Apple Finally Removes DigiNotar Certs In Safari

Trailrunner7 writes "Apple has finally released a fix for the certificate trust issue caused by the attack on DigiNotar, more than a week after the fraudulent certificates were identified and other browser vendors moved to revoke trust in them. While Microsoft, Mozilla and Google had been communicating with users about the issue and pushing out new versions and updates to eliminate the compromised certificate authorities from their browsers, Apple had been mum about the attack and hadn't given any indication of when it might issue an update for Safari. On Friday the company published a security advisory for Mac OS X users, saying that it was removing DigiNotar's certificates from its trust list."

Apple needs to explain its delay

Apple fanatics would claim MACs are the best computers, but if Apple lets their users go a week without critical security fixes, how can anyone trust a MAC with anything?

Re:Apple needs to explain its delay

[DurendalMac]

Yeah, curse those MAC addresses!

Oh, wait, I'm sorry, you're just another retard that capitalizes the whole word instead of the first letter. It's a proper noun, not an acronym, you dimwit.

Re:Apple needs to explain its delay

In Apple World, something like this is hardly as critical as releasing the new iPhone...

Re:Apple needs to explain its delay

<smug_slashdotter>Apple fanatics would claim MACs are the best computers, but if Apple lets their users go a week without critical security fixes, how can anyone trust a MAC with anything?</smug_slashdotter>

You forgot some tags. I fixed that for you.

Re:Apple needs to explain its delay

[chromas]

It's because they took our Jobs!

Re:Apple needs to explain its delay

<smug_slashdotter>Apple fanatics would claim MACs are the best computers, but if Apple lets their users go a week without critical security fixes, how can anyone trust a MAC with anything?</smug_slashdotter>

<asshurt_apple_apologist_fanboi>You forgot some tags. I fixed that for you.</asshurt_apple_apologist_fanboi>

You too.

Re:Apple needs to explain its delay

Well played sir.

Re:Apple needs to explain its delay

On Slashdot, an "Apple Apologist Fanboi" is anybody who doesn't incessantly whine in a shrill voice about how awful Apple and Steve Jobs are, annoying anyone within a four-mile radius, most of whom don't care one way or the other.

Re:Apple needs to explain its delay

Around here you have to HATE HATE HATE everything in the world with a smug, superior sneer or else you're called a "fanboi"!

Re:Apple needs to explain its delay

[stewbacca]

Actually, no. We claim that Macs are the best computers.

Re:Apple needs to explain its delay

[Qzukk]

It's pretty easy to figure out the logic behind this one, actually. There were known fraudulent google certs, known fraudulent Windows Update certs and known fraudulent mozilla.org certs faked. Were there any apple.com certs?

Re:Apple needs to explain its delay

Yeah, curse those MAC addresses!

Oh, wait, I'm sorry, you're just another retard that capitalizes the whole word instead of the first letter. It's a proper noun, not an acronym, you dimwit.

You really had that much trouble working out that by 'MAC' he meant 'Mac' even after he implied it was a product of Apple and stated it was a computer? You fucking moron, but i suppose when you're that stupid you're too fucking braindead to attack the validity of his post so you'll resort to criticizing his grammar.

Re:Apple needs to explain its delay

[DurendalMac]

Cool samefag, bro.

Yeah Mac's just work

[Reverand+Dave]

Except of course when they don't. When you create a culture of careless idiots by making them think they are invulnerable to any threats this is the only way to handle them. If they just came out and said "Yeah we got screwed too" they might have some credibility, but instead they have to act like something like this doesn't actually affect them and quietly sweep the dirt under the rug. On the other hand of that is the legion of careless users that are made even more careless because they have been given the false belief that they are impervious to any kind of cyber threat. If they just said "Yeah all that 'most secure' stuff we've been telling you is utter nonsense" then they might lose a moron or two to the competition.

Re:Yeah Mac's just work

[Kenja]

Did you know that "Macs" and "Safari" are not the same things? Just asking, cause you seem confused.

Re:Yeah Mac's just work

[node+3]

Except of course when they don't. When you create a culture of careless idiots by making them think they are invulnerable to any threats this is the only way to handle them.

Care to explain how this is a case of Macs not "just working"? Or how may "careless idiots" were adversely affected by this?

This looks like simple mindless anti-Apple trolling.

If they just came out and said "Yeah we got screwed too" they might have some credibility, but instead they have to act like something like this doesn't actually affect them and quietly sweep the dirt under the rug.

"Got screwed"? How, exactly? This is exactly how the system is supposed to work.

On the other hand of that is the legion of careless users that are made even more careless because they have been given the false belief that they are impervious to any kind of cyber threat. If they just said "Yeah all that 'most secure' stuff we've been telling you is utter nonsense" then they might lose a moron or two to the competition.

So, where are all the infected Macs? And where are all these people who say Macs are "impervious to any kind of cyber threat"? Straw men don't count, I'm talking about actual human beings.

The problem with you anti-Apple trolls is that you rail against an imagined Mac user being screwed over by an imagined Apple, neither of which *actually* exist. Apple isn't evil, Mac users aren't idiots. There are millions of highly intelligent, technologically adept people who use and prefer Macs. What's so difficult to understand about this? Just because a smart person likes a system you don't like, that's not an affront to you. There are smart people who happily use Macs, Windows, Linux...

Why so insecure?

Re:Yeah Mac's just work

Why so insecure?

