Apple Security


I want to make sure we can do what we want on these machines. We need the ability to experiment. We used to be able to experiment a lot more. But in the world of day-to-day trade-offs between security and innovation, we’re out of balance. We talk a lot about what we need to do to keep things secure, but nowhere near enough about what we need to do to keep things fertile.

Dan Bricklin in an interview with Bob Lewis

Browsers Interaction Interface macOS Pro Bono Portfolio Security


I use the Password Assistant in Keychain Access (/Applications/Utilities) to generate passwords for new accounts. The Assistant is pretty handy, but currently not integrated with any browsers, meaning I have to open Keychain Access, create a new Password Item (File > New Password Item), then click on the key to open the Assistant. I might then have to bounce back and forth between my browser and Keychain Access to find a password that complies with the (frequently unexpressed) password rules of the site.

Password Assistant integrated in browser

The Assistant would only appear when two password input fields are detected. What to do when a site doesn’t require confirmation? Maybe check the Keychain for existing accounts at the domain and show the key icon only if none is found?

Interaction Interface macOS Security

Certifiably Insane

I have an IMAP account courtesy of my brother, who created a self-signed SSL certificate to allow encrypted connections to the server.

Mail's IMAP SSL certificate verification warning

Given that it is not really a failure to connect (Mail has to connect to the server to get the certificate in the first place), the IMAP certificate dialog text should be similar to the SMTP certificate verification warning dialog.

Mail's SMTP SSL certificate verification warning

Obviously, I trust these certificates and don’t care that a CA hasn’t given them their stamp of approval. My first thought: look in the Details section for a way to add a certificate to the trusted list. Nope — just certificate metadata.

There are two ways to end the irritation of the incoming (IMAP) warning dialog:

  1. Via Mail
    1. Click the Show Certificate button on the warning dialog that appears when first connecting to the mail server.
    2. Drag-and-drop the certificate icon to your desktop. I’m a drag-and-drop fanatic and did not think to try it here.
    3. Double-click the .cer file to launch Keychain Access.
    4. Add the certificate to the X509Anchors keychain.
    5. Enter an administrator login & password.
  2. Via Safari
    1. Connect to the IMAP server’s port (usually 993) in Safari.
    2. Click the Show Certificate button
    3. Tick the Always trust these certificates box.
    4. Enter your password so the SSL cert can be added to the X509Anchors keychain.

I’ve used the first method to add the SMTP certificate to the X509 keychain and set the trust level to Always, but I still get a warning dialog before sending the first message of a Mail use session. Any suggestions?

Two rather opaque methods to work around an irritation that can be addressed just by adding the check box that appears on the warning dialog in Safari to those in Mail.

Another possibility would be something similar to the Thunderbird dialog (which was obviously sloppily carried over from Sea Monkey or Firefox).

Browsers Interface Security

Secure Site Bezel

Web browsers might benefit from a padlock icon bezel (like the Eject and Volume bezels which appear when using those keys) with text along the lines of “Secure Site” being displayed when they connect to an SSL encrypted site.

The lock icons that have been used since the early Netscape days work, but they are rather small and differ in window location from browser to browser:

  • Safari: upper right corner
  • OmniWeb: laid atop the URL arrow icon in the address field
  • Mozilla: lower right corner
  • Firebird, iCab: lower left corner

A bezel would allow users to maintain their focus on the actual page content area without having to glance at the lock icon to be reassured that the connection is indeed encrypted. Actual testing may reveal it to be needless hand-holding…

Because it would only be visible for a second or two, the bezel would supplement the continually displayed lock/key icon and should probably only be displayed once per top level domain.