Saturday, March 5, 2016

VeraCrypt Review

It works!  I recently switched to VeraCrypt from TrueCrypt, because TrueCrypt is now unsupported and rumor has it that technology was making TrueCrypt less and less secure.  I do not use Partition/Device encryption or System encryption, only Volume Encryption, meaning that specially-created "container" files in the normal unencrypted Windows environment are mounted as encrypted volumes exactly as if they were separate, encrypted disk drives.  I keep my personal and business files there, and I do it this way because it is simple, because backup of those container files is trivially easy, and because there is zero risk of a complete failure.

If you want to know more about Partition/Device encryption or System encryption, the information in this post may not help you.

A year ago I wrote about TrueCrypt Forks. I didn't like VeraCrypt then because it took a very long time, a minute or more, to open a container after entering the correct password.  This was by design - the VeraCrypt developer, Idrassi, by default uses hundreds of thousands of iterations in the key derivation function, contending that it helps protect against brute-force attacks, where a computer is automatically trying billions of password guesses.  He is right - this method of attack is becoming faster and more effective as computer power increases and multiple processors can be brought to bear.  However, I open and close encrypted volumes frequently and the defaults pushed my patience too far.

Happily, the current version of VeraCrypt, Release 1.17, offers a compromise:  If the password is 20 characters or more, VeraCrypt allows the user to bypass the defaults and choose a lower number of iterations by specifying a Personal Iteration Multiplier (PIM).  The minimum multiplier of 1 will still result in an iteration count 8 to 16 times greater than that used in TrueCrypt, with a very short delay, whereas multipliers in the range of 10 to 100 will increase security but will cause somewhat greater delays.  Those delays might still be acceptable, depending on the speed of the processor. I experimented with several different PIM values.

The PIM is a secret value, chosen when the container file is created, and it must be entered correctly as a separate parameter when the password is entered to mount an encrypted volume.  Therefore, though the PIM may be used to reduce the iteration count and make a brute force attack easier, it also effectively increases the password strength, making the attack more difficult again.

I use passwords of 20 characters or more anyway, so the PIM is a perfect compromise.  During the process of creating new volumes I did have to wait through some long delays, but now that the volumes are created and in place, the delays are quite acceptable.  PIM works.

Also interesting, VeraCrypt can actively coexist with TrueCrypt on the same system, running at the same time.  I created new VeraCrypt containers and copied the encrypted contents of the old mounted TrueCrypt volumes directly into the mounted VeraCrypt volumes with no problems.  During that process, none of the encrypted files were ever decrypted on disk.  That's cool - no disk wiping required.  Actually, VeraCrypt can mount most TrueCrypt volumes (though not my oldest ones), so the applications might not have to coexist, but it was slick.

I rarely use the TrueCrypt or VeraCrypt console, instead using command-line scripts (cmd.exe processor) to automatically mount and dismount volumes, create backups of volumes, copy volumes to the cloud and to other computers, and more.  Every script that worked with TrueCrypt still works with VeraCrypt, after just changing the run path.  It just works, no errors, no problems.

For a thorough, functional test I uploaded a 3 GB encrypted container full of files to the cloud, using both iDrive and CloudBerry, then downloaded that same file back to the desktop.  Using Microsoft's comp program, the files compared exactly with the original in each case.  Also, in each case, the downloaded encrypted container opened without issue, the true proof that the file was not corrupted.

I use VeraCrypt on two computers, a desktop and a laptop,  The desktop runs a clean install of Windows 10 (it once ran Vista), and the laptop runs Windows 10 upgraded from Windows 7.  Both have plenty of RAM and disk, with dual processors in the 2 - 3 GHz range.

My congratulations to Mounir Idrassi, the force behind VeraCrypt.  I'll be making a PayPal donation to the cause.

By the way:  I also downloaded CipherShed, intending to compare it with VeraCrypt.  However, the CipherShed installer informed me that I would have to uninstall TrueCrypt first.  Since I want to keep TrueCrypt around, I did not install CipherShed.

