<div id="popup_box_thanks" style="display:none" onClick="close_popup_thanks('popup_box_thanks', 'ts')"><br>Thanks for submitting your tip! All submissions are moderated by an editor before appearing online. We've reset the form so you can enter another tip. Or you can close the tip submission box. <div class="x_close" id="thanks_upper_right"><a href="javascript:void(0)" onmousedown="close_popup_thanks('popup_box_thanks', 'ts'); return true;">Close</a></div></div>
<div class="tbf_row"><div class="tbf_wide_extra_top not_bold">Please submit only technical tips that will help other TidBITS readers better use their Macs, iPhones, and related software and hardware. All product announcements should be sent to <a href="mailto:releases@tidbits.com">releases@tidbits.com</a>.</div></div>
<div class="tbf_left">URL</div><div class="tbf_right"><input type="text" value="" name="tip_link_url" tabindex="3"><span class="tip_description"><br>Enter the URL to a Web page that supports your tip.</span></div>
</div>
<div class="spacer"></div>
<div class="tbf_row">
<div class="tbf_left">Linked text</div><div class="tbf_right"><input type="text" value="" name="tip_link_label" tabindex="4"><span class="tip_description"><br>Enter the name of the page linked above.</span></div>
<div class="tbf_wide"><input type="submit" value="Preview Your Tip" name="preview_tip" onClick="fill_preview('tipbits_enclosure_preview', 'ts', this.form); return false;" tabindex="7"> <input type="submit" value="Send Us Your Tip!" name="submit_this_tip" onClick="handle_tip_submission('ts', '', this.form, 'tip'); return false;" tabindex="8"></div>
</div>
<div class="spacer"></div>
<div class="tbf_row">
<div class="tbf_wide"><span class="fine_print">When you submit a tip, you give us permission to use it. Read <a href="javascript:void(0)" onClick="generic_show_hide('tip_terms')">our terms</a> for more details. All submissions are reviewed before publication.</span></div>
<div class="tbf_wide"><span class="fine_print">Our terms: By submitting a tip, you agree to assign TidBITS Publishing Inc., a non-exclusive, worldwide, perpetual license to reproduce, publish, and distribute your tip in connection with the TidBITS Web site and associated products in any media. You agree that you created the content you submitted, and that you have the right to assign us this license. You give us permission to use your name, but your email address won't be publicly displayed or shared. We review all submissions before publication, and reserve the right to select which submissions we feel are appropriate for our readers and to edit those we publish.</span></div>
<div id="comment_thanks" style="display:none" onClick="close_popup_thanks('comment_thanks', 'comm')"><br>Thanks for submitting a comment! Please check your email for a link that, when clicked, will verify that you're a real person and cause your comment to appear immediately. <div class="x_close" id="comment_upper_right"><a href="javascript:void(0)" onmousedown="close_popup_thanks('comment_thanks', 'comm'); return true;">Close</a></div></div>
<div class="tbf_wide"><span class="fine_print">Our terms: We reserve the right to edit or delete any comment, so please post thoughtfully. We use your email address <i>only</i> to send you a one-time verification message confirming that you posted this comment. We also store your address to allow you to verify using other Web browsers in the future. For more info, see our <a href="http://db.tidbits.com/privacy.html">privacy policy</a>.</span></div>
<li><a href="/feeds/tidbits.rss" title="Subscribe via RSS" class="gettb">RSS <img src="/images/feed-icon-12x12.gif" width="12" height="12" border="0" class="nav_img" alt="Subscribe via RSS"></a></li>
<li><a href="http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=276986548" title="Subscribe to the podcast" class="gettb">Podcast <img src="/images/feed-icon-12x12_podcast.gif" width="12" height="12" border="0" class="nav_img" alt="Subscribe to the postcast"></a></li>
<li><a href="http://www.twitter.com/TidBITS" title="Get Article Updates via Twitter" class="gettb">Twitter <img src="/images/feed_icon_12x12_twitter.png" width="12" height="12" border="0" class="nav_img" alt="Get Article Updates via Twitter"></a></li>
<li><a href="http://www.facebook.com/pages/TidBITS/195314925519" title="Go to the TidBITS Page at Facebook" class="gettb">Facebook <img src="/images/feed_icon_12x12_facebook.gif" width="12" height="12" border="0" class="nav_img" alt="Go to the TidBITS Page at Facebook"></a></li>