Hey, he's running Windows to begin with... /hides

Re:Yeah Mac's just work

[Skuld-Chan]

While he is a troll, having worked in support (at a University in Oregon) with Apple users they do often say the following repeatedly:

"Mac's don't get viruses"
"My Mac is secure"

Why do they do this? Its what the employees at the Apple store say (seriously - ask any sales person about viruses, root certs or exploits - the answer always is "nope - we don't get those")! None of them have any idea what a trusted root certificate authority is, or why being compromised is such a big problem.

Re:Yeah Mac's just work

[MimeticLie]

"Got screwed"? How, exactly? This is exactly how the system is supposed to work.

No, Google, Mozilla, and even Microsoft showed how the system is supposed to work. Apple sat on its hands for nearly two weeks, while its users were still exposed to possible rogue certificates because apparently Apple didn't think removing the CA's root certificate from the user's Keychain should also remove its EV certs.

Re:Yeah Mac's just work

[node+3]

While he is a troll, having worked in support (at a University in Oregon) with Apple users they do often say the following repeatedly:

"Mac's don't get viruses"
"My Mac is secure"

Both are true. Neither mean (what the OP said), "they are invulnerable to any threats" or "they are impervious to any kind of cyber threat".

Re:Yeah Mac's just work

[Firehed]

To be fair, this affects everything that uses the system certificates - anything from cURL to Chrome. Safari is included in that list. Almost every other desktop app is also affected - so something like a desktop RSS reader that pulls from Google Reader was equally vulnerable. Firefox (and maybe others) manage their own CA certs so they weren't directly affected, but had this been patched earlier it might have been that Firefox was the application that is still vulnerable.

Still, don't feed the trolls.

Re:Yeah Mac's just work

You might want to fact check yourself. The news was released on Monday. MS patched on Tuesday. Apple on Friday. Unless I'm mis-counting, that's not quite a week (4 days to be exact).

World fails to notice.

Film at 11...

Re:Yeah Mac's just work

[AshtangiMan]

Perhaps for the same reason that windows users think that because they have an anti virus program installed that they are immune to all malware. I should say some windows users. People are people and computer security is sufficiently complex that the majority don't really care to put in the brainpower required to understand it. So they end up repeating marketing bs. I happily use all of Mac, windows and Linux. And I feel that each of them sucks in their own special ways.

Re:Yeah Mac's just work

WTH? no 10.5 support?. Leopard came out in 2007, latest version is around 2 years old. In the mean time, a 10-year old OS gets the update. It can't be *that* hard to update 10.5 machines, they just *don't want* to. I mean people who bought dual and quad-core G5s are still probably using them, heck I'm still using a single G5. Planned obsolescence at its finest

Re:Yeah Mac's just work

[MimeticLie]

Yeah, the news came out on Monday. Last Monday. It's been a week and four days.

Re:Yeah Mac's just work

[stewbacca]

Apple sales people are not allowed to position statements like "we don't get those". There are carefully crafted positioning statements around everything in the Apple economy. Like it or not, it brings a consistency to the brand. I think the Apple retail market has been pretty successful--because the salesforce doesn't go around making rogue statements like you posit.

Granted, most people IN THE WORLD don't know what a root cert authority is, let alone the salesforce at an Apple store.

Re:Yeah Mac's just work

[smash]

Please provide link to single system hacked by this issue. Cheers.

Re:Yeah Mac's just work

[BitZtream]

And for any reasonable person, the first statement is true.

Mac's don't get viruses.

Its not that they are immune, we all know thats not the case, its that they aren't targeted.

However, none of that changes the fact that from a practical perspective, Mac's don't get viruses.

I could defend the second one too, if you stop being so technical and think like users not techies. Users use words like 'secure' to mean a completely different thing than techies.

Having worked in desktop support for any length of time at all, you'd already know that if you had a clue considering the biggest problem in tech support is generally what the user says is not what you think it is, but you clearly aren't bright enough to figure that part out so I doubt you'll get any more of my explanation anyway.

Re:Yeah Mac's just work

"Mac's don't get viruses" "My Mac is secure"

Both are true.

False, by that moronic statement you can also conclude the same is true of Windows.

Re:Yeah Mac's just work

[node+3]

"Mac's don't get viruses"
"My Mac is secure"

Both are true.

False, by that moronic statement you can also conclude the same is true of Windows.

No, you can't. Antivirus software is a must for PCs, unless you are particularly diligent (and even then, it's still a very good idea to at least manually scan occasionally). Antivirus software is *NOT* necessary on a Mac, even if you are especially careless.

Neither claim implies the absolute. No one is saying that no Mac ever gets infected, nor is anyone saying that every PC gets infected. Why do nerds seem to have such a hard time seeing the world in anything other than binary?

Pointless Apple-bashing

[DoctorNathaniel]

So, it took them 1 week to come out with an update to patch their browser? That doesn't seem an egregious delay to me. I haven't yet patched any of my other browsers yet. I'd be surprised if most users patch within the week of bugfix releases anyway.

And if I understand it, this "security hole" is basically that you won't get bad-certificate warnings if you visit certain fraudulent sites... which isn't likely to happen unless you're clicking links in phishing emails.

This hyperbole about apple being slow seems like hot air to me.

Re:Pointless Apple-bashing

[h4rr4r]

How hard is it to patch a browser?
apt-get update, apt-get upgrade, done. You can cron that shit.