Wednesday, June 17, 2015

Cloud Backup Review, IDrive vs Cloudberry

My desktop running Windows Vista Ultimate is already backed up thoroughly by a command-line script that I start every night when I go to sleep.  The script shuts down certain processes (e.g. FTP server, open TrueCrypt volumes, KeePass password vault) and copies all important files to other local hard disks.  

I also need a cloud backup, though, in case of a disaster like a fire, flood, theft, vandalism, sinkhole, asteroid, apocalypse, whatever, because all of my hard disks are in the same building.  A close friend did have a fire and lost everything. What the fire doesn't get, the filthy, soaking, ash-filled water does.  In my view everyone needs a cloud backup these days, and maybe it's the other local disks that are unnecessarily redundant.  I have 62,000 files to upload, totaling 7+ GB, including a 3GB TrueCrypt volume file.

Because I already have a time-tested command line backup script, I want my cloud backup to fit in and be part of it. At the least, the script should be able to start the cloud backup from the command line, know when it's done, and preferably log any errors that occur.  Then, when the cloud backup is done, the script can perhaps do other cleanup tasks and shut down the computer, or put it to sleep, or get going on other things that it needs to do.

At least two cloud backup offerings seem to have a sufficiently robust command-line interface and with "chunk" backup capabilities (more later): IDrive and CloudBerry.

IDrive is a complete backup solution, offering an installed application program, a web-based interface, a command-line interface, and storage.  Backups are physically kept on IDrive's own web servers.  The Basic Plan is FREE, with 5 GB file storage space and another 5 GB of "sync" space (files kept automatically in sync.).  You can also get "credits" for referring IDrive to others.  

I did that and used the free plan for my 7 GB for a whole year, before something failed and I needed help.  Since then I have upgraded to IDrive Personal, with 1000 GB of storage, which cost me $39.95 for the first year.  That's not expensive, and it's my impression that cloud backup prices are going down, so I doubt that cost will go up much.

Features important to me:
  • Incremental backup is standard, of course.  Only new or updated files are sent to the cloud.
  • "Chunk" backup for large files allows backup of only the parts of the file that have changed.  Automatic in IDrive.
  • Command line interface.
  • Data transmission and file storage are both encrypted.
  • The IDrive Application program failed this month, and I was unable to get it going again without help.  The online chat support did the trick, but the technician went so fast that I was unable to see what s/he did.  I believe that s/he changed permissions in c:\Program Files (x86)\IDriveWindows and c:\ProgramData\IDrive, then did something with the VSS Service.  I asked the tech what s/he did, and got an answer like "fixed your computer," for which s/he gets a "D" for customer communication.  My concern is that it may fail again after some Microsoft update.
  • The command line interface utility that comes with the newest IDrive download doesn't work on Windows.  Log in fails.  I use an older one that does work.
  • For file encryption, you get a choice of a default key or a private key.  A year ago I chose the default, but suddenly this month the program demanded my private key.  Since I didn't have one, my data was lost and I had to upload the whole 7 GB again.  Now I do have a private key, but will it always work?
Validation:  After the most-recent backup I downloaded the 3GB Truecrypt container file and compared it bit-by-bit with the original here, using the comp utility.  There were no differences.  Further, I was able to open that downloaded file with TrueCrypt, highly unlikely if the file was corrupted at all.

CloudBerry is a front end application program for use with any number of cloud storage space vendors.  Its most robust implementation, though, is with Amazon S3 storage, and that is how I am using it because I need some features only available with Amazon S3.  For desktop (or laptop) use, there is a Freeware version called CloudBerry Explorer which does have some command line functionality, but I don't know how much, and I don't know if it handles "chunks."

I am have just purchased CloudBerry Backup (for Windows Desktop), a "Pro" version, for $29.99 plus $6.00 for an annual update service.  I'm happy to pay that. The Amazon S3 storage cost is trivial for my 7 GB:  The first 5 GB is free for 12 months, and prices thereafter are 3 cents per GB per month, at most. That will be $0.21 per month, or less than $3.00 per year. There are also transaction fees (for GET and PUT requests).  In this first month my Amazon S3 bill is so far $0.34 (34 cents), most of which is transaction fees for the initial upload of files.  I'll be happy to pay the Amazon costs too.

Features important to me:
  • Incremental backup is standard, as with IDrive.  Only new or updated files are sent to the cloud unless a full backup is specifically ordered.
  • "Chunk" backup of huge files is available with Amazon S3, and it is possible to configure the size of the chunks.
  • Command line interface.
  • Data transmission and file storage can both be encrypted.
  • Amazon S3 is complicated, and you have to sign up for that separately.  I recommend sticking with as many defaults as possible.  I tried Google Cloud too, and it is simpler, but fewer features are available.
  • The CloudBerry command line interface CBB.exe has many, many commands, a confusing array in fact.  Further, when starting a backup with a pre-existing backup plan, CBB simply starts another program, CBBackupPlan, and then quits, so the batch script can only know when the actual backup is done by looping, waiting for CBBackupPlan to disappear.  I'll be happy to supply that code or the whole script if anyone wants it.  It's all in CMD command line language.
  • When performing a backup, the progress reports on the screen are mostly nonsensical.  It pulls up a list of 1000 files are a time, and sort of tells you how it's doing with that 1000. The Overall Progress bar shows about 33% most of the time, for some reason.  The backup works, so it doesn't really matter, and it does show a count of files uploaded, so if you know how many there are, you can figure progress yourself. 
Validation:  I have several times downloaded the 3GB Truecrypt file and compared it with the original from my computer. There were no differences.  Further, I was able to open that downloaded file with TrueCrypt, highly unlikely if the file was corrupted at all.

Some speed comparisons:

First, I am using a DSL connection to the internet, with 26Mbps download and about 0.9Mbps upload.  
  • For both CloudBerry and IDrive, the upload time for my full 7GB is almost a day. I hope not to do a full backup very often!
  • I have one 3GB encrypted file which downloads in 21 minutes with CloudBerry and 71 minutes with IDrive. Big difference.
  • Smaller files download in no time, of course, and both providers make file selection and destination selection easy.
  • Daily incremental backups take about 9 minutes with CloudBerry and 21 minutes with IDrive. Also a big difference, but I'm asleep anyway.
A SERIOUS CAUTION ABOUT CLOUD BACKUP:  If you end up needing it, you will be required to supply passwords.  In the case of Cloudberry, for example, you may need a password to access the CloudBerry program on a new computer, and if you use Amazon S3 services for storage, CloudBerry will ask you for a lot of information.  You will need your Access Key ID (long), your Secret Access Key (longer yet), the Encryption Password, and possibly the name of your Amazon S3 Bucket.  

For any other storage provider you will need similar information.  For IDrive you need at least the IDrive Password, and also the Private Encryption Key if you have chosen your own.

Obviously, it's no good backing that stuff up on the cloud with everything else!  It's inaccessible.  These passwords and keys will not change often, and you should have them offsite, far away from your computers.  I keep mine on a gold archival DVD in a safe deposit box.  A thumb drive might be more convenient in the future, but there are folks who believe that thumb drives are not a good archival medium.  My next computer will have a Blu-Ray (and DVD/CD) drive anyway. But I might keep a thumb drive in the safe box too, as backup.  :-)

Just sayin'

Sunday, January 25, 2015

Truecrypt Forks

January 25, 2015:

As everyone knows, the anonymous creators of Truecrypt have declared it unsupported and hinted that it might be defective. While no one believes that Truecrypt has a security hole (see Gibson for example), and an initial audit did not find one, everyone wants to find a supported substitute.

