A Security Weakness When Signing without a Timestamp

Similar Messages

• Security problem when signed applet dynamically load plugins

  Hi!
  I have one problem : "security problem when signed applet dynamically load plugins"
  This is the scenario:
  the main program [app.jar]
  . contain applet and shared library (interface & implement of common class)
  . it is signed and run normally on browser
  . it can draw image loaded from other URL [ex] http://bp1.blogger.com/image.jpg
  . the image loader is in the shared library
  . dynamically load amazon.jar through URLClassLoader and reflection
  the plugin [amazon.jar]
  . search amazon product [ex] Harry Potter book
  . draw image on applet
  . use image loader from shared library, BUT CANNOT LOAD IMAGE
  The question: "Why it cannot load image, because the image loader is in the shared library which has been signed and working?" I tried to sign the amazon.jar too, but it did not work.
  Your reply would be very helpful. Thank you.
  Sovann

  hello. i have create a signed applet for A.jar. A.jar include two package B and C. the main applet class is within B.
  B need some classes in C to run the applet. but i got the error that class in package c are not found.
  what shall i do?

• A fix for the Mozilla Firefox SSL Certificate Validation Security Weakness vulnerability? This appears to be an issue with not revalidating certificates when loading HTTPS pages from cache.

  We have to close vulnerabilities for PCI & Cybertrust certification. We have upgraded users running Firefox to version 7.0.1 but we are still receiving the message: Mozilla Firefox SSL Certificate Validation Security Weakness. Researching the issue, it appears to be related to certificates not being revalidated when loading HTTPS pages from cache. The bug report I found is:
  Bug 660749 - Firefox doesn't (re)validate certificates when loading a HTTPS page from the cache

  cookies.squite answer is Today at 5:15 PM .
  New profile, same problem.
  We've already established it is not a add-ons problem but obviously there will be less add-ons in this new profile to help exclude.
  Since there is two PC profiles on the PC, I tried the second profile, same problem. Used the RESET FF function on the second PC profile...same thing...even followed the instruct for uninstall &re-install...same problem.
  (3) different virus scanners, no hard core problems.
  Suspect how I have something in Windows setup that no one else is using?

• HT3702 Why does it say invalid security code when I'm prompted to sign in?

  Why does it say invalid security code when I'm prompted to sign in. I have intered my security code from my credit card several times. It will not allow me to use the app store, even for free purchases.

  Is the address on your iTunes account exactly the same (format and spacing etc) as on your credit card bill : http://support.apple.com/kb/TS1646 ? If it is then you could try what it says at the bottom of that page :
  If the issue persists, contact your credit card company and verify that they and any company they use to process credit card authorizations have the correct information on file.
  And/or try contacting iTunes support : http://www.apple.com/support/itunes/contact/ - click on Express Lane, then iTunes > iTunes Store

• HT5312 not getting the option to reset security questions when we sign into security questions

  we are not getting the option to resent security quesions when we are attempting to answer the questions.  We have a back up email saved but why are we not getting this option on the security question page?

  The reset link will only show if you have a rescue email address, which is not the same thing as an alternate/secondary email address. If you don't have a rescue email address (you won't be able to add one until you can answer 2 of your questions) then you will need to contact iTunes Support / Apple to get the questions reset.
  Contacting Apple about account security : http://support.apple.com/kb/HT5699

• Increase in file size worse in XI Pro when signing.

  Hello there,
  We started using AcrobatPro X for making, securing and signing PDF files of our test reports. The validity of these reports is not limited in time.
  So we include this revocation information at time of signing. We use our Belgian eID-cards and place 2 signatures.
  Recently I've noticed that when I use XI Pro (Win7, 64-bit) to sign the PDF (it does not matter is the file is made in X Pro or XI Pro) the size increased to 10MB.
  When I sign the same file with X Pro (Vista, 32-bit) the file size only increases to 2MB ! (Here the revocation info was also included.)
  (I am still looking into whether we need the LTV (or if OCSP can be used), so I did a test on XI Pro where I did not include revocation information, with the result: 4MB.)
  The 10Mb file size is a problem for us as our test reports must be able to be send by e-mail.
  How can the increase in file size (when signing with including the revocation information) between X and XI be explained?
  How can this issue be resolved?