Re:Pointless Apple-bashing

[CharlyFoxtrot]

Also the summary praises Google for their quick reaction but Android is still vulnerable, as is iOS BTW. You'd think that'd rate a mention at least.

Re:Pointless Apple-bashing

[HTH+NE1]

Shouldn't the iOS version of Safari need a patch too?

Re:Pointless Apple-bashing

I don't think that you understand. Read about MITM attacks.

Re:Pointless Apple-bashing

[h4rr4r]

I mean for the user, not for the company. For a big company even removing one line from a config file could take weeks and still be believable as being ASAP.

Re:Pointless Apple-bashing

No. Apple was completely silent on the subject for a week while everyone else was talking about it within their respective communities.

Now that there's a browser patch available, they have information for the iMasses

Re:Pointless Apple-bashing

[DontBlameCanada]

This is actually a valid Apple-bash. The invalid certs were issued as signed root CAs, which means the holder of then could create a SSL cert for Bank Of America that appears completely valid with no errors from the browser and no errors when you check the chain of trust. Its essentially a T-2000 doppelganger that you can't detect until it changes its hand into a marlinspike and stabs you. The only folks likely to detect it, without the certificate revocation, are the same security certificate chain savvy techies who found it to begin with.

Apple's responsibility is to immediately update the CA cert trust store on the browser to protect its users from getting caught. If a trust store update is going to take a while (it shouldn't) they need to issue a general advisory so that at least some of their userbase will be made aware. They didn't publish anything until now, when they have a patch. That is not acceptable.

Re:Pointless Apple-bashing

[v1]

So, it took them 1 week to come out with an update to patch their browser?

They didn't patch their browser. That's not the way to fix the problem. The certificates Safari trusts are in the system keychain. Security Update 2011-005 addresses the problem.

Certificate Trust Policy

Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.1, Lion Server v10.7.1

Impact: An attacker with a privileged network position may intercept user credentials or other sensitive information

Description: Fraudulent certificates were issued by multiple certificate authorities operated by DigiNotar. This issue is addressed by removing DigiNotar from the list of trusted root certificates, from the list of Extended Validation (EV) certificate authorities, and by configuring default system trust settings so that DigiNotar's certificates, including those issued by other authorities, are not trusted.

So (1) it pulls DigiNotar from the chain of trust, and (2) sends all browsers (and email apps, and anything else that cares to validate certs) accurate information for EV certificates that chain off an untrusted root. Patching the browser shouldn't be necessary and wouldn't address the actual problem, although considering it took Apple an unusually long time to get this update out the door, I can see why some other browser vendors hardcoded out DigiNotar.

But for Apple this wasn't merely a matter of pulling a cert, they also had to fix a bug. Rushing a security bug fix out the door without testing it is arguably a worse security respopnse than taking a few days longer to test before pushing. (it's not like it took months like a few other big names I could toss in the ring to ignite a flame war)

Re:Pointless Apple-bashing

[node+3]

Your reply is completely non sequitur. So obviously so that you must know that's the case, so I wonder, why exactly did you make that completely irrelevant reply?

To answer your question, with a more apt example, you patch the browser by clicking "Continue" in the window that comes up on its own (automatically configured to run via a mechanism similar to, but superior to, cron), then click on "Restart" (if necessary).

So, yeah, it's pretty simple. Much simpler than your non-relevant example. However, I'm still not sure what that's got to do with the post you replied to.

Re:Pointless Apple-bashing

Also the summary praises Google for their quick reaction but Android is still vulnerable, as is iOS BTW. You'd think that'd rate a mention at least,

Re:Pointless Apple-bashing

[CharlyFoxtrot]

Is there an echo in here ?

Re:Pointless Apple-bashing

And if I understand it, this "security hole" is basically that you won't get bad-certificate warnings if you visit certain fraudulent sites

No. The security hole is that someone obtained an unknown number of certificates for high profile sites. This was caught in the wild, where Iran was actively performing a man-in-the-middle attack on users inside Iran for Google.

Removing a security certificate is incredibly trivial. This is NOT a technical delay, but a completely administrative one.

Re:Pointless Apple-bashing

[CharlyFoxtrot]

That's a pain because they have to make a whole new system image. These things should go a lot more smoothly for iDevices after the release of iOS 5 this fall which will support over the air delta updates.

Re:Pointless Apple-bashing

[E+IS+mC(Square)]

>> "Restart" (if necessary)
"If necessary"? way to downplay it. It IS necessary, but not on windows or Linux. Deal with it, they are facts.

Re:Pointless Apple-bashing

[Tharsman]

As much as I love Apple products I got to admit, this tiny week delay may be more significant than apple fans would like to think.

Early today I got my first ever virus infection (in my Windows machine) while running Safari. Not sure if its related, but I'm guessing it is. For the first time I got to give a tip of the hat to Microsoft, Security Essentials caught the virus infection immediately and got rid of it. Good thing it was a well known trojan and not a new unknown virus... then again if that was the case I may already have been infected...

Re:Pointless Apple-bashing

[node+3]

>> "Restart" (if necessary)

"If necessary"? way to downplay it. It IS necessary, but not on windows or Linux. Deal with it, they are facts.

Sometimes it is, sometimes it isn't (just like sometimes it is and sometimes it isn't on Windows and Linux).

Demonstrating your ignorance of Macs, as usual, I see...

