KotCzarny | its inside | 12:52 |
KotCzarny | and a script to run it also | 12:53 |
untakenstupidnic | chroot: can't execute '/bin/sh' | 12:56 |
untakenstupidnic | No such file or directory | 12:56 |
KotCzarny | what are you trying to do? | 12:56 |
untakenstupidnic | chroot n900_sdkchroot | 12:57 |
untakenstupidnic | chroot is only there using root shell, which is strange | 12:57 |
KotCzarny | interesting because i dont see any downloads | 12:58 |
untakenstupidnic | i had it downloaded before | 12:58 |
KotCzarny | ahm ok | 12:58 |
KotCzarny | you should use the script go-n900 | 12:59 |
KotCzarny | not the chroot command alone | 12:59 |
KotCzarny | you have to customize the script too | 13:00 |
untakenstupidnic | where can i find the script? | 13:00 |
KotCzarny | inside? | 13:00 |
KotCzarny | n900_sdkchroot/go-n900 | 13:00 |
untakenstupidnic | only home and opt there | 13:01 |
KotCzarny | bad download/unpack then | 13:01 |
KotCzarny | and keep in mind you shouldn't unpack it on vfat, it won't work | 13:02 |
untakenstupidnic | vfat is the emmc's default? | 13:02 |
KotCzarny | i think in /opt you should have ~500MB of free space | 13:02 |
KotCzarny | try df -T | 13:02 |
untakenstupidnic | i see no mention of vfat | 13:03 |
KotCzarny | most likely /home/user/MyDocs is using vfat | 13:05 |
untakenstupidnic | it is in /home/user | 13:05 |
KotCzarny | check if you didnt run out of free space | 13:06 |
KotCzarny | gotta run, bbl | 13:13 |
untakenstupidnic | is normal gcc really supposed to be in devel? | 13:15 |
KotCzarny | hah. | 14:02 |
KotCzarny | yes | 14:02 |
KotCzarny | because of lack of space on device | 14:02 |
KotCzarny | and devel != sdk | 14:02 |
KotCzarny | devel == untested, work in progress packages repo | 14:02 |
KotCzarny | sdk == software devel/packaging env | 14:03 |
untakenstupidnic | KotCzarny: does sdk repo work on n900? gotta test it | 14:16 |
KotCzarny | no | 14:16 |
KotCzarny | you will break your rootfs | 14:16 |
KotCzarny | that's why i've created the chroot | 14:16 |
untakenstupidnic | how do i unpack tar.xz | 14:17 |
KotCzarny | xz -dc file.tar.xz | tar -xp | 14:18 |
KotCzarny | make sure you are unpacking in a place with enough space | 14:18 |
KotCzarny | ~600MB or more | 14:18 |
KotCzarny | if you have normal pc you can also just use sdk vm | 14:19 |
KotCzarny | might be easier for you | 14:19 |
bencoh | that's definitely your best bet | 14:19 |
bencoh | and it will be faster | 14:20 |
KotCzarny | bencoh: he just needs to compile single binary i think | 14:20 |
bencoh | ah | 14:20 |
KotCzarny | so if you have time and sdk hand you might help him if you want | 14:20 |
KotCzarny | :) | 14:20 |
KotCzarny | s/hand/handy/ | 14:20 |
bencoh | The server hosting my sdk vm is currently down | 14:21 |
KotCzarny | hmm | 14:21 |
bencoh | It's the one hosting maemo.muarf.org by the way | 14:21 |
KotCzarny | i might provide a mirror if you want | 14:21 |
bencoh | I need to setup a replacement (I have a mirror stored on another server) | 14:22 |
KotCzarny | offtopic, flop of the month: https://mobile.twitter.com/mohammadaskar2/status/1301263551638761477 | 14:32 |
freemangordon | hmm, maemo.org down? | 22:10 |
KotCzarny | seems so | 22:11 |
KotCzarny | but only www. | 22:11 |
freemangordon | yeah | 22:11 |
freemangordon | I can ssh to the machine, weird | 22:12 |
warfare | apache crashed. Just needed a restart | 22:15 |
freemangordon | thanks! | 22:16 |
KotCzarny | exploiting in progress? | 22:16 |
warfare | Nah, just midgard acting up and eating all memory. | 22:16 |
warfare | Happens from time to time. | 22:16 |
KotCzarny | ah, good ol' oom | 22:16 |
untakenstupidnic | KotCzarny: sdk chroot works but its openssl doesn't look new | 22:36 |
untakenstupidnic | since i think Maxdamantus' gist required new ssl | 22:38 |
KotCzarny | since you have sdk now, you can try compiling ssl too, and compiling that gist statically against new ssl | 22:39 |
untakenstupidnic | do you think it's feasible to try pkgsrc on it? | 22:40 |
KotCzarny | what's a pkgsrc? | 22:40 |
untakenstupidnic | pkgsrc.org | 22:40 |
KotCzarny | never used, so i cant comment | 22:41 |