<li><a href="javascript:void(0)" title="Sections" class="tabhead" onClick="return showhide('articleslist')">Sections <span id="articleslist_triangle"><img src="/images/nav_triangle_open.gif" width="9" height="9" border="0" class="navtriangle" id="articleslist_tri_image" alt="Click to show or hide the contents of this section."></span></a></li>
<li><a href="javascript:void(0)" onClick="return showhide('stafflist')" title="Staff" class="tabhead">Staff <span id="stafflist_triangle"><img src="/images/nav_triangle_closed.gif" width="9" height="9" border="0" class="navtriangle" id="stafflist_tri_image" alt="Click to show or hide the contents of this section."></span></a></li>
<li><a href="javascript:void(0)" title="Issues" class="tabhead" onClick="return showhide('issuelist')">Weekly Issues <span id="issuelist_triangle"><img src="/images/nav_triangle_closed.gif" width="9" height="9" border="0" class="navtriangle" id="issuelist_tri_image" alt="Click to show or hide the contents of this section."></span></a></li>
<li><a href="javascript:void(0)" onClick="return showhide('abouttidbits')" title="About TidBITS" class="tabhead">About TidBITS <span id="abouttidbits_triangle"><img src="/images/nav_triangle_closed.gif" width="9" height="9" border="0" class="navtriangle" id="abouttidbits_tri_image" alt="Click to show or hide the contents of this section."></span></a></li>
<div class="center_top">Thoughtful, detailed coverage of the Mac, iPhone, and iPad, plus the best-selling <a href="http://www.takecontrolbooks.com/?pt=TB-TAGLINE" style="color:yellow">Take Control</a> ebooks.</div>
<!-- begin centercolumn -->
<div id="centercolumn">
<!-- begin rightcolumn_container -->
<div id="rightcolumn_container">
<!-- begin rightcolumn -->
<!-- rightcolumn is embedded within centercolumn so featured text wraps around it -->
</div><!-- end tearoffbox_wide_container for watchlist items -->
<!-- begin tearoff box wide -->
<div class="tearoffbox_wide_container">
<div class="tearoffbox_wide_tips">
<div class="tip_display">
<div class="tips_sponsor_logo">
</div>
<h6>View Smart Folder Criteria</h6>
<p><p>Smart Folders, folders that contain the results of a Finder search, typically display without the original search criteria listed. However, you can see the search criteria by selecting Show Search Criteria from the window's Action menu (the gear icon). Additionally, any edits to a smart folder's criteria will automatically be listed the next time you open the folder.</p></p>
<div class="tbf_wide_80" id="hc_rc_6174">To help us avoid automated posts and misuse of our site, please enter the words below.</div><div class="x_close_row" id="hc_upper_right2_6174"><a href="javascript:void(0)" onmousedown="HidePopupContent('hc_6174', 'hc', '6174'); return true;">Close</a></div>
<div class="featured_meta"><div class="meta_article">01 Mar 2004 | <a href="/article/7563?print_version=1">Print <span class="shift_up"><img src="/images/printer_icon.gif" alt="Printer-Friendly Version of This Article" border="0" width="9" height="10"></span></a></div></div>
<div id="article_box_6174"><P>Computer safety firm SecurityFocus has discovered a highly specific but important flaw in Apple's use of encrypted connections for AppleShare, as well as flaws in the way passwords are managed and encryption keys are confirmed. For certain users, these flaws may require that they bypass some of Apple's built-in security and encryption options in favor of more robust or less convenient methods. Apple has not yet responded to the report.</P><P><<A HREF="http://www.securityfocus.com/archive/1/355548/2004-02-25/2004-03-02/0">http://www.securityfocus.com/archive/1/355548/ 2004-02-25/2004-03-02/0</A>></P><P><STRONG>AppleShare via SSH</STRONG> -- When you connect to an AppleShare server (running Personal File Sharing or a Mac OS X Server) you can choose to connect via SSH (Secure Shell), which encrypts the password, all file transfers, and other data between your machine and the AppleShare server. This connection requires that Remote Login has been enabled on the AppleShare server.</P><P>The SSH option, first supported correctly in Mac OS X 10.3.2, creates an encrypted link between a Mac initiating an AppleShare file server connection and a Mac server running Mac OS X 10.3 or Mac OS X Server 10.3. The AppleShare client on the initiating Mac connects via the Remote Login service, which is Apple's name for SSH. To enable or disable Remote Login, open the Sharing preference pane and click the Services tab.</P><P>The SSH option for AppleShare is only available when connecting to an AppleShare volume. Using Connect to Server in the Finder, select a volume or enter a host name or other address. When you click Connect, the login window offers an Options button. Click Options and check the Allow Secure Connections using SSH option. You can set this option as a default. (To learn more about AppleShare file sharing under Panther, you can consult my book, "Take Control of Sharing Files in Panther.")