Re:Pointless Apple-bashing

[Tharsman]

Depends on the browser.

Chrome, you wont ever know. It will patch itself regardless of you wanting it to or not (hate that, reason it's the only browser I dont have on my windows machine.)

With Firefox, many users run old versions still due to old add-ons and refuse to update.

Internet Explorer... 6.... do I have to explain that? :P

With Safari, in the mac, at least with my default configuration, it does not check for updates very often. I am not sure for the PC... i think they offer an updater for PC as a separate app but hate it so much I disabled it, forcing me to look up updates manually.

So the "best" browser if you want things up to date may be Chrome, but sorry, me no likely my computer doing things without my explicit authorization.

Not sure about any issues with Opera.

Re:Pointless Apple-bashing

[Culture20]

How hard is it to patch safari on a Mac?
softwareupdate -ia && [conditional reboot], done. You can cron that shit.

There, fixed GP for you.

Re:Pointless Apple-bashing

99% of the computer using population isn't using Linux and therefore that update process is practically irrelevant. At some point you're going to have to accept that Linux on the desktop is dead, and KDE 4, Gnome 3 and Unity have killed any small chance it might have had. For the average user, desktop Linux is so far behind Windows 7 and OS X that it really isn't worth discussing anymore.

Sure, it can make a reasonable desktop for developers or lowly system administrators like you, but for everyone else it's pure and utter crap.

P.S. Only a retard would put apt-get update and apt-get upgrade in cron.

Re:Pointless Apple-bashing

[BZ]

> (2) sends all browsers (and email apps

Only the ones that use the OS certificate store as their trust store.

For browsers, that happens to be "Safari", out of the commonly-used ones. Firefox uses its own certificate store, as do Chrome and Opera, and don't rely on the one in the OS itself.

Re:Pointless Apple-bashing

[Skuld-Chan]

Ironically Microsoft beat Apple on fixing this. Also oddly enough since Windows uses a OS wide certificate store after they did update the certificates IE 6 actually isn't vulnerable to this anymore.

Internet Explorer... 6.... do I have to explain that? :P

Re:Pointless Apple-bashing

[Tharsman]

Is Safari for windows subject to those OS wide certificate stores?

I suffered my first ever virus infection today in my windows machine and I think this may be part of how it got in. Windows Security Essentials caught it fast though.

At the time i was browsing with Safari but not sure if the issue was due to an unpatched windows Safari or just my personal procrastination on installing windows updates :P

(BTW add that to the list of "how hard it can be", I know im not the only person I know that rarely shuts down his windows machine and hates restarting it for any reason, resulting in security patch procrastination)

Re:Pointless Apple-bashing

[UnknowingFool]

The problem isn't that there isn't a mechanism to revoke certs in OS X. It exists in KeyChain. The problem was that the implementation was flawed as it could be overriden. So when it was pointed out to Apple, they fixed it in a week's time. Would you rather Apple quickly release a patch that didn't work?

Re:Pointless Apple-bashing

Read this - http://apple.slashdot.org/comments.pl?sid=2421156&cid=37356792
Now go and fuck your self.

Re:Pointless Apple-bashing

[Aighearach]

I haven't yet patched any of my other browsers yet

And if I understand it, this "security hole" is basically that you won't get bad-certificate warnings if you visit certain fraudulent sites.

You might want to check a site like slashdot, maybe there is an article on the problem? Could be something else than what you guessed without checking.

Re:Pointless Apple-bashing

[node+3]

Do you know what the word "sometimes" means?

Re:Pointless Apple-bashing

[MrJones]

A whole week? Thats just insane! Anyway, stop the Apple bashing. I miss CmdrTaco editorial ...

Re:Pointless Apple-bashing

[Americano]

Safari on Windows uses the Windows store, and so as soon as you've applied the MSFT patch, Safari on Windows is no longer vulnerable.

Stop procrastinating on installing windows updates.

Re:Pointless Apple-bashing

[Firehed]

Of course, updating the trusted CA cert list shouldn't require a full system upgrade either. They have a kill switch for rogue apps; there should be a similar infrastructure in place for certificate revocation (is there? I don't know - doesn't sound like it. But there should be)

Re:Pointless Apple-bashing

I am an Iranian refugee. The last week I have been spammed to death with fake Facebook friend requests from the Iranian government. Do you have any clue what they are trying to do? It doesn't seem to an egregious delay to you, huh? You ignorant twat! And all that to protect your corporate love puppy from some criticism. The depths people can sink...

Re:Pointless Apple-bashing

But this is not sometimes. If you apply Apple's fix, you HAVE TO restart the system. Period.
Learn to read, asshole.

Re:Pointless Apple-bashing

[icebraining]

Firefox is not that clear cut, there are security updates for older versions, AFAIK. At least 3.5 got many updates even after 3.6 was released.

Re:Pointless Apple-bashing

Stop procrastinating on installing windows updates.

Stop procrastinating on installing *nix.

Re:Pointless Apple-bashing

[CapuchinSeven]

No, Chrome was still exposed.

Re:Pointless Apple-bashing

[CapuchinSeven]

Dude If it's THAT much of a problem for you use Firefox on your Mac. Jessh.

