Securing your browsers: Chromium, Google Chrome or Opera

It took some time for me to write this blog. It was supposed to deal with all three major browsers, but I could not make the time lately. I started a four-year Professional Education last year. Together with my more-than-full-time job I just could not find the time to post anymore. In the meantime POODLE came along and this post is almost outdated before it is even written. Or typed 🙂

I got my bachelor's and am now in my second year, hurray! Now, because of an obligatory assignment from school, I am supposed to write six blog posts before January 2015. So this presented the opportunity to start writing again and break this big subject up into parts.

We’ll start with Chromium first. This is also applicable to Google Chrome and Opera. Here we go.

So, because of POODLE, this subject should have your attention. If it does not, be glad you stumbled upon this blog. To secure your browser from any unsafe or insecure settings while visiting HTTPS web pages, do the following:

  • Disable SSLv3 (this counters POODLE)
  • Disable RC4 cipher suites as much as possible
  • Disable SHA1 cipher suites as much as possible
  • Disable DES3 cipher suites as much as possible

I have been testing different settings myself for months now, and the problem is that disabling cipher suites which utilize SHA1 hashing or RC4 ciphers altogether probably is not a good idea. Why? Well, for one, YouTube will stop working. Yeah, really. It seems that when visiting YouTube over TLS, your video stream will use an RC4 cipher. It kind of makes sense because RC4 is the least CPU-intensive stream cipher. But still it is weird coming from the company that works hardest of all to put old cipher suites to rest.

Denying cipher suites which use SHA1 hashing will probably stop you from being able to visit a minority of sites. You will have to read the error presented to you to recognise why you can't see a particular web page. Be aware of this.

Anyway, there aren't any check boxes to check or buttons to push in the GUI, so you have to use start-up parameters to force Chromium, Chrome or Opera to comply with these security settings. Please note that WordPress does not like the double hyphen sign and replaces it with a dash upon publishing, so wherever you see a single dash in front of a parameter below, replace it with two hyphens to make it work. To stop using insecure cipher suites, you will have to start your Chromium, Chrome or Opera executable with the following parameter:

--cipher-suite-blacklist=0x0005,0x0004,0x002f,0xc012,0xc011,0x003c,0xc011,0x0032,0xc007,0xc00c

To stop using SSLv3, you’ll have to use the parameter:

--ssl-version-min=tls1

To do this, you’ll have to edit the shortcut you use to start your browser to let it read:

"<PATH TO>\chrome.exe or opera.exe" --cipher-suite-blacklist=0x0005,0x0004,0x002f,0xc012,0xc011,0x003c,0xc011,0x0032,0xc007,0xc00c --ssl-version-min=tls1

This disables many outdated cipher suites. You can look them up by their hex code here. You should know that this does not disable SHA1 nor DES3 altogether. TLS_RSA_WITH_RC4_128_SHA (RC4-SHA) and TLS_RSA_WITH_3DES_EDE_CBC_SHA (DES-CBC3-SHA) will stay enabled for fallback and compatibility reasons (e.g. YouTube).

You can test your browser and the cipher suites it uses here or here. It should be these:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc14)
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc13)
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)
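As an added example that is not part of the original post, the following Python script decodes the --cipher-suite-blacklist value above into IANA suite names, undoes the dash substitution WordPress applies, drops the repeated 0xc011, and checks the "should be these" list for suites that still carry RC4, 3DES or SHA1 (the CBC_SHA suites, including DES-CBC3-SHA, as the post warns). The suite names are IANA registry values; the flag line and the offered list are copied from the post.

```python
import re

# IANA names for the suite IDs in the post's blacklist (registry values, not constructed).
SUITE_NAMES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5", 0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x002f: "TLS_RSA_WITH_AES_128_CBC_SHA", 0x0032: "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    0x003c: "TLS_RSA_WITH_AES_128_CBC_SHA256", 0xc007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xc00c: "TLS_ECDH_RSA_WITH_RC4_128_SHA", 0xc011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    0xc012: "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
}
# The post's flag line as WordPress renders it: en/em dashes where "--" belongs.
POST_CMDLINE = ("\u2013cipher-suite-blacklist=0x0005,0x0004,0x002f,0xc012,0xc011,0x003c,"
                "0xc011,0x0032,0xc007,0xc00c \u2014ssl-version-min=tls1")
# Suites the post says a tester should see offered once the flags are applied.
OFFERED = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

def parse_blacklist(cmdline):
    """Return the deduplicated suite IDs from --cipher-suite-blacklist=... after
    undoing the dash substitution; reject tokens that are not 0xNNNN."""
    cmdline = cmdline.replace("\u2013", "--").replace("\u2014", "--")
    m = re.search(r"--cipher-suite-blacklist=([0-9a-fA-Fx,]+)", cmdline)
    ids = []
    for tok in (m.group(1).split(",") if m else []):
        if not re.fullmatch(r"0x[0-9a-fA-F]{4}", tok):
            raise ValueError(f"bad suite id {tok!r}: expected 0xNNNN")
        if int(tok, 16) not in ids:
            ids.append(int(tok, 16))
    return ids

def weak_parts(name):
    """Which of the post's 'disable as much as possible' properties a suite has."""
    parts = [p for p, tag in (("RC4", "_RC4_"), ("3DES", "_3DES_")) if tag in name]
    if name.endswith("_SHA"):  # SHA-1 HMAC; the _SHA256 suites do not match
        parts.append("SHA1")
    return parts

def report(cmdline, offered):
    """Name the blacklisted suites and list offered suites still using RC4/3DES/SHA1."""
    names = [SUITE_NAMES.get(i, f"unknown 0x{i:04x}") for i in parse_blacklist(cmdline)]
    return {"blacklisted": names,
            "still_weak": {s: weak_parts(s) for s in offered if weak_parts(s)}}

if __name__ == "__main__":
    for key, value in report(POST_CMDLINE, OFFERED).items():
        print(key, value)
```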

If you’re interested, these are all the parameters I currently use with my Chromium browser:

--cipher-suite-blacklist=0x0005,0x0004,0x002f,0xc012,0xc011,0x003c,0xc011,0x0032,0xc007,0xc00c --ssl-version-min=tls1 --flag-switches-begin --enable-async-dns --enable-download-resumption --enable-encrypted-media --enable-fast-unload --javascript-harmony --disable-pinch --enable-quic --use-simple-cache-backend=on --enable-spdy4 --disable-touch-drag-drop --enable-webgl-draft-extensions --ignore-gpu-blacklist --enable-lcd-text --num-raster-threads=4 --disable-origin-chip --save-page-as-mhtml --touch-events=disabled --flag-switches-end

OK, that’s that. I will post some instructions for Firefox and Internet Explorer soon.

About Yuri de Jager
Technology Addict