  I have several questions:
  1. What is the size of the original (before the first signature) file?
  2. Do you sign with Acrobat X and Acrobat XI at the same time (you may get different CRLs with different lengths at different times)?
  3. What is the PDF size after the first signature using Acrobat X?
  4. What is the PDF size after the first signature using Acrobat XI?
  5 and 6: the same as 3 and 4 but after the second signature?
  It does not make sense to me that with Acrobat X you get 2 signatures with LTV and the total PDF size is just 2MB and with Acrobat XI you get 2 signatures without LTV and the total PDF size is 4MB. This doesn't make sense. Are you sure you're signing the same PDFs with the same credentials at about the same time in both cases? Or did you mean that PDF size increases by 2MB in the Acrobat X case and by 4MB/10MB in Acrobat XI case? I'd prefer to have the total PDF sizes not the increases.
  Another test you can do is this. Turn off "include revocation information at time of signing" on Acrobat preferences, sign your sample PDF with the same 2 signatures, then right-click on each signature and select "Add Verification Information" command for each signature (this is a new way to add LTV available in Acrobat/Reader 9.1 and later). Then save this PDF and check (and report back to this forum) the PDF size. You cannot use this LTV method if you expect that some users will open this PDF with Acrobat/Reader versions prior to 9.1. Those versions will not use this LTV type.

• [kinda urgent] Is that possible signing without digital ID?

  Hello!
  I want to ask two questions. Those things might similar to each other, which may concerning signing without Digital ID.
  First one is that we want to get sign right away right on the place(maybe without Digital ID). Probably a pad or something, such the device we use when taking bills with credit card, would be connected to the computer. Is that possible or at least sounds probable? and if it is, please let me know how.
  Not only that, I wanna ask u one more thing. It is using pdf file with table pc, such as I-PAD. hmm.. giving an example, let's say I read a dynamic forms with I-pad, and I want to sign without Digital ID thing, specifically 'on the pad'. is that possible? like the former one, if it is, please tell me how to do it.
  The former one is more important and the fact whether possible or not is the first priority.
  In case the information is not specific enough, just comment about that, I am gonna add more detail.
  kinda in a hurry, Please help me.
  Any comment would be appreciated!!
  virtuodo123

  The PDF format supports many types of "Electronic" signatures, including signatures created using a signature pad.  Acrobat and Reader (with a reader extended form) have the ability to sign PDF documents using Digital IDs (x509 digital certificates) out of the box.  Other types of signatures are supported using third party plugins.
  For more info, check out http://www.adobe.com/security/partners/index.html
  Regards
  Steve

• HT204266 How come my credit card says invalid security code when I put my code in at the App Store?

  How come my credit card says invalid security code when I put my code in at the App Store? I have a bunch of free apps when I had my ipad 1 now I have 2 and my credit card will not be read as authentic Watson ever I tried my girls card nothing do I need to have money on it for a free download? I even bought a couple of games but why with so many free ones? Please help me I'm slow so walkit through with me thnx also my ipad 2 is brand new out da box and I accidentally updated to 6.0 without finding out first about it so some pointers to it would help ...which I think that it has something to do with it.

  Is the address on your iTunes account exactly the same (format and spacing etc) as on your credit card bill : http://support.apple.com/kb/TS1646 ? If it is then you could try what it says at the bottom of that page :
  If the issue persists, contact your credit card company and verify that they and any company they use to process credit card authorisations have the correct information on file.
  And/or try contacting iTunes support : http://www.apple.com/support/itunes/contact/ - click on Contact iTunes Store Support on the right-hand side of the page
  For iOS I would expect an updated version of the manual to appear here at some point : http://support.apple.com/manuals/ipad/
  In the meantime there is this : http://www.apple.com/ios/whats-new/

• Am being prompted to enter security questions when making a purchase on my new IPad.  I don't believe I have ever setup security questions on my apple id.  How to I create new security questions?