Re:Pointless Apple-bashing

that is the most stupid reasoning i ever heard: auto-update is the future and the only way to go except if you are a researcher in a test-lab
if they push a buggy update it will be corrected immediately or shortly afterwards
if people would not have the option to stop updates themselves the web would be much safer ...
it's just being macho

Re:Pointless Apple-bashing

[CyberDragon777]

The current supported versions are 3.6.22 and 6.0.2

Re:Pointless Apple-bashing

Phishing isn't the only possibility. This could easily have been done by any number of oppressive governments. They stage a MITM for Gmail or something, find a political activist, and torture/kill them. IMHO, I think this possibility is entirely more likely, as the list of known fake certificates is stuff like CIA.gov, skype.com, torproject.org, facebook.com, and addons.mozilla.org rather than amazon.com, ebay.com, usbank.com, and other juicy phishing targets.

Re:Pointless Apple-bashing

[BZ]

Chrome was exposed because it had this CA in its set of trusted certs, no?

Once they shipped an update to their own cert store, they were not exposed any more, independent of what Apple did with the OS-default cert store.

Re:Pointless Apple-bashing

[yuhong]

The same is true of IE on Windows too BTW, which uses the system SChannel and thus the system cert store.

Re:Pointless Apple-bashing

[gstrickler]

Browser prefetching?

Re:Pointless Apple-bashing

Microsoft patched a few days after the announcement, who else could you be referring to?

Re:Pointless Apple-bashing

[moortak]

An inability to quickly remove bad certs is a foreseeable problem on their end. Whether the mistake occurred this week due to sloth, or a few years ago due to poor planning, they were the one major player unable to handle a necessary security task.

Re:Pointless Apple-bashing

And if I understand it, this "security hole" is basically that you won't get bad-certificate warnings if you visit certain fraudulent sites... which isn't likely to happen unless you're clicking links in phishing emails.

Guesswork is nice, but if you had done some reading you would have found out that current understanding of this says that more than 300000 unique originating IPs may have been fooled with a MITM attack using the gmail certificates. All signs point to Iranian government or another powerful organization in Iran as almost all of those IPs are in Iran and the massive scale means it probaby wasn't a lone hacker.

"hyperbole" indeed.

Re:Pointless Apple-bashing

Until next week -- or is it two weeks out? -- when 7.0 will be released!

Re:Pointless Apple-bashing

"So, it took them 1 week to come out with an update to patch their browser? That doesn't seem an egregious delay to me"

Once you've joined the religion they can do no wrong.

Re:Pointless Apple-bashing

[UnknowingFool]

they were the one major player unable to handle a necessary security task.

I don't know "unable" means in your world, but it my world, it means "not able to be done." Were they slower than others? Yes. Were they the last one? No. Depending on who you consider "a major player", they weren't the last. If you deal with servers, Redhat and Ubuntu also patched the same day. MS only patched 3 days before Apple.

• Ubuntu: September 9, 2011
• Apple OS X: September 9, 2011
• Redhat: September 9, 2011
• FreeBSD: September 6, 2011
• MS: September 6, 2011
• Google Chrome: September 5, 2011
• OpenBSD: August 31, 2011
• Mozilla: August 31, 2011
• Debian: August 31, 2011
• Android: no date
• iOS: no date
• WP7: no date
• BBM: no date

Re:Pointless Apple-bashing

Chrome on MacOS X actually does use the OS certificate store.

Re:Pointless Apple-bashing

[AmiMoJo]

And if I understand it, this "security hole" is basically that you won't get bad-certificate warnings if you visit certain fraudulent sites... which isn't likely to happen unless you're clicking links in phishing emails.

Or you live in Iran, or North Korea, or China... And maybe the UK and US too if you are paranoid. Many governments would like to be able to read their citizen's email, or see how much they have in that Swiss bank account.

Re:Pointless Apple-bashing

[node+3]

Except I didn't write "this time", I wrote "sometimes".

Maybe you should take that last sentence of yours to heart before you post next time.

Re:Pointless Apple-bashing

[BitZtream]

I suffered my first ever virus infection today in my windows machine and I think this may be part of how it got in.

You got it because you're stupid. I can say this because you clearly have absolutely NO IDEA what a root certificate does, or you'd know why the statement was fucking stupid in the first place.

All this cert issue will do is allow someone who isn't say ... google, to pretend to be google ... over ssl ...

Which means in order for it to actually work, they'd also have to compromise your DNS, or someone up the food chain, so your ISPs DNS.

And they would have to have infected a site YOU VISIT via SSL, and of course you would have had to download some virus over SSL. Now considering never in my life have I even thought about the fact that I was downloading something over/not over SSL, I'm pretty sure no one would bother doing a MITM attack just to get you to download a virus to your windows machine ... Again, there are easier ways.

You do not need to be posting on slashdot, its WAY over your head, even in the shallow end of the pool.

At this point, there are 9 or 10 million easier ways to infect your computer with a virus

Re:Pointless Apple-bashing

[BitZtream]

Stop being a twit and thinking some UNIX variant is somehow magically different and doesn't need updates and security fixes. idiot.

Re:Pointless Apple-bashing

[BitZtream]

Chrome only uses its own store on Linux where there isn't a system wide store, and you have to patch each app individually. On any sane OS it uses the one provided by the OS like a good little application should.

Re:Pointless Apple-bashing

[BitZtream]

You got a virus because you downloaded something from somewhere you shouldn't have.

