Category Archives: Windows

Creating a UDF TrueCrypt Volume

I had an old hard drive I wanted to use as a secure, cross-platform file transfer device, so I thought of TrueCrypt and UDF. Unfortunately, TrueCrypt for Mac OS only supports formatting drives as Mac OS Extended, and TrueCrypt for Windows only supports NTFS and FAT32. I ended up using TrueCrypt for Mac OS and the Mac’s command line formatting utility.

  1. Log in as an Administrator
  2. Connect the drive you want to protect with TrueCrypt
  3. Open TrueCrypt and create a TrueCrypt Volume as normal, but select "None" when asked to choose a filesystem
  4. Wait for the encryption to complete
  5. In TrueCrypt, click "Select File…" or "Select Device…" to select your newly encrypted volume, then click "Mount"
  6. Enter the password and any other authentication credentials required for the Volume. Check "Do not mount" before clicking "OK"
  7. Back in the main TrueCrypt window, select the Volume and click "Volume Properties…"
  8. Record the Virtual Device value, in this case "/dev/disk3"
  9. Open a Terminal window
  10. Run sudo newfs_udf /dev/disk3 to format the TrueCrypt volume with the UDF filesystem. Use the Virtual Device from step 8, not the physical disk: formatting the physical disk would overwrite the TrueCrypt volume header and destroy the encrypted volume.
  11. From now on, the UDF filesystem will be mounted automatically when you mount the TrueCrypt volume on Windows or Mac OS

Bypassing Basic Download Filters

The other day, I was trying to update the driver for my EVGA GeForce GTX460 video card, but the download kept stopping at 180MB out of 271MB. After restarting the download a few times, I realized that my ISP or firewall was flagging something as malicious and interrupting the download. I figured I had 4 options:

  1. Download the driver on my server, and then download it to my PC using SFTP.
  2. Download it over a VPN. Being limited to 300kb/s bandwidth on the free ProXPN VPN didn’t seem like a good option either.
  3. Download it over public Wi-Fi. Just annoying.
  4. Download it over https.

Assuming it worked, I figured option 4 would be the easiest. The default download link took me to http://us.download.nvidia.com/Windows.... By changing the link to https://us.download.nvidia.com/Windows..., I received a certificate mismatch message, but the download worked when I overrode the warning. A closer look at the warning shows the https certificate is for the domain name a248.e.akamai.net. This seems safe to me, since Akamai is a CDN, so it makes sense that NVIDIA could be using Akamai to distribute their drivers. I would be more cautious if the certificate was not issued to a CDN or NVIDIA itself. Remember to check that the installer is signed by the appropriate company (NVIDIA in this case): once you override a name-mismatch warning, TLS no longer proves who served the file, so the installer’s own signature is the only remaining check on its origin.

I haven’t tried this on other downloads, but I think it should work on a fair percentage of them.
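What the browser’s mismatch dialog is actually reporting is that the hostname in the URL (us.download.nvidia.com) is not among the names in the certificate’s subjectAltName. The script below is an added example, not part of the original post: it reproduces that check offline with a throwaway self-signed certificate (constructed for the demo, not Akamai’s or NVIDIA’s real certificate) using openssl’s -checkhost, which applies the same RFC 6125 name-matching rules a browser does. Against a live server you would feed it the certificate from openssl s_client -connect host:443 -servername host instead. The filename check_cert.sh and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the "certificate mismatch" check
# offline. The certificate built here is a throwaway self-signed one constructed for the
# demo; it is NOT the real Akamai/NVIDIA certificate, only a cert whose names are CDN hosts.
set -eu

# Create a self-signed cert in directory $1 whose subjectAltName lists the CDN names only.
# (-addext needs OpenSSL 1.1.1 or later)
make_cdn_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/key.pem" -out "$1/cert.pem" \
        -subj "/CN=a248.e.akamai.net" \
        -addext "subjectAltName=DNS:a248.e.akamai.net,DNS:*.akamaihd.net" \
        >/dev/null 2>&1
}

# Print the names the certificate is valid for; this is what the browser compares
# against the URL's hostname (the CN is ignored once a subjectAltName is present).
cert_names() {
    openssl x509 -in "$1" -noout -ext subjectAltName
}

# Succeed only if the certificate in $1 is valid for hostname $2. openssl prints
# "Hostname X does match certificate" or "... does NOT match ..."; X509_check_host
# applies the RFC 6125 rules: exact match, or a *.example wildcard covering one label.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q ' does match '
}

# Walk through the hosts from the post against the constructed certificate.
demo() {
    dir=$(mktemp -d)
    make_cdn_cert "$dir"
    cert_names "$dir/cert.pem"
    for h in us.download.nvidia.com a248.e.akamai.net; do
        if cert_matches_host "$dir/cert.pem" "$h"; then
            echo "$h: OK, no mismatch warning expected"
        else
            echo "$h: MISMATCH, the browser will warn; rely on the installer's signature instead"
        fi
    done
    rm -rf "$dir"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as sh check_cert.sh demo. The NVIDIA hostname reports MISMATCH while the Akamai hostname (and anything one label under akamaihd.net, but not two labels) reports OK, which is exactly the situation the warning above described.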

Converting from Chrome to Firefox

I’ve been a long time Google Chrome user, but Chrome’s lack of certificate revocation checking persuaded me to switch to Firefox as my secure browser. I’ve relegated Chrome to being my media browser to take advantage of its built-in and automatically updated Flash player.

After a few days back on Firefox, I’m happy with the switch. Firefox’s certificate revocation checking seems to be faster than Chrome’s (completely subjective) and Firefox’s security is much easier to customize.

Transition Process

Add-Ons

Under Settings → Add-Ons, I added:

  • LastPass – works about the same, but seems to be slightly less stable
  • NoScript – more mature than ScriptSafe
  • CipherFox – provides ciphersuite information in a dropdown and allows easy enabling and disabling of RC4 based ciphersuites (check "Disable RC4 cipher" in the Extension preferences).

I also installed HTTPS Everywhere. It seems to be more mature and easier to manage than the Chrome version, with the exception of adding custom rules. Custom rules must be added to a folder in the filesystem and cannot be edited from within Firefox.

Plugins

Under Settings → Add-Ons → Plugins

I set all of my media plugins like Google Talk and Microsoft Silverlight to "Ask to Activate".

I set Java (it got installed when I was doing some Java development) to "Never Activate".

Preferences/Options

Under Advanced → Data Choices, I disabled Firefox Health Report and Crash Reporter, because these could inadvertently disclose sensitive information.

Under Advanced → Certificates, click the Validation button and check "When an OCSP server connection fails, treat the certificate as invalid".

Advanced Configuration

Type "about:config" into the address bar.

Disable SSLv3.0
security.tls.version.min = 1
Disable DSS based authentication
security.ssl3.dhe_dss_aes_128_sha = false
security.ssl3.dhe_dss_aes_256_sha = false
Disable Triple DES based ciphersuites
security.ssl3.dhe_rsa_des_ede3_sha = false
security.ssl3.ecdhe_rsa_des_ede3_sha = false
security.ssl3.rsa_des_ede3_sha = false
Minimize Session Data Storage
browser.sessionstore.restore_on_demand = false
browser.sessionstore.resume_from_crash = false

Summary

These configurations give you good control over what runs on each page through NoScript and Ask to Activate.

Most sites use RSA or ECDSA certificates and support AES. I generally find that sites that don’t support AES only support RC4, so disabling Triple DES doesn’t reduce compatibility. I use CipherFox to enable RC4 on an as-needed basis, because some sites that support AES prioritize RC4 (e.g. BarclayCard). Due to Dreamhost’s server configuration, this site only supports RC4.

At this point, I rarely encounter a site that does not support at least TLSv1.0, so I figure it’s time to disable SSLv3.0.

Configuring Chrome’s SSL/TLS

As of version 34.0.1847.116, Google Chrome defaults to the following ciphersuites:

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (orange)
  • TLS_ECDHE_RSA_WITH_RC4_128_SHA (orange)
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA (red)
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA (orange)
  • TLS_RSA_WITH_RC4_128_SHA (orange)
  • TLS_RSA_WITH_RC4_128_MD5 (red)

Overall I think the list is pretty good. I’d rather not use the ciphersuites marked (red), because of the MD5 message authentication and the DSS site authentication. I also think it is very unlikely that disabling these will prevent you from accessing any common sites. The more security conscious users will probably want to disable the ciphersuites marked (orange) as well, because RC4 and 3DES are both weaker than AES. As you make changes, the SSL Labs Client Test is an easy way to see which ciphersuites are enabled. It also gives you the hex code for each ciphersuite, which is what you use to disable them.

Unfortunately, Google Chrome doesn’t have a nice interface for configuring ciphersuites like Firefox and Opera, so you need to use command line switches to selectively disable ciphersuites. I have instructions for using command line switches on Windows and Mac OS.

To disable the red ciphersuites, add the following switch:

--cipher-suite-blacklist=0x0004,0x0032

To disable the red and orange ciphersuites, add the following switch:

--cipher-suite-blacklist=0x0004,0x0032,0x0005,0x000a,0xc011,0xc007

If you’re concerned about the NSA, the following disables all ciphersuites without perfect forward secrecy (every TLS_RSA_WITH_ suite, where the session key is encrypted to the server’s long-term RSA key), together with the DSS suite from the red list:

--cipher-suite-blacklist=0x0004,0x0005,0x000a,0x0035,0x002f,0x009c,0x0032

I also recommend disabling SSLv3.0 with the following switch:

--ssl-version-min=tls1
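Copying hex codes by hand is easy to get wrong, so here is a script, added as an example and not from the original post, that derives the three blacklists above from the suite names instead. The table embeds the Chrome 34 default list from the post, minus the two ChaCha20 suites (none of the blacklists include them), with code points taken from the IANA TLS Cipher Suite registry; the policy names red, orange and nopfs are my own labels for the three switches above. The Mac OS launcher uses open with --args, which the post’s Mac instructions rely on.

```shell
#!/bin/sh
# Added example, not from the original post: build Chrome's --cipher-suite-blacklist
# from suite names instead of hand-copying hex codes. The table is the Chrome 34 default
# list from the post with code points from the IANA TLS Cipher Suite registry; the two
# ChaCha20 suites are left out because none of the post's blacklists touch them.
set -eu

SUITES='
0xc02b TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
0xc02f TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
0x009e TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
0xc00a TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
0xc009 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
0xc013 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
0xc014 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
0xc007 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
0xc011 TLS_ECDHE_RSA_WITH_RC4_128_SHA
0x0033 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
0x0032 TLS_DHE_DSS_WITH_AES_128_CBC_SHA
0x0039 TLS_DHE_RSA_WITH_AES_256_CBC_SHA
0x009c TLS_RSA_WITH_AES_128_GCM_SHA256
0x002f TLS_RSA_WITH_AES_128_CBC_SHA
0x0035 TLS_RSA_WITH_AES_256_CBC_SHA
0x000a TLS_RSA_WITH_3DES_EDE_CBC_SHA
0x0005 TLS_RSA_WITH_RC4_128_SHA
0x0004 TLS_RSA_WITH_RC4_128_MD5
'

# Print the code points of every suite whose name matches the extended regex $1,
# in table (Chrome preference) order.
suite_codes() {
    printf '%s\n' "$SUITES" | awk -v re="$1" '$2 ~ re { print $1 }'
}

# Build the switch for one of the post's three policies:
#   red    - MD5 message authentication or DSS site authentication
#   orange - the red set plus every RC4 and 3DES suite
#   nopfs  - the red set plus every static-RSA key exchange suite (no forward secrecy)
blacklist_switch() {
    case "$1" in
        red)    re='_MD5$|_DSS_' ;;
        orange) re='_MD5$|_DSS_|_RC4_|_3DES_' ;;
        nopfs)  re='_MD5$|_DSS_|^TLS_RSA_WITH_' ;;
        *)      echo "unknown policy: $1 (use red, orange or nopfs)" >&2; return 1 ;;
    esac
    printf '%s%s\n' '--cipher-suite-blacklist=' "$(suite_codes "$re" | paste -s -d , -)"
}

# Mac OS: launch Chrome with the chosen policy and SSLv3 disabled. Quit Chrome first;
# switches passed to an already running instance are ignored. On Windows, paste the
# same two switches at the end of the shortcut's Target field instead.
launch_chrome_macos() {
    open -n -a "Google Chrome" --args "$(blacklist_switch "$1")" --ssl-version-min=tls1
}

if [ "${1:-}" = "launch" ]; then launch_chrome_macos "${2:-orange}"; fi
```

blacklist_switch red yields 0x0032,0x0004 and blacklist_switch orange adds 0xc007, 0xc011, 0x000a and 0x0005, the same codes as the two switches above; if you paste a newer suite list from the SSL Labs client test into the table, the regexes pick up any new RC4, 3DES or static-RSA suites without further editing.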

Chrome for Windows CLI Options

If you thought there were a lot of options in chrome://flags, there are a ton of options available as command line switches. See http://peter.sh/experiments/chromium-command-line-switches/ for a list of the available switches.

If you’re using Google Chrome on Windows, it is pretty easy to launch Chrome with these command line options. This assumes you are launching Chrome from your Start menu, an icon pinned to your taskbar, or a shortcut you created somewhere else. Note: you must do this for each shortcut you use to launch Chrome, because the switches are stored in the shortcut, not in Chrome.


  1. (taskbar only) Right-click on the Chrome icon
  2. Right-click on your shortcut, in this case "Google Chrome"
  3. Click on "Properties"
  4. In the "Target" field, move the cursor all the way to the right (past chrome.exe and its closing quotation mark) and add the switches you want to use, separated by spaces.

    For example, adding --ssl-version-min=tls1 disables SSLv3.0.