  I am being prompted to enter security questions when making a purchase on my new IPad.  I don't believe I have ever setup security questions on my apple id.  I have tried logging into my apple id and have chosen the security and priviacy settings to set up security questions.  However I am prompted to enter answers to security questions and am told they don't match.  How to I create new security questions or reset them? 

  You need to ask Apple to reset your security questions; ways of contacting them include phoning AppleCare and asking for the Account Security team, clicking here and picking a method for your country, and filling out and submitting this form.
  They wouldn't be security questions if they could be bypassed without Apple verifying your identity.
  (104011)

• Was not informed of new policy when signing up for service and charged for services I did not knowingly agree to.

  I’m writing to contest a $29.99 monthly charge, which is contracted for 24 months amounting to $720 in total. The charge is for a data plan which I did not knowingly agree to, and verizon is unwilling to remove from the account even though the phone on the line does NOT use data.
  The backstory of the issue:
  On September 19, 2014 I waited in line at an Apple store to purchase a new iPhone on launch day.  I opened a new basic line of service for $9.99 a month on my account so I could purchase a discounted phone from Verizon. When purchasing the phone, the representative explained that he was going to have to put a basic data package on the line for $15 a month, but that it would be removed once I transferred the phone to an existing line on the account.  After the purchase was complete, we transferred the phone to an exisitng line, and the represented confirmed that the data package would not be charged to my account and therefore I would only have to pay $9.99 a month for the basic line of service for two years. A couple weeks pass and I receive my bill, I notice that the data plan is still listed on my account and has also increased to $29.99 a month!  I call Verizon to see what is going on, they tell me that they have just implemented a new policy that states if I purchased a smart phone on a basic account and then transfer the phone to a differnt line that I will have to pay $29.99 a month for data even if the new phone that is currently on the line does not use data! I told them I was not informed of this, and was actually told the complete opposite when signing up for service.  They refuse to remove the data package, and will not let me cancel the account without charging  me $350.  The representative on the phone said that the representative in the store was a sales person and most likely did not have the training to inform them of the new policy change, and that they could not honor what he told me.
  I should be able to rely on and trust what a Verizon wireless representative is telling me, I was not aware of the new policy and did not knowingly agree to this policy. And in that case, I would like to point out that I have been a loyal Verizon customer for over 15 years humbly request that you clear this $29.99 monthly charge from my account as a gesture of good faith.
  I have spent over 7 hours on the phone with verizon trying to get this resolved to no avail. I have also filed a complaint with the attorney generals office, and plan to persue this until it is fully resolved.

  Customer Agreement | Verizon Wireless
  This agreement and the documents it incorporates form the entire agreement between us. You can't rely on any other documents, or on what's said by any Sales or Customer Service Representatives, and you have no other rights regarding Service or this agreement.
  They gotcha! And that policy change was listed here and other places on the net.
  Its either pay that or the early termination fees.
  Verizon will not grant you a mistake forgiveness clause.
  If they do it for you they would have to do it for everyone.
  Good Luck

• Recieving error when signing a document

  When signing a document, users are receiving >>Timestamp signature property generation error: Unsupported transport protocol
  Time Stamp Server is configued as Server URL:  IP Address of Time Server
  Any ideas on how to resolve this error?

  Hi,
  The problem is probably the URL for the timestamp server is an SSL address (i.e. https://) and the certificate that the OS needs to validate the SSL connection is not available. One thing to try is to copy the address for the timestamp server and paste it into a browser. This may give you the option of installing the SSL certificate.
  Steve

• What do i need to do when signing out of sync?

  thank you for the very clear and easy to follow articles on installing and using sync weave add-on for my main pc and other pcs or mobile items i use....i am less clear as to what to do when signing out of sync weave, and how to cover my history etc....i couldn't find an appropriate article for this and would appreciate guidance as to the steps i need to take every time i want to sign out of a pc/etc and therefore maintain my privacy and security...an article to match the existing ones for installing weave would be fantastic...thanks!!