Unless you downloaded something from a SSL site, also had your DNS and your upstream DNS compromised to direct you to a fake SSL download site, and then actually downloaded something via SSL with a stolen cert ... then well theres no way this had anything to do with it.

You got a virus because you did something stupid, not because someone else did.

You got a virus for the same reason every windows user gets a virus, STOP CLICKING ON RANDOM LINKS FROM EMAIL ADDRESSES YOU'VE NEVER SEEN. THERE IS NO PACKAGE WAITING ON YOUR FROM DHL OR REPORT FOR YOU TO REVIEW IN ORDER TO GET YOUR MILLIONS.

Re:Pointless Apple-bashing

[BZ]

That _used_ to be the case, but they were planning to change it last I heard. Maybe they haven't done that yet, though.

Re:Pointless Apple-bashing

Furthermore, Apple's OS update process for both iOS and OS X guarantees that a higher percentage of customers actually get the update.

Mandatory restart?

[Lord+Grey]

I just applied the fix and now I have to restart my Mac. What the hell? Is my MacBook masquerading as a Windows machine all of the sudden?

It just works. After a slight delay.

Re:Mandatory restart?

While I did not have to reboot anything on my Ubuntu, Win XP or Win 7. Restart browser and you are done. People don't shout when things just work. On the other hand...

Re:Mandatory restart?

[tangent]

Updates to Safari always require an OS X restart, for the same reason IE updates on Windows do: the "browser" is really just a UI wrapper around a core system component.

Unlike Windows, OS X allows you to replace in-use files without restarting, so you may be able to get away with restarting only the affected apps, rather than the entire system, but I don't think I'd take that risk.

Re:Mandatory restart?

[Em+Adespoton]

This fix didn't touch Safari... it fixed a bug regarding revocation in the system keychain, and then revoked the key. Since the entire OS hangs on the keychain, making a change to fix a bug in the revocation code requires a restart (all Apple authentication goes through this system, so leaving an authenticated process running while patching would be a bad idea).

Seems to me Apple could easily set up another option for updates though, even though it wouldn't have worked for this instance -- kill and restart the windowing system only. This would work for Safari patches or anything else that modifies core userland components.

Re:Mandatory restart?

Um. It didn't change any revocation code either (I'm assuming you mean the OSX APIs for checking for certificate validity).

All the patch did, on Lion, was drop three updated files into /System/Library/Keychains:

-rw-r--r-- 1 user staff 5353 Sep 6 16:35 EVRoots.plist
-rw-r--r-- 1 user staff 395312 Sep 6 16:35 SystemRootCertificates.keychain
-rw-r--r-- 1 user staff 86380 Sep 6 16:35 SystemTrustSettings.plist

Re:Mandatory restart?

[guruevi]

Run softwareupdate -i -a from the command line. You won't ever need to restart although sometimes, if you do that, the applications you updated might not start (eg. iTunes and Safari).

Restart is necessary so it can reload the correct kernel extensions and clear out the applications that have it in-use. It's not super important in most cases but even if you unload/reload the kext files you could make the system unstable or make it panic. I usually don't restart the system especially the server systems for the simple application updates and even sometimes keep my clients alive (because someone's logged in or forgot to log out) - until the user complains that a component won't start or work.

Re:Mandatory restart?

[SteeldrivingJon]

With Lion's window reopening, I find restarts to be *much* less painful.

That said, when Software Update tells you to restart, you can usually Force-Quit it and continue working.

Re:Mandatory restart?

[Elbart]

Funny enough the bugfix/cert-revocation for Windows (Vista and later) didn't require a restart.

Re:Mandatory restart?

[BitZtream]

Lion's window reopening is great ... right up till you start an app with an old document in it ... that the person looking over your shoulder sees ... and its about the day they are getting fired.

That was turned off as soon as I could find a way.

when Software Update tells you to restart, you can usually Force-Quit it and continue working.

You do realize that all it does before that is essentially downloads the items, runs the updates on things that don't need restarting, and preps the ones that require restarts ... if you kill software update when it says a restart is needed then you aren't actually installing updates that require a restart.

Re:Mandatory restart?

[BitZtream]

Windows needed a cert removed. There was no bug, just bad data.

OS X had bad data AND a bug. They fixed both. The bug needed a restart as it was a system wide facility.

Certs are broken.

[Speare]

Diginotar was just the beginning of the reports, but truth is, CAs have been broken for a long time and SSL sessions that depend on CA certs are useless. A couple weeks ago, there was a handy how-to page to show how you can go into Mac OS X's keychain to reject Diginotar... one CA entry down, but several hundred others. If you think the NSA, Mossad, MI6, and fifty other countries haven't slipped MitM SSL boxes on various trunks hoping to score a session depending on these CAs, you're deluded.

Re:Certs are broken.

Actually that fix didnt work, it merely gave the illusion that it did. I saw a follow-up post explaining how another level of trust (the part that gives you the little green status in your url bar) was overriding the keychain rejection.

Its totally borked in OSX ....

Re:Certs are broken.

The handy how to was a waste of time, - it merely gave the illusion that you'd changed something.

And the link : http://www.computerworld.com/s/article/9219669/Mac_OS_X_can_t_properly_revoke_dodgy_digital_certificates

Re:Certs are broken.

[Stormtrooper42]

Thank you.
I finally understood why everyone says SSL is broken.

Re:Certs are broken.

