Yet another blog

Abstract
This post describes how Opera users can improve online banking security using a second, hardened profile. In general this can be done on all platforms, you just need to create a second profile. Creating a second profile can be done in different ways and there are many guides out there, handling this topic. I'll describe an (in my opinion) very simple way to get this done with Windows 7 on NTFS.
In a first step, we'll harden Opera using the urlfilter.ini as a whitelist.
Afterwards, we'll tune some Opera settings to improve the security further.

Creating a second profile
By default the Opera profile is located in the directory %AppData%\Opera\<Name of Opera installation directory>. We'll use this fact to get a second profile by creating a symlink to the Opera installation directory. To do this, open a command prompt as an administrator and enter the command

mklink /D <New Opera Folder> <Opera Installation Folder>

Running Opera from the newly created "folder" will create a fresh profile %AppData%\Opera\<New Opera Folder>.
The benefit of this technique is that on the one hand, you don't need to mess around with command line switches to use different profiles, since the profile is chosen in the "natural" way. On the other hand, you stay with one single installation on your computer which need to be updated.

urlfilter.ini as a whitelist
Now we'll change the configuration in the newly generated Opera profile, such that only your online banking pages will be accessible if this profile is used. To reach this goal, we need to edit the urlfilter.ini in %AppData%\Opera\<New Opera Folder>. It is a text file consisting of two sections: One is named include, the second exclude. The include section has by default one entry: *. This means, that all addresses may be accessed by Opera. The =UUID:... parts may be ignored. They are created automatically by Opera and are used for Opera Link.

• Make sure that Opera is closed
• Remove the * entry in the include section
• and include a list of addresses, that will be the only accessible ones. This is depending on the online banking pages you like to use.

How to get the needed addresses:

The easy ones are the addresses, you can read directly in the address bar. Use your default Opera installation and open your online banking site. As Opera uses address bar highlighting, simply copy the black part of the address and include the lines

https://<black part of the address>/*
https://*.<black part of the address>/*

This will allow secure communication with this domain and all of it's sub domains. So Opera will be allowed to communicate with your bank.

Secondly, Opera needs to communicate with the Certificate Authority who has signed your bank's certificate, to check if the certificate is valid. To get the needed addresses, click on the security indicator, click on Details and change to the Certificate tab. Expand the Certificate node and the Extensions node beyond. In the sections X509v3 CRL Distribution Points and Authority Information Access you'll find addresses for OCSP and CRL verification. You need to allow them to be accessed. For example, for VeriSign, I've added

http://*.verisign.com/*

to the include list.

And last, but not least, you should add

https://certs.opera.com/*
http://*.digicert.com/*

to allow updates to the Opera certificate store and to allow Opera to verify the certificate of certs.opera.com.

If the validation fails, the connection will be displayed as not secure in spite of using SSL encryption. So, it's pretty easy to see if you did it right. But the validation results are cached for some time, so the results displayed may not refer to your actual include list if the verification failed/succeeded short time before.

If you did all right, you should be able to access your banking sites, see the green EV security indicators and all other sites should be blocked from being accessed.

Settings in Opera
To enhance the security, we can change some settings in Opera:

• Disable plugins: Plugins aren't affected by Opera's urlfilter.ini, so it may be possible, that they can be used to communicate with other sites.
• Disable Cache and History: For privacy reasons you should disable these features if you share your computer with other people.
• Security Protocols: Disable all protocols with smaller keylength if your bank supports this to make sure a more secure key is used for encryption (i.e. disable the 128bit protocols). Since 128bit AES/MD5 needs to be implemented to fulfill the standard, this shouldn't be done in general. If afterwards an SSL connection isn't possible anymore, undo this change.
• Disable Turbo and Unite

What's the benefit
If you're using this profile for online banking, you can be sure, that your data can't be phished by XSS (Cross Site Scripting) attacks, because internet traffic is limited to your banking sites. It can't be compromised by sites, opened in other tabs using unknown security flaws in Opera. Also, if an attacker succeeds in compromising your bank's server and manipulating the homepage, Opera won't send data to other servers than the bank server.
What still can happen
Through DNS poisoning, it's still possible to get Opera to communicate with other servers. But if you keep an eye on the security indicator, this is very very unlikely to happen, since also valid certificates would be needed. Also you are not protected from keyloggers or other malware installed on your computer, which phishes your keyboard input or manipulates your browser process.

IP(v4) addresses
The IP address identifies a computer. You can compare it to a real postal address. An IP address for the IPv4 protocol consists of four groups of numbers, each between 0 and 255. A very special IP address is 127.0.0.1, which addresses your local computer. Since 127.0.0.1 addresses the computer itself on each machine, it can't be used to address packets to be exchanged between different computers. So, in contrast to a postal address for a house, a computer must have more than one IP address.

