Slashdot Mirror


Apple Criticized For Not Blocking Stolen Certs

CWmike writes "A security researcher is criticizing Apple for lagging with its response to the DigiNotar certificate fiasco. He is urging the company to quickly update Mac OS X to protect users. 'We're looking at some very serious issues [about trust on the Web] and it doesn't help matters when Apple is dragging its feet,' said Paul Henry, a security and forensics analyst with Lumension. Unlike Microsoft, which updated Windows on Tuesday to block all SSL certificates issued by DigiNotar, Apple has not updated Mac OS X to do the same. Meanwhile, even Mac OS X users who want to go DIY are stymied, reports Bob McMillan, because the OS can't properly revoke dodgy digital certificates."

90 of 154 comments

  1. Not just Apple... by Amarantine · · Score: 3, Interesting

    At the request of the Dutch government, Microsoft is delaying the update in the Netherlands (home of DigiNotar) until next week, to avoid confusion (and to buy the government more time to roll out new certs).

    I feel much safer now, knowing our government has the power to stop Microsoft from rolling out security updates in a country.

    1. Re:Not just Apple... by mwvdlee · · Score: 1

      Yup. Much better to just shut down the government for a few days than to not overreact to an already fixed security issue.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    2. Re:Not just Apple... by Golthar · · Score: 4, Informative

      At the request of the Dutch government, Microsoft is delaying the update in the Netherlands (home of DigiNotar) until next week, to avoid confusion (and to buy the government more time to roll out new certs).

      I feel much safer now, knowing our government has the power to stop Microsoft from rolling out security updates in a country.

      I'm in the Netherlands and I got the patch just fine.
      Must be because I use the English version of Windows

    3. Re:Not just Apple... by sjames · · Score: 1

      Apparently it's NOT a fixed security issue if you use IE in the Netherlands. It WOULD be fixed if the certificate were removed.

    4. Re:Not just Apple... by Zeikzeil · · Score: 1

      Even on some computers that run Dutch versions of Windows the patch got installed apparently. MS called it an error. I call it not honoring an agreement. Not that I think this agreement was a good idea to begin with.

    5. Re:Not just Apple... by Eskarel · · Score: 1

      That's because it's not using IE, it's using the Windows HTML libraries, which are incidentally IE-like; they're always there, so they are what developers program against.

    6. Re:Not just Apple... by jonwil · · Score: 1

      One would hope that any and all private keys for the DigiNotar root certificates have been regenerated and replaced and are NEVER going to be used to generate certificates again.

    7. Re:Not just Apple... by Anonymous Coward · · Score: 1

      Not really. The Dutch government asked Microsoft the same thing that it asked Mozilla: not to block the Staat Der Nederlanden Root (yet), of which DigiNotar was one of the partners. The Fox-IT audit did not find any evidence of fraudulent certificates under this root, so there is no clear and present danger for these certificates.

      That said, the root certificate will be invalidated anyway. The government is only asking for more time to do so. We're talking about renewing some 10,000 certificates btw, and granting these certificates is not a turnkey operation.

    8. Re:Not just Apple... by Tomato42 · · Score: 4, Informative

      The only thing that might prevent this, is hoping the revocation list of diginotar is complete

      > implying browsers actually check CRL or OCSP responses

      HA HA, good one. Only Opera checks OCSP and won't show you that the site is "secure" when it can't contact the OCSP server. Firefox can be defeated by putting "3" in the OCSP response (come on, we're talking about full-scale MITM; adding OCSP to the attack, which also uses HTTP, is trivial). IE, even when it gets an OCSP failure or can't connect to OCSP at all, will still show the green bar...
      If you're using regular certificates, Firefox and IE don't even check for OCSP...

    9. Re:Not just Apple... by dingen · · Score: 3, Informative

      The Fox-IT audit did not find any evidence of fraudulent certificates under this root, so there no clear and present danger for these certificates.

      That is old information. The Dutch government only asked Mozilla to not block their root while the Fox-IT audit was still in progress. But by the time it was finished, it could not be proven the Staat Der Nederlanden CA was clean, so they then gave up on DigiNotar entirely and gave Mozilla the OK to block everything.

      --
      Pretty good is actually pretty bad.
    10. Re:Not just Apple... by im3w1l · · Score: 1

      Why couldn't they just whitelist the most critical, known-legit, certs instead?

    11. Re:Not just Apple... by nitehawk214 · · Score: 2

      That Microsoft was looking out for customer's interests rather than governments? I would think this should be applauded.

      --
      I'm a good cook. I'm a fantastic eater. - Steven Brust
    12. Re:Not just Apple... by Zeikzeil · · Score: 1

      Don't get me wrong, I agree. the one time MS acts quickly someone asks them to hold. I think MS should not have agreed to it. That's why I said the agreement wasn't a good idea to begin with. The Dutch government should hurry to get new certificates in place, not ask MS to put the patch on hold.

    13. Re:Not just Apple... by S.O.B. · · Score: 1

      Unfortunately Slashdot is populated by equal numbers of each extreme so no matter what you say there will be someone waiting to obnoxiously inform you of your error.

      --
      Some of what I say is fact, some is conjecture, the rest I'm just blowing out my ass...you guess.
    14. Re:Not just Apple... by Toonol · · Score: 2

      Better than the opposite. I trust governments more than corporations. Governments are (still) elected and accountable before their citizens

      And that sums up the difference between your political ideology and mine in a succinct little package. I trust corporations more than governments; corporations aren't allowed to jail and kill you.

    15. Re:Not just Apple... by amicusNYCL · · Score: 1

      I feel much safer now, knowing our government has the power to stop Microsoft from rolling out security updates in a country.

      I doubt they have "the power" so much as common courtesy. I bet the exchange went something like this:

      Microsoft: "We're going to push out an update to block DigiNotar certificates soon."
      The Dutch: "Hey Microsoft, most of our government infrastructure uses those certs. Our IT staff is pretty backed up right now. Can you delay the release a week for the Dutch version?"
      Microsoft: "Sure."

      Microsoft could have refused, if they wanted to be dicks about it, and the Dutch gov probably could have threatened some sort of legal action, if they also wanted to be dicks about it, but I bet this is more of a non-story about two organizations working together than whatever Orwellian scenario you have in mind.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    16. Re:Not just Apple... by fast+turtle · · Score: 1

      What I don't understand is why in hell the browser simply doesn't ask before trusting any cert encountered? Sure it might be like the damn cookie question (allow/deny) 40-50 times for a single website but wouldn't this at least be a practical check as the only ones that need to be trusted by default are the Root certs.

      In my case, I've set all certs to untrusted status and enabled those few exceptions to policy that I actually encounter as there are very few websites where I actually see SSL certs in use. Right now I'm looking at a total of 20 actually needed and having no problems with web access.

      --
      Mod me up/Mod me down: I wont frown as I've no crown
    17. Re:Not just Apple... by daem0n1x · · Score: 1

      corporations aren't allowed to jail and kill you.

      So naive. What about Blackwater?

      Anyway, my government is not allowed to kill anyone. Yours is, because most of your people support it.

    18. Re:Not just Apple... by St.Creed · · Score: 1

      Oh good idea! I'm going to do that right now.

      --
      Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)
    19. Re:Not just Apple... by milkmage · · Score: 1

      these guys just got blackballed by Mozilla and Google. IE is next. They're not issuing anything ever again - for all intents and purposes they cease to be a CA - MS/GOOG/MOZ will never trust them again.

  2. FUD by Anonymous Coward · · Score: 3, Funny

    These certs are blocked on all Apple equipment and always have been. Anyone getting the certificate accepted is obviously holding it wrong.

    1. Re:FUD by oobayly · · Score: 1

      Why anonymous? I very nearly had coffee on my monitor because of that.

  3. Reality by mcrbids · · Score: 5, Funny

    Somewhere deep in Silicon Valley, a programmer is looking at a comment something like this:

    /*******
    FIXME: WTF Hack here. CRLs require authentication of being revoked, but we never bothered to check the callback of the revoke. Maybe if we bothered to have a revoke infrastructure? For now, we'll just not bother fixing this until 10.1 or 10.2.
    ******/
    return true;

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
    1. Re:Reality by alannon · · Score: 1

      If you read the article, you would learn that this isn't the case. It's pretty clearly a bug (not a missing revocation infrastructure) since the problem only occurs on Extended Validation certs. Otherwise, the revocation works as it should.

    2. Re:Reality by HiThere · · Score: 1

      You sound like you know what you're talking about. But what's an "Extended Validation cert."? To me it sounded like a browser problem, but I'm NOT informed in that area.

      --
      I think we've pushed this "anyone can grow up to be president" thing too far.
    3. Re:Reality by alannon · · Score: 1

      An Extended Validation certificate is one that includes information indicating that a specific legal entity (person, corporation) has been confirmed as being the owner of the certificate, rather than just in control of a particular domain. In modern browsers that understand this extended information, you will often see the name of the corporation next to the 'lock' icon.

    4. Re:Reality by HiThere · · Score: 1

      You mean this story is about Apple deciding that you can't decide that you don't trust someone who you can identify?

      That's grotesque! I frequently decide that someone in particular (rather than someone I can't identify) is untrustworthy.

      --
      I think we've pushed this "anyone can grow up to be president" thing too far.
  4. Certificate revocation by wvmarle · · Score: 5, Interesting

    The biggest issue that has come to light here imho is that it's nigh impossible to revoke an issued certificate. When a certificate is out, and it's signed by a trusted CA, there is basically no way to revoke it. Revoking involves updating browsers, or even complete operating systems (like Windows or OS-X). Just because one CA made a small mistake or got hacked for whatever reason, the whole world has to update their software.

    Errors will be made. Certificates will be issued erroneously by a CA, or through hacking. Certificates will be lost/stolen. But for some reason there is no proper way in the whole system to fix that kind of errors. If we let it be, it's just a matter of time before the whole system crumbles and nothing can be trusted any more.

    Any thoughts on this? Any ideas on how this could be fixed?

    1. Re:Certificate revocation by Beryllium+Sphere(tm) · · Score: 1

      The major browsers support OCSP. The technology exists, whatever the practical problems are in using it.

    2. Re:Certificate revocation by slimjim8094 · · Score: 3, Informative

      Certificates can be revoked by putting them on the certificate revocation list. The OCSP protocol is analogous. Here, try it yourself: http://validation.diginotar.nl/ - get an OCSP client (IE7+, FF3+, Chrome, etc do it automatically) and try to authenticate any of the fraudulent certificates.

      Somebody getting a hold of the private keys for the CA itself is a bigger problem - keys can be signed by the attacker faster than they can be revoked. I haven't heard that that's the case - just that fraudulent certs were made, presumably through the same semi-automated process that everybody else uses.

      I don't know if there's a way to revoke a CA cert (that is, *all* certificates signed by a certificate). But that doesn't seem to be required here, so the standard revocation procedure works.

      --
      I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
    3. Re:Certificate revocation by whiteboy86 · · Score: 1

      > Any ideas on how this could be fixed?

      Take a walk to the trusty stonewalled bank not a 'firewalled' phony bank, don't buy a Mac, another FOSS victory btw..

    4. Re:Certificate revocation by Anonymous Coward · · Score: 1

      FF allows disabling certifiers and it runs on OSX and Windows:
          Preferences | Advanced | Encryption, View Certificates, scroll down to DigiNotar Root Certificate, press Edit and uncheck.

      It's a manual update, but no new browser or OS update. And it's supposed to be updated automatically-- I might have disabled it in About:Config

    5. Re:Certificate revocation by pankkake · · Score: 2

      Welcome to the Diginotar OCSP Service. To use this service, please use compatibel client software. Thanks.

      Why did we ever trust these guys?

      --
      Kill all hipsters.
    6. Re:Certificate revocation by wvmarle · · Score: 1

      Certificates can be revoked by putting them on the certificate revocation list. The OCSP protocol is analogous. Here, try it yourself: http://validation.diginotar.nl/ - get an OCSP client (IE7+, FF3+, Chrome, etc do it automatically) and try to authenticate any of the fraudulent certificates.

      OK sounds cool. I can't be bothered to try it out myself, I'll take your word for it. But if there's such a revocation system, why do we still need browser or even OS updates to deal with this issue??

    7. Re:Certificate revocation by tjohns · · Score: 1

      From what I understand, the DigiNotar CRL isn't to be trusted at this point. Logs were deleted as part of the hack, and they're not completely sure which fraudulent certificates were issued.

      Their OCSP servers were modified to consider all certificates as revoked, except for those on a whitelist. This is the opposite of how OCSP usually works, and the correct approach in this situation. However, CRLs can only be used as a blacklist.

      Source: http://isc.sans.edu/diary.html?storyid=11512

    8. Re:Certificate revocation by Haedrian · · Score: 1

      Same here. I'm on Firefox 7.0. I'll see if there's a difference with aurora.

    9. Re:Certificate revocation by cyrano.mac · · Score: 1

      Why don't you just delete DigiNotar and Comodo certs yourself? I mean, it's a trust relationship. If you, the user, no longer trust a notar, just delete its certificate and find out which of your SSL connections no longer works or defaults to an unsecured connection. You can find and delete certificates in the prefs of some browsers. On OSX, it's the Keychain Util, of course.

    10. Re:Certificate revocation by somersault · · Score: 1

      I can't be bothered to try it out myself, I'll take your word for it

      if there's such a revocation system, why do we still need browser or even OS updates to deal with this issue??

      Probably because people are too trusting, and never bother to test that OCSP works..

      --
      which is totally what she said
    11. Re:Certificate revocation by wvmarle · · Score: 1

      I can't be bothered to try it out myself, I'll take your word for it

      if there's such a revocation system, why do we still need browser or even OS updates to deal with this issue??

      Probably because people are too trusting, and never bother to test that OCSP works..

      Do you check the Linux kernel for back doors? Or any other software that you use, like Firefox? I don't. Because I trust the community at large. Not a single vendor. I know there are people that make it their business to make sure there are no back doors in the kernel, or in Firefox, and that SSH has no bugs, and that SSL certificates are secure, and that CAs issue only valid certificates. The whole Diginotar issue came to light not thanks to Diginotar, but thanks to the community at large: security experts that realised something is wrong. I'm not such an expert, I know some of the red flags, but for the rest I'm just a user, like most other people out there, and basically have no choice but to put my trust in those businesses while keeping an eye on media outlets like /. to report on serious issues.

      And besides you're completely ignoring my actual question. There is apparently a revocation system in place - and yet we're still struggling with software updates. Ergo, automatic revocation system is broken and useless. And that was my point really.

    12. Re:Certificate revocation by wvmarle · · Score: 1

      I just get an update from Ubuntu that blacklists Diginotar. So that part is done.

      Yet you're also one of those people that doesn't get the point. This kind of blacklisting should be done automatically, in real time, without needing to update software on a client computer. Now other comments mention that there is some automated system, yet the fact that these updates get so much attention and are presented as "the solution" tells me that that system is broken.

    13. Re:Certificate revocation by somersault · · Score: 1

      Yes, but the joke was that the revocation system is in place, yet even someone who's asking about it can't be bothered to test it out and see if it works. Bugs won't get fixed if they're not noticed and reported.

      --
      which is totally what she said
    14. Re:Certificate revocation by magamiako1 · · Score: 1

      http://digitaloffense.net/tools/debian-openssl/

      Just saying...

    15. Re:Certificate revocation by wvmarle · · Score: 1

      It is so obviously broken and utterly useless (if not: why would anyone need to install a software update to fix it?) that I really can't be bothered to manually try it out. It's useless. It doesn't do what it's supposed to do. Great that you can manually check a certificate there, but I've got better things to do with my time than manually checking all those certificates that I encounter.

    16. Re:Certificate revocation by hey! · · Score: 1

      My thought is that it's probably impossible to patch the architecture of the certificate system in such a way that it:

      a) reliably rejects revoked certificates

      b) is transparent to users, performing quickly on valid certificates and never or very seldom rejecting them.

      c) covers all the use cases the certificate system is supposed cover

      d) doesn't require the user to understand the the certificate system and make sound judgments about when it can safely be bypassed.

      Covering the substantial majority of users in nearly all use cases it what makes this hard. If you could trust users to make sound decisions in unusual or borderline cases, a lot of things in technology would be a lot easier. But even if you take a screw-the-users-who-are-ignorant attitude, the damage that they can do isn't confined to *themselves*.

      So the short answer is: sometimes whacking a problem with the Big Ugly Hammer is the closest thing to an elegant solution you're ever going to find.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    17. Re:Certificate revocation by v1 · · Score: 1

      It is so obviously broken and utterly useless

      if they happen to visit a site that uses the more-secure Extended Validation Certificates, the Mac will accept the EV certificate even if it's been issued by a certificate authority marked as untrusted in Keychain.

      It's troubling that such a basic component of Internet security could have such an obvious flaw on the Mac, several security experts said Wednesday.

      It's entertaining to watch the armchair quarterbacks at it, even the ones calling themselves "security experts". This isn't an "obvious" issue, root CAs aren't getting EV certs revoked all the time - it's incredibly rare. (when's the last time you can remember a root CA getting untrusted? I can count them on one hand) How can anyone consider a bug in an extremely rarely visited fork of code to be "obvious"? They're just making a lot of noise to get some attention. And sucker some readers. And you fell for it.

      But I do agree that Apple needs to get their can in gear and issue a security update that removes the CAs from the system keychain, and fix the Do Not Trust status of EV certs. At least some of that may have already happened; I'm looking at my system and roots keychains and both of them show notar as untrusted. Interesting that the article didn't provide even one single link to test... can anyone provide a link? Talk about obvious things being overlooked; they need to do an Obvious Check on their own articles methinks!

      --
      I work for the Department of Redundancy Department.
    18. Re:Certificate revocation by BZ · · Score: 1

      CRLs and OCSP only work if you can reach the server they're hosted on.

      You could have systems fail hard on failure to reach such servers, but that gives the SSL parts of the internet single points of DoS failure, not to mention that some CAs run pretty flaky servers to start with.
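    The two failure modes argued about above (Tomato42's point that a client can be fed an OCSP response of "3", i.e. tryLater, and BZ's point that CRLs and OCSP only help if the server can be reached) as an added, runnable illustration. This is not code from the thread or from any browser vendor: it hand-rolls just enough DER to build a constructed, unsigned TBSCertList and to read the responseStatus of an OCSPResponse, and it skips signature verification entirely, which a real client must not do. The serial numbers, dates and empty issuer are made up.

```python
"""Added example: a CRL is only a blacklist, and a soft-failing OCSP client
accepts a certificate whenever the responder is unreachable or says tryLater.
DER subset only; CRL/OCSP signatures are deliberately NOT verified here."""
from typing import Dict, Iterator, Optional, Set, Tuple

SEQUENCE, INTEGER, ENUMERATED, UTCTIME, GENERALIZEDTIME = 0x30, 0x02, 0x0A, 0x17, 0x18
SHA256_WITH_RSA = bytes.fromhex("06092a864886f70d01010b")  # OID 1.2.840.113549.1.1.11


def der_len(n: int) -> bytes:
    """DER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + der_len(len(payload)) + payload


def der_int(value: int) -> bytes:
    """DER INTEGER: minimal big-endian two's complement."""
    return tlv(INTEGER, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def der_children(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, value) for each TLV inside a constructed element's body."""
    i = 0
    while i < len(data):
        tag, length, i = data[i], data[i + 1], i + 2
        if length & 0x80:                      # long-form length
            n, i = length & 0x7F, i + (length & 0x7F)
            length = int.from_bytes(data[i - n:i], "big")
        yield tag, data[i:i + length]
        i += length


def build_tbs_cert_list(revoked: Dict[int, str]) -> bytes:
    """Constructed TBSCertList (RFC 5280 s5.1.2) with an empty issuer and no
    signature: sample input for the parser below, not something to trust."""
    entries = b"".join(tlv(SEQUENCE, der_int(serial) + tlv(UTCTIME, when.encode()))
                       for serial, when in revoked.items())
    return tlv(SEQUENCE,
               der_int(1)                                  # version v2
               + tlv(SEQUENCE, SHA256_WITH_RSA)             # signature algorithm
               + tlv(SEQUENCE, b"")                         # issuer Name (empty, assumed)
               + tlv(UTCTIME, b"110906120000Z")             # thisUpdate (made up)
               + tlv(UTCTIME, b"110913120000Z")             # nextUpdate (made up)
               + tlv(SEQUENCE, entries))                    # revokedCertificates


def revoked_serials(tbs_cert_list: bytes) -> Set[int]:
    """Serials in revokedCertificates (the first SEQUENCE after the update
    times).  Anything NOT listed counts as good: a CA that lost its issuance
    logs cannot express 'everything else is bad' with a CRL."""
    (outer, body), = der_children(tbs_cert_list)
    if outer != SEQUENCE:
        raise ValueError("not a TBSCertList")
    seen_time, serials = False, set()
    for tag, value in der_children(body):
        if tag in (UTCTIME, GENERALIZEDTIME):
            seen_time = True
        elif tag == SEQUENCE and seen_time:
            for _, entry in der_children(value):
                _, serial = next(der_children(entry))
                serials.add(int.from_bytes(serial, "big", signed=True))
            break
    return serials


def is_revoked_per_crl(serial: int, tbs_cert_list: bytes) -> bool:
    return serial in revoked_serials(tbs_cert_list)


# OCSP: only the outer responseStatus (RFC 6960 s4.2.1) is handled here.
OCSP_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
               3: "tryLater", 5: "sigRequired", 6: "unauthorized"}


def ocsp_try_later() -> bytes:
    """OCSPResponse { responseStatus tryLater }: five bytes, carries no
    signature, so anyone in the HTTP path can substitute it for the real answer."""
    return tlv(SEQUENCE, tlv(ENUMERATED, bytes([3])))


def ocsp_response_status(der: bytes) -> str:
    (outer, body), = der_children(der)
    tag, status = next(der_children(body))
    if outer != SEQUENCE or tag != ENUMERATED:
        raise ValueError("not an OCSPResponse")
    return OCSP_STATUS.get(status[0], "unknown")


def client_decision(response: Optional[bytes], hard_fail: bool) -> str:
    """None models an unreachable responder (timeout, filtered port).
    Only a 'successful' status carries a signed BasicOCSPResponse to verify;
    every other outcome is exactly where soft-fail and hard-fail diverge."""
    status = "unreachable" if response is None else ocsp_response_status(response)
    if status == "successful":
        return "verify-basic-response"
    return "reject" if hard_fail else "accept"


if __name__ == "__main__":
    crl = build_tbs_cert_list({0x1A2B: "110901120000Z", 0x8000: "110902120000Z"})
    print("revoked serials:", sorted(revoked_serials(crl)))
    print("tryLater, soft-fail client:", client_decision(ocsp_try_later(), hard_fail=False))
    print("tryLater, hard-fail client:", client_decision(ocsp_try_later(), hard_fail=True))
```

`client_decision(None, hard_fail=True)` is BZ's trade-off in one line: a hard-failing client turns every flaky or blocked responder into a denial of service, which is why browsers of the time soft-failed and why a MITM who can already rewrite TLS can also hand back the five-byte tryLater answer.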

  5. It's Safari not the OS by Anonymous Coward · · Score: 1

    The problem lies with Safari not with OSX. Use a different browser. This is not an OS problem. I do wish Apple would get their finger out and fix it though.

    1. Re:It's Safari not the OS by BitZtream · · Score: 1

      No, it's an OS problem.

      The only problem is ignorant users. The OS does a fine job of revoking certs, if you know how to use the OS.

      You just revoke them in Keychain Access and they are revoked system wide. Open it, find your cert, mark it as never trusted. Takes about 8 seconds, I timed it.

      Anyone who thinks certificates can't be revoked in OSX is an idiot.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    2. Re:It's Safari not the OS by UnknowingFool · · Score: 1

      On OSX Safari, of course, and I think FF, Opera, and Chrome, do not use their own root certificate list like on Windows. They use the OS-level keychain service for their encryption needs, whether it be form data or certificates.

      No FF has its own list. However it only has "Delete or Distrust . . " as one option not two.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    3. Re:It's Safari not the OS by nabsltd · · Score: 1

      No FF has its own list. However it only has "Delete or Distrust . . " as one option not two.

      It's actually two options that work differently depending on the type of certificate.

      If the cert was built-in to Firefox, then "Delete or Distrust..." removes all the trusts for the cert but does not delete it. This means that the cert can't be used to validate anything, but it also means that you don't have to re-install Firefox to get back a built-in cert that was accidentally deleted.

      If the cert was not built-in, then "Delete or Distrust..." deletes the cert. Since you obviously imported it once, you should be able to do so again if you delete by mistake.

      For both types of certs, "Edit Trust..." will allow you finer control over the types of trust (and is what you use to restore a "distrusted" built-in cert).

  6. Double standards? by trifish · · Score: 1

    Comodo hasn't had just one, but two such breaches in the past few years (use the Slashdot search to find the stories).

    How come their certificates are still trusted and included with all browsers and operating systems whereas Diginotar's certificates were obliterated from all browser and almost all operating systems immediately?

    Is it because DigiNotar is only a regional Dutch CA? Talk about disgusting double standards then.

    1. Re:Double standards? by Elbart · · Score: 1

      Comodo immediately disclosed the breach and made it known to all affected parties. DigiNotar sat on it and kept quiet for months.

    2. Re:Double standards? by sjames · · Score: 3, Insightful

      Because Comodo proactively detected the problem, put a stop to it, and had an appropriate audit log showing how large the problem was and what certs were wrongly issued.

      Even DigiNotar acknowledges that removal of their root key is the only way to contain their leak.

      OTOH, I chose to disable Comodo's keys in my browser.

    3. Re:Double standards? by nedlohs · · Score: 2

      because Comodo's announced the problem and revoked the bad certificates within minutes of them being created. Whereas DigiNotar did nothing for a month.

      CAs are all about trust. Sure, Comodo showed they have some problems, but also that they do the right thing when shit happens. DigiNotar showed they are completely untrustworthy: security breaches happen; the ignoring-them bit is unforgivable for an entity whose role is solely about trust.

    4. Re:Double standards? by slimjim8094 · · Score: 2

      Reading the 'pedia, it seems like DigiNotar's been careless for a while. Only 9 certificates were issued with Comodo, and it was handled very very quickly. It also doesn't seem like Comodo was actually compromised - Wikipedia says "a user account with an affiliate registration authority had been compromised"

      By comparison, nobody's quite sure just how many DigiNotar certs were issued, or over how long a period of time. DigiNotar themselves have said they can't ensure that all fraudulent certs will be revoked.

      If that wasn't enough, the fact that Comodo is a much, much larger CA is also important. Like it or not, the fallout from distrusting DigiNotar is much less than the fallout for kicking off Comodo would be.

      --
      I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
    5. Re:Double standards? by trifish · · Score: 1

      I don't care they reacted quickly. It has happened TWICE to Comodo.

      It's about trust. I don't trust amateurs who can't even learn from their own mistakes.

      I've distrusted Comodo's certificate like I did with DigiNotar and the Chinese CA.

      The reason not to remove Comodo can't be that they're bigger than DigiNotar. Double standards are absolutely unacceptable in this field.

    6. Re:Double standards? by cyrano.mac · · Score: 1

      Comodo also lied about it. They painted a sophisticated attack from Iran. Now we know that the "hacker" was a Turkish script kiddie who's still bragging about it... That's the scary part: the intruder wasn't even any good. He's just an absolute beginner who follows "How To?" hacking vids on YouTube. And what happened to the lying Comodo CEO? Right, he's chosen as CEO of the year by RSA's InfoSecurity's 2011 Global Excellence Awards ... If you want to know how bad the problem is, how little is being done by the CAs and a possible, available solution if you use Firefox, have a look at Moxie Marlinspike's vids on YouTube...

    7. Re:Double standards? by RogerWilco · · Score: 1

      DigiNotar didn't tell anyone, when they found out. Given that the CA system is built on trust, it means they have lost everyone's trust.

      Next to that, they don't seem to have a good audit trail, so can't tell what is and isn't affected.

      Everyone knows computer security can't be 100%. The central issue is trust. DigiNotar is no longer trusted, Comodo is because of the different way they handled things when a breach occurred.

      --
      RogerWilco the Adventurous Janitor
    8. Re:Double standards? by GameboyRMH · · Score: 1

      Maybe I've missed some recent news but last I heard, the Comodo hacker was ichsun AKA "skill of 1000 hackers," who is an Iranian and is an at least decently skilled black hat.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
  7. Always the same from Apple by Anonymous Coward · · Score: 3, Interesting

    They lack in security and fixing exploits, and yet, they like to brag about somehow being "more secure" than Windows.

    Oh, and Microsoft I believe already released a patch... yesterday? Tuesday?

    1. Re:Always the same from Apple by wzinc · · Score: 1

      This patch is already out there; what's the point of this article??? http://support.apple.com/kb/DL1447

  8. It gets worse by antifoidulus · · Score: 2

    The thing is, I am wondering whether they will even bother to fix it for people still running Leopard. Apple historically has released non-security bugfixes for 10.n, security patches only for 10.(n-1), and basically jack shit for all osver
    While ordinarily just a dick move, due to the intel transition this means that there is a large user base out there(namely the ones that still run PPC macs) that basically will never get any new security patches for their systems and they are stuck with either pitching their hardware or taking the risk that they will not be a victim.

    Apple really needs to make these EOL policies not only clear, but announce them significantly ahead of time so that people who decide to migrate have plenty of time to do so.

    1. Re:It gets worse by Pope · · Score: 1

      Except it's not 100% closed.

      --
      It doesn't mean much now, it's built for the future.
    2. Re:It gets worse by perryizgr8 · · Score: 1

      Yeah, it's 110% closed. Only Jobs' express written permission can allow automatic changes to be made to his slaves' computers!

      --
      Wealth is the gift that keeps on giving.
  9. Re:actually by greentshirt · · Score: 1

    also, bbcode fail

  10. Re:security is a 'trusted chain' by shadesOG · · Score: 1

    I agree that it's an exploitation of a weak vulnerability. Comodo may have done it to make a point, but what are the chances that others have been doing this for a long while?

  11. Re:Strange, I don't see where M$ is screwing up by shadesOG · · Score: 1

    Pass the 'Micro$oft borg' :) I don't proclaim to be a security expert, but MS, Google, etc. did the right thing to revoke the certs. It's still reactive, not proactive. I vote: if it takes an OS update to mandate secure and trusted communication, YOU ARE DOING IT WRONG. Haven't been to Iran in a while, but do they even have a Mac store? Or get OS updates? Something is awry.

  12. Yup. by bytesex · · Score: 2

    Same here. Snow Leopard user. Can confirm it. Stupid OS. I hope this will forever silence the 'if you think that firefox is a proper Mac application GTFO' trolls. This time, it's *better* to use Firefox.

    --
    Religion is what happens when nature strikes and groupthink goes wrong.
    1. Re:Yup. by Anonymous Coward · · Score: 2, Informative

      You should probably learn to read the article before mouthing off, as what you describe is specifically stated as not necessarily working:

      Users can revoke a certificate using Keychain, but if they happen to visit a site that uses the more-secure Extended Validation Certificates, the Mac will accept the EV certificate even if it's been issued by a certificate authority marked as untrusted in Keychain.

      "When Apple thinks you're looking at an EV Cert, they check things differently," Sleevi said in an interview Wednesday. "They override some of your settings and completely disregard them."

    2. Re:Yup. by tonywong · · Score: 1

      The cert was untrusted for me. I deleted the Diginotar cert and restarted Safari. 10.7, no problems here.

      BTW, Apple issued an update today anyhow.

  13. Re:actually by Haedrian · · Score: 1

    And from that fraction most would be fine with an Open Source Alternative.

    However apple looks 'cool' and 'fashionable' and most people who I know have macs don't use any of those.

  14. Re:actually by konohitowa · · Score: 1

    ... most people who I know have macs don't use any of those.

    There you have it... proof positive! I'll need to register your comment with a DOI for further citation. Until then, I think it would be safe to refer to this as "Haedrian's Law".

  15. Their own fault by ecotax · · Score: 1

    As a Dutch reader, I can guarantee you that nobody in his right mind here minds the way DigiNotar's fiasco is handled. They deserve this, and worse. If you're basically selling trust, you'd better be trustworthy.
    On the Mozilla Security Blog, the reason why they handled this as they did is explained very well:
    http://blog.mozilla.com/security/2011/09/02/diginotar-removal-follow-up/

    --
    "Money is a sign of poverty." - Iain Banks
  16. Hard Info and Tools by plsuh · · Score: 3, Interesting

    Folks,

    I have detailed info and tools on my website at

    http://ps-enable.com/articles/diginotar-revoke-trust

    The short story is that it is possible to protect yourself, but it requires deleting the DigiNotar root cert(s), then revoking trust on the two roots plus four intermediates.

    --Paul

  17. What about iOS, Android, WebOS, OperaMini, OperaMo by greggman · · Score: 2

    What about iOS, Android, WebOS, OperaMini, OperaMobile, etc etc etc. Do they all need to be updated?

  18. Idiots, certs are easy to disable in OSX by BitZtream · · Score: 2, Informative

    reports Bob McMillan, because the OS can't properly revoke dodgy digital certificates."

    Really? Cause I just set the trust to 'Never' in Keychain Access and it works just fine.

    If you don't know how to do something, you shouldn't talk out your ass.

    • Open Keychain Access from Applications/Utilities
    • Click on System Roots keychain
    • Click on Certificates category to filter down to only certs
    • Double click on DigiNotar certificate.
    • Expand 'Trust' drop down
    • The first option is: 'When using this certificate:' change that option to 'NEVER'
    • Close Keychain Access and rest assured knowing the blogger who wrote this article is a fucking douche using slashdot for slashvertising and talking out his ass without a clue
    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    1. Re:Idiots, certs are easy to disable in OSX by Anonymous Coward · · Score: 5, Informative

      FTFA:

      Ryan Sleevi, a software developer who has contributed to Google's Chrome project, noticed the issue too. After poking around the Mac OS X source code, though, he uncovered the cause.

      Users can revoke a certificate using Keychain, but if they happen to visit a site that uses the more-secure Extended Validation Certificates, the Mac will accept the EV certificate even if it's been issued by a certificate authority marked as untrusted in Keychain.

    2. Re:Idiots, certs are easy to disable in OSX by forand · · Score: 3, Informative

      This works fine as long as you don't visit an EV site. You must delete the cert, and make changes to your system on OS X. This is not an easy fix for most people. Please find more info here

    3. Re:Idiots, certs are easy to disable in OSX by guruevi · · Score: 1

      It's easy to do from command line. I even wrote a package and distributed it to my machines that does the dirty work.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
  19. Re:actually by Haedrian · · Score: 1

    Alright, let's both camp outside of apple stores and ask people why they're buying macs.

    Alternatively we could look at the sales of those 3 programs, and compare them to the Mac userbase.

  20. Re:Strange, I don't see where M$ is screwing up by Lieutenant_Dan · · Score: 1

    The problem may be that browsers may not check for CRLs by default, or DigiNotar's CRL cannot be relied on. So for either scenario, MS/Google/Mozilla sent out system/software updates to just deal with this CA at the core. Not a bad approach.

    Yes, ideally each browser should by default check if a certificate has been revoked. Hopefully this will be reviewed for the future.

    --
    Wearing pants should always be optional.
  21. Re:Strange, I don't see where M$ is screwing up by wannabgeek · · Score: 1

    I believe you should get your sarcasm detector checked.

    --
    I'm much more funny, interesting and insightful than the moderators think
  22. Re:What about iOS, Android, WebOS, OperaMini, Oper by thegarbz · · Score: 1

    Android does not currently have a system for adding or removing CAs from the OS. However this particular instance did not affect android as DigiNotar was never a trusted CA as far as I have found to begin with. The Android system has a far smaller trust base than e.g. Firefox (57 CAs vs 96).

  23. Apphole Hypocrisy? by Anonymous Coward · · Score: 1

    Apple has a reputation for its aggressiveness when it comes to its own security, searching the houses of people suspected of finding lost phones and throwing them in jail. But apparently when it comes to the security of their customers, their enthusiasm wanes.

  24. You mean Apple doesn't care about the end user? by JustAnotherIdiot · · Score: 2

    What a shocker!

    --
    What do I know, I'm just an idiot, right?
  25. Mac OS, or Safari? by jasnw · · Score: 1

    Reading TFA, it sounds like the problem is not in the OS, but in the Safari browser. A nuance might be that the problem is in the OS, but only Safari uses the OS for cert authentication and other browsers roll their own authentication. At any rate, I read TFA to say if you're using some other browser than Safari you're OK. Granted, the usual Mac "Joe Sixpack" equivalent is probably running Safari and is left hanging, but is this a correct read of the article?

  26. Re:What about iOS, Android, WebOS, OperaMini, Oper by sgunhouse · · Score: 1

    Opera does not need to be updated. They have always warned you if a certificate is revoked, and if they can't verify that it is not revoked they regard it as unsecured. See http://my.opera.com/securitygroup/blog/2011/08/30/when-certificate-authorities-are-hacked-2

  27. Apple Has Released Certificates Security Update by Anonymous Coward · · Score: 1

    For Lion & Snow Leopard. http://support.apple.com/kb/HT4920

    Impact: An attacker with a privileged network position may intercept user credentials or other sensitive information

    Description: Fraudulent certificates were issued by multiple certificate authorities operated by DigiNotar. This issue is addressed by removing DigiNotar from the list of trusted root certificates, from the list of Extended Validation (EV) certificate authorities, and by configuring default system trust settings so that DigiNotar's certificates, including those issued by other authorities, are not trusted.
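The last clause of that advisory is the one that matters: DigiNotar certificates must stay untrusted even when they chain to a different, still-trusted root. The following is an added example, not Apple's code, that models a chain check which blocks on the CA's key fingerprint rather than only on which roots are installed; all certificates, names and keys are constructed stand-ins.

```python
"""Chain check that distrusts a CA by key, not just by installed root.
Added example (not Apple's code); certs and keys are constructed stand-ins
for X.509 data, so it models the decision logic rather than parsing DER."""
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key: bytes  # stand-in for the SubjectPublicKeyInfo

    def spki_sha256(self):
        return hashlib.sha256(self.key).hexdigest()


def build_path(leaf, pool, roots):
    """Follow issuer names from the leaf until a trusted root is reached."""
    by_subject = {}
    for c in pool + roots:
        by_subject.setdefault(c.subject, []).append(c)
    path, current = [leaf], leaf
    while current not in roots:
        nxt = [c for c in by_subject.get(current.issuer, []) if c not in path]
        if not nxt:
            return None  # dangling chain: no issuer cert available
        current = nxt[0]
        path.append(current)
    return path


def validate(leaf, pool, roots, distrusted_keys):
    """Reject if no path exists OR any CA key on the path is blocklisted."""
    path = build_path(leaf, pool, roots)
    if path is None:
        return False, "no path to a trusted root"
    for c in path:
        if c.spki_sha256() in distrusted_keys:
            return False, "distrusted CA key in path: " + c.subject
    return True, "ok"


# Constructed data: the DigiNotar root key also appears in a cross-signed
# intermediate issued by a root that is still trusted, so deleting the
# self-signed root alone leaves a valid path through the other root.
NL_ROOT = Cert("Staat der Nederlanden Root CA", "Staat der Nederlanden Root CA", b"nl-root-key")
DN_ROOT = Cert("DigiNotar Root CA", "DigiNotar Root CA", b"diginotar-key")
DN_CROSS = Cert("DigiNotar Root CA", "Staat der Nederlanden Root CA", b"diginotar-key")
LEAF = Cert("www.example.test", "DigiNotar Root CA", b"leaf-key")
DISTRUST = {DN_ROOT.spki_sha256()}  # blocklist the key, not the root entry
```

With `DN_ROOT` removed from the roots but `DN_CROSS` available, `validate(LEAF, [DN_CROSS], [NL_ROOT], set())` still accepts the leaf; only the key blocklist in `DISTRUST` rejects it.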

  28. Perspectives? by rsborg · · Score: 1

    d) doesn't require the user to understand the certificate system and make sound judgments about when it can safely be bypassed.

    Doesn't the perspectives firefox plugin handle this? If that concept were included within the browser framework, it might add a secondary check to the top-down hierarchical (and thus critical-point-of-failure) of trusting CAs alone.

    --
    Make sure everyone's vote counts: Verified Voting
    1. Re:Perspectives? by hey! · · Score: 1

      No it doesn't. It appears to implement a decentralized certificate architecture its authors consider better than the standard, and in many use cases they're probably right.

      It's really a mixed bag with either architecture. Let's take the scenario where a corporate network has serious problems and it is carved into separate islands disconnected from each other and the Internet. Both architectures fail, throwing the user back on his judgment, but in different ways.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.