[ljw1004]

I may be deluded, but I certainly don't believe that Algeria, Romania or Peru have done that (to pick a few of the 50th largest countries ranked by GDP). I think their intelligence departments just aren't that well financed or modernized.

Re:Certs are broken.

[Fryth]

Uh, then I'm deluded... that's a little extreme, to say the least, and verges on conspiracy theory if you ask me. There are security flaws of all kinds lurking in all different systems, but political entities know better than to get their hands dirty with that.

Re:Certs are broken.

[steelfood]

The problem with SSL has always been that there's a single point of failure. If you compromise the CA, you ultimately compromise SSL itself until trust for that particular CA gets revoked.

In the short term, browsers should remember the last CA of each site. If it changes, throw up a warning page. That's a good stop-gap measure for MITM (instead of the stupid warning page for self-signed certs). In the long term, there needs to be some combination of distributed (P2P) certificate validation, and multiply signed certificates. There's no 100% guarantee, but this way, the pool can't be poisoned, nor would compromising one particular CA compromise the certificates signed by that CA.

In fact, it's pretty difficult to compromise a multiply-signed certificate where one of the signatures is the entity itself. At that point, there'd be no difference between compromising that kind of certificate and compromising the company servers or intranet outright.

Re:Certs are broken.

The problem with self-signed certs is that they don't do anything against MITM attacks. Once you establish the connection, you're guaranteed that you're talking to the same server for the duration of the session, but you have no guarantee that your SSL session isn't hooked up to the MITM.

Of course, that problem goes away if you're getting the self-signed cert through a side channel, but the world doesn't work that way.

Re:Certs are broken.

[Lennie]

I've always had and still have "mixed feelings" about this.

There are 2 types of MitM attacks on SSL:
- force a normal CA to create a certificate for a nation for a certain website on request, maybe even create a subCA so they can sign anything they like
- a lot of nations have governmental organisations that have their own CA

If they use the last one, the one you probably meant, is detectable by a user (if properly instructed). gmail.com should obviously not be signed with a cert from CCNIC. If you really are a person which has something to hide from the government, you hopefully take the time to check (a few clicks).

I wouldn't be surprised if the US can force a CA to give them a subCA (with a name which doesn't stand out), is a lot harder to check.

The devices to handle the MitM attacks, which generate certs on the fly, already exist. There is even sslsniff for which the source code is available.

Re:Certs are broken.

[Qzukk]

There are 2 types of MitM attacks on SSL:

You forgot #3:
- ship your customers an installation CD which helpfully updates your certificate store with ISP-provided CA certs. AT&T did this at one time, I declined to install the cert despite the warning from the installer that if I didn't click OK on the popup I would not be able to configure the modem/router (configured it just fine, thanks).

Of course, this is a much riskier version since if they actually attempted to use that CA, everyone who rejected the install would be immediately aware of it.

Proof

[Synerg1y]

Apple only cares about the sale of the product, not support, that's why so many of their products fail 2-3 years off shelf life conveniently after warranty. I bet their security team is grossly underfunded too.

ex. http://mark-knowles.hubpages.com/hub/Apple-MacBook-Air or just google apple product longevity,

Re:Proof

[leenks]

That post is full of crap. So, the battery goes after 2 years. You either replace the part yourself (which involves opening the case up) or you take it back to Apple and have it replaced by them. You certainly do not have to trash the laptop. He then goes on to say buy the Macbook Pro - which suffers from exactly the same issues...

Details on replacing the battery. http://www.apple.com/support/macbookair/service/battery/ - details on replacing the battery.

And while I'm not an Apple "fanboi", I have owned a number of Apple products and none of them have died, even when well past their expected 3-4 year lifetime (anyone expecting modern consumer electronics to last longer than that is living on borrowed time or in denial about build quality and the world of commercial exploitation that we live in).

Re:Proof

[node+3]

Apple only cares about the sale of the product, not support

Sales of their products are affected by support.

that's why so many of their products fail 2-3 years off shelf life conveniently after warranty.

Then, why do so many *MORE* of their products *NOT* fail 2-3 years after warranty? You imply some sort of "planned failure" to get people to buy new products, but Apple (like most quality brands) take a different tact, and instead come out with new and improved products to entice new sales. And Apple, specifically, is having no problem whatsoever getting people to buy their new products.

That wouldn't happen if they kept failing on people.

And, what does this have to do with the story in question anyway?

Re:Proof

[JonySuede]

I repair my stuff, it is a nice hobby, you feel as good as a maker but you work way less because, most of the time, it is the simple things that breaks. I only had to replace an IC once in my life and it was in 2010, the faulty component was a DAC in a receiver from 1995. 75% of what I have repaired was broken due to an old capacitor that had leaked or new capacitor that had bulged*1 and when I replace something like a capacitor, I always over-spec the voltage and the Tmax. Depending on it's usage in the design I might double the Farad too. The rest were easy to test components like a voltage regulator or a diode.

*1:
There are 2 frequent problems with the modern electrolytic capacitor.

1-There was a bad batch of branded clone from china and those damm components are still around.
2- Stupid capacitors location by stupid (or malicious) engineering. ex: Samsung LCD TV power supplies engineers had the brilliant idea to place 2 caps rated for 85C very near a heat-sink hot enough that it can evaporate water on contact. They could have been located further from the heat-source as they had a lot of empty space on that PCB. And I said malicious engineering as the caps break usually the year after the warranty is over.

