An open community of Macintosh users, for Macintosh users.


Page 4 of 4 < 1 2 3 4
#25245 - 03/03/13 07:18 PM Re: Cocktail and Mountain [Re: artie505]
tacit
Registered: 08/03/09
Loc: Portland, Oregon, USA
There's a lot of money in it. Some of the most highly paid programmers in the world are employed as hackers by Eastern European organized crime. When you have enough money at stake, it's amazing what you can do...
_________________________
Photo gallery, all about me, and more: www.xeromag.com/franklin.html

#25295 - 03/07/13 05:04 PM Re: Cocktail and Mountain [Re: artie505]
ganbustein
Registered: 08/04/09
Originally Posted By: artie505
But why is a "self-signed" key "not trusted?"


If you're talking about com.apple.systemdefault, on my machine (running 10.8.2), it doesn't say that certificate is not trusted. It says "This certificate has not been verified by a third party."

Which is true.

But that doesn't mean it's not trusted. It's trusted on your machine, because it's on your machine, in your keychain, and marked there as trusted. It will not be trusted on any other machine.

Had it been signed by another certificate (and not revoked) it would be accepted on any other machine that accepted the signing certificate. But that's not what it's for. It's for saying "I made this signature, so I trust it, but I don't expect anyone else to."


I don't know what the deal is with Dashboard Advisory. I know what it's for, but I don't know why Apple didn't either put it in System Roots or sign it with something that is (like Apple Root CA).


If you're asking about self-signed certificates in general, they're born untrusted (because anyone can make one), and become trusted by explicit action. One way for a root certificate to become trusted is to be included in the System Roots keychain, which Apple populates as part of system installation. The chain of trust starts with Apple investigating the issuer, and deciding that they're a legitimate Certificate Authority (CA); and then you trust Apple by running their installer.

The other way to become trusted is through explicit interaction. For example, you can open a certificate and change the trust setting to "Always Trust". Or the System Installer can create the self-signed certificate and explicitly mark it trusted. Either way, such trust is established only in that keychain.

A non-root certificate (that is, one that is not self-signed) is valid if its signature can be verified by the signing certificate, if that can be found and is itself valid.

Any certificate, self-signed or not, can expire and/or be revoked. An expired certificate can still be marked trusted, overriding the expiration.

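To make ganbustein's description concrete, here is an added example (my own code, not from this thread and not Apple's) that uses Go's standard crypto/x509 to build a root CA, a leaf certificate that root signed, a standalone self-signed certificate, and an expired leaf, and then checks each against a trust store standing in for "this machine's keychain" (the root shipped as a system root, the self-signed cert marked trusted by hand) and an empty store standing in for "any other machine". Every name, validity period and store content is constructed for the demo. One caveat the code makes visible: unlike Keychain Access, the library has no "trust it anyway" switch for an expired certificate, so expiry is always an error here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // constructed serial numbers; a real CA must make these unique and unpredictable

// newCert issues a certificate for cn. With parent == nil it is self-signed (a root, or a
// standalone cert like com.apple.systemdefault); otherwise parent/parentKey sign it.
func newCert(cn string, isCA bool, notBefore, notAfter time.Time,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key // self-signed: the certificate vouches for itself
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// trustStatus evaluates leaf against a trust store ("keychain") and reduces the outcome
// to "trusted", "unknown authority", "expired", or the raw error text.
func trustStatus(leaf *x509.Certificate, keychain *x509.CertPool) string {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     keychain,                                // a nil Roots would silently mean the OS store
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, // we are testing trust, not TLS usage
	})
	var unknown x509.UnknownAuthorityError
	var invalid x509.CertificateInvalidError
	switch {
	case err == nil:
		return "trusted"
	case errors.As(err, &unknown):
		return "unknown authority"
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "expired"
	default:
		return "error: " + err.Error()
	}
}

// scenarios builds the certificates and checks them against two constructed keychains.
func scenarios() map[string]string {
	now := time.Now()
	valid := []time.Time{now.Add(-time.Hour), now.Add(24 * time.Hour)}
	root, rootKey := newCert("Example Root CA", true, valid[0], valid[1], nil, nil)
	leaf, _ := newCert("leaf signed by root", false, valid[0], valid[1], root, rootKey)
	selfSigned, _ := newCert("standalone self-signed", false, valid[0], valid[1], nil, nil)
	expired, _ := newCert("expired leaf", false, now.Add(-48*time.Hour), now.Add(-24*time.Hour), root, rootKey)

	thisMachine := x509.NewCertPool()
	thisMachine.AddCert(root)          // as if shipped in System Roots
	thisMachine.AddCert(selfSigned)    // as if explicitly marked "Always Trust"
	otherMachine := x509.NewCertPool() // empty: knows neither of our certificates

	return map[string]string{
		"leaf/this machine":         trustStatus(leaf, thisMachine),
		"leaf/other machine":        trustStatus(leaf, otherMachine),
		"self-signed/this machine":  trustStatus(selfSigned, thisMachine),
		"self-signed/other machine": trustStatus(selfSigned, otherMachine),
		"expired leaf/this machine": trustStatus(expired, thisMachine),
	}
}

func main() {
	for name, status := range scenarios() {
		fmt.Printf("%-26s %s\n", name, status)
	}
}
```

The empty pool matters: passing a nil Roots makes Go fall back to the operating system's store, which would quietly turn the "other machine" case into "this machine".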
#25298 - 03/07/13 05:16 PM Re: Cocktail and Mountain [Re: ganbustein]
artie505
Registered: 08/04/09
Thanks for that; this thread has become quite a resource, albeit an arcane one.

> If you're talking about com.apple.systemdefault, on my machine (running 10.8.2), it doesn't say that certificate is not trusted. It says "This certificate has not been verified by a third party."

I guess Apple has changed its nomenclature... perhaps because of the very confusion with which we're dealing here?
_________________________
The new Great Equalizer is the SEND button.

#25321 - 03/10/13 01:03 PM Re: Cocktail and Mountain [Re: artie505]
Virtual1
Registered: 08/04/09
Loc: Iowa
Originally Posted By: artie505
Thanks.

That makes sense, but it doesn't make that "Untrusted" label any less disconcerting.

> either the private key that signed it is available, or it's not signed.

I assume you meant unavailable there?



Nope, I said what I meant. If the system has signed it, the key MUST be available locally, for the system to use.
_________________________
I work for the Department of Redundancy Department

#25362 - 03/11/13 10:12 PM Re: Cocktail and Mountain [Re: Virtual1]
artie505
Registered: 08/04/09
Oh! Got it. Thanks.
_________________________
The new Great Equalizer is the SEND button.

#25478 - 03/20/13 06:27 AM Re: Cocktail and Mountain [Re: tacit]
alternaut
Moderator
Registered: 08/04/09
It may be of interest to know that a lively discussion on the topic of passwords and their resistance to cracking developed in the MacInTouch Reader Report on Security-Passwords the last few days. Among the many interesting tidbits brought up there is a link about Password Recovery Speeds as a function of character set used for the password and the class of attack used by the cracker.
_________________________
alternaut moderator

#25481 - 03/21/13 12:12 AM Re: Cocktail and Mountain [Re: alternaut]
artie505
Registered: 08/04/09
Thanks for the interesting links.

Apropos, I recently tried to change my Vanguard password and discovered that they had apparently truncated my old one; needless to say, I wasn't pleased.
_________________________
The new Great Equalizer is the SEND button.

#25487 - 03/22/13 02:58 PM Re: Cocktail and Mountain [Re: artie505]
Virtual1
Registered: 08/04/09
Loc: Iowa
Truncation is unfortunately common. VNC, for example: assign as long a VNC password as you like for remote desktop; the first 8 chars (with anything added) will connect you.
_________________________
I work for the Department of Redundancy Department

#25491 - 03/22/13 03:17 PM Re: Cocktail and Mountain [Re: Virtual1]
artie505
Registered: 08/04/09
I'm not as angry about discovering the truncation as by the fact that what had been an acceptably long password became an unacceptably long one without my having been notified; it was, in effect, unilaterally changed by Vanguard.
_________________________
The new Great Equalizer is the SEND button.

#25496 - 03/23/13 08:38 AM Re: Cocktail and Mountain [Re: artie505]
joemikeb
Moderator
Registered: 08/04/09
Loc: Fort Worth, Texas
I have run across several financial sites where passwords of any length are accepted but only the first 8 characters are significant. In fact I recall many years ago one site was quite open in suggesting you use some phrase of length n but only the first m characters would be significant. That goes back to password rules the site established many years ago when 8 character passwords were the standard and has remained unchanged to avoid requiring many thousands of established customers to change their password.
_________________________
joemikeb • moderator

#25500 - 03/23/13 12:13 PM Re: Cocktail and Mountain [Re: joemikeb]
alternaut
Moderator
Registered: 08/04/09
Originally Posted By: joemikeb
I have run across several financial sites where passwords of any length are accepted but only the first 8 characters are significant.

What you describe here is password truncation, another topic discussed in the MacInTouch link I gave above. The problem with password truncation is that there are sites whose verification systems don't truncate passwords upon return like they did when the password was originally entered. That means that your original password may be denied without you knowing why, in this case because it's 'too long'. You'd have to guess it was truncated, and by how many characters.
_________________________
alternaut moderator

#25508 - 03/23/13 06:14 PM Re: Cocktail and Mountain [Re: joemikeb]
artie505
Registered: 08/04/09
After doing some checking and thinking, I realized that what probably happened was I wasn't paying full attention and entered a longer password than was permissible, but instead of flagging it, Vanguard accepted it but only registered the first n characters, and I never realized what had happened until I tried to change it at a later date.

That's a hell of a way to protect customers' security... Allow them to think they've established secure passwords when, in fact, they haven't.
_________________________
The new Great Equalizer is the SEND button.

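As an added example (my own code; not Vanguard's, not VNC's, and not from anyone in this thread), the Go program below models the three behaviours the posts above describe for a password longer than a site's limit: keeping every character (the fix), keeping only the first N characters at both enrollment and login (Virtual1's VNC case and what artie505 found at Vanguard, where the extra characters are silently ignored), and keeping the first N at enrollment but comparing the full string at login (alternaut's case, where the original password is then refused). It also includes the check a user can run against their own account: change one trailing character at a time and see where the site stops noticing. The sample password, the 8-character limit and the salted SHA-256 used in place of a real password hash are all constructed for the demo.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Policy models how a site treats characters beyond its historical limit.
type Policy int

const (
	FullLength           Policy = iota // every character is significant (the fix)
	TruncateBoth                       // first N chars kept at enrollment and at login: silent
	TruncateAtEnrollOnly               // first N chars kept at enrollment, full string compared at login
)

type account struct {
	salt []byte
	hash [32]byte
}

type Service struct {
	policy   Policy
	limit    int
	accounts map[string]account
}

func NewService(p Policy, limit int) *Service {
	return &Service{policy: p, limit: limit, accounts: map[string]account{}}
}

// significant returns the part of pw the service actually hashes under its policy.
func (s *Service) significant(pw string, atLogin bool) string {
	r := []rune(pw)
	truncate := s.policy == TruncateBoth || (s.policy == TruncateAtEnrollOnly && !atLogin)
	if truncate && len(r) > s.limit {
		return string(r[:s.limit])
	}
	return pw
}

// digest is a salted SHA-256 stand-in; a real site would use a slow KDF (bcrypt, scrypt, Argon2).
func digest(salt []byte, pw string) [32]byte {
	return sha256.Sum256(append(append([]byte{}, salt...), pw...))
}

func (s *Service) Enroll(user, pw string) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	s.accounts[user] = account{salt: salt, hash: digest(salt, s.significant(pw, false))}
}

func (s *Service) Login(user, pw string) bool {
	a, ok := s.accounts[user]
	if !ok {
		return false
	}
	h := digest(a.salt, s.significant(pw, true))
	return subtle.ConstantTimeCompare(h[:], a.hash[:]) == 1
}

// significantLength probes a service the way its own user can: log in with the real
// password, then with one character changed, moving the change from the end toward the
// front until the login finally fails. It returns how many characters actually count,
// or -1 if the real password is itself refused (truncated at enrollment but not at login).
func significantLength(s *Service, user, password string) int {
	if !s.Login(user, password) {
		return -1
	}
	runes := []rune(password)
	for i := len(runes) - 1; i >= 0; i-- {
		mutated := append([]rune{}, runes...)
		mutated[i]++ // any different character will do
		if !s.Login(user, string(mutated)) {
			return i + 1 // position i is still checked, so i+1 characters are significant
		}
	}
	return 0
}

// demo enrolls the same constructed 28-character password under each policy with an
// 8-character limit and reports the significant length the probe finds.
func demo() map[string]int {
	const pw = "correct horse battery staple" // constructed sample, 28 characters
	out := map[string]int{}
	for name, p := range map[string]Policy{
		"full-length": FullLength, "truncate-both": TruncateBoth, "truncate-enroll-only": TruncateAtEnrollOnly,
	} {
		s := NewService(p, 8)
		s.Enroll("artie", pw)
		out[name] = significantLength(s, "artie", pw)
	}
	return out
}

func main() {
	for name, n := range demo() {
		fmt.Printf("%-22s significant characters: %d\n", name, n)
	}
}
```

Under TruncateBoth the probe reports 8 even though 28 characters were typed, which is exactly what "accept any length, only the first 8 are significant" looks like from the outside; under TruncateAtEnrollOnly it reports -1 because the full password no longer matches what was stored, and only its first 8 characters would.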

Moderator:  alternaut, dianne, dkmarsh