I use Truecrypt encrypted container files to encrypt sensitive data on my Windows systems.  A container is a file which can be mounted as if it were a separate unencrypted volume.   Truecrypt can also encrypt entire disk volumes, though I do not use that mode, because of the complication and because containers are so easily backed up with full encryption to multiple destinations including the Cloud, Blu-Ray discs, hard discs, and thumb drives.

  • To reduce the likelihood of a hole or a back door, the software must be open source.  This rules out all commercial encryption software.
  • It must support some kind of portable encrypted containers.
  • It should have a credible support team.
BitLocker is not a candidate because it is not open source and does not conveniently produce encrypted containers.

In my search for a Truecrypt substitute, here is what I found today. Things are moving fast, so this may not hold true for long:, UK, Germany, Asia  Available as pre-alpha release Truecrypt 7.1a  FranceRev 1.0f-1 downloaded and working

CipherShed is currently in a pre-alpha release only, apparently using some Truecrypt code and some new code. They caution against using it in production. Purportedly it will eventually all be new code, and with a team to support it. Currently I'll stick with Truecrypt 7.1a until (1) a problem is discovered in it, or (2) CipherShed or some other supported program is available. (also called TCnext) seems to be two Swiss guys who want to fork Truecrypt but, for now, are simply offering Truecrypt 7.1a, the final good release, on a download site. I suspect they are watching CipherShed and may eventually support that.

Veracrypt is the only fork currently available as an official release, and is a modest modification of the original Truecrypt open-source code. Apparently it is mostly written and supported by one Frenchman, Idrassi, and long-term support may be dependent on him, though there is a lively discussion board.

I have installed it, to discover that opening a container takes a long time, but he defends that as necessary to defeat a brute force attack.  In that respect, he believes that Veracrypt is quite superior to Truecrypt.  That judgment is above my pay grade.  Otherwise it walks and talks just like Truecrypt.  I have not tried any command-line arguments yet - I use those a lot in Truecrypt.

The delay on opening is dependent on a particular iteration count, and there is discussion about allowing the user to trade off password length versus iteration count, so that a longer password could result in a shorter opening time.

Veracrypt containers are not compatible with Truecrypt containers, but Veracrypt does have a Truecrypt mode.  I tried that and it did successfully open a Truecrypt container. I didn't try modifying the files in that container.

I recommend tuning in to those sites from time to time, to keep abreast of their progress.  I may or may not blog about it again.

Friday, August 15, 2014

IDrive Backup Review

It works and I like it.  IDrive is a backup and file-sync facility with lots of good features, supporting a wide array of computer operating systems and mobile devices.  The features that I particularly like are:
  • The command-line options that allow me to incorporate this cloud backup facility into the rest of our normal, every-night archive system; and
  • The sophisticated incremental backup features which back up only the files which have been modified since the last backup, and then back up only the modified sectors of large modified files.
Example: I have one 2 GB encrypted file which gets modified every day, but only a little.  At DSL upload speeds it took hours to upload that file the first time, but IDrive can upload the daily modifications in just a few minutes.   A download "restore" of last night's uploaded file confirms that it compares perfectly with the current file, bit for bit, all 2 GB.  I used the Windows comp program for that comparison (several times for several downloads), but also if the file was at all corrupt I would not be able to decrypt it, and it decrypts just fine.

Desktop Application:

IDrive has both a GUI desktop application and a brower-based application, with similar but not identical functionalities.  It took me a little while to get used to the two and determine which to use for what purpose.  There are similar applications for many different computer operating systems and mobile devices.  I was able to install and use the GUI desktop app on Windows XP Pro, Vista Ultimate, Windows 7, and Windows 8.1, with no obvious differences in functionality.


Although upload appears to go as fast as my DSL link allows, about 900 kbps or about 3 hours per GB, download through the GUI desktop application appears to be throttled to about 5 Mbps, roughly 2 GB per hour.  My DSL is about three times that fast, almost 16 Mbps, so it should go faster, as do most other downloads.  The browser-based application actually downloads a little faster than the GUI desktop application, maybe 25% faster when restoring my 2 GB encrypted file, finishing the download in 45 minutes instead of 57, though this is still well below half of the maximum speed of the DSL connection.

