Re: Cocktail and Mountain
artie505 #25245 03/04/13 03:18 AM
Joined: Aug 2009
Likes: 1
Offline
There's a lot of money in it. Some of the most highly paid programmers in the world are employed as hackers by Eastern European organized crime. When you have enough money at stake, it's amazing what you can do...


Photo gallery, all about me, and more: www.xeromag.com/franklin.html
Re: Cocktail and Mountain
artie505 #25295 03/08/13 01:04 AM
Joined: Aug 2009
Offline
Originally Posted By: artie505
But why is a "self-signed" key "not trusted?"


If you're talking about com.apple.systemdefault, on my machine (running 10.8.2), it doesn't say that certificate is not trusted. It says "This certificate has not been verified by a third party."

Which is true.

But that doesn't mean it's not trusted. It's trusted on your machine, because it's on your machine, in your keychain, and marked there as trusted. It will not be trusted on any other machine.

Had it been signed by another certificate (and not revoked) it would be accepted on any other machine that accepted the signing certificate. But that's not what it's for. It's for saying "I made this signature, so I trust it, but I don't expect anyone else to."


I don't know what the deal is with Dashboard Advisory. I know what it's for, but I don't know why Apple didn't either put it in System Roots or sign it with something that is (like Apple Root CA).


If you're asking about self-signed certificates in general, they're born untrusted (because anyone can make one), and become trusted by explicit action. One way for a root certificate to become trusted is to be included in the System Roots keychain, which Apple populates as part of system installation. The chain of trust starts with Apple investigating the issuer, and deciding that they're a legitimate Certificate Authority (CA); and then you trust Apple by running their installer.

The other way to become trusted is through explicit interaction. For example, you can open a certificate and change the trust setting to "Always Trust". Or the System Installer can create the self-signed certificate and explicitly mark it trusted. Either way, such trust is established only in that keychain.

A non-root certificate (that is, one that is not self-signed) is valid if its signature can be verified by the signing certificate, if that can be found and is itself valid.

Any certificate, self-signed or not, can expire and/or be revoked. An expired certificate can still be marked trusted, overriding the expiration.
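The trust evaluation described in the post above, as an added example. This is my code, not ganbustein's, and it uses Go's standard crypto/x509 verifier rather than anything from the macOS keychain or the Security framework, so an in-memory CertPool stands in for a keychain. It generates its own root and leaf certificates at run time; the names `template`, `issue`, `verify`, `Outcomes` and `Evaluate`, the subject names and the clock value are all mine. It goes slightly beyond the post by also verifying an expired leaf; what it cannot show is the per-certificate override that marks an expired certificate trusted anyway, because Go's verifier has no equivalent of keychain trust settings.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Verdict is the outcome of evaluating a certificate against a trust store.
type Verdict string

const (
	Trusted          Verdict = "trusted"
	UnknownAuthority Verdict = "not trusted: no path to a trusted root"
	Expired          Verdict = "not trusted: expired"
	OtherFailure     Verdict = "not trusted: other reason"
)

// template builds a minimal certificate; isCA marks it as allowed to sign others.
func template(cn string, serial int64, isCA bool, notBefore, notAfter time.Time) *x509.Certificate {
	c := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter,
		BasicConstraintsValid: true, IsCA: isCA,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	}
	if isCA {
		c.KeyUsage |= x509.KeyUsageCertSign
	}
	return c
}

// issue signs tmpl with signerKey. Passing the template itself as parent makes it
// self-signed: the certificate's own public key is what checks its signature.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		panic(err) // inputs are constructed, so this would be a programming error
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert
}

// verify plays the part of a keychain's trust evaluation: follow signatures from
// cert upward until something in roots is reached, checking validity dates on the way.
func verify(cert *x509.Certificate, roots *x509.CertPool, now time.Time) Verdict {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots, // never nil: nil makes Go fall back to the system root store
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	var unknown x509.UnknownAuthorityError
	var invalid x509.CertificateInvalidError
	switch {
	case err == nil:
		return Trusted
	case errors.As(err, &unknown):
		return UnknownAuthority
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return Expired
	}
	return OtherFailure
}

// Outcomes holds the verdicts for the situations the post above describes.
type Outcomes struct {
	SelfSignedNotInStore Verdict // fresh self-signed cert, empty store: "born untrusted"
	SelfSignedInStore    Verdict // the same cert once it has been added to the store
	LeafSignerInStore    Verdict // a cert signed by that root, on a machine that trusts the root
	LeafSignerNotInStore Verdict // the same cert on a machine that never trusted the root
	LeafExpired          Verdict // signed by a trusted root, but past its NotAfter date
}

// Evaluate builds a constructed root and two leaves and evaluates each case.
func Evaluate() Outcomes {
	now := time.Date(2013, time.March, 8, 0, 0, 0, 0, time.UTC) // constructed clock
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	day := 24 * time.Hour
	rootTmpl := template("Example Self-Signed Root", 1, true, now.Add(-day), now.Add(365*day))
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	leaf := issue(template("example.test", 2, false, now.Add(-time.Hour), now.Add(day)), root, &leafKey.PublicKey, rootKey)
	expired := issue(template("example.test", 3, false, now.Add(-2*day), now.Add(-day)), root, &leafKey.PublicKey, rootKey)
	empty := x509.NewCertPool()
	store := x509.NewCertPool()
	store.AddCert(root) // the explicit act of trusting the self-signed root
	return Outcomes{
		SelfSignedNotInStore: verify(root, empty, now),
		SelfSignedInStore:    verify(root, store, now),
		LeafSignerInStore:    verify(leaf, store, now),
		LeafSignerNotInStore: verify(leaf, empty, now),
		LeafExpired:          verify(expired, store, now),
	}
}

func main() {
	fmt.Printf("%+v\n", Evaluate())
}
```

Run it with `go run`: the same self-signed certificate comes back "no path to a trusted root" against the empty pool and "trusted" once it has been added, which is all that "This certificate has not been verified by a third party" is telling you. Note that Roots must be a real, possibly empty, pool: a nil Roots makes Go consult the platform's system roots, which would quietly reproduce the System Roots keychain and hide the distinction the post is drawing.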

Re: Cocktail and Mountain
ganbustein #25298 03/08/13 01:16 AM
Joined: Aug 2009
Likes: 15
Online
Thanks for that; this thread has become quite a resource, albeit an arcane one.

> If you're talking about com.apple.systemdefault, on my machine (running 10.8.2), it doesn't say that certificate is not trusted. It says "This certificate has not been verified by a third party."

I guess Apple has changed its nomenclature...perhaps because of the very confusion with which we're dealing here?


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Cocktail and Mountain
artie505 #25321 03/10/13 08:03 PM
Joined: Aug 2009
Offline
Originally Posted By: artie505
Thanks.

That makes sense, but it doesn't make that "Untrusted" label any less disconcerting.

> either the private key that signed it is available, or it's not signed.

I assume you meant unavailable there?



Nope, I said what I meant. If the system has signed it, the key MUST be available locally, for the system to use.


I work for the Department of Redundancy Department
Re: Cocktail and Mountain
Virtual1 #25362 03/12/13 05:12 AM
Joined: Aug 2009
Likes: 15
Online
Oh! Got it. Thanks.


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Cocktail and Mountain
tacit #25478 03/20/13 01:27 PM
Joined: Aug 2009
Likes: 1
Moderator
Offline
It may be of interest to know that a lively discussion on the topic of passwords and their resistance to cracking developed in the MacInTouch Reader Report on Security-Passwords the last few days. Among the many interesting tidbits brought up there is a link about Password Recovery Speeds as a function of character set used for the password and the class of attack used by the cracker.


alternaut moderator
Re: Cocktail and Mountain
alternaut #25481 03/21/13 07:12 AM
Joined: Aug 2009
Likes: 15
Online
Thanks for the interesting links.

Apropos, I recently tried to change my Vanguard password and discovered that they had apparently truncated my old one; needless to say, I wasn't pleased.


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Cocktail and Mountain
artie505 #25487 03/22/13 09:58 PM
Joined: Aug 2009
Offline
Truncation is unfortunately common. VNC, for example: assign as long a VNC password as you like for remote desktop, and the first 8 chars (with anything added) will connect you.


I work for the Department of Redundancy Department
Re: Cocktail and Mountain
Virtual1 #25491 03/22/13 10:17 PM
Joined: Aug 2009
Likes: 15
Online
I'm not as angry about discovering the truncation as about the fact that what had been an acceptably long password became an unacceptably long one without my having been notified; it was, in effect, unilaterally changed by Vanguard.


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Cocktail and Mountain
artie505 #25496 03/23/13 03:38 PM
Joined: Aug 2009
Likes: 16
Moderator
Offline
I have run across several financial sites where passwords of any length are accepted but only the first 8 characters are significant. In fact I recall many years ago one site was quite open in suggesting you use some phrase of length n but only the first m characters would be significant. That goes back to password rules the site established many years ago when 8 character passwords were the standard and has remained unchanged to avoid requiring many thousands of established customers to change their password.


If we knew what it was we were doing, it wouldn't be called research, would it?

— Albert Einstein
Re: Cocktail and Mountain
joemikeb #25500 03/23/13 07:13 PM
Joined: Aug 2009
Likes: 1
Moderator
Offline
Originally Posted By: joemikeb
I have run across several financial sites where passwords of any length are accepted but only the first 8 characters are significant.

What you describe here is password truncation, another topic discussed in the MacInTouch link I gave above. The problem with password truncation is that there are sites whose verification systems don't truncate passwords upon return like they did when the password was originally entered. That means that your original password may be denied without you knowing why, in this case because it's 'too long'. You'd have to guess it was truncated, and by how many characters.


alternaut moderator
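The three truncation behaviours discussed in the last few posts (Virtual1's VNC note, joemikeb's sites that keep only the first 8 characters, and the enrol-truncated/verify-untruncated mismatch alternaut describes) as one added example in Go. This is my code and not anyone's real back end: the width of 8, the salted SHA-256 standing in for whatever the site actually stores, the salt and the passphrase are all constructed for the example, and the function names are mine. It also includes the check a practitioner would run against their own account to find out whether a site truncates, and at what length.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Width is the hypothetical number of significant characters; the sites described
// above keep 8, and VNC's classic authentication keeps 8 bytes.
const Width = 8

// truncate keeps the first Width bytes. It is byte-based, as legacy fixed-width
// fields are, so a multi-byte character straddling the boundary is cut in the middle.
func truncate(p string) string {
	if len(p) > Width {
		return p[:Width]
	}
	return p
}

// digest is a stand-in for whatever the site stores; a salted SHA-256 keeps the
// example self-contained. It is not a recommendation for password storage.
func digest(salt, password string) []byte {
	h := sha256.Sum256([]byte(salt + "\x00" + password))
	return h[:]
}

// Account is a stored credential together with the salt it was hashed under.
type Account struct {
	Salt   string
	Digest []byte
}

// Enroll stores the password the way a silently truncating site does: the user is
// not told, and only the first Width bytes ever reach the hash.
func Enroll(salt, password string) Account {
	return Account{Salt: salt, Digest: digest(salt, truncate(password))}
}

// LoginTruncating is the VNC-style check: the presented password is truncated the
// same way before comparison, so anything with the right prefix gets in.
func LoginTruncating(a Account, presented string) bool {
	return subtle.ConstantTimeCompare(a.Digest, digest(a.Salt, truncate(presented))) == 1
}

// LoginStrict is the later front end alternaut describes: it hashes the whole
// presented string, so the password the user remembers no longer matches what was stored.
func LoginStrict(a Account, presented string) bool {
	return subtle.ConstantTimeCompare(a.Digest, digest(a.Salt, presented)) == 1
}

// ShortestAcceptedPrefix is the self-check for a real site: it reports the shortest
// prefix of password that login accepts, or -1 if no proper prefix works. Against a
// live account, lockout and rate-limit rules apply, so try a few lengths, not all.
func ShortestAcceptedPrefix(login func(string) bool, password string) int {
	for n := 1; n < len(password); n++ {
		if login(password[:n]) {
			return n
		}
	}
	return -1
}

// Results records what happens to one long passphrase under the two policies.
type Results struct {
	FullPasswordTruncating bool // the original passphrase, truncating login: accepted
	SamePrefixTruncating   bool // first Width bytes plus junk, truncating login: accepted
	PrefixOnlyTruncating   bool // just the first Width bytes, truncating login: accepted
	FullPasswordStrict     bool // the original passphrase, strict login: rejected
	PrefixOnlyStrict       bool // the truncated prefix, strict login: the only thing that works
	TruncatedAt            int  // what the self-check reports for the truncating login
}

// Run enrols a constructed passphrase and exercises both login policies.
func Run() Results {
	const password = "correct horse battery staple" // constructed 28-byte passphrase
	acct := Enroll("constructed-salt", password)
	prefix := truncate(password) // "correct " including the trailing space
	return Results{
		FullPasswordTruncating: LoginTruncating(acct, password),
		SamePrefixTruncating:   LoginTruncating(acct, prefix+"ZZZZZZZZZZZZ"),
		PrefixOnlyTruncating:   LoginTruncating(acct, prefix),
		FullPasswordStrict:     LoginStrict(acct, password),
		PrefixOnlyStrict:       LoginStrict(acct, prefix),
		TruncatedAt: ShortestAcceptedPrefix(func(p string) bool {
			return LoginTruncating(acct, p)
		}, password),
	}
}

func main() {
	fmt.Printf("%+v\n", Run())
}
```

The point of the two login functions side by side is that the stored hash is identical in both cases; only the front end changed. Under the truncating check a 28-character passphrase is worth exactly 8 characters of guessing, and under the strict check the user is locked out of their own account until they guess that the first 8 characters are what was kept.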
Re: Cocktail and Mountain
joemikeb #25508 03/24/13 01:14 AM
Joined: Aug 2009
Likes: 15
Online
After doing some checking and thinking, I realized that what probably happened was I wasn't paying full attention and entered a longer password than was permissible, but instead of flagging it, Vanguard accepted it but only registered the first n characters, and I never realized what had happened until I tried to change it at a later date.

That's a hell of a way to protect customers' security... Allow them to think they've established secure passwords when, in fact, they haven't.


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire