So because there are endless bad people who want to get your login details, it's not Apple's fault? Isn't the opposite true? Are you sure I'm the one on drugs?

There are very simple ways of defeating phishing; banks do an effective job of it, why can't Apple?

----------



It's half assed because it's trivial to defeat. You can't delegate responsibility, even if you are "EV-certified."

----------



It works. It's simple. People understand it. Some tiny icon and the technical information it reveals is incomprehensible to most people.

As I said, half-assed. Apple was supposed to be "easy" yet they want people to understand how SSL certificates work?

Oh wise one. Please enlighten us how to defeat their trivial security.
 
Really? I didn't know they were using pass codes. I still haven't set up 2 factor yet for iCloud. I set it up for my Google account and I find it a pain to use.

If my phone is lost or stolen, I can quickly and easily deactivate the device from being trusted.

Only one recovery key can be active at a time. It's fairly easy to reset (that is if you've already spoofed the 2 factor, you can do so to log in to someone's AppleID and manage it) but again, email alerts are sent.
 
If my phone is lost or stolen, I can quickly and easily deactivate the device from being trusted.

Only one recovery key can be active at a time. It's fairly easy to reset (that is if you've already spoofed the 2 factor, you can do so to log in to someone's AppleID and manage it) but again, email alerts are sent.

Wouldn't it be cool if we could use touch id for 2 factor? Although then they'd have to have access to your fingerprint and you'd be sending it over the internet.

----------

Oh wise one. Please enlighten us how to defeat their trivial security.

It's simple.

1. Go to their website
2. Use massive supercomputer to bring down their site through denial of service attacks.
3. Access password and security code
4. Login

You just don't understand how easy it is :D
 
So because there are endless bad people who want to get your login details, it's not Apple's fault? Isn't the opposite true? Are you sure I'm the one on drugs?

There are very simple ways of defeating phishing; banks do an effective job of it, why can't Apple?

----------



It's half assed because it's trivial to defeat. You can't delegate responsibility, even if you are "EV-certified."

----------



It works. It's simple. People understand it. Some tiny icon and the technical information it reveals is incomprehensible to most people.

As I said, half-assed. Apple was supposed to be "easy" yet they want people to understand how SSL certificates work?

This is only an issue on the Qihoo or whatever that browser is named, this is not Apple's fault at all, this is a "man in the middle attack" and well yeah.. it's actually really easy to see the green box/SSL certificate if you're logging onto something private and something that needs to be secure, like your iCloud account. This isn't an issue on really any browser besides that Chinese browser which I think is called Qihoo or something.
 
I love how half-assed Apple security is.

----------



So Apple, the "innovators" makers of "magical and revolutionary" products, can't seem to figure out internet security? My boring old bank does a great job of it, yet this is not Apple's fault?

I don't think you quite understand how this works - China flows all traffic through its servers... if a user does not use an encrypted connection with a trusted certificate then the Great Firewall will be able to grab that user's credentials. It is a giant phishing scam being orchestrated by the Chinese government.

They can do this with every service in existence. The only way to stop it is to have the browser display a warning that the certificate is invalid, which it does. If the user ignores that then there is nothing they can do.

The same thing is happening to Microsoft Live account logins, and could be applied to any service because they control all the traffic. The only way to truly circumvent it would be if the user set up a VPN outside the country to connect through.

And as for your boring old bank being secure... do you not remember Chase bank getting millions of accounts stolen? Or maybe something more recent would be more applicable. Nothing on the internet is completely secure; groups with enough motive will be able to get their way into any account.
 
I love how half-assed Apple security is.

----------



So Apple, the "innovators" makers of "magical and revolutionary" products, can't seem to figure out internet security? My boring old bank does a great job of it, yet this is not Apple's fault?


Either trolling or someone who is completely uninformed.

Take a look at something called a man in the middle attack. And then people clicking on something that says the certificate is invalid. (Or they are using the Chinese browser that ignores those warnings - Qihoo if reports are correct).
 
So Apple, the "innovators" makers of "magical and revolutionary" products, can't seem to figure out internet security? My boring old bank does a great job of it, yet this is not Apple's fault?

I closed HSBC because their idea of security is:

Please enter the 2nd, 8th, 10th characters of your second password. **** that.
 
I love how half-assed Apple security is.

----------



So Apple, the "innovators" makers of "magical and revolutionary" products, can't seem to figure out internet security? My boring old bank does a great job of it, yet this is not Apple's fault?

It's not Apple's fault!
 
If you go to a website using a secure connection (https) and the website doesn't provide a correct certificate, Safari will warn you not to proceed. However, you _can_ proceed.

I think it is time for all the browser makers to change this to a system where an incorrect certificate means you can't get to the site. And if your favourite bank or website can't get its act together and provide a correct certificate, then they are dead as far as your browser is concerned.

At least Apple could do this for Apple's sites, or for sites like Facebook, Amazon etc.
 
As I said, half-assed. Apple was supposed to be "easy" yet they want people to understand how SSL certificates work?

How does this picture thing help? You're giving the fake site your username and password, which they can forward to the real site. Anything the real site would show you, they can show you, assuming you don't have 2FA enabled.
 
This is the problem with a country like China where people are constantly being lied to by the government

I don't think people in China trust their state media all that much...

I think it is time for all the browser makers to change this to a system where an incorrect certificate means you can't get to the site. And if your favourite bank or website can't get its act together and provide a correct certificate, then they are dead as far as your browser is concerned.

The problem is that this screws over web developers.
 
I love how half-assed Apple security is.

----------



So Apple, the "innovators" makers of "magical and revolutionary" products, can't seem to figure out internet security? My boring old bank does a great job of it, yet this is not Apple's fault?

Reading is not your strong suit, is it?
 
Not sure if this obvious data stealing is better or worse than the NSA "secret" scheme.
 
If you go to a website using a secure connection (https) and the website doesn't provide a correct certificate, Safari will warn you not to proceed. However, you _can_ proceed.

I think it is time for all the browser makers to change this to a system where an incorrect certificate means you can't get to the site. And if your favourite bank or website can't get its act together and provide a correct certificate, then they are dead as far as your browser is concerned.

At least Apple could do this for Apple's sites, or for sites like Facebook, Amazon etc.

The best solution is to throw away the CA system entirely. The Chinese government is a valid certificate authority trusted by Firefox and most other browsers by default, so there's basically nothing stopping them from MITM attacks. You could remove them from your trusted CA list, but that might break a lot of sites that Chinese people need. Worse, non-government CAs can be coerced to provide interception certificates, which would be the same problem on a much bigger scale.

A distributed system like the Perspectives or Convergence methods would be much better. In that scenario, we don't care about the CA; we only care if the cert our browser is presented with is different from everyone else's.
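
The comparison described in the post above (accept a certificate only if other vantage points see the same one), as an added example that is not part of the original thread and is not the actual Perspectives or Convergence protocol. The notary names, the quorum value and the certificate bytes are constructed assumptions.

```python
import hashlib
from collections import Counter

def fingerprint(der_bytes: bytes) -> str:
    """SHA-256 over the DER-encoded certificate the server presented."""
    return hashlib.sha256(der_bytes).hexdigest()

def evaluate(presented_der: bytes, notary_views: dict, quorum: float = 0.75) -> str:
    """Compare the locally presented certificate with what notaries observed.

    notary_views maps a notary name to the fingerprint it saw for the same
    host, or None if the notary could not be reached. The quorum is counted
    against ALL configured notaries, so blocking notaries cannot manufacture
    agreement; it only yields "inconclusive".
    """
    local = fingerprint(presented_der)
    seen = [fp for fp in notary_views.values() if fp is not None]
    if not seen:
        return "inconclusive"
    needed = quorum * len(notary_views)
    counts = Counter(seen)
    if counts[local] >= needed:
        return "consistent"        # the rest of the network sees our cert
    top_fp, top_n = counts.most_common(1)[0]
    if top_n >= needed and top_fp != local:
        return "local-mismatch"    # others agree with each other, not with us
    return "inconclusive"          # notaries split or too few answers

# Constructed sample data: placeholder bytes standing in for DER certificates.
GENUINE = b"constructed-genuine-certificate"
SUBSTITUTE = b"constructed-substituted-certificate"
NOTARIES = {name: fingerprint(GENUINE)
            for name in ("notary-a", "notary-b", "notary-c", "notary-d")}

if __name__ == "__main__":
    print(evaluate(GENUINE, NOTARIES))
    print(evaluate(SUBSTITUTE, NOTARIES))
    partial = dict(NOTARIES, **{"notary-c": None, "notary-d": None})
    print(evaluate(GENUINE, partial))
```

A "local-mismatch" result is the case the post cares about: the certificate may chain to a trusted CA and still differ from what every other vantage point sees.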
 
Wouldn't it be cool if we could use touch id for 2 factor? Although then they'd have to have access to your fingerprint and you'd be sending it over the internet.

As it is stored on your device all that needs to happen is for your trusted device to authenticate that there is a valid fingerprint being used so there's no need for any actual fingerprint data to be transmitted over the Internet.

According to Apple, Touch ID doesn't store any images of your fingerprint. It stores only a mathematical representation of your fingerprint. It isn't possible for your actual fingerprint image to be reverse-engineered from this mathematical representation.
 
I'm wondering how many of these Apple IDs are insecure..

True... it's also time for iPhone to be made in USA then :)

A country like China goes after the biggest fish .... Apple.

Personally, Apple got the bait...
 