IDrive isn't very expensive, $37.12 per year for 300 GB, but I am still using the free version because we don't yet need the extra space or features of the professional versions.  Perhaps download speed is throttled for freeloaders like myself - I don't know, and I wouldn't blame them.  It's not an issue in our application, though, because file recovery will be seldom if at all, mostly just for testing, and at 2 GB per hour it won't require more than two or three hours to download everything we have up there in any case.

Technical Support:

Excellent so far - I've had two interactions with them, one via chat and another through a submitted bug report.  They know that I have a free account, I'm sure, but seem interested in solving my problems anyway.  There is also a forum, in which IDrive participates quite actively.  I submitted one problem there and was soon advised to submit the problem as a regular bug report.


Command-line options are implemented through a program called idevsutil.exe, found in the IDrive programs folders (C:\Program Files (x86)\IDriveWindows\... in Windows).  However the one that is supplied by the IDrive installer didn't actually work - I had to go to the Getting Started page and download the idevsutil.exe that actually does work.

Cloud backup provides the ultimate off-site backup, to protect against a disaster such as fire, flood, theft, even death of a principal person.  However, it's no good if the files are inaccessible due to a lost usrname or password.  Be sure to have those somewhere else safe, perhaps in a safe deposit box.

Wednesday, June 18, 2014

LG Blu-Ray Disc Rewriter Model WH16NS40 Review

This is an internal drive which can write and read virtually all forms of CD, DVD, and Blu-Ray (BD) discs, including four-layer 128GB BDs.  It works perfectly so far.

Test System: 
LG Blu-Ray Write/Read Drive
Model WH16NS40

Seven-year-old mini-tower computer, home-built from an Intel DP35DP motherboard hosting an E6750 CPU with dual 2.66 GHz processors, 8 GB memory at 800 MHz, system bus 1066 MHz, running Windows Vista Ultimate. Hard disks are SATA 2TB Seagate hybrid disks.

The system is used as a computer, not as a video player. This review is about data backup. It should apply to copying video files as well, but you might want a newer, faster CPU to actually play or manipulate the video files.  The owners' manual lists the E6750 CPU at 2.66 GHz as the minimum system.

The originally-installed Samsung SH-203B DVD Drive is still in place and functioning well after seven years.  It can read and write DVD+R DL (dual layer) discs, though I only use it with standard and archival single-layer DVD's.  Each month, sometimes more often, I create a backup copy of our own important files (not system files or application executables) on a MAM-A DVD-R gold archival disc for long-term storage, then copy that disc to regular DVD's for shorter-term offsite storage.  Those important files have grown beyond the DVD's 4.7GB capacity, however, so the new LG Blu-Ray Disc (BD) Drive will bump that limit up to about 25GB.  A firmware update from version 1.00 to 1.01-A0 is available for the drive but not yet installed.  (First rule of life:  If it works, you can't fix it.)

Test Method:

The new BD drive was installed in the mini-tower just below the DVD drive.  The generic
Windows Vista software was used to write each disc initially.  ISO Recorder 3.1 was used to restore each disc back to an ISO file, or to write that out to another disc. The following tests were performed to demonstrate single-drive data integrity as well as cross-drive data integrity:

CD read:  On the BD drive, restore two of our oldest archival CD's, going back to 1997.  No read errors.  Open a few files to verify data integrity.

CD write/read, using Verbatim CD-R discs:  Write a disc on each drive, restore each disc back to a desktop ISO file using each drive (four ISO files).  No errors reported.  With the Windows utility called comp, compare the two ISO's which were created from a disc written on one drive and restored from the other.  This is a byte-for-byte comparison, and no differences were reported.

