old file format? the auditee has only heard of pagesigner first yesterday
surely they used the latest version
oh, or you mean the .py you pasted just now?
proslogion joined the channel
sup
waxwing
BB-Martino: yes, that auditor.py file is from a couple of months back
but it's the best fit to what you need
i just have to updated it.
give me an hour, should be about that long
proslogion
if it's of use to anyone, my certs are apparently stored under .mozilla/firefox/<random string>.default/cert8.db
BB-Martino
all righty. please pm me when done, thanks
hearn joined the channel
waxwing
BB-Martino: git pull browserless branch of AdamISZ/taas-poc-1-auditee and run tlsnotary-auditor.py as before, should work now.
notes: 1, of course I don't intend you to have to use a separate repo for this, will integrate it into pagesigner-browserless which is supposed to contain the tools you need to use pagesigner without JS.
2, this currently ignores the server name field, and just prints out the cert fingerprint to the domain file. this should be fixed.
BB-Martino
where's the git again?
waxwing
it's a result of the fact that dansmith streamlined the notarization file format, previously it stored the server name and modulus inside it, now it only stores the raw DER format, so i have to do some parsing
sorry i'm a bit of noob with this, let me know if i should be doing something different
waxwing
it takes the master branch by default
so do git fetch
then do git checkout browserless
and yes, the filesize is bigger than that now, 9K
BB-Martino
sorry, i'm confused plus haven't slept a lot, what do i enter :)
waxwing
yes i know it's a pain, i didn't intend it, it's just getting it up and running properly will take time
git fetch
git checkout browserless
cd src/auditee
python tlsnotary-auditor.py <filename>
BB-Martino
befor git fetch what?
waxwing
should see:
Notary pubkey OK
Notary signature OK
Commitment hash OK
HTML decryption with correct HMACs OK.
Audit passed! You can read the html at:
BB-Martino
start from the beginning
waxwing
you already did git clone
BB-Martino
oh, i deleted that
hold on
waxwing
then cd taas...*
then the above
MrMoneyBags joined the channel
back in a minute
BB-Martino
thanks. sorted.
waxwing
so what's the upshot? can you run it as above?
MrMoneyBags has quit
MrMoneyBags joined the channel
hearn joined the channel
BB-Martino: ^
MrMoneyBags has quit
MrMoneyBags joined the channel
BB-Martino
yes, it extracted the decrypted page, thanks
waxwing
ok, good. the messages tell you what was checked OK. I'm working on getting the server name extracted so in principle you'll again be able to cross check the domain name against the certificate pubkey
of course it still leaves this whole big issue of cert verification being flaky.
asn1 is basically insane :)
proslogion has quit
hearn joined the channel
proslogion joined the channel
proslogion
waxwing: the great thing about mac check is that if it breaks, it will fail
so we can just pull all the tricks, shenanigans, hacks, to make it pass
waxwing
proslogion: i don't quite follow
proslogion
if it passes then the authenticity is assured
waxwing
yes, i got that part, but don't understand what you mean by 'pull all the tricks'
proslogion
to sum up: there won't be false positives, so if it works, then we do it right somehow
waxwing
friends don't let friends parse asn1
proslogion
if it were not crypto, then false positives can happen for all kinds of reasons
waxwing
proslogion: sure, but it's orthogonal to whether (a) the notary sig is valid, (b) the server cert is trusted.
i think the set of checks we do is both necessary and sufficient
proslogion
i am just saying, people can use it as long as it works, stability state is not ideal, but security is still guaranteed
waxwing
ok you're talking about that asymmetry, yes, i have always found that comforting
yes we'll never get a fake notarization passing tests.