Apple Criticized For Not Blocking Stolen Certs

Posted by samzenpus on Thursday September 8, 2011 @06:39PM from the I-am-disappoint dept.

CWmike writes "A security researcher is criticizing Apple for lagging with its response to the DigiNotar certificate fiasco. He is urging the company to quickly update Mac OS X to protect users. 'We're looking at some very serious issues [about trust on the Web] and it doesn't help matters when Apple is dragging its feet,' said Paul Henry, a security and forensics analyst with Lumension. Unlike Microsoft, which updated Windows on Tuesday to block all SSL certificates issued by DigiNotar, Apple has not updated Mac OS X to do the same. Meanwhile, even Mac OS X users who want to go DIY are stymied, reports Bob McMillan, because the OS can't properly revoke dodgy digital certificates."

1 of 154 comments (clear)

Min score:

Reason:

Sort:

Re:Idiots, certs are easy to disable in OSX by Anonymous Coward · 2011-09-08 23:53 · Score: 5, Informative

FTFA:

Ryan Sleevi, a software developer who has contributed to Google's Chrome project, noticed the issue too. After poking around the Mac OS X source code, though, he uncovered the cause.
Users can revoke a certificate using Keychain, but if they happen to visit a site that uses the more-secure Extended Validation Certificates, the Mac will accept the EV certificate even if it's been issued by a certificate authority marked as untrusted in Keychain.