</P><P><<A HREF="http://www.tidbits.com/takecontrol/panther/sharing.html">http://www.tidbits.com/takecontrol/panther/ sharing.html</A>></P><P><STRONG>Four Thousand Holes in Blackburn AppleShare</STRONG> -- The primary flaw in AppleShare's use of SSH is simple: if a secure connection via SSH cannot be made to the AppleShare server, the connection is still made without the encrypted tunnel - and without warning. This means that if you were expecting to send your password and file transfers through an encrypted connection, you would be sending this information in the clear without knowing it.</P><P>The SecurityFocus item was written by Chris Adams, a developer at the Salk Institute who also noted a number of serious problems with Apple's approach to encrypting passwords in AppleShare as well. Some of these flaws require a cryptographer's understanding, but that shouldn't understate the concerns of academic institutions and others who rely on AppleShare for encrypted passwords or encrypted connections.</P><P>In most SSH systems, an SSH client is prompted on its first connection to an SSH server to confirm the server's identity. This is performed through fingerprinting: the client software shows a short sequence of numbers that uniquely prove the server's identity. An astute user checks that fingerprint against one provided for them by a server's operator or server software "out of band": by phone, graphically on the server's screen, by fax, or some other method that's not over the same connection. At the very least, if the fingerprint ever changes, the user is alerted that the server might have had its identity spoofed.</P><P>Adams points out that Apple uses a lax method of SSH key exchanges for AppleShare sessions that avoids this complexity, but also makes it possible for a man-in-the-middle attack, so called because a network attacker could install server software on the network that would masquerade as the AppleShare server a user wanted to connect to. Because the user doesn't confirm the identity of the server at the fingerprint level - and Apple doesn't provide a facility for this in AppleShare - the man in the middle can act like the server to the client and the client to the server, effectively harvesting user names, passwords in the clear, and other data, while transparently relaying information between AppleShare clients and the real server to hide its own existence.</P><P>Adams suggests that Apple provide warnings when an SSH connection is not available to allow a user to opt out of accidentally creating an insecure connection. He also suggests that Apple provide a graphical interface for SSH messages that would allow a user to accept and associate encryption keys with known AppleShare servers. This would prevent a man in the middle from successfully fooling an AppleShare client into thinking that it was the server itself.</P><P>Apple could follow PGP Corporation's lead in allowing server encryption key fingerprinting while avoiding the complexity of working with hexadecimal digits (the way such keys appear). PGP's software for encrypting messages and virtual disks lets you confirm another user's PGP key by assigning unique words to each hexadecimal number from 0 to 255. My fingerprint for my PGP key, for instance, starts "soybean drunken stormy uncut Oakland," very much like Beat poetry.</P><P><<A HREF="http://www.pgp.com/">http://www.pgp.com/</A>></P><P>Until Apple chooses a new approach for making its SSH connections actually secure, those of you who use it need to consider three options: make strong efforts to ensure your network's integrity, switch to virtual private network (VPN) software (well handled in Mac OS X 10.3 and Server 10.3), or create individual SSH tunnels. None of these solutions is ideal, since they take more effort than just checking a box in the current system.</P><!-- AppleShare Encryption Security Flaw Discovered Glenn Fleishman --></div>
<!-- end article text -->
<!-- PayBITS -->
<p> </p><div class="sponsorbox">
<div class="sponsortext"><A HREF="http://www.usefulfruit.com/tb"><IMG SRC="http://db.tidbits.com/images/badges/pear-note-icon50x50.png" ALT="" HEIGHT="50" WIDTH="50" BORDER="0" ALIGN="left"></A>Pear Note 2: More complete, understandable notes on your Mac.<br />Typed notes are blended with recorded audio, video, and slides<br />to create notes that make more sense when you need them most.<br />Learn more at <<a href="http://www.usefulfruit.com/tb">http://www.usefulfruit.com/tb</a>>!</div>
