Tag Archives: chrome

Chrome Update Web Forgery

In viewing one of those "…you won’t believe what happens next…" sites, I ran across a pretty well formed fraudulent website attempting to get me to install malware/spyware. I’m used to most of these attempts sounding very alarmist as they try to get me to download and install something.

[Screenshot: Chrome-Forgery, the fraudulent "update" page]

Other than the Chrome logo and the URL, this is a well-formatted and convincing page. It's even accurate: I was using Chrome 35 on Windows.

Looking at the source:

[Screenshot: Chrome-Fogery-DL, the page source showing the download link]

The "Accept and Install" button would have downloaded "Chrome_Setup.exe". Unfortunately I don't have a system I want to risk installing this on to see what it actually is.

Converting from Chrome to Firefox

I've been a long-time Google Chrome user, but Chrome's lack of certificate revocation checking persuaded me to switch to Firefox as my secure browser. I've relegated Chrome to being my media browser to take advantage of its built-in and automatically updated Flash player.

After a few days back on Firefox, I’m happy with the switch. Firefox’s certificate revocation checking seems to be faster than Chrome’s (completely subjective) and Firefox’s security is much easier to customize.

Transition Process

Add-Ons

Under Settings → Add-Ons, I added:

  • LastPass – works about the same, but seems to be slightly less stable
  • NoScript – more mature than ScriptSafe
  • CipherFox – provides ciphersuite information in a dropdown and allows easy enabling and disabling of RC4 based ciphersuites (check "Disable RC4 cipher" in the Extension preferences).

I also installed HTTPS Everywhere. It seems to be more mature and easier to manage than the Chrome version, with the exception of adding custom rules. Custom rules must be added to a folder in the filesystem and cannot be edited from within Firefox.

Plugins

Under Settings → Add-Ons → Plugins:

I set all of my media plugins like Google Talk and Microsoft Silverlight to "Ask to Activate".

I set Java (it got installed when I was doing some Java development) to "Never Activate".

Preferences/Options

Under Advanced → Data Choices, I disabled Firefox Health Report and Crash Reporter, because these could inadvertently disclose sensitive information.

Under Advanced → Certificates, click the Validation button and check "When an OCSP server connection fails, treat the certificate as invalid".

Advanced Configuration

Type "about:config" into the address bar.

Disable SSLv3.0
security.tls.version.min = 1
Disable DSS based authentication
security.ssl3.dhe_dss_aes_128_sha = false
security.ssl3.dhe_dss_aes_256_sha = false
Disable Triple DES based ciphersuites
security.ssl3.dhe_rsa_des_ede3_sha = false
security.ssl3.ecdhe_rsa_des_ede3_sha = false
security.ssl3.rsa_des_ede3_sha = false
Minimize Session Data Storage
browser.sessionstore.restore_on_demand = false
browser.sessionstore.resume_from_crash = false

Summary

These configurations give you good control over what runs on each page through NoScript and Ask to Activate.

Most sites use RSA or ECDSA certificates and support AES. I generally find that sites that don't support AES only support RC4, so disabling Triple DES doesn't reduce compatibility. I use CipherFox to enable RC4 on an as-needed basis, because some sites that support AES prioritize RC4 (e.g. BarclayCard). Due to Dreamhost's server configuration, this site only supports RC4.

At this point, I rarely encounter a site that does not support at least TLSv1.0, so I figure it’s time to disable SSLv3.0.

Configuring Chrome’s SSL/TLS

As of version 34.0.1847.116, Google Chrome defaults to the following ciphersuites:

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
  • TLS_ECDHE_RSA_WITH_RC4_128_SHA
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_RSA_WITH_RC4_128_SHA
  • TLS_RSA_WITH_RC4_128_MD5

Overall I think the list is pretty good. I'd rather not use the ciphersuites marked red in the original list (TLS_RSA_WITH_RC4_128_MD5 and TLS_DHE_DSS_WITH_AES_128_CBC_SHA), because of the MD5 message authentication and the DSS site authentication. I also think it is very unlikely these will prevent you from accessing any common sites. The more security conscious users will probably want to disable the orange cipher suites as well (the remaining RC4 suites and TLS_RSA_WITH_3DES_EDE_CBC_SHA), because RC4 and TDES are both weaker than AES. As you make changes, the SSL Labs Client Test is an easy way to see which ciphersuites are enabled. It also gives you the hex code for each ciphersuite, which is what the switch below uses to disable them.

Unfortunately Google Chrome doesn't have a nice interface for configuring ciphersuites the way Firefox and Opera do, so you need to use command line switches to selectively disable ciphersuites. I have instructions for using command line switches on Windows and MacOS.

To disable the red ciphersuites, add the following switch:

--cipher-suite-blacklist=0x0004,0x0032

To disable the red and orange ciphersuites, add the following switch:

--cipher-suite-blacklist=0x0004,0x0032,0x0005,0x000a,0xc011,0xc007

If you’re concerned about the NSA, the following disables all ciphersuites without perfect forward secrecy:

--cipher-suite-blacklist=0x0004,0x0005,0x000a,0x0035,0x002f,0x009c,0x0032
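The three switches above are hand-assembled from the Chrome 34 list and the SSL Labs hex codes. As an added example (not from the original post), the script below derives the same switches from a policy over the suite names, which makes it easy to check that a blacklist really covers every MD5, DSS, RC4, Triple DES or non-forward-secret suite and nothing else. The code points are the standard IANA values; the two ChaCha20 suites are left out because no policy here disables them.

```python
# Chrome 34 default suites from the post, keyed to their IANA code points
# (the two ChaCha20 suites are omitted: no policy below disables them).
CHROME34_SUITES = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": 0xC02B,
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": 0xC02F,
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256": 0x009E,
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA": 0xC00A,
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA": 0xC009,
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": 0xC013,
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": 0xC014,
    "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA": 0xC007,
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA": 0xC011,
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA": 0x0033,
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA": 0x0032,
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA": 0x0039,
    "TLS_RSA_WITH_AES_128_GCM_SHA256": 0x009C,
    "TLS_RSA_WITH_AES_128_CBC_SHA": 0x002F,
    "TLS_RSA_WITH_AES_256_CBC_SHA": 0x0035,
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": 0x000A,
    "TLS_RSA_WITH_RC4_128_SHA": 0x0005,
    "TLS_RSA_WITH_RC4_128_MD5": 0x0004,
}

def parse_suite(name):
    """Split TLS_<kx>_<auth>_WITH_<cipher>_..._<mac> into its security-relevant parts."""
    left, right = name.split("_WITH_")
    kx_parts = left.split("_")[1:]            # drop the leading "TLS"
    kx, auth = (kx_parts * 2)[:2]             # bare "RSA" = static RSA kx and RSA auth
    tokens = right.split("_")
    return {"kx": kx, "auth": auth, "cipher": tokens[0], "mac": tokens[-1]}

# Each policy names suites to disable. "no_pfs" also drops DSS, as the post's switch does.
POLICIES = {
    "red": lambda s: s["mac"] == "MD5" or s["auth"] == "DSS",
    "orange": lambda s: s["cipher"] in ("RC4", "3DES"),
    "no_pfs": lambda s: s["kx"] == "RSA" or s["auth"] == "DSS",
}

def blacklist_codes(*policy_names):
    """Code points of every default suite matched by any of the named policies."""
    return {code for name, code in CHROME34_SUITES.items()
            if any(POLICIES[p](parse_suite(name)) for p in policy_names)}

def blacklist_switch(*policy_names):
    """Render the codes as the --cipher-suite-blacklist switch, lowest code first."""
    codes = sorted(blacklist_codes(*policy_names))
    return "--cipher-suite-blacklist=" + ",".join(f"0x{c:04x}" for c in codes)
```

Running `blacklist_switch("red", "orange")` reproduces the red-plus-orange switch above (in numeric rather than the post's order), and `blacklist_switch("no_pfs")` reproduces the forward-secrecy switch.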

I also recommend disabling SSLv3.0 with the following switch:

--ssl-version-min=tls1

Chrome for Mac CLI Options

If you thought there were a lot of options in chrome://flags, there are a ton of options available as command line switches. See http://peter.sh/experiments/chromium-command-line-switches/ for a list of the available switches.

If you’re using Google Chrome on MacOS X, it is pretty easy to launch Chrome with these command line options. Unfortunately MacOS doesn’t make this as seamless as it should be. I looked at a few different proposed methods, and using Automator seemed like the best combination of ease, stability, and MacOSness.

  1. Launch Automator from /Applications
  2. Click ‘New Document’ in the bottom right of the ‘Open’ dialog.
  3. Select ‘Application’ and click ‘Choose’
  4. Select ‘Utilities’ from the left column
  5. Drag ‘Run Shell Script’ from the next column to the workflow area
  6. Replace cat with
    args='--args --ssl-version-min=tls1' #single place to update command line switches
                                         #--args is a switch to 'open', not Chrome
                                         #--ssl-version-min=tls1 disables SSLv3.0
    if [[ -r "$1" ]]; then # check if a readable file or directory was passed as input
       open -a "Google Chrome" "$1" $args #open Chrome and pass it a file or directory
    else
       open -a "Google Chrome" $args #open Chrome normally
    fi
  7. Change the ‘Pass Input’ drop down to ‘as arguments’
  8. Save the workflow as an Application. I named mine ‘Launch Chrome’
  9. (optional) Change the Icon
    1. Get Info for Google Chrome
    2. Click on the icon in the top left
    3. Select Copy from the Edit menu
    4. Get Info for ‘Launch Chrome’
    5. Click on the icon in the top left
    6. Select Paste from the Edit menu
  10. Opening Launch Chrome opens Google Chrome or brings it into focus. Dropping a file or directory on Launch Chrome opens the file or directory in Chrome.

Automator Screenshot:

[Screenshot: ChromeMacLaunch, the finished Automator workflow]

Chrome for Windows CLI Options

If you thought there were a lot of options in chrome://flags, there are a ton of options available as command line switches. See http://peter.sh/experiments/chromium-command-line-switches/ for a list of the available switches.

If you're using Google Chrome on Windows, it is pretty easy to launch Chrome with these command line options. This assumes you are launching Chrome from your start menu, an icon pinned to your taskbar, or a shortcut you created somewhere else. Note: You must do this for each shortcut you use to launch Chrome.

[Screenshot: ChromeWinProperties, the shortcut's Properties dialog]

  1. (taskbar only) Right-click on the Chrome icon
  2. Right-click on your shortcut, in this case "Google Chrome"
  3. Click on "Properties"
  4. In the "Target" field, move the cursor all the way to the right (past chrome.exe) and add the switches you want to use.

    For example, adding --ssl-version-min=tls1 disables SSLv3.0:

    [Screenshot: ChromeWinCmdOpt, the Target field with the switch appended]