Slashdot Mirror
Apple Criticized For Not Blocking Stolen Certs
CWmike writes "A security researcher is criticizing Apple for lagging with its response to the DigiNotar certificate fiasco. He is urging the company to quickly update Mac OS X to protect users. 'We're looking at some very serious issues [about trust on the Web] and it doesn't help matters when Apple is dragging its feet,' said Paul Henry, a security and forensics analyst with Lumension. Unlike Microsoft, which updated Windows on Tuesday to block all SSL certificates issued by DigiNotar, Apple has not updated Mac OS X to do the same. Meanwhile, even Mac OS X users who want to go DIY are stymied, reports Bob McMillan, because the OS can't properly revoke dodgy digital certificates."
At the request of the Dutch government, Microsoft is delaying the update in the Netherlands (home of DigiNotar) until next week, to avoid confusion (and to buy the government more time to roll out new certs).
I feel much safer now, knowing our government has the power to stop Microsoft from rolling out security updates in a country.
These certs are blocked on all Apple equipment and always have been. Anyone getting the certificate accepted is obviously holding it wrong.
Somewhere deep in Silicon Valley, a programmer is looking at a comment something like this:
/*******
FIXME: WTF Hack here. CRLs require authentication of being revoked, but we never bothered to check the callback of the revoke. Maybe if we bothered to have a revoke infrastructure? For now, we'll just not bother fixing this until 10.1 or 10.2.
******/
return true;
I have no problem with your religion until you decide it's reason to deprive others of the truth.
The biggest issue that has come to light here imho is that it's nigh impossible to revoke an issued certificate. When a certificate is out, and it's signed by a trusted CA, there is basically no way to revoke it. Revoking involves updating browsers, or even complete operating systems (like Windows or OS-X). Just because one CA made a small mistake, got hacked for whatever reason, and the whole world has to update their software.
Errors will be made. Certificates will be issued erroneously by a CA, or through hacking. Certificates will be lost/stolen. But for some reason there is no proper way in the whole system to fix that kind of errors. If we let it be, it's just a matter of time before the whole system crumbles and nothing can be trusted any more.
Any thoughts on this? Any ideas on how this could be fixed?
They lack in security and fixing exploits, and yet, they like to brag about somehow being "more secure" than Windows.
Oh, and Microsoft I believe already released a patch... yesterday? Tuesday?
Because Comodo proactively detected the problem, put a stop to it, and had an appropriate audit log showing how large the problem was and what certs were wrongly issued.
Evin DigiNotar acknowledges that removal of their root key is the only way to contain their leak.
OTOH, I chose to disable Comodo's keys in my browser.
because Comodo's announced the problem and revoked the bad certificates within minutes of them being created. Whereas DigiNotar did nothing for a month.
CAs are all about trust, sure Comodo showed they have some problems but also that they do the right thing when shit happens. DigiNotar showed they are completely untrustworthy - security breaches happen the ignoring them bit is unforgivable for an entity whose role is solely about trust.
Reading the 'pedia, it seems like DigiNotar's been careless for a while. Only 9 certificates were issued with Comodo, and it was handled very very quickly. It also doesn't seem like Comodo was actually compromised - Wikipedia says "a user account with an affiliate registration authority had been compromised"
By comparison, nobody's quite sure just how many DigiNotar certs were issued, or over how long a period of time. DigiNotar themselves have said they can't ensure that all fraudulent certs will be revoked.
If that wasn't enough, the fact that Comodo is a much, much larger CA is also important. Like it or not, the fallout from distrusting DigiNotar is much less than the fallout for kicking off Comodo would be.
I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
The thing is, I am wondering whether they will even bother to fix it for people still running Leopard. Apple historically has released non-security bugfixes for 10.n, security patches only for 10.(n-1), and basically jack shit for all osver
While ordinarily just a dick move, due to the intel transition this means that there is a large user base out there(namely the ones that still run PPC macs) that basically will never get any new security patches for their systems and they are stuck with either pitching their hardware or taking the risk that they will not be a victim.
Apple really needs to make these EOL policies not only clear, but announce them significantly ahead of time so that people who decide to migrate have plenty of time to do so.
Monstar L
Same here. Snow Leopard user. Can confirm it. Stupid OS. I hope this will forever silence the 'if you think that firefox is a proper Mac application GTFO' trolls. This time, it's *better* to use Firefox.
Religion is what happens when nature strikes and groupthink goes wrong.
Folks,
I have detailed info and tools on my website at
http://ps-enable.com/articles/diginotar-revoke-trust
The short story is that it is possible to protect yourself, but it requires deleting the DigiNotar root cert(s), then revoking trust on the two roots plus four intermediates.
--Paul
What about iOS, Android, WebOS, OperaMini, OperaMobile, etc etc etc. Do they all need to be updated?
reports Bob McMillan, because the OS can't properly revoke dodgy digital certificates."
Really? Cause I just set the trust to 'Never' in Keychain Access and it works just fine.
If you don't know how to do something, you shouldn't talk out your ass.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
What a shocker!
What do I know, I'm just an idiot, right?