Category Archives: Encryption

My Heartbleed Recommendations

There are plenty of good resources (and a lot of not so good resources) with information and recommendations regarding the Heartbleed Bug, CVE-2014-0160. My top resource:

If you use LastPass to store your passwords, you can use the LastPass Security Challenge to have LastPass check all of your stored passwords.

LastPass’ checker provides a nice Assessment that tells you whether to chance you password now or to wait.

Once you’ve determined which sites need to update your password, make sure you do the following:

Change your password
Because Session Cookies may have been compromised – Sign out all sessions. Some examples:
- In Gmail, scroll to the bottom of you mail window, click ‘details’ in the bottom right, and click the ‘Sign out all other sessions’ button
- In Facebook click the downward pointing triangle, click ‘Settings’, click ‘Security’ in the left sidebar, click ‘Where You’re Logged In’, and click ‘End All Activity’
Remember to change your app specific passwords. While these usually have restricted access to your accounts, these passwords would have been vulnerable to compromise too. Some examples:
- For Google, go to Account Security Settings, click ‘App Password Settings’, revoke all of your existing App Specific passwords, create new application-specific passwords.
- For Yahoo!, go to your account settings, click ‘Manage your app passwords’, click ‘Remove All’, and regenerate passwords.

Edit 4/16/14: Removed references to the CNET affected sites list, because it seems to contain false positives. Added a link to The Register’s technical explanation of the bug.

Secure DreamHost Mail Settings

Even though the settings aren’t listed on http://wiki.dreamhost.com/POP3_Accounts, DreamHost supports secure POP3, IMAP, SNMP, and webmail access.

Server: mail.dreamhost.com – use this, because the mailserver’s certificate is issued for this domain name. This works even though DreamHost says to use mail.<yourdomain.com>
POP3 using SSL/TLS: Port 993
IMAP using SSL/TLS: Port 995
SMTP using STARTTLS: Port 587 or 25
Webmail: https://webmail.dreamhost.com – Make sure you enter “https:”, because DreamHost does not automatically upgrade a http connection to https.
Username: <username>@<yourdomain.com>

If you want to use STARTTLS for POP3 or IMAP, use the following ports:

POP3: Port 110
IMAP: Port 143

I recommend using SSL/TLS when possible. Since a STARTTLS session begins as plaintext, because it just adds one (admittedly minor) point of attack. You have to perform a SSL/TLS handshake anyway, why expose yourself to the risk of a STARTTLS upgrade failure too?

Configuring proXPN on iOS

Update: January 10, 2016

With recent changes to proXPN’s setup this guide no longer works. Currently, the proXPN free server is 196.52.21.65 on UDP ports 443, 80, and 8080. With the OpenVPN Connect iOS app, I can connect and authenticate with my free account; however, I cannot ping the route-gateway 192.168.125.1.

Original Post

I’ve been hearing about proXPN on Security Now! and figured I’d give their free (OpenVPN) offering a try. Their free offering limits you to a single VPN server and either 300 kb/s or 600 kb/s of bandwidth (different pages give different restrictions). A VPN is important for protecting unencrypted cookies and other data sent over a coffee shop, hotel network, or other unsecured network.

First of all if you’ve been receiving Transport Error: Transport error on 'd1.proxpn.com': NETWORK_RECV_ERROR errors when trying to import a MacOS or Windows proxpn.ovpn file, simply change your remote server to ios-d2.proxpn.com. As far as I can tell, proXPN has a specific server for iOS OpenVPN clients and their other server disconnects iOS devices resulting in an infinite connect/retry loop.

If you have no idea what I just said, don’t worry, I have two step by step guides. The first is basic; however, it requires you to install an additional app on your phone. The second is advanced and requires editing of config files.

Basic Setup

Get started by going to proXPN and create your account. If you decide to pay for a account, I recommend using offercode SN20 which supports the Security Now! podcast and gives you 20% off.

On your iPhone or iPad, install the OpenVPN Connect and proXPN VPN apps.

Launch the proXPN VPN app. Enter the email address and password you used when setting up your account with proXPN. Tap “Not now…” when offered to upgrade to Premium. Tap “VPN Setup ->” and then tap “Import OpenVPN Profile”.

Tap “Open in OpenVPN”.

Wait for OpenVPN Connect to open (this takes a few seconds). Tap the green plus to import the configuration.

Enter your username and password, move the ‘Save’ slider (if you don’t want to re-enter your password each time), and tap the slider under ‘Disconnected’.

Your traffic is now protected by a VPN. OpenVPN says ‘Connected’ and ‘VPN’ appears in the status bar next to the network signal strength. Tap the slider under ‘Connected’ to disconnect.

