Sometimes your email server gets a new SSL security certificate, or you have just set up your email account for the first time on this computer. In those cases, you may need to accept and save the email server's SSL security certificate. This works well with Mac OS X 10.5 (Leopard) and up; it is possible, but more difficult, in 10.4 (Tiger) and earlier. Below are screen pictures from Apple Mail (OS X 10.5.8); other systems will be similar. What we need to do is tell the computer that it is OK to trust this mail server, even if the name does not exactly match. For the moment, I'm assuming that you are connecting to the correct server and that we are not in the middle of an attack. We just need to clear out this annoying message.
The problem looks like this: “The identity of mail.YourDomainName.com cannot be verified.”

(Screenshot: the dialog reporting that the certificate cannot be verified)


If you just click “Connect” you will be OK, but only until Mail is restarted; then it will ask again. We need to tell the computer that it is OK to trust this mail server, even though the name on the certificate does not exactly match the server name you typed. If you pay a lot more for email than most people do, you can buy a unique SSL certificate just for your domain name, but that is beyond the scope of this article. So what we are going to do is click the “Show Certificate” button. This reveals a checkbox that says: Always trust *.mail.server.com when connecting to mail.YourDomainName.com. Yes, we want to put a check mark in that box! Before you do, glance at the certificate details shown above the checkbox: the name (here *.mail.server.com) and the issuer should belong to your email provider, because ticking the box tells Mail to trust this particular certificate for this host from now on. Then press the “Connect” button.

(Screenshot: the Show Certificate view with the “Always trust” checkbox)

The computer will ask for your admin password to save this certificate. Enter that & you’re all set.

(Screenshot: the password request to save the certificate trust setting)

It may ask you again if you have multiple email accounts on different servers. Go ahead & run through this again for those, if necessary.
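As an added example (not from the original post), here is a small shell function showing why Mail complains: a certificate name such as *.mail.server.com only covers hosts one label below mail.server.com, so it can never cover mail.YourDomainName.com, and the checkbox above is how you tell Mail to trust that specific certificate for your host anyway. The hostnames are the placeholders used in the post; the matching rule is the standard one, not anything Apple Mail exposes.

```shell
#!/bin/sh
# Added example: does a certificate name (possibly a wildcard) cover a hostname?
# Follows the usual rule (RFC 6125 section 6.4.3): '*' is allowed only as the whole
# left-most label and stands for exactly one label. Hostnames are placeholders
# from the post above.
cert_name_matches() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')      # DNS names compare case-insensitively
    pattern=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$pattern" in
        '*.'*)
            suffix=${pattern#\*.}                   # "*.mail.server.com" -> "mail.server.com"
            case "$host" in
                *".$suffix")
                    first=${host%".$suffix"}        # the part the '*' would have to cover
                    case "$first" in
                        ''|*.*) return 1 ;;         # empty, or spans more than one label
                        *)      return 0 ;;
                    esac ;;
                *) return 1 ;;
            esac ;;
        *'*'*) return 1 ;;                          # wildcard anywhere else: reject
        *)     [ "$host" = "$pattern" ] ;;          # plain name: exact match only
    esac
}

# Explain, for the dialog shown above, why the warning appears (or does not).
explain() {
    if cert_name_matches "$1" "$2"; then
        echo "$2 covers $1: no name-mismatch warning"
    else
        echo "$2 does not cover $1: Mail will warn until you trust the certificate for $1"
    fi
}

explain mail.YourDomainName.com '*.mail.server.com'
explain imap.mail.server.com '*.mail.server.com'
```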



THE BAD NEWS

From  heartbleed.com
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

LA TIMES article says:
“Avoid things like online banking and avoid sensitive sites if you’re not sure,” said Andrew Storms, director of DevOps at CloudPassage. “Some people will see it as overkill. But I think that’s the simplest guidance. If you can hold off doing something online for a couple days, then you should.” http://www.latimes.com/business/la-fi-web-vulnerability-20140409,0,3935723.story#ixzz2yNFIPszd

NY Times article says:
“The most immediate advice from security experts to consumers was to wait or at least be cautious before changing passwords. Changing a password on a site that hasn’t been fixed could simply hand the new password over to hackers.”   http://tinyurl.com/l3hh9j6

Art Zemon of Hens Teeth Network says: “Breathe and wait a few days before embarking on such a labor-intensive course as changing passwords everywhere.”
This is such a major problem that I would expect most servers to be updated within a week.

THE GOOD NEWS

The GOOD NEWS is that you’re probably OK if you and the server are using older software (prior to Dec 2011). All (or most) Macs & Mac servers have good versions of OpenSSL. To be clear, Macs & Mac servers don’t seem to be in any danger of being attacked directly. However, the danger of a server being attacked and leaking data is still there. To see whether the server you want to use is vulnerable or not, see “How to test servers” below.

From heartbleed.com :
What versions of OpenSSL are affected?

Status of different versions:
• OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable (BAD)
• OpenSSL 1.0.1g is NOT vulnerable (OK)
• OpenSSL 1.0.0 branch is NOT vulnerable (OK)
• OpenSSL 0.9.8 branch is NOT vulnerable (OK)
The bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012.
OpenSSL 1.0.1g, released on 7th of April 2014, fixes the bug.

HOW TO TELL WHAT VERSION OF OPENSSL YOUR MAC HAS:

(Screenshot: Terminal showing the openssl version command)

Open the “Terminal” app (from /Applications/Utilities)
and type: openssl
When it comes back with the prompt: OpenSSL>
type: version
It will tell you what version of OpenSSL it is using. Compare that version to the list above of good & bad versions.
You may now “Quit” the Terminal app. We are finished with it.

Some Examples:
Mac OSX 10.9 Mavericks
OpenSSL 0.9.8y 5 Feb 2013             <– OK

Mac OSX 10.8.5 Mountain Lion
OpenSSL 1.0.0c 2 Dec 2010              <– OK

Mac OSX 10.7.5 Lion
OpenSSL 0.9.8r 8 Feb 2011               <– OK

Mac OSX 10.6.8 Snow Leopard
OpenSSL 0.9.8x 10 May 2012            <– OK

Mac OSX 10.5.8 Leopard
OpenSSL 0.9.7l 28 Sep 2006             <– OK

Mac OSX 10.4.11 Tiger
OpenSSL 0.9.7l 28 Sep 2006             <– OK

Mac OSX 10.3.9 Panther
OpenSSL 0.9.7l 28 Sep 2006              <– OK

Another victory for Mac!  :-)

This website is hosted at Dreamhost running Linux:
Welcome to fuchsia.dreamhost.com
[fuchsia]$ cat /proc/version
Linux version 3.2.45-grsec-2.9.1-r3+ (root@cerebrum) (gcc version 4.6.3 (Gentoo Hardened 4.6.3 p1.13, pie-0.5.2) ) #63 SMP Fri May 24 02:11:07 UTC 2013
[fuchsia]$ openssl
OpenSSL> version
OpenSSL 0.9.8o 01 Jun 2010               <– OK
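As an added example (not part of the original post), here is the same check in script form: the function classifies an “openssl version” string against the heartbleed.com list above, and the sample strings it is exercised with are the ones shown for the Macs and the Dreamhost server. Anything not on that list (for example a LibreSSL build) is reported as unknown rather than guessed.

```shell
#!/bin/sh
# Added example: classify an "openssl version" string against the heartbleed.com
# list above. Vulnerable: 1.0.1 through 1.0.1f. Not vulnerable: 1.0.1g and later
# letters, the 1.0.0 branch, and anything 0.9.x (older than the Dec 2011 change).
heartbleed_status() {
    # $1 is the whole line "openssl version" prints, e.g. "OpenSSL 1.0.1f 6 Jan 2014"
    set -- $1                              # split on whitespace: $1=OpenSSL, $2=version
    if [ "${1:-}" != OpenSSL ] || [ -z "${2:-}" ]; then
        echo unknown                       # not OpenSSL at all (e.g. LibreSSL, or junk)
        return 0
    fi
    case "$2" in
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*) echo vulnerable ;;       # also "1.0.1e-fips"
        1.0.1[g-z]*)                   echo "not vulnerable" ;; # 1.0.1g fixed it
        1.0.0*|0.9.*)                  echo "not vulnerable" ;; # pre-Heartbleed branches
        *)                             echo unknown ;;          # not on the list above
    esac
}

# Same check as the Terminal steps above, run against this machine's openssl.
check_local_openssl() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; return 0; }
    line=$(openssl version)
    printf '%s  <-- %s\n' "$line" "$(heartbleed_status "$line")"
}

check_local_openssl
```

One caveat the version string cannot tell you: Linux distributions often backport the fix without changing the version letter, so a 1.0.1e that this reports as vulnerable may in fact be patched; check the package changelog, and use the server tests below for anything remote.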

WHAT DO WE DO ABOUT IT?

* If you have a bad version of SSL on your machine, fix that first. (Mac users: you guys are OK, no worries here.)

* Test important servers before you log in to them. See “How to Test Servers” below.

* You’re going to need to change your passwords for some servers. But not yet! Wait a few days, maybe a week, until those servers are fixed. Then change your passwords there.

* Set your web browser to notice revoked SSL certificates. (See “Certificate Revocation” below.)

* Log out of a website when you are finished with it. Don’t just close the window. Log out. There is always a menu or button or something to let you sign out. Look for it. When you log out, most servers will discard your session data from RAM, so it can’t be retrieved by the Heartbleed bug.

Keep track of all those annoying passwords & related bits of important info. I like 1Password and I use it about a hundred times a day.


Certificate Revocation

Even if your computer has a good version of OpenSSL, the server you want to connect to may be vulnerable. A related problem is that many web browsers ship with default settings that do not even check for revoked certificates. Tsk tsk. These are settings we can fix.

Safari users: You may be surprised to find that these settings are not actually in Safari, but in a separate app you’ve probably never used.

Open Keychain Access. You’ll find it in the /Applications/Utilities folder.

Pull down the Keychain Access menu to Preferences.

(Screenshot: the Keychain Access menu)

Click the “Certificates” tab. Then hold down the Option key and choose “Require for all certificates” for both of the first two items. Leave the third one as it is.

Update: Don’t do that – it breaks 1Password & will prevent 1Password from launching. It also breaks Parallels.

But it seems OK to select “Require if certificate indicates”. Reboot for this setting to take effect.

(Screenshot: the Keychain Access settings that break 1Password, on Mountain Lion)

(Screenshot: the Keychain Access preferences that seem OK, on Mountain Lion)

Ok! That’s better! Close the window & Quit Keychain Access. We’re done here.


(Screenshot: the Firefox Preferences menu)

(Screenshot: the Firefox certificate OCSP setting)

HOW TO TEST SERVERS (before you login to them):

To test how good the security is at your bank, webmail, or other SSL-secured website, try this website tester: ssllabs.com/ssltest/
or this more basic one: filippo.io/Heartbleed/

WANT TO KNOW MORE?

Duncan Davidson, an engineer for the German software company Wunderlist, has written a personal account of what happened in more technical detail.

Bruce Schneier, who does not have a track record for being an alarmist, has declared the Heartbleed bug “catastrophic … On the scale of 1 to 10, this is an 11.”

As usual, XKCD nails the issue in beautiful form. (Image usage terms)

(Comic image from xkcd.com)


Password strength checker

January 23, 2014

The worst thing about passwords is trying to come up with a new one that is sufficiently complex, yet something you can remember. And how do you know if a password is easily guessed versus being a great password? How long would it take the robo-crackers to figure out your password? You know they are […]

Read the full article →

Cheap iPhone Talk Text & Data plan $30/month from KittyWireless & Page Plus

November 27, 2013

Hey, if you are open to saving money with last year’s phone, and some people will be, check this out. It won’t work for the iPhone 5, but it does work really well for the Verizon iPhone 4S. I mentioned this in a previous post, but I’ve received enough questions that I am going to […]

Read the full article →

How to Disable Sophos AV On-access Scanning

November 5, 2013

Most Mac users have not even seen a virus in many years. But it could happen. I’ve been trying out Sophos AV for Mac (Free) for some time now in both Mac OS X 10.6 Snow Leopard & Mac OS X 10.8 Mtn Lion. It seems to run OK, without causing noticeable problems. One of […]

Read the full article →

I’m contributing to the Technical Documentation of CHIRP

September 7, 2013

I am now a contributing editor of Technical documentation for the CHIRP project. CHIRP is a free, open-source tool for programming your ham radio. It supports a large number of manufacturers and models, as well as provides a way to interface with multiple data sources and formats. With CHIRP you can easily upload or download […]

Read the full article →

Migrate from VirtualBox to Parallels

March 2, 2013

How to Migrate from VirtualBox to Parallels I have a bunch of VirtualBox VMs that work fine under VBox, and I’d like to use them with Parallels Desktop 8 on Macintosh. Sadly, Parallels is not able to import them as-is, and researching this via the Parallels KB has not been effective.  Searching the web I […]

Read the full article →

Twitter Spam – How to Revoke Access from Rogue Apps

January 2, 2013

Did your friends tell you that you sent them Twitter Spam? How could that have happened? Here is how to fix it and regain control of your Twitter account. Change your Twitter password. This the first step. It might be all you need. But often it is not enough because Twitter is not just a little […]

Read the full article →

Cheap Cellphone and Great VoiceMail – Smart deals

December 2, 2012

Ask most people and they can name the 4 cellphone companies that offer cell phone service in your area. ATT, Verizon, T-Mobile & Sprint. But did you know that there are more choices? Some really great deals on the exact same service – only cheaper?!! It’s true! My personal opinion is that Verizon Wireless (VZW) […]

Read the full article →

A Better sig for your email, use a linked graphic as a sig for Apple Mail

June 13, 2012

It is possible to add an attachment as a signature to every outgoing email, but this is not desirable & there is a better way. Why to NOT use an attached graphic as a signature If you always send an attachment with every email then people can’t tell when you are sending a real attachment […]

Read the full article →