Slashdot Mirror


Apple Criticized For Not Blocking Stolen Certs

CWmike writes "A security researcher is criticizing Apple for lagging with its response to the DigiNotar certificate fiasco. He is urging the company to quickly update Mac OS X to protect users. 'We're looking at some very serious issues [about trust on the Web] and it doesn't help matters when Apple is dragging its feet,' said Paul Henry, a security and forensics analyst with Lumension. Unlike Microsoft, which updated Windows on Tuesday to block all SSL certificates issued by DigiNotar, Apple has not updated Mac OS X to do the same. Meanwhile, even Mac OS X users who want to go DIY are stymied, reports Bob McMillan, because the OS can't properly revoke dodgy digital certificates."

5 of 154 comments

  1. Reality by mcrbids · · Score: 5, Funny

    Somewhere deep in Silicon Valley, a programmer is looking at a comment something like this:

    /*******
    FIXME: WTF Hack here. CRLs require authentication of being revoked, but we never bothered to check the callback of the revoke. Maybe if we bothered to have a revoke infrastructure? For now, we'll just not bother fixing this until 10.1 or 10.2.
    ******/
    return true;

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
  2. Re:Not just Apple... by Golthar · · Score: 4, Informative

    At the request of the Dutch government, Microsoft is delaying the update in the Netherlands (home of DigiNotar) until next week, to avoid confusion (and to buy the government more time to roll out new certs).

    I feel much safer now, knowing our government has the power to stop Microsoft from rolling out security updates in a country.

    I'm in the Netherlands and I got the patch just fine.
    Must be because I use the English version of Windows.

  3. Certificate revocation by wvmarle · · Score: 5, Interesting

    The biggest issue that has come to light here imho is that it's nigh impossible to revoke an issued certificate. When a certificate is out, and it's signed by a trusted CA, there is basically no way to revoke it. Revoking involves updating browsers, or even complete operating systems (like Windows or OS X). Just because one CA made a small mistake or got hacked for whatever reason, the whole world has to update their software.

    Errors will be made. Certificates will be issued erroneously by a CA, or through hacking. Certificates will be lost/stolen. But for some reason there is no proper way in the whole system to fix that kind of error. If we let it be, it's just a matter of time before the whole system crumbles and nothing can be trusted any more.

    Any thoughts on this? Any ideas on how this could be fixed?

  4. Re:Not just Apple... by Tomato42 · · Score: 4, Informative

    The only thing that might prevent this is hoping the revocation list of DigiNotar is complete.

    > implying browsers actually check CRL or OCSP responses

    HA HA, good one. Only Opera checks OCSP and won't show you that the site is "secure" when it can't contact the OCSP server. Firefox can be defeated by putting "3" in the OCSP response (come on, we're talking about full-scale MITM; adding OCSP, which also uses HTTP, to the attack is trivial). IE, even when it gets an OCSP failure or can't connect to OCSP at all, will still show the green bar...
    If you're using regular certificates, Firefox and IE don't even check for OCSP...

  5. Re:Idiots, certs are easy to disable in OSX by Anonymous Coward · · Score: 5, Informative

    FTFA:

    Ryan Sleevi, a software developer who has contributed to Google's Chrome project, noticed the issue too. After poking around the Mac OS X source code, though, he uncovered the cause.

    Users can revoke a certificate using Keychain, but if they happen to visit a site that uses the more-secure Extended Validation Certificates, the Mac will accept the EV certificate even if it's been issued by a certificate authority marked as untrusted in Keychain.
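As an added illustration of the two failure modes raised in comments 4 and 5 (OCSP soft-fail, where a "3"/tryLater or unreachable responder is treated as a pass, and EV chains bypassing a locally distrusted CA), here is a small certificate-acceptance policy written for this page. It is not code from Apple, any browser, or the article; the certificate names, fingerprints and OCSP results are constructed placeholders, and the `naive_accept`/`hardened_accept` functions are hypothetical models of the decision logic, not any product's implementation.

```python
"""Chain-acceptance policy: naive (soft-fail, EV bypass) vs. hardened.
Constructed example; no real certificates, keys or responders involved."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# OCSPResponseStatus values from RFC 6960, section 4.2.1.
OCSP_SUCCESSFUL = 0
OCSP_MALFORMED_REQUEST = 1
OCSP_INTERNAL_ERROR = 2
OCSP_TRY_LATER = 3          # the "3" mentioned in comment 4
OCSP_SIG_REQUIRED = 5
OCSP_UNAUTHORIZED = 6


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    fingerprint: str        # placeholder string, not a real hash
    is_ev: bool = False     # leaf carries an Extended Validation policy


@dataclass(frozen=True)
class OcspResult:
    reachable: bool                         # did the responder answer at all?
    response_status: Optional[int] = None   # RFC 6960 responseStatus, if any
    cert_status: Optional[str] = None       # "good", "revoked" or "unknown"


def naive_accept(chain: List[Cert], distrusted: Set[str],
                 ocsp: OcspResult) -> bool:
    """Models the behaviour the thread complains about: an EV chain skips the
    local distrust list, and anything short of a clean 'revoked' answer from
    OCSP is treated as fine (soft-fail)."""
    if chain[0].is_ev:
        return True
    if any(c.fingerprint in distrusted for c in chain):
        return False
    revoked = (ocsp.reachable and ocsp.response_status == OCSP_SUCCESSFUL
               and ocsp.cert_status == "revoked")
    return not revoked


def hardened_accept(chain: List[Cert], distrusted: Set[str],
                    ocsp: OcspResult) -> Tuple[bool, str]:
    """Reject if any certificate in the chain is distrusted, EV or not, and
    treat every OCSP outcome other than a successful 'good' as a failure
    (hard-fail). Returns (accepted, reason) so the decision can be logged."""
    for c in chain:
        if c.fingerprint in distrusted:
            return False, f"distrusted certificate in chain: {c.subject}"
    if not ocsp.reachable:
        return False, "OCSP responder unreachable"
    if ocsp.response_status != OCSP_SUCCESSFUL:
        return False, f"OCSP responseStatus {ocsp.response_status} is not successful"
    if ocsp.cert_status != "good":
        return False, f"OCSP certStatus is {ocsp.cert_status!r}"
    return True, "chain trusted and OCSP good"


# Constructed sample data: placeholder names and fingerprints only.
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA", "ROOT-FP-0001")
BAD_ROOT = Cert("CN=Example Distrusted CA", "CN=Example Distrusted CA",
                "BADROOT-FP-0002")
EV_LEAF = Cert("CN=www.example.test", "CN=Example Distrusted CA",
               "LEAF-FP-0003", is_ev=True)
PLAIN_LEAF = Cert("CN=www.example.test", "CN=Example Root CA", "LEAF-FP-0004")
DISTRUSTED = {BAD_ROOT.fingerprint}      # what a user marked untrusted locally

GOOD_OCSP = OcspResult(True, OCSP_SUCCESSFUL, "good")
TRY_LATER = OcspResult(True, OCSP_TRY_LATER)          # responseStatus 3
UNREACHABLE = OcspResult(False)                       # responder blocked


def demo() -> None:
    cases = [
        ("EV leaf under distrusted CA", [EV_LEAF, BAD_ROOT], GOOD_OCSP),
        ("plain leaf, OCSP tryLater", [PLAIN_LEAF, ROOT], TRY_LATER),
        ("plain leaf, OCSP unreachable", [PLAIN_LEAF, ROOT], UNREACHABLE),
        ("plain leaf, OCSP good", [PLAIN_LEAF, ROOT], GOOD_OCSP),
    ]
    for label, chain, ocsp in cases:
        print(f"{label:32} naive={naive_accept(chain, DISTRUSTED, ocsp)!s:5} "
              f"hardened={hardened_accept(chain, DISTRUSTED, ocsp)}")


if __name__ == "__main__":
    demo()
```

The policy only models the acceptance decision; a real validator also verifies the OCSP response signature and freshness, and checks CRLs where OCSP is not offered. The point of the comparison is that the distrust check must run before any EV handling, and that a responder answer of tryLater or no answer at all is a failure, not a pass.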