Re: certificate update for old Macs

2022-01-19 Thread Robert Schwalbe

On Jan 3, 2022, at 12:20, Riccardo Mottola wrote:


 how to react best for Let's Encrypt expiration?


https://trac.macports.org/wiki/ProblemHotlist#letsencrypt


Re: certificate update for old Macs

2022-01-04 Thread Bill Cole

On 2022-01-04 at 14:37:18 UTC-0500 (Tue, 4 Jan 2022 11:37:18 -0800)
Michael 
is rumored to have said:

> On 2022-01-03, at 4:12 PM, Richard L. Hamilton wrote:
> 
>> The only problem with that or anything similar, is that unless you go 
>> to quite a lot of work to just download rather than install the PEM 
>> file, and convert it into something human readable WITHOUT installing 
>> it, and investigate every certificate in there, you're trusting that 
>> the site you got it from is not only legit, but is secure and hasn't 
>> been hacked to alter the file to provide some very bogus certificates 
>> that could work together with some sort of DNS spoofing to get you to 
>> feed sensitive information (i.e. bank passwords, etc) via an untrusted 
>> site that would capture it.
> 
> Makes sense. Now, how do you go about turning a certificate into 
> something human readable? Serious question, I have *never* seen this 
> discussed anywhere.

Get the certificate in PEM format, then:

   openssl x509 -text < cert.pem

See the man page ('man x509') for all the very gory details.

> Everyone just says "As long as the roots are good you can trust the 
> chain", and that's never made sense to me. The whole "trust what 
> strangers say" system seems more like "Find a way for companies to 
> make money" than any good security system.


Well, yes: that's what the public CA system is. It is grounded in the 
OSI protocol stack, which is big on hierarchical authority, and no one 
has figured out a better model that scales and allows strangers to 
establish authenticated private data transport. Ultimately it requires 
shared trust anchors of some sort, and the model we've stumbled into has 
the advantage of not being subject to a single authority and encouraging 
the various CAs and bundlers of trust to keep watch on each other.


A mechanism for eliminating the CA-based hierarchical trust layer 
already exists in the DANE (DNS-based Authentication of Named Entities) 
standard that is in broad use for validating email transport. It 
replaces the CA model by binding the trust chain to DNS, making 
certificate trust ultimately dependent on DNSSEC and subject to all of 
its risks.



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Re: certificate update for old Macs

2022-01-04 Thread Henning Hraban Ramm


On 04.01.22 at 21:11, Richard L. Hamilton wrote:
> Everyone just says "As long as the roots are good you can trust the 
> chain", and that's never made sense to me. The whole "trust what 
> strangers say" system seems more like "Find a way for companies to 
> make money" than any good security system.


Certificates are similar to passports – if you look at a person’s 
passport you must decide if you trust the issuer. If it’s a known 
country and the passport is valid (and looks legit as far as you can 
guess), you will trust it. If it’s from a country you never heard of, 
you might doubt its validity. If it’s from a separatist organization you 
find trustworthy, you might trust it anyway (similar to the CAcert case).


Hraban





Re: certificate update for old Macs

2022-01-04 Thread Chris Jones


In my opinion the best way to keep older hardware secure and useful, past the 
point where the maximum macOS version it can run is long since obsolete, is to 
stop using those OSes and install an alternative. There are, e.g., plenty of 
Linux distros out there that offer a modern, maintained OS and run just fine on 
these machines…

> On 4 Jan 2022, at 8:12 pm, Richard L. Hamilton  wrote:
> 
> 
> 
>> On Jan 4, 2022, at 14:37, Michael  wrote:
>> 
>> 
>>> On 2022-01-03, at 4:12 PM, Richard L. Hamilton  wrote:
>>> 
>>> The only problem with that or anything similar, is that unless you go to 
>>> quite a lot of work to just download rather than install the PEM file, and 
>>> convert it into something human readable WITHOUT installing it, and 
>>> investigate every certificate in there, you're trusting that the site you 
>>> got it from is not only legit, but is secure and hasn't been hacked to 
>>> alter the file to provide some very bogus certificates that could work 
>>> together with some sort of DNS spoofing to get you to feed sensitive 
>>> information (i.e. bank passwords, etc) via an untrusted site that would 
>>> capture it.
>> 
>> Makes sense. Now, how do you go about turning a certificate into something 
>> human readable? Serious question, I have *never* seen this discussed 
>> anywhere.
> 
> 
> The file that the script downloads is a whole bunch of PEM files concatenated 
> together. The script shows splitting that into separate files at the start 
> lines. Once that's done,
> 
> for file in *.pem
> do
>     openssl x509 -in "$file" -text > "$file.txt"
> done
> 
> will convert them to something you can look at. But that's the easy part. 
> Looking at them and making sense of them and investigating each of the 169 
> will take you a day or two, which is why I'm not going to say much more about 
> it. Probably IF one used a more trusted set of root certificates for 
> comparison, one could decide which were definitely ok and which needed 
> further investigation, but automating all that would NOT BE FUN.
> 
> Arguably the best solution is to get ahold of the certificates bundled in the 
> latest OS version and use those, but no doubt that's often easier said than 
> done, although you can (given enough space) download the update image on your 
> old hardware that cannot run it, and (given enough knowledge) dig those 
> certificates out of the update image and get them into a form that you can 
> then import into your old system.
> 
> Realistically a lot could be fixed by just using keychain access to look for 
> expired root certificates, and then look through one of those stashes for 
> their replacements. Again manually, unless you want to do some very creative 
> automating. I'm not volunteering to kill days or more doing that!
> 
>> Everyone just says "As long as the roots are good you can trust the chain", 
>> and that's never made sense to me. The whole "trust what strangers say" 
>> system seems more like "Find a way for companies to make money" than any 
>> good security system.
>> 
> 
> Everything has to start somewhere. Usually that's with an OS or browser 
> vendor that decides which root certificates to bundle. (Do you REALLY want 
> one planetary certificate at the tip-top provided by the UN, with all 
> subordinate certificate issuers (government OR commercial) rooted to that? 
> It'd be possible, but it's probably better trusting a bunch of different 
> folks than trusting one with absolute power to break everything.) -Site or 
> personal certificates chain back to the issuer's certificate. There are FREE 
> CERTIFICATE ISSUERS, but they have their own problems, chiefly no budget, so 
> jumping all the auditing hoops (or even keeping their infrastructure 
> reliable) needed to get OS and browser vendors to include them can be a 
> problem for them. And old OSs and the older browser versions supported on 
> them for browsers other than the one that comes with the OS, are not 
> supported forever because nobody is getting paid to do that, so they don't 
> get updates for expired certificates, new certificate issuers, etc.
> 
> Programmers and such gotta eat too, have a roof over their heads, etc. Some 
> even have little kiddies to feed, which is hardly greed, not that there's any 
> shortage of actual greed.
> 
> Probably that site with the bunch to download is fine, but I don't have 
> access to a list of baddies, so I'm at best ambivalent about trusting it 
> without more digging first than I'm likely to do. At most, I'd do it to make 
> stuff that didn't matter work on an old system, but never run anything that 
> could lose me $$ or compromise accounts on there - so I'd have root 
> certificates but NOT iCloud keychain access enabled nor any account 
> passwords, personal certificates, etc on it.
> 
> 


Re: certificate update for old Macs

2022-01-04 Thread Richard L. Hamilton



> On Jan 4, 2022, at 14:37, Michael  wrote:
> 
> 
> On 2022-01-03, at 4:12 PM, Richard L. Hamilton  wrote:
> 
>> The only problem with that or anything similar, is that unless you go to 
>> quite a lot of work to just download rather than install the PEM file, and 
>> convert it into something human readable WITHOUT installing it, and 
>> investigate every certificate in there, you're trusting that the site you 
>> got it from is not only legit, but is secure and hasn't been hacked to alter 
>> the file to provide some very bogus certificates that could work together 
>> with some sort of DNS spoofing to get you to feed sensitive information (i.e. 
>> bank passwords, etc) via an untrusted site that would capture it.
> 
> Makes sense. Now, how do you go about turning a certificate into something 
> human readable? Serious question, I have *never* seen this discussed anywhere.


The file that the script downloads is a whole bunch of PEM files concatenated 
together. The script shows splitting that into separate files at the start 
lines. Once that's done,

for file in *.pem
do
    openssl x509 -in "$file" -text > "$file.txt"
done

will convert them to something you can look at. But that's the easy part. 
Looking at them and making sense of them and investigating each of the 169 will 
take you a day or two, which is why I'm not going to say much more about it. 
Probably IF one used a more trusted set of root certificates for comparison, 
one could decide which were definitely ok and which needed further 
investigation, but automating all that would NOT BE FUN.

Arguably the best solution is to get ahold of the certificates bundled in the 
latest OS version and use those, but no doubt that's often easier said than 
done, although you can (given enough space) download the update image on your 
old hardware that cannot run it, and (given enough knowledge) dig those 
certificates out of the update image and get them into a form that you can then 
import into your old system.

Realistically a lot could be fixed by just using keychain access to look for 
expired root certificates, and then look through one of those stashes for their 
replacements. Again manually, unless you want to do some very creative 
automating. I'm not volunteering to kill days or more doing that!

> Everyone just says "As long as the roots are good you can trust the chain", 
> and that's never made sense to me. The whole "trust what strangers say" 
> system seems more like "Find a way for companies to make money" than any good 
> security system.
> 

Everything has to start somewhere. Usually that's with an OS or browser vendor 
that decides which root certificates to bundle. (Do you REALLY want one 
planetary certificate at the tip-top provided by the UN, with all subordinate 
certificate issuers (government OR commercial) rooted to that? It'd be 
possible, but it's probably better trusting a bunch of different folks than 
trusting one with absolute power to break everything.) -Site or personal 
certificates chain back to the issuer's certificate. There are FREE CERTIFICATE 
ISSUERS, but they have their own problems, chiefly no budget, so jumping all 
the auditing hoops (or even keeping their infrastructure reliable) needed to 
get OS and browser vendors to include them can be a problem for them. And old 
OSs and the older browser versions supported on them for browsers other than 
the one that comes with the OS, are not supported forever because nobody is 
getting paid to do that, so they don't get updates for expired certificates, 
new certificate issuers, etc.

Programmers and such gotta eat too, have a roof over their heads, etc. Some 
even have little kiddies to feed, which is hardly greed, not that there's any 
shortage of actual greed.

Probably that site with the bunch to download is fine, but I don't have access 
to a list of baddies, so I'm at best ambivalent about trusting it without more 
digging first than I'm likely to do. At most, I'd do it to make stuff that 
didn't matter work on an old system, but never run anything that could lose me 
$$ or compromise accounts on there - so I'd have root certificates but NOT 
iCloud keychain access enabled nor any account passwords, personal 
certificates, etc on it.
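The split-and-compare step sketched above, as an added example (Python rather than the shell loop; not the script from the thread or from the logi.wiki page): it splits a concatenated PEM bundle at the BEGIN/END markers, fingerprints each certificate's DER encoding, and flags any certificate whose fingerprint is absent from a reference bundle you already trust. The bundles in it are constructed test data, not real roots.

```python
"""Split a concatenated PEM bundle and compare each certificate's SHA-256
fingerprint against a trusted reference bundle. Added example, not the thread's
script; the bundles at the bottom are constructed, not real certificates."""
import base64
import hashlib
import re

# One PEM certificate block; DOTALL lets the base64 body span many lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.*?)\r?\n-----END CERTIFICATE-----", re.DOTALL)


def split_pem_bundle(text):
    """DER bytes of every certificate in a bundle. Text outside the markers
    (comments, headers) is ignored, as openssl does; bad base64 raises ValueError."""
    return [base64.b64decode(re.sub(r"\s+", "", body), validate=True)
            for body in PEM_BLOCK.findall(text)]


def fingerprint(der):
    """SHA-256 of the DER encoding, the same digest that
    'openssl x509 -noout -fingerprint -sha256' prints (with colons)."""
    return hashlib.sha256(der).hexdigest().upper()


def compare_bundles(downloaded, trusted):
    """Sort downloaded certificates into 'known' (fingerprint present in the
    trusted bundle) and 'review' (absent: inspect with 'openssl x509 -text'
    before installing)."""
    trusted_fps = {fingerprint(d) for d in split_pem_bundle(trusted)}
    verdict = {"known": [], "review": []}
    for der in split_pem_bundle(downloaded):
        fp = fingerprint(der)
        verdict["known" if fp in trusted_fps else "review"].append(fp)
    return verdict


def _fake_pem(payload):
    """Wrap arbitrary bytes in PEM armour (constructed data, not a certificate)."""
    b64 = base64.b64encode(payload).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"


# Constructed bundles: the downloaded one carries a root the trusted set lacks.
TRUSTED_BUNDLE = "# reference roots\n" + _fake_pem(b"root-A" * 20) + _fake_pem(b"root-B" * 20)
DOWNLOADED_BUNDLE = (_fake_pem(b"root-A" * 20) + "# added root\n"
                     + _fake_pem(b"extra" * 30) + _fake_pem(b"root-B" * 20))
```

The reference bundle only helps if it came from somewhere you trust more than the download (a current OS's store, for instance); a match confirms identity, not trustworthiness.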




Re: certificate update for old Macs

2022-01-04 Thread John Chivian
Digital certificates are built from layers of encryption based on a trusted 
authority.  Trust in the authority is assumed, implied, and required.  

From the human standpoint, you trust that the industry accepted certificate 
authority organization has done all the required due diligence to verify and 
validate certificate requests as legitimate, and you trust that authority to 
hold its base cryptographic key data secure as part of their company crown 
jewels.  It’s not cheap for a reason, a lot of work and resources can be 
involved.  An additional layer of verification is assumed, and an additional 
layer of encryption is added, with each link in the certificate chain.

It is in a very real sense a simple form of blockchain in which previous blocks 
cannot be forged.  Until quantum computers render the modern forms of 
encryption-based-trust obsolete (still some years away) it’s as good as you can 
get assuming robust cyphers and deep bit-depths.


> On Jan 4, 2022, at 13:37, Michael  wrote:
> 
> 
> On 2022-01-03, at 4:12 PM, Richard L. Hamilton  wrote:
> 
>> The only problem with that or anything similar, is that unless you go to 
>> quite a lot of work to just download rather than install the PEM file, and 
>> convert it into something human readable WITHOUT installing it, and 
>> investigate every certificate in there, you're trusting that the site you 
>> got it from is not only legit, but is secure and hasn't been hacked to alter 
>> the file to provide some very bogus certificates that could work together 
>> with some sort of DNS spoofing to get you to feed sensitive information (i.e. 
>> bank passwords, etc) via an untrusted site that would capture it.
> 
> Makes sense. Now, how do you go about turning a certificate into something 
> human readable? Serious question, I have *never* seen this discussed anywhere.
> 
> Everyone just says "As long as the roots are good you can trust the chain", 
> and that's never made sense to me. The whole "trust what strangers say" 
> system seems more like "Find a way for companies to make money" than any good 
> security system.
> 



Re: certificate update for old Macs

2022-01-04 Thread Michael


On 2022-01-03, at 4:12 PM, Richard L. Hamilton  wrote:

> The only problem with that or anything similar, is that unless you go to 
> quite a lot of work to just download rather than install the PEM file, and 
> convert it into something human readable WITHOUT installing it, and 
> investigate every certificate in there, you're trusting that the site you got 
> it from is not only legit, but is secure and hasn't been hacked to alter the 
> file to provide some very bogus certificates that could work together with 
> some sort of DNS spoofing to get you to feed sensitive information (i.e. bank 
> passwords, etc) via an untrusted site that would capture it.

Makes sense. Now, how do you go about turning a certificate into something 
human readable? Serious question, I have *never* seen this discussed anywhere.

Everyone just says "As long as the roots are good you can trust the chain", and 
that's never made sense to me. The whole "trust what strangers say" system 
seems more like "Find a way for companies to make money" than any good security 
system.



Re: certificate update for old Macs

2022-01-04 Thread Ryan Schmidt
On Jan 3, 2022, at 12:20, Riccardo Mottola wrote:

> how to react best for Let's Encrypt expiration?

https://trac.macports.org/wiki/ProblemHotlist#letsencrypt




Re: certificate update for old Macs

2022-01-03 Thread Richard L. Hamilton
The only problem with that or anything similar, is that unless you go to quite 
a lot of work to just download rather than install the PEM file, and convert it 
into something human readable WITHOUT installing it, and investigate every 
certificate in there, you're trusting that the site you got it from is not only 
legit, but is secure and hasn't been hacked to alter the file to provide some 
very bogus certificates that could work together with some sort of DNS spoofing 
to get you to feed sensitive information (i.e. bank passwords, etc) via an untrusted 
site that would capture it.

> On Jan 3, 2022, at 13:30, m9411  wrote:
> 
> Have been testing this with good results on 10.4 ... 10.11 :
> 
> http://logi.wiki/index.php/Update_Certificates_in_Older_macOS 
> 
> 
> Rgds,
> /Bjarne.
> 
> -- 
> 
>> On 3 Jan 2022 at 19:20, Riccardo Mottola via macports-users wrote:
>> 
>> Hi,
>> 
>> how to react best for Let's Encrypt expiration?
>> 
>> I have read here some suggestions, is there a recommended, proven way?
>> 
>> I have MacOS 10.5, 10.6, 10.7 but nothing newer, so I suppose the route of 
>> "getting it from a newer macOS" is no way for me (if something doesn't share 
>> it with me).
>> 
>> Other proven ways?
>> 
>> 
>> Thank you,
>> 
>> Riccardo
> 

-- 
eMail:  mailto:rlha...@smart.net






Re: certificate update for old Macs

2022-01-03 Thread m9411
Have been testing this with good results on 10.4 ... 10.11 :

http://logi.wiki/index.php/Update_Certificates_in_Older_macOS 


Rgds,
/Bjarne.

-- 

> On 3 Jan 2022 at 19:20, Riccardo Mottola via macports-users wrote:
> 
> Hi,
> 
> how to react best for Let's Encrypt expiration?
> 
> I have read here some suggestions, is there a recommended, proven way?
> 
> I have MacOS 10.5, 10.6, 10.7 but nothing newer, so I suppose the route of 
> "getting it from a newer macOS" is no way for me (if something doesn't share 
> it with me).
> 
> Other proven ways?
> 
> 
> Thank you,
> 
> Riccardo



certificate update for old Macs

2022-01-03 Thread Riccardo Mottola via macports-users

Hi,

how to react best for Let's Encrypt expiration?

I have read here some suggestions, is there a recommended, proven way?

I have MacOS 10.5, 10.6, 10.7 but nothing newer, so I suppose the route 
of "getting it from a newer macOS" is no way for me (if something 
doesn't share it with me).


Other proven ways?


Thank you,

Riccardo