  Are you trying to install the DB on Linux from your Windows Box? if so, you need to have an XWindows client on your client. You have to SSH or Telnet into the box, set your DISPLAY variable. In fact, it is all in your documentation for the DB install. We still don't understand what you are exactly asking.
  Do you have direct access to your Linux machine? If so, and it has a graphical GUI, then you can find install guides for most flavors of Linux at dizwell.com. His are most excellent and show examples, but do not go over the XWindows problem. You would have to resolve that first.
  A free XWindows environment for Windows is Cygwin.
  Once the DB is running on Linux then all you do is create a TNS entry on it on your client and it connects. It is the same as setting up a connection to connect to Oracle on a Windows box.

• Ques;How  do you secure imail when used being used in iweb. People can mess

  How do you secure imail when used being used in iweb? People can mess w/my settings in iweb imail window.

  What is iMail?
  And what is an iWeb iMail window?
  iWeb is part of iLife 06 which is an application used to create websites hosted on .Mac.
  Are you referring to Apple's Mail application and webmail access using a browser such as Safari to access your .Mac account?
  Which people can mess with what settings? You shouldn't allow anyone else to access your Mac when logged in to your account and home folder/directory. OS X was designed for multiple users of the same Mac with each regular user having their own computer login account (with or without admin privileges) and associated home folder/directory to store and access their data and settings for their login account only.

• I can't remember the answers to my secret questions when signing into itunes

  I Cannot remember my answers to the secret questions when signing into iTunes to purchase. How do I fix this?

  Hey Moo1972,
  Thanks for the question. If you are having issues with the security questions associated with your Apple ID, follow these steps:
  If you forgot the answers to your Apple ID security questions
  http://support.apple.com/kb/HT6170
  Reset your security questions
  1. Go to My Apple ID (appleid.apple.com).
  2. Select “Manage your Apple ID” and sign in.
  3. Select “Password and Security” on the left side of the page.
  4. If you have only one security question, you can change the question and answer now.
  5. If you have more than one security question:
            - Select “Send reset security info email to [your rescue email address].” If you don't see this link or don't have access to your rescue address, contact Apple Support as described in the next section.
            - Your rescue address will receive a reset email from Apple. Follow its instructions to reset your security questions and set up new questions and answers. Didn't receive the email?
  After resetting your security questions, consider turning on two-step verification. With two-step verification, you don't need security questions to secure your account or verify your identity.
  If you can't reset your security questions
  Contact Apple Support in either of these circumstances:
            - You don't see the link to send a reset email, which means you don't have a rescue address.
            - You see the link to send a reset email, but you don't have access to email at the rescue address.
  A temporary support PIN isn't usually required, but Apple may ask you to generate a PIN if your identity needs to be verified.
  Thanks,
  Matt M.

• Default security context for signed applets using WinXP+IE8

  What is the default security context for signed applets from the internet zone using Java 6 and WinXP+IE8 combination? My guess is that all file and socket access available for the user's Windows account is provided to the applet as well. Is this correct and if so, is there a way to limit these access privileges for signed applets from the internet zone?
  This information is surprisingly difficult to find given how security concious people now are using the internet.

  AntonBoer wrote:
  Thank you for your swift reply.
  Unfortunately your answer reflects to my worst fears. Frankly I find this security model naiive. Anyone with euros can get their applet signed so that is no security control at all.The same naive security model applies to just about anything signed and downloaded; not just to Java Applets.
  >
  Working for a corporate IT how I am supposed to allow Java installations on any of our computers with internet access? That automatically means I am providing them as platforms to whoever wishes to run Java code on them (given that the user of course visits the web site). I would have expected Sun to put more effort into this but it appers nothig have changed in this regard for 10 years.I don't see this as a Sun problem; it is indicative of what I consider to be a general security weakness for all computer systems. For example, for Windows, Vista just added more user involvement in the trust process but it still allows programs to run pretty much unconstrained if the user agrees to them running.
  For some time I have advocated a more fine grained approach. I would like to see ALL programs run in a sandbox that a user can specify what and what cannot be done by each individual program. Unfortunately, this would annoy the hell out of most users so it has little chance of every of ever being accepted. The average user just wants a run-and-forget-about-security model.