Ports
The port is used to address a specific service on a computer, which should receive the packet. In our comparison with the postal address, the different services running on a computer would relate to different people, living in a house. A very famous port is port 80, which is commonly used for (unencrypted) HTTP traffic.

Outgoing/incoming requests
This is pretty straight forward. An outgoing request is a connection attempt initiated by your computer to another computer. In this case, you can use the following information to decide if the request is legit or not:

• the application, which sent the request (who wants to send information)
• the destination IP address (who should receive the information)
• the destination port (may give a hint, what's the type of the transmission)

An incoming connection attempt is a request sent to your computer by somebody else. In this case you have the following information to determine if the request is legit in first place:

• the source IP address (who sent the request)
• the destination port (may give a hint, what's the type of the transmission)

To identify the application/service on your computer, for which the incoming request is meant to (on a windows os), open a command prompt with administrator privileges and type netstat -a -b -f. This will give you a list with all used ports on your computer. Search for the destination port and have a look at the application listening on this port. If there's no application listening on this port, the connection will fail.

As you can see, the port is dependent of the applications running on the destination server and the configuration of the applications. (You could also tell a web server to listen on port 81 instead of port 80) So the port does only give hints on the type of transmission.

Network ranges and subnets (for IPv4)
While network ranges are also straight forward, the (complete) understanding of subnets needs some further introduction into IP addresses and the binary numbers.

Network ranges:
An IP address a.b.c.d is contained in an IP range e.f.g.h - i.j.k.l if and only if e<=a<=i and f<=b<=j and g<=c<=k and h<=d<=l
For example the IP address 192.168.178.25 is contained in 192.168.178.0 - 192.168.178.255 while 192.168.179.25 is not. Further the range 192.168.178.25 - 192.168.178.25 contains exactly one IP address, while 192.168.178.25 - 192.168.178.24 is an empty range.

Subnets:
A subnet consists of an IP address contained in this net segment and a subnet mask, which has the same format as an IP address - but a different meaning. A typical subnet in an home environment is 192.168.178.25 / 255.255.255.0 which is exactly the network range 192.168.178.0 - 192.168.178.255 from above.

Binary numbers: Any number can be written as sum of powers of two.
For example, 25 = 2^4+2^3+2^0.
You can write this differently: 25 = 1*2^4+1*2^3+0 *2^2+0 *2^1+1*2^0
To get the dual number, simply take all the coefficients and write them side by side and you get the result: 25 in the decimal system corresponds to 11001 in the dual system. By the way, it's the same with the decimal system - but you probably never noticed that: Every number can be written as a sum from powers of 10 and coefficients 0-9 (e.g. 25 = 2*10^1+5*10^0). So converting from decimal to dual means changing the base from 10 to 2.

Fine, back to the IP addresses: To get an idea, how this is working, you'll have to convert IP address and subnet mask to the binary system. Additionally, you'll have to fill up the numbers with leading zeros to 8 digits. (Maybe you recognized the magical number - each IP address consists of 4 Bytes, this means 4*8 bits).
This does really work - 0 corresponds to 00000000, while 255=1*2^7+1*2^6+1*2^5+1*2^4+1*2^3+1*2^2+1*2^1+1*2^0 corresponds to 11111111. Any number between 0 and 255 can be written in this format.
Now write down the IP address and the subnet mask in binary format:
11000000.10101000.10110010.00011001 (192.168.178.25)
11111111.11111111.11111111.00000000 (255.255.255.0)

Now, to decide if another IP address is in the same subnet, write it also in binary format. The address is in the same subnet, if and only if for each position where the subnet mask has the value 1, both IP addresses have the same value. If the subnet mask has the value zero on a specific position, the values of the IP addresses may differ.
So, in our example, exactly the IP addresses starting with 192.168.178. will suffice this criterion.

Common ports
DHCP: 67 (needed to receive an IP address from your router if you're using automatic configuration)
DNS: 53 (needed to translate hostnames like www.opera.com to IP addresses)
HTTP: 80 / HTTPS: 443 (browsing the web, also used for many other things like verifying digital signatures or Microsoft Update for example)
SMTP: 25, 587 / SMTPS: 465 (sending mails)
POP3: 110 / POP3S: 995 (receiving mails)
IMAP: 143 / IMAPS: 993 (receiving mails)
NTP: 123 (time synchronization)
NetBIOS: 137-139, 445 (used for netwkork shares, RPC; should be blocked for communication outside your home network)
RDP: 3389 (remote desktop protocol)
VNC: 5900 (VNC is an application similar to the Remote Desktop Client)

Interesting network zones
Here a list of network zones, I'm using. For sure, the zones are not complete and maybe I'll update them in case I find further addresses which belong to one of these groups.