DVD write/read, using TDK DVD-R discs:  Same procedure as for CD's.  No errors, no differences.
DVD+R DL write/read, using Verbatim DVD+R DL discs:  Same procedure as for CD's.  The discs were filled to about 5.25GB, so that both disc layers would be used.  No errors, no differences.

BD-R write/read, using Verbatim 25GB 6x BD-R discs:  Write a disc containing 21 GB of data including thousands of files (photos).  Restore that back to an ISO.  Write the ISO to another BD-R disc, restore that back to a second ISO, compare.  No errors, no differences.

BD-R 50GB, 100GB, and 128GB: Not tested - I don't need this functionality now, but I have no reason to doubt that it will work when it is needed, and perhaps disc prices will be better.

Data integrity test results:

The LG Blu-Ray Disc Rewriter Model WH16NS40 performed perfectly.  I am impressed, and I now have renewed confidence in the old Samsung DVD drive as well.

Vista Speed-display Issue:

On this "old" Vista system the writing speed, estimated time left, and progress bar were all displayed incorrectly for the BD discs.  Specifically, the Windows software reported that it intended to write at 39x, and the ISO Recorder program thought it would write at 351x.  I seriously doubt that either was correct.

For both drives and all discs, I always allowed the write to take place at the maximum displayed speed (i.e. 39x or 351x), not attempting to reduce it.  I have no idea what the actual write speed was for the BD discs, and I did not time any of the operations, but the data files were obviously recorded without error.

First actual Blu-Ray backup:

Write encrypted and unencrypted files to a Delkin 6x 25GB Archival Gold BD-R.
Restore that disc back to the desktop as an ISO file.
Write that ISO to each of three Verbatim 6x 25GB BD-R discs for offsite storage.
Open and verify some encrypted files on the last of those discs as a final check.

This procedure worked flawlessly, backing up about 12GB, except that one of the Verbatim BD-R discs failed immediately when ISO Recorder 3.1 tried to write to it.  That one disc was discarded with no attempt at diagnosis.  I attribute the failure to the disc, not the drive, and comments on other blogs confirm that such failures can occur.

I believe that this process creates archival Blu-Ray discs which will last at least as long as there are drives capable of reading them.  The Delkin Archival Gold BD-R discs cost me about $10 each in a pack of of 5, and the Verbatim BD-R discs about $1 each in a spindle of 25.  Both are cheaper in larger quantities, and other brands are available.  The LG Owner's Manual recommends Sony and Panasonic discs for BD-R 25GB, but does not say whether Delkin or Verbatim discs were ever tested.

Blu-Ray versus Flash for Archival Storage:

Removable-media technology seems to be moving away from optical discs and toward USB flash drives these days, and video is increasingly downloadable, so Blu-Ray discs may never enjoy the popularity of DVD's.  Flash for archival storage is controversial, however, and it is still at least as expensive as Blu-Ray for similar capacity, so Blu-Ray is a better choice for now.

Friday, September 6, 2013

Automatically Delete Local Shared Objects

Also called "flash cookies," Local Shared Objects" (LSO's) can be used by any web site to store information about your web browsing.  Web developers explain that this capability is used "to enhance your web-browsing experience," but skeptics (like me) know that it can also be used to track a user's browsing in detail and even to share that information with unsavory sites.  LSO's may or may not be cleared when you attempt to clear your browser's cookies.

LSO's may be important to some applications.  Games, for example, may save the current state of the game in LSO's, so that the game can be stopped and then resumed.  However, in my computer usage I do not know of any such beneficial application of LSO's and I prefer to delete them.