You can verify that your traffic is being sent through the VPN by opening your browser (Safari, Chrome, etc.) and going to www.whatismyip.com before and after connection to the VPN. whatismyip.com will report a different physical location and internet service provider (ISP).

Advanced Setup

Get started by going to proXPN and create your account. If you decide to pay for a account, I recommend using offercode SN20 which supports the Security Now! podcast and gives you 20% off.

On your iPhone, install the OpenVPN Connect app.

Download the Windows Installer or Mac Installer (the downloads start automatically when going to these pages). Install the proXPN desktop client. If you don’t wan to install the desktop client, I’ve heard it’s possible to extract the necessary config file from the source here; however, I haven’t tried this.

With the desktop clients, the config files can be found at:

(Windows) C:\Program Files (x86)\proXPN\config\
- ProXPN.ovpn
- ssl\ca.crt
- ssl\client.crt
- ssl\client.key
(MacOS after running proXPN) ~/Library/Application Support/proXPN/Configurations/
- proxpn.ovpn
- ssl/ca.crt
- ssl/client.crt
- ssl/client.key
(MacOS ‘Show Package Contents’) [proXPN Location]/proXPN.app/Contents/Resources/
- proxpn.ovpn
- ca.crt
- client.crt
- client.key

Open all of the config files in a text editor (I like Notepad++ for Windows and TextWrangerl for MacOS).

In the proxpn.ovpn file, make the following additions:

Add a line with remote ios-d2.proxpn.com 443. If you want to follow convention, add this after the prot tcp line.
Delete or comment out the ca ssl/ca.crt, cert ssl/client.crt, key ssl/client.key.
At the end of the file add:
```
<ca>
[ENTIRE CONTENTS OF ca.crt]
</ca>
```

At the end of the file add:

<cert>
[ENTIRE CONTENTS OF client.crt]
</cert>

At the end of the file add:

<key>
[ENTIRE CONTENTS OF client.key]
</key>

Load the proxpn.ovpn file on your iOS device and open it in the OpenVPN Connect app. You can load the file through iTunes and sending it directly to the app or transfer it using another means (e.g. email, DropBox). Open the OpenVPN Connect app, tap the green plus to import the profile, enter your credentials, and tap the slider below ‘Disconnect’. Your VPN is now configured and active.

Eliminating Mixed Content Warnings with Amazon Associates

Once I enabled SSL for tidgubi.com for free, I realized that most Amazon.com content is plain HTTP, so it was causing Google Chrome to give me mixed content (encrypted page with some unencrypted elements) warning messages:

Two as I dug into the HTML, I found that the Amazon Banner Ads, Widgets, and Payments Button were the cause of the mixed content warnings.

Banner Ads and Widgets

All of the Amazon Associates banner ads and widgets can be loaded over HTTPS; however, the banners any widget that displays product images load these images over HTTP. I couldn’t figure out a way to force the widget/javascript based ads to use HTTPS for images, but I was able to find a little trick to get the iframe based ads to use HTTPS. To do this, simply add &internal=1 to the end of the URL in the iframe’s src attribute and removed http: from the beginning of the URL. Removing http: tells the browser to use the same type of connection that was used to load the page, so these links automatically switch between HTTP and HTTPS. For example my "Kindle Banner" is <iframe src="//rcm-na.amazon-adsystem.com/e/cm?t=tidgubi-20&o=1&p=48&l=ur1&category=kindlerotating&f=ifr&internal=1" width="728" height="90" scrolling="no" border="0" marginwidth="0" style="border:none;" frameborder="0">

Warning: "internal=1" is used in Amazon’s example banners, so while it doesn’t strip associate IDs from links, it might cause these clicks not to count.

Donate/Pay Button

There are two easy fixes for the Donate/Pay button image.

The first option is to download the image and host it on from your webserver. For me the donate image is now at www.tidgubi.com/wp-content/themes/tidgubi/img/golden_small_donate_withmsg_whitebg.gif.

The second option is to link to Amazon’s SSL image server. To do this, just replace http://g-ecx.images-amazon.com with https://images-na.ssl-images-amazon.com. Since Amazon uses a different domain name for HTTP and HTTPS, there aren’t any tricks with HTML to switch how the image is loaded. If you always use HTTPS, it will make the page marginally slower since it needs to establish an HTTPS connection to ssl-images-amazon.com each time. If a page dynamically generates this HTML, you can dynamically pick the imager server based on the protocol used to load the main webpage.

Free SSL on Dreamhost

Dreamhost supports SNI to enable SSH/TLS on their shared hosting offerings. While I wanted to enable SSL/TLS on my site, I thought I would have to buy a certificate from one of the major Root Certificate Authorities. I was happily surprised when I found StartSSL.com which offers free SSL Certificates. StartSSL.com is a trusted root CA on MacOS, Windows, and Mozilla; so compatibility is not a major concern. StartSSL.com is located in Israel, so I feel more comfortable with this free offering than say a Russian company.