CIS update:
download.comodo.com
eu1.download.comodo.com
eu2.download.comodo.com
eu3.download.comodo.com
eu4.download.comodo.com
eu5.download.comodo.com
epdown.edin.colo.comodo.com
vip1.fra1.cachefly.net

OCSP/CRLs (checking validity of digital certificates):
ocsp.verisign.com
ocsp.verisign.net
crl.verisign.net
crl.verisign.com
ocsp.usertrust.com
crl.usertrust.com
ocsp.comodoca.com
crl.microsoft.com
ocsp.thawte.com

But actually, these hostnames resolve to multiple IPs and CIS doesn't support that at the moment :'(

Hier gibt's die deutschen Sprachdateien für COMODO Internet Security 5

Anleitung:
Die Dateien aus dem Archiv einfach in das <Translations-Verzeichnis> entpacken und die alten Dateien überschreiben.

Hinweis:
Neuerdings prüft COMODO anscheinend auch, ob sich die Sprachdateien von den aktuellen auf dem COMODO-Server unterscheiden und meldet, dass ein Update verfügbar ist, wenn diese verschieden sind. Es gibt wohl momentan keine Möglichkeit, das separat abzuschalten.

Sprachdateien für CIS 5.5 und ohne Chat-Button.
Sprachdateien für CIS 5.8
Sprachdateien für CIS 5.9
Sprachdateien für CIS 5.10

Hier gibt's die aktuellsten deutschen Sprachdateien für COMODO Internet Security

Dabei handelt es sich um eine kostenlose Suite, die eine Firewall, einen Virenscanner und ein HIPS (Host Intrusion Prevention System) bietet.

Anleitung:
Die Dateien aus dem Archiv einfach in das <Translations-Verzeichnis> entpacken und die alten Dateien überschreiben.

Sprachdateien für CIS 3.14.x.587

Das Skript ist veraltet und wird nicht mehr gepflegt!


Ich möchte Euch mein User-JavaScript für Lokalisten.de vorstellen. Es erweitert das Lokalisten-Interface um einige nützliche Funktionen:

• Die Home- und Profilseiten, Freundes- und Nachrichtenlisten werden in einem bestimmten Intervall automatisch neu geladen.
• Gibt es neue Nachrichten oder Hinweise, so wird ein Sound abgespielt
• Blinkendes Ausrufezeichen im Titel bei ungelesenen Nachrichten oder Hinweisen
• Die Option eigene Nachrichten zu speichern ist standardmäßig aktiviert
• Wird die Maus bei gedrückter Strg-Taste über ein Thumbnail gezogen, wird das Bild vergrößert eingeblendet
• Ein Klick auf das vergrößerte Thumbnail zeigt das Bild in Originalgröße an, mit gehaltener Maustaste kann das vergrößerte Thumbnail verschoben werden
• Werbeboxen, die -anzeige- enthalten, werden ausgeblendet
• Die Information, wo man auf ein Profil geklickt hat, kann versteckt werden (Vorsicht: Noch nicht ausführtlich getestet!)

Fix für Opera 11.1: Die Sound-Benachrichtigung funktioniert wieder.

Die beschriebenen Konfigurationsmöglichkeiten können am Anfang des Skripts mit einem beliebigen Texteditor vorgenommen werden:

• reloadTime gibt an, in welchem Intervall (in Minuten) die Seite neu geladen werden soll. Standardwert ist 5
• notifyOnlyAtHome gibt an, ob der Benachrichtigungsklang nur abgespielt werden soll, wenn man sich gerade auf seiner Home-Seite befindet. Standardwert ist false
• soundFile enthält den BASE64-kodierten Klang für neue Nachrichten.
• animateTitle gibt an, ob die Titelleiste bei einer ungelesenen Nachricht/Hinweis animiert werden soll. Standardwert ist true
• saveSent gibt an, ob die Option zum Speichern von versendeten Nachrichten standardmäßig aktiviert ist. Standardwert ist true
• maxThumbSize gibt an, wie groß die vergrößerten Thumbnails maximal sein dürfen (in Pixeln). Standardwert ist 400
• hideObviousAds gibt an, dass Werbeboxen, die "-anzeige-" enthalten ausgeblendet werden. Standardwert ist true
• persStorage gibt an, ob statt Cookies der neue Web Storage (ab Opera 10.5) zum speichern von Informationen benutzt werden soll. Standardwert ist false
• hideSrc gibt an, dass bei einem Klick auf einen User keine Information übertragen wird, wo man auf diesen geklickt hat. Standardwert ist false. Dieses Feature muss noch getestet werden.

Die oben erwähnten Informationen werden dazu benötigt, damit die Benachrichtigung bei neuen Nachrichten funktioniert. Es müssen also entweder Session-Cookies akzeptiert oder (ab Opera 10.5) der Web Storage verwendet werden, damit das Skript richtig funktioniert.
Für die automatische Benachrichtigung mit Sound müssen zusätzlich die Plugins (wenigstens für diese Seite) aktiviert sein.

Falls ihr an weniger Werbung bei den Lokalisten interessiert seit, solltet Ihr Euch auch mal mein Stylesheet ansehen.