Chrome for Mac CLI Options

If you thought there were a lot of options in chrome://flags, there are a ton of options available as command line switches. See http://peter.sh/experiments/chromium-command-line-switches/ for a list of the available switches.

If you’re using Google Chrome on MacOS X, it is pretty easy to launch Chrome with these command line options. Unfortunately MacOS doesn’t make this as seamless as it should be. I looked at a few different proposed methods, and using Automator seemed like the best combination of ease, stability, and MacOSness.

  1. Launch Automator from /Applications
  2. Click ‘New Document’ in the bottom right of the ‘Open’ dialog.
  3. Select ‘Application’ and click ‘Choose’
  4. Select ‘Utilities’ from the left column
  5. Drag ‘Run Shell Script’ from the next column to the workflow area
  6. Replace cat with
    args='--args --ssl-version-min=tls1' #single place to update command line switches
                                         #--args is a switch to 'open', not Chrome
                                         #--ssl-version-min=tls1 disables SSLv3.0
    if [[ -r "$1" ]]; then # check if a readable file or directory was passed as input
       open -a "Google Chrome" "$1" $args #open Chrome and pass it a file or directory
    else
       open -a "Google Chrome" $args #open Chrome normally
    fi
  7. Change the ‘Pass Input’ drop down to ‘as arguments’
  8. Save the workflow as an Application. I named mine ‘Launch Chrome’
  9. (optional) Change the icon
    1. Get Info for Google Chrome
    2. Click on the icon in the top left
    3. Select Copy from the Edit menu
    4. Get Info for ‘Launch Chrome’
    5. Click on the icon in the top left
    6. Select Paste from the Edit menu
  10. Opening Launch Chrome opens Google Chrome or brings it into focus. Dropping a file or directory on Launch Chrome opens the file or directory in Chrome.


Chrome for Windows CLI Options

If you thought there were a lot of options in chrome://flags, there are a ton of options available as command line switches. See http://peter.sh/experiments/chromium-command-line-switches/ for a list of the available switches.

If you’re using Google Chrome on Windows, it is pretty easy to launch Chrome with these command line options. This assumes you are launching Chrome from your start menu, an icon pinned to your taskbar, or a shortcut you created somewhere else. Note: You must do this for each shortcut you use to launch Chrome.

  1. (taskbar only) Right-click on the Chrome icon
  2. Right-click on your shortcut, in this case "Google Chrome"
  3. Click on "Properties"
  4. In the "Target" field, move the cursor all the way to the right (past chrome.exe) and add the switches you want to use.

    For example, adding --ssl-version-min=tls1 disables SSLv3.0.

My Heartbleed Recommendations

There are plenty of good resources (and a lot of not so good resources) with information and recommendations regarding the Heartbleed Bug, CVE-2014-0160. My top resource:

If you use LastPass to store your passwords, you can use the LastPass Security Challenge to have LastPass check all of your stored passwords.

LastPass’ checker provides a nice Assessment that tells you whether to change your password now or to wait.

Once you’ve determined which sites require a password change, make sure you do the following:

  • Change your password
  • Sign out of all sessions, because session cookies may have been compromised. Some examples:
    • In Gmail, scroll to the bottom of your mail window, click ‘details’ in the bottom right, and click the ‘Sign out all other sessions’ button
    • In Facebook click the downward pointing triangle, click ‘Settings’, click ‘Security’ in the left sidebar, click ‘Where You’re Logged In’, and click ‘End All Activity’
  • Remember to change your app specific passwords. While these usually have restricted access to your accounts, these passwords would have been vulnerable to compromise too. Some examples:
    • For Google, go to Account Security Settings, click ‘App Password Settings’, revoke all of your existing app-specific passwords, and create new app-specific passwords.
    • For Yahoo!, go to your account settings, click ‘Manage your app passwords’, click ‘Remove All’, and regenerate passwords.

Edit 4/16/14: Removed references to the CNET affected sites list, because it seems to contain false positives. Added a link to The Register’s technical explanation of the bug.

Secure DreamHost Mail Settings

Even though the settings aren’t listed on http://wiki.dreamhost.com/POP3_Accounts, DreamHost supports secure POP3, IMAP, SMTP, and webmail access.

  • Server: mail.dreamhost.com – use this, because the mailserver’s certificate is issued for this domain name. This works even though DreamHost says to use mail.<yourdomain.com>
  • POP3 using SSL/TLS: Port 993
  • IMAP using SSL/TLS: Port 995
  • SMTP using STARTTLS: Port 587 or 25
  • Webmail: https://webmail.dreamhost.com – Make sure you enter “https:”, because DreamHost does not automatically upgrade an http connection to https.
  • Username: <username>@<yourdomain.com>

If you want to use STARTTLS for POP3 or IMAP, use the following ports:

  • POP3: Port 110
  • IMAP: Port 143

I recommend using SSL/TLS when possible, because a STARTTLS session begins as plaintext, which adds one (admittedly minor) point of attack. You have to perform an SSL/TLS handshake anyway, so why expose yourself to the risk of a STARTTLS upgrade failure too?
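
The STARTTLS upgrade failure mentioned above is easiest to see in the capability listing a server returns before the upgrade: if the upgrade keyword is missing, a client that continues anyway sends credentials in plaintext. The following is an added example, not part of the original post, of a fail-closed check for SMTP, IMAP and POP3. The function names and the sample server replies are constructed for illustration and are not DreamHost output.

```python
# Added example: fail-closed STARTTLS policy over captured capability replies.
# All server replies below are constructed samples, not DreamHost output.

SMTP_OFFERED = ["250-mail.example.test", "250-PIPELINING", "250-STARTTLS", "250 8BITMIME"]
SMTP_STRIPPED = ["250-mail.example.test", "250-PIPELINING", "250 8BITMIME"]
IMAP_OFFERED = ["* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED", "a1 OK done"]
POP3_OFFERED = ["+OK capability list follows", "USER", "STLS", "."]

# Command the client sends to begin the upgrade (POP3 names it STLS).
UPGRADE_VERB = {"smtp": "STARTTLS", "imap": "STARTTLS", "pop3": "STLS"}


class UpgradeNotOffered(Exception):
    """The server did not advertise a TLS upgrade on the plaintext port."""


def offers_starttls(protocol, reply_lines):
    """Return True if the capability listing advertises the TLS upgrade."""
    if protocol not in UPGRADE_VERB:
        raise ValueError("unknown protocol: %r" % protocol)
    for raw in reply_lines:
        line = raw.strip().upper()
        if protocol == "smtp":
            # EHLO reply: "250-KEYWORD" on continuation lines, "250 KEYWORD" on the last.
            if line[:3] == "250" and line[4:].split()[:1] == ["STARTTLS"]:
                return True
        elif protocol == "imap":
            # Untagged reply: "* CAPABILITY IMAP4rev1 STARTTLS ..."
            if line.startswith("* CAPABILITY") and "STARTTLS" in line.split():
                return True
        elif line == "STLS":
            # POP3 CAPA lists one capability per line.
            return True
    return False


def require_starttls(protocol, reply_lines):
    """Return the upgrade command to send, or raise instead of continuing in plaintext."""
    if not offers_starttls(protocol, reply_lines):
        raise UpgradeNotOffered(protocol + ": no TLS upgrade advertised, refusing to continue")
    return UPGRADE_VERB[protocol]


if __name__ == "__main__":
    print(require_starttls("smtp", SMTP_OFFERED))
    try:
        require_starttls("smtp", SMTP_STRIPPED)
    except UpgradeNotOffered as exc:
        print("aborted:", exc)
```

With implicit SSL/TLS on a dedicated port there is no such listing to check, because the handshake happens before any protocol data is exchanged.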