Generating a CSR

The first step is to generate a Certificate Signing Request (CSR). You need a computer with OpenSSL to follow these steps. All files below should be located in the same folder and all commands should be run from within this folder.

DigiCert has a very nice CSR Creation Tool. Fill in the required fields, click ‘Generate’, and copy the generated command. StartSSL only supports RSA keys.
(optional) Gather additional entropy.
1. Go to a number of entropy providing sites or password generating sites. Copy the output into text files in the folder you will be generating your CSR in. The exact format of the text isn’t important, as OpenSSL will just add the data to the entropy pool. For the examples later, I’ll assume you’ve named your file(s) entropy1.txt, entropy2.txt, etc./li>
2. Some sites to gather entropy from are:
  - Steve Gibson’s Ultra High Entropy PRNG
  - PC Tools by Symantec Secure Passord Generator, or use this link to generate a password with all options enabled (except avoiding similar characters).
  - Random.org Password Generator
3. Add -rand entropy1.txt:entropy2.txt:entropy3.txt to the command from Step 1.
(optional) Use a stronger hash algorithm
1. If you’re using RSA add -sha256 to the command from Step 1. You can use -sha512; however, sha512 is not commonly used with certificates and might not be supported by all servers and clients. sha256 might not be supported by older clients. Currently OpenSSL only supports SHA-1 with DSA and ECDSA certificates.
Run the command from Step 1 with any optional adjustments, for example:
- openssl req -new -newkey rsa:2048 -nodes -out www_tidgubi_com.csr -keyout www_tidgubi_com.key -sha256 -rand entropy1.txt:entropy2.txt -subj "/C=US/ST=California/L=San Luis Obispo/O=Kenji Yoshino/CN=www.tidgubi.com"
The .key and .csr files will be used later.

Get your CSR Signed

Begin by registering with StartSSL.com. Make sure you do this from a private computer, because StartSSL.com will generate an identification certificate and install it in your browser. This certificate will be used to identify you on subsequent visits to StartSSL.com.

Click ‘Validations Wizard’
Select ‘Domain Name Validation’
Enter your domain without any prefixes (e.g. www)
You will need to specify an email address associated with your domain to verify domain ownership. Another verification code will be sent to this email address.
Enter the verification code in StartSSL.
Click ‘Certificates Wizard’
Select ‘Web Server SSL/TLS Certificate’
Skip having StartSSL generate a CSR for you.
Copy and paste the entire CSR including the “—–BEGIN CERTIFICATE REQUEST—–” and “—–END CERTIFICATE REQUEST—–“
Select your domain and click ‘Next’
Add the “www” subdomain (Startssl requires you to add one) and click ‘Continue’
Copy the entire certificate text including the “—–BEGIN CERTIFICATE—–” and “—–END CERTIFICATE—–“. Save the text to a .crt file.
Download the intermediate CA file and optionally the root CA file.
If you downloaded the root CA, combine the two files by running cat sub.class1.server.ca.pem ca.pem > chain.pem. The root CA provides browsers with the full certificate chain. Most browsers do not need the root CA to be included to trust the intermediate CA, so it is up to you if you want to include the root CA.

Configure SSL on Dreamhost

Login ot your panel at panel.dreamhost.com
Click ‘Manage Domains’
Click ‘Add’ or ‘Certificates’ in the Secure Hosting column. If adding, leave unique IP as none and click ‘Add Now’, and then ‘Edit’.
Select ‘Manual Configuration’
- Delete or replace the CSR text (it is just informational)
- Copy the text from your certificate including “—–BEGIN CERTIFICATE REQUEST—–” and “—–END CERTIFICATE REQUEST—–“
- Copy our your private key including “—–BEGIN RSA PRIVATE KEY—–” and “—–END RSA PRIVATE KEY—–“
- Copy the certificate chain, either the intermediate CA certificate or the intermediate and root CA certificate concatenated together.
- Click ‘Save Changes Now!’
It too about 4 minutes for changes on tidgubi.com to take effect.

Now your Dreamhost site allows SSL. Dreamhost only uses the TLS_RSA_WITH_RC4_128_SHA cipher suite with TLSv1.0 or SSLv3.0, so while it doesn’t provide great security, it’s better than nothing. I’m now tunneling my administrative traffic through TLS and SSH. From Securing Administration of Shared Hosting, I just changed 80:www.tidgubi.com:80 to 443:www.tidgubi.com:443 to specify the HTTPS port (443) instead of the standard HTTP port (80).