Author Archives: Kenji Yoshino

About Kenji Yoshino

Twitter: @tidgubi

Disabling Windows 7 Automatic Root CA Update

Windows comes with a small list of trusted CAs installed but automatically imports CAs as necessary from the Microsoft Windows Update service (Windows 7 Home Premium SP1 64bit for a while, I figure I’d imported all of the CAs I really need I figured I could mitigate the risk of forged certificates (e.g. Iraq/Gmail, Diginotar) by ensuring I don’t import any additional CAs. Sure the CAs I already trust could be compromised, but this significantly reduces the attack surface.

For Windows 7 Processional and Ultimate, Microsoft provides instructions for disabling Automatic Root Certificates Update using the Group Policy Editor; however, the Group Policy Editor cannot be installed on Windows 7 Starter and Home editions. If you have Windows 7 Starter or Home, or don’t want to deal with the Group Policy Editor, a simple registry update will turn Automatic Root Certificates Update off or on.

Note: You must be an Administrator to make any of these changes, and if you have a Group Policy set for Automatic Root Certificates Update, it will overwrite your registry changes.

I’ve created three .reg files you can download, and open to automatically update the correct registry keys:

Disable.reg (view) – this disables Automatic Root Certificates Update.
Enable.reg (view) – this disables Automatic Root Certificates Update.
Remove.reg (view) – this removes the registry entry effectively enabling Automatic Root Certificates Update.

Note: You will most likely receive security warnings downloading and opening these files. If you want to be safe, open the files in a text editor and double check the contents.

If you would rather directly edit your registry, do the following:

Start regedit by clicking the Start menu, entering “regedit” in the search field, and pressing <enter>.
Expand HKEY_LOCAL_MACHINE/Software/Policies/Microsoft/SystemCertificates/AuthRoot
Right-click on AuthRoot and select New -> DWORD (32-bit) Value
Enter name: DisableRootAutoUpdate
Double-click on DisableRootAutoUpdate
Set the Value data to 1, click OK, and close regedit.

Deleting DisableRootAutoUpdate or setting it to 0, re-enables downloading new CAs from Microsoft.

Hotel Rice Cooking

Growing up in an Japanese household, I love my sticky white rice. Many times, going on a trip means leaving sticky white rice behind, but I received a Tupperware Microwave Rice Cooker. I was skeptical at first, but after experimenting with it on a long business trip, I can make passable rice in the microwave.

The hotel I was staying in had a 1200W Microwave. For this microwave, I found 1 cup of rice, 1.5 cups of water, and 15 minutes on 50% power seemed to be just about right. For smaller, less powerful microwaves, you’ll need to increase the cooking time or power level.

My initial try was 1 cup of rice, 2 cups of water, and 5 minutes at 100% power. There was still a lot of water sloshing around, so I poured some out and put it back in for 2 more minutes. The remaining water boiled over and ended up leaving my rice dry.

Yahoo News Digest and iPhone Battery Life

I love the Yahoo News Digest app for iPhone, but hate how it kills my battery life (as of app version 1.1, February 24, 2014). Turning off Background App Refresh seemed to help a little, but only made a marginal difference.

If you want to use the Yahoo News Digest app without draining your battery, you’ll have to manually force the app to close when you’re done using it. Just double-click the Home button, find the Yahoo News Digest app, and swipe up.

Configuring proXPN on iOS

Update: January 10, 2016

With recent changes to proXPN’s setup this guide no longer works. Currently, the proXPN free server is 196.52.21.65 on UDP ports 443, 80, and 8080. With the OpenVPN Connect iOS app, I can connect and authenticate with my free account; however, I cannot ping the route-gateway 192.168.125.1.

Original Post

I’ve been hearing about proXPN on Security Now! and figured I’d give their free (OpenVPN) offering a try. Their free offering limits you to a single VPN server and either 300 kb/s or 600 kb/s of bandwidth (different pages give different restrictions). A VPN is important for protecting unencrypted cookies and other data sent over a coffee shop, hotel network, or other unsecured network.

First of all if you’ve been receiving Transport Error: Transport error on 'd1.proxpn.com': NETWORK_RECV_ERROR errors when trying to import a MacOS or Windows proxpn.ovpn file, simply change your remote server to ios-d2.proxpn.com. As far as I can tell, proXPN has a specific server for iOS OpenVPN clients and their other server disconnects iOS devices resulting in an infinite connect/retry loop.

If you have no idea what I just said, don’t worry, I have two step by step guides. The first is basic; however, it requires you to install an additional app on your phone. The second is advanced and requires editing of config files.

Basic Setup

Get started by going to proXPN and create your account. If you decide to pay for a account, I recommend using offercode SN20 which supports the Security Now! podcast and gives you 20% off.

On your iPhone or iPad, install the OpenVPN Connect and proXPN VPN apps.

Launch the proXPN VPN app. Enter the email address and password you used when setting up your account with proXPN. Tap “Not now…” when offered to upgrade to Premium. Tap “VPN Setup ->” and then tap “Import OpenVPN Profile”.

Tap “Open in OpenVPN”.

Wait for OpenVPN Connect to open (this takes a few seconds). Tap the green plus to import the configuration.

Enter your username and password, move the ‘Save’ slider (if you don’t want to re-enter your password each time), and tap the slider under ‘Disconnected’.

Your traffic is now protected by a VPN. OpenVPN says ‘Connected’ and ‘VPN’ appears in the status bar next to the network signal strength. Tap the slider under ‘Connected’ to disconnect.

You can verify that your traffic is being sent through the VPN by opening your browser (Safari, Chrome, etc.) and going to www.whatismyip.com before and after connection to the VPN. whatismyip.com will report a different physical location and internet service provider (ISP).

Advanced Setup

Get started by going to proXPN and create your account. If you decide to pay for a account, I recommend using offercode SN20 which supports the Security Now! podcast and gives you 20% off.

On your iPhone, install the OpenVPN Connect app.

Download the Windows Installer or Mac Installer (the downloads start automatically when going to these pages). Install the proXPN desktop client. If you don’t wan to install the desktop client, I’ve heard it’s possible to extract the necessary config file from the source here; however, I haven’t tried this.

With the desktop clients, the config files can be found at:

(Windows) C:\Program Files (x86)\proXPN\config\
- ProXPN.ovpn
- ssl\ca.crt
- ssl\client.crt
- ssl\client.key
(MacOS after running proXPN) ~/Library/Application Support/proXPN/Configurations/
- proxpn.ovpn
- ssl/ca.crt
- ssl/client.crt
- ssl/client.key
(MacOS ‘Show Package Contents’) [proXPN Location]/proXPN.app/Contents/Resources/
- proxpn.ovpn
- ca.crt
- client.crt
- client.key

Open all of the config files in a text editor (I like Notepad++ for Windows and TextWrangerl for MacOS).

In the proxpn.ovpn file, make the following additions:

Add a line with remote ios-d2.proxpn.com 443. If you want to follow convention, add this after the prot tcp line.
Delete or comment out the ca ssl/ca.crt, cert ssl/client.crt, key ssl/client.key.
At the end of the file add:
```
<ca>
[ENTIRE CONTENTS OF ca.crt]
</ca>
```

At the end of the file add:

<cert>
[ENTIRE CONTENTS OF client.crt]
</cert>