Category Archives: Web

Chrome for Windows CLI Options

If you thought there were a lot of options in chrome://flags, there are a ton more options available as command line switches. See http://peter.sh/experiments/chromium-command-line-switches/ for a list of the available switches.

If you’re using Google Chrome on Windows, it is pretty easy to launch Chrome with these command line options. This assumes you are launching Chrome from your start menu, an icon pinned to your taskbar, or a shortcut you created somewhere else. Note: You must do this for each shortcut you use to launch Chrome.


  1. (taskbar only) Right-click on the Chrome icon
  2. Right-click on your shortcut, in this case "Google Chrome"
  3. Click on "Properties"
  4. In the "Target" field, move the cursor all the way to the right (past chrome.exe) and add the switches you want to use.

    For example, adding --ssl-version-min=tls1 disables SSLv3.0.

My Heartbleed Recommendations

There are plenty of good resources (and a lot of not so good resources) with information and recommendations regarding the Heartbleed Bug, CVE-2014-0160. My top resource:

If you use LastPass to store your passwords, you can use the LastPass Security Challenge to have LastPass check all of your stored passwords.

LastPass’ checker provides a nice Assessment that tells you whether to change your password now or to wait.

Once you’ve determined which sites need a password update, make sure you do the following:

  • Change your password
  • Because Session Cookies may have been compromised – Sign out all sessions. Some examples:
    • In Gmail, scroll to the bottom of your mail window, click ‘details’ in the bottom right, and click the ‘Sign out all other sessions’ button
    • In Facebook click the downward pointing triangle, click ‘Settings’, click ‘Security’ in the left sidebar, click ‘Where You’re Logged In’, and click ‘End All Activity’
  • Remember to change your app specific passwords. While these usually have restricted access to your accounts, these passwords would have been vulnerable to compromise too. Some examples:
    • For Google, go to Account Security Settings, click ‘App Password Settings’, revoke all of your existing App Specific passwords, and create new application-specific passwords.
    • For Yahoo!, go to your account settings, click ‘Manage your app passwords’, click ‘Remove All’, and regenerate passwords.

Edit 4/16/14: Removed references to the CNET affected sites list, because it seems to contain false positives. Added a link to The Register’s technical explanation of the bug.

Secure DreamHost Mail Settings

Even though the settings aren’t listed on http://wiki.dreamhost.com/POP3_Accounts, DreamHost supports secure POP3, IMAP, SMTP, and webmail access.

  • Server: mail.dreamhost.com – use this, because the mailserver’s certificate is issued for this domain name. This works even though DreamHost says to use mail.<yourdomain.com>
  • POP3 using SSL/TLS: Port 993
  • IMAP using SSL/TLS: Port 995
  • SMTP using STARTTLS: Port 587 or 25
  • Webmail: https://webmail.dreamhost.com – Make sure you enter “https:”, because DreamHost does not automatically upgrade a http connection to https.
  • Username: <username>@<yourdomain.com>

If you want to use STARTTLS for POP3 or IMAP, use the following ports:

  • POP3: Port 110
  • IMAP: Port 143

I recommend using SSL/TLS when possible. A STARTTLS session begins as plaintext, so it just adds one (admittedly minor) point of attack. You have to perform an SSL/TLS handshake anyway, so why expose yourself to the risk of a STARTTLS upgrade failure too?
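The STARTTLS concern above, as an added example that is not from the original post or DreamHost: the capability list is read in plaintext before any TLS exists, so a client that requires encryption has to treat a missing upgrade keyword as a hard stop rather than continue to log in. The server responses and the name mail.example.com are constructed samples.

```python
# Added example: fail-closed decision after reading a plaintext capability list.

# Keyword each protocol uses to advertise its TLS upgrade command.
UPGRADE_KEYWORD = {"smtp": "STARTTLS", "imap": "STARTTLS", "pop3": "STLS"}


def advertised(protocol, response):
    """Return the set of capability keywords in a plaintext server response."""
    caps = set()
    for line in response.splitlines():
        words = line.split()
        if protocol == "smtp":      # EHLO reply lines: "250-STARTTLS", "250 SIZE"
            caps.update(w.upper() for w in line[4:].split()[:1])
        elif protocol == "imap":    # "* CAPABILITY IMAP4rev1 STARTTLS ..."
            if words[:2] == ["*", "CAPABILITY"]:
                caps.update(w.upper() for w in words[2:])
        elif protocol == "pop3":    # CAPA reply: one keyword per line after "+OK"
            if words and words[0] not in ("+OK", "."):
                caps.add(words[0].upper())
    return caps


def next_step(protocol, response):
    """'upgrade' if the TLS upgrade is offered, otherwise 'abort' (never log in)."""
    if UPGRADE_KEYWORD[protocol] in advertised(protocol, response):
        return "upgrade"
    return "abort"


# Constructed sample responses (not captured from any real server).
SMTP_OFFERED = "250-mail.example.com\n250-PIPELINING\n250-STARTTLS\n250 8BITMIME"
SMTP_MISSING = "250-mail.example.com\n250-PIPELINING\n250 8BITMIME"
IMAP_OFFERED = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED\nA1 OK done"
POP3_OFFERED = "+OK Capability list follows\nTOP\nUSER\nSTLS\n."

if __name__ == "__main__":
    for proto, resp in [("smtp", SMTP_OFFERED), ("smtp", SMTP_MISSING),
                        ("imap", IMAP_OFFERED), ("pop3", POP3_OFFERED)]:
        print(proto, next_step(proto, resp))
```

With implicit SSL/TLS there is no such plaintext stage to evaluate, because the handshake happens before any protocol data is exchanged.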

Selective Amazon Product Preview Popups

As an Amazon Associate, I appreciate being able to easily incorporate popups; however, the Product Preview javascript turns every single Amazon link into a popup. There is a very simple way to let some links have popups while disabling popups on others.

The standard link to

<a href="http://www.amazon.com/dp/B003L1ZYYM/?tag=tidgubi-20">AmazonBasics HDMI Cable (6.5 Feet/2.0 Meters)</a>

renders as follows: AmazonBasics HDMI Cable (6.5 Feet/2.0 Meters) (hover to see the popup)

It appears that the Amazon code parses links for "http://www.amazon.com", so updating the link with "https" to

<a href="https://www.amazon.com/dp/B003L1ZYYM/?tag=tidgubi-20">AmazonBasics HDMI Cable (6.5 Feet/2.0 Meters)</a>

renders without a popup as follows: AmazonBasics HDMI Cable (6.5 Feet/2.0 Meters)
The link works fine, because Amazon automatically redirects from https to http.

Configuring proXPN on iOS

Update: January 10, 2016

With recent changes to proXPN’s setup this guide no longer works. Currently, the proXPN free server is 196.52.21.65 on UDP ports 443, 80, and 8080. With the OpenVPN Connect iOS app, I can connect and authenticate with my free account; however, I cannot ping the route-gateway 192.168.125.1.

Original Post

I’ve been hearing about proXPN on Security Now! and figured I’d give their free (OpenVPN) offering a try. Their free offering limits you to a single VPN server and either 300 kb/s or 600 kb/s of bandwidth (different pages give different restrictions). A VPN is important for protecting unencrypted cookies and other data sent over a coffee shop, hotel network, or other unsecured network.

First of all if you’ve been receiving Transport Error: Transport error on 'd1.proxpn.com': NETWORK_RECV_ERROR errors when trying to import a MacOS or Windows proxpn.ovpn file, simply change your remote server to ios-d2.proxpn.com. As far as I can tell, proXPN has a specific server for iOS OpenVPN clients and their other server disconnects iOS devices resulting in an infinite connect/retry loop.

If you have no idea what I just said, don’t worry, I have two step by step guides. The first is basic; however, it requires you to install an additional app on your phone. The second is advanced and requires editing of config files.

Basic Setup

Get started by going to proXPN and creating your account. If you decide to pay for an account, I recommend using offercode SN20 which supports the Security Now! podcast and gives you 20% off.

On your iPhone or iPad, install the OpenVPN Connect and proXPN VPN apps.

Launch the proXPN VPN app. Enter the email address and password you used when setting up your account with proXPN. Tap “Not now…” when offered to upgrade to Premium. Tap “VPN Setup ->” and then tap “Import OpenVPN Profile”.

Tap “Open in OpenVPN”.

Wait for OpenVPN Connect to open (this takes a few seconds). Tap the green plus to import the configuration.

Enter your username and password, move the ‘Save’ slider (if you don’t want to re-enter your password each time), and tap the slider under ‘Disconnected’.

Your traffic is now protected by a VPN. OpenVPN says ‘Connected’ and ‘VPN’ appears in the status bar next to the network signal strength. Tap the slider under ‘Connected’ to disconnect.

You can verify that your traffic is being sent through the VPN by opening your browser (Safari, Chrome, etc.) and going to www.whatismyip.com before and after connecting to the VPN. whatismyip.com will report a different physical location and internet service provider (ISP).

Advanced Setup

Get started by going to proXPN and creating your account. If you decide to pay for an account, I recommend using offercode SN20 which supports the Security Now! podcast and gives you 20% off.

On your iPhone, install the OpenVPN Connect app.

Download the Windows Installer or Mac Installer (the downloads start automatically when going to these pages). Install the proXPN desktop client. If you don’t want to install the desktop client, I’ve heard it’s possible to extract the necessary config file from the source here; however, I haven’t tried this.

With the desktop clients, the config files can be found at:

  • (Windows) C:\Program Files (x86)\proXPN\config\
    • ProXPN.ovpn
    • ssl\ca.crt
    • ssl\client.crt
    • ssl\client.key
  • (MacOS after running proXPN) ~/Library/Application Support/proXPN/Configurations/
    • proxpn.ovpn
    • ssl/ca.crt
    • ssl/client.crt
    • ssl/client.key
  • (MacOS ‘Show Package Contents’) [proXPN Location]/proXPN.app/Contents/Resources/
    • proxpn.ovpn
    • ca.crt
    • client.crt
    • client.key

Open all of the config files in a text editor (I like Notepad++ for Windows and TextWrangler for MacOS).

In the proxpn.ovpn file, make the following additions:

  • Add a line with remote ios-d2.proxpn.com 443. If you want to follow convention, add this after the proto tcp line.
  • Delete or comment out the ca ssl/ca.crt, cert ssl/client.crt, and key ssl/client.key lines.
  • At the end of the file add:
    <ca>
    [ENTIRE CONTENTS OF ca.crt]
    </ca>
  • At the end of the file add:
    <cert>
    [ENTIRE CONTENTS OF client.crt]
    </cert>
  • At the end of the file add:
    <key>
    [ENTIRE CONTENTS OF client.key]
    </key>

Load the proxpn.ovpn file onto your iOS device and open it in the OpenVPN Connect app. You can load the file through iTunes by sending it directly to the app, or transfer it using another means (e.g. email, Dropbox). Open the OpenVPN Connect app, tap the green plus to import the profile, enter your credentials, and tap the slider below ‘Disconnected’. Your VPN is now configured and active.
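The profile edits listed above can also be scripted. The following is an added example, not code from the original post or from proXPN; the function name, the sample profile and the placeholder PEM text are constructed, and commenting out the existing remote line is an assumption of this example.

```python
# Added example, not proXPN's or the post's own code.
# The returned text embeds client.key, so treat the output file as a secret.

REMOTE = "ios-d2.proxpn.com 443"     # iOS server named in the post
INLINE_TAGS = ("ca", "cert", "key")  # file directives replaced by inline blocks


def build_ios_profile(ovpn_text, contents, remote=REMOTE):
    """Apply the listed edits; contents maps 'ca'/'cert'/'key' to file text."""
    out, remote_added = [], False
    for line in ovpn_text.splitlines():
        words = line.split()
        directive = words[0] if words else ""
        if directive in INLINE_TAGS or directive == "remote":
            # Comment out the external file references. Commenting out the old
            # remote line as well is an assumption of this example.
            out.append("# " + line)
            continue
        out.append(line)
        if directive == "proto" and not remote_added:
            out.append("remote " + remote)  # convention: after the proto line
            remote_added = True
    if not remote_added:
        out.append("remote " + remote)
    for tag in INLINE_TAGS:
        body = contents[tag].strip()
        if "-----BEGIN " not in body:  # catches a path passed instead of contents
            raise ValueError("contents for <%s> is not PEM text" % tag)
        out += ["<%s>" % tag, body, "</%s>" % tag]
    return "\n".join(out) + "\n"


# Constructed sample input: a minimal desktop profile and placeholder PEM text.
SAMPLE_OVPN = """client
dev tun
proto tcp
remote d1.proxpn.com 443
ca ssl/ca.crt
cert ssl/client.crt
key ssl/client.key
"""
SAMPLE_PEM = {
    "ca": "-----BEGIN CERTIFICATE-----\n(constructed CA)\n-----END CERTIFICATE-----\n",
    "cert": "-----BEGIN CERTIFICATE-----\n(constructed cert)\n-----END CERTIFICATE-----\n",
    "key": "-----BEGIN PRIVATE KEY-----\n(constructed key)\n-----END PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    print(build_ios_profile(SAMPLE_OVPN, SAMPLE_PEM), end="")
```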