Third parties have created extensions for some of the browsers which will delete LSO's automatically.  However, this script will also do it, without installing an extension:

    TITLE "Delete Local Shared Objects"

:: Delete Local Shared Objects in a very heavy-handed way:

    SET SYSPATH="%APPDATA%\Macromedia\Flash Player\\support\flashplayer\sys"
    SET IE2LSO="%APPDATA%\Macromedia\Flash Player\#SharedObjects"
    SET GOOPATH="%LOCALAPPDATA%\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\\support\flashplayer\sys"
    SET GOOGLSO="%LOCALAPPDATA%\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects"
:: Delete LSO's for IE and FireFox, preserving the flash settings:

    XCOPY /y /q /h /r %SYSPATH%\settings.sol %TEMP%\*
    RMDIR /s /q %SYSPATH%
    RMDIR /s /q %IE2LSO%
    XCOPY /y /q /h /r %TEMP%\settings.sol %SYSPATH%\*
    DEL /f /q %TEMP%\settings.sol

:: Delete LSO's for Chrome, nevermind the flash settings (use defaults):

    RMDIR /s /q %GOOPATH%
    RMDIR /s /q %GOOGLSO%

:: Optionally start one of the browsers.  Also possible to specify a "home" URL here:

    START "" "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
::  START "" "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
::  START "" "C:\Program Files (x86)\Mozilla Firefox\firefox.exe"


Put this code in a script file with a .CMD extension, e.g. DELETELSO.CMD.  Then create a shortcut to that script and set Properties/Shortcut/Run to Minimized.  Put the shortcut on your desktop, or Quick Launch bar, or wherever you want it.  Use it any time you want to clear the LSO's.  It can also be used to start the browser of your choice after it clears the LSO's, see the code.  That's how I use it.  If you have trouble copying the code from this screen, try this instead, making your screen wide.

Note:  This is a VERY HEAVY-HANDED way to approach the problem and could produce unanticipated and hard-to-diagnose results.  Please check for problems with your favorite web-based applications before you forget that you did this and start looking for problems in the wrong places.  This script comes with no warranty, and you can only sue me for the amount that you paid for it.

The above script has been tested and is in use on Vista and Windows 7.  It has not been tested on Windows 8, and it will not work without modification on Windows XP.

I've had this in place for several months now, using it to start Chrome any time I want a browser, and have not identified any problems in my use of the Chrome browser.

Comments, complaints?

Friday, March 18, 2011

Use BLAT With STUNNEL To Send Email Via SSL On Windows

An earlier post described a Windows command-line script which sends a detailed email at bootup, like PC Phone Home (tm). It worked on our computers for a year and a half, and then stopped. We discovered that our internet service provider, trying to reduce the amount of spam sent through their servers, had blocked port 25, the standard unencrypted email port. They encouraged their customers to switch to SSL, encrypted transmission, using a different port.

The BootMail script uses a free utility called blat to actually send its email. Unfortunately, blat does not support SSL connections. However another free utility, stunnel (secure tunnel?), can convert data from an SSL-ignorant program like blat and send it to an SSL-aware computer or connection. Stunnel can do lots of other things too, and in fact I found the documentation to be thoroughly daunting, but installation turned out to be quite simple, basically the same on Windows 7, Vista, and XP:
  • Download stunnel-4.35-installer.exe from
  • Run it and accept the defaults. This installs the software on the disk, in c:\Program Files\stunnel on a 32-bit system or c:\Program Files (x86)\stunnel on a 64-bit system.
  • In Start/Programs go to the new stunnel folder and right-click on "Edit Stunnel.conf." Click Run as Administrator (Vista or W7), or click Open (XP). This brings the configuration file into Notepad with rights to modify it. You may be prompted for permission in this and following steps.
  • Delete everything in the file, and copy in the four lines example below, modifying them for your use. "Accept" is the port on which blat sends the email (this can be changed), and "connect" is the server name and port that your ISP wants you to use. Save and quit.
  • In Start/Programs, right-click "Service Install" and click Run as Adminstrator.
  • In Start/Programs, right-click "Service Start" and click Run as Administrator.
Example stunnel.conf file which could be used to send email through gmail:
client = yes
accept  = 25
connect =
In the script which runs blat, or in the registry, you will want to specity the server as follows: "-server localhost:25".

(tm) PC PhoneHome is a trademark of Brigadoon Software.