Re:Proof

[Synerg1y]

Taking a week to get a critical patch done is the point with it's competitors exceeding them by a mile, as there are almost no AV vendors for Macs, Apple is responsible.

Going back to discussion though about why it takes apple a week to do things: Apple is great on presentation, however when i pay 3k for something I don't expect it to go out in 2-3 years, Maybe the airbook was a bad example, all laptops have replaceable batteries lo, on that note I didn't bother reading the article too closely, replicating the google search brings up dozens morel, let's look at the other product lines, ipods and iphones, battery dies, the service > the value of the device after that time period. This is clearly a f'in trap, thanks for being blinded by the presentation to see it, how hard would it to be to make a battery replaceable in an iphone as in oh say an android, its not so apple's design is deliberate?

You striving to be creative apple users sure are blind... apple != value.

On that note I still like my touch rofl if only for its faster than standard interface and beautiful screen, but I know I will be buying a permanent doc for it to become a radio in 3 years because the battery life will probably be under 30 minutes.

Re:Proof

Important yes. Critical? Not really. Even if they managed to cut a cert for a big site, they still have to then entice the user to go to such a site and also trick their DNS via man in the middle into thinking it's actually on Google.com or whatever they've issues.

Serious, yes. Critical? Not so much.

Re:Proof

[stewbacca]

Laughable. Apple likes to make money, and selling support is one way to do that. Providing good support has gone a long way to build a loyal fan base and repeat customers as well.

AppleCare is one of the few computer company tech support divisions that actually makes money. Selling extended support after 1 year (not 2-3 years like you stated) is a money maker. Doing so also means having to support devices that are no longer sold. If you bought extended warranty for your xserve in January, you get support for 3 years after the last one was sold. Seems fair to me. Other companies lose money with support because they try to appease the random slashdot nerd still running his Pentium IV + Voodoo II card + Soundblaster card.

And if Apple didn't care about support, they'd offshore it to India, yet their support is headquartered in Austin, where they take the calls. Surely Austin is more expensive than Bangalore? So why do it there? Oh yeah, Apple doesn't care about support, so they'd rather use the better-yet-more-expensive Austin base of operations....riiiiight.

You don't get to be #1 in consumer satisfaction with customer support ratings for every year JD Powers has tracked it by not caring about support.

Re:Proof

[stewbacca]

AV software on a Mac...hahah, funny.

The reason it took them a week is because they are in the middle of their second update (10.7.2) of a new OS release. Is Windows in the middle of a service pack for Win7? Did Win 7 come out less than 6 weeks ago? Does Microsoft have thousands of developers NOT working on OS X.7.2 right now?

sdasass sad

http://www.onlinenewspapersz.com/2011/08/colombia-daily-online-newspapers.html

Managing Support

[Gyorg_Lavode]

Apple's fundamental problem is that they don't know how to MANAGE security. They don't know how to communicate. They don't know how to be up-front and honest about what they're doing. They don't know how to set clear expectations. Microsoft learned this a long time ago. (Incidentally, Linus won a pwnie for his silent patching a few years back I think.)

Re:Managing Support

[stewbacca]

Yes, Microsoft is indeed upfront about setting clear expectations. That's why everyone on the planet knows ctrl+alt+delete.

And the mobile browsers?

When will we get the updates on our mobile phones so those who uses mobile banking will be protected too?

Re:And the mobile browsers?

www.mozilla.org/mobile/

What about Safari for Windows and Leopard?

[techvet]

1. What about Safari for Windows? 2. So...Leopard was released less than four years ago, after Windows Vista came out in 2006, yet Apple can't be bothered to patch it?

Re:What about Safari for Windows and Leopard?

[Rosyna]

It's got nothing to do with Safari.

Re:What about Safari for Windows and Leopard?

[antifoidulus]

Yup, the omission of a Leopard update is a giant "fuck you" to all PowerPC users out there.

Re:What about Safari for Windows and Leopard?

[gstrickler]

Yes, but the releases of Snow Leopard and especially Lion have already demonstrated the bug FU to PPC owners AND developers. So this is nothing new.

Ubuntu too

Right now this moment, Update Manager is telling me this:

Changes for the versions:
20090814
20090814ubuntu0.10.04.1

Version 20090814ubuntu0.10.04.1:

    * SECURITY UPDATE: Blacklist "DigiNotar Root CA" due to fraudulent
        certificate issuance (LP: #837557)
        - update mozilla/blacklist.txt

This wasn't in yesterday's updates. This Ubuntu box is my daily machine, not something that's turned on every once in a while. Updates are set to check Daily.

Apple behind in security per usual

[gubers33]

Apple has consistently been slow to fix security issues like this in the past so it is no surprise they were last to address the issue,

Re:Apple behind in security per usual

This is because they have procedures regarding releasing software that involve testing the shit before it goes out to the web.

Would you prefer they just wing it?

Re:Apple behind in security per usual

[gubers33]

What testing is needed to take down compromised certs?

Meanwhile, back in the bat cave...

[thestudio_bob]

In other news, Microsoft posts security bulletins 4 days early, scrambles to fix mistake.... oh, sorry I didn't realizes /. was in "bash apple" mode again.

Re:Meanwhile, back in the bat cave...

[jclarke]

your point?

Microsoft is exceeding their patch target dates, while Apple is trailing the pack with shoddy patches only for its current-gen non-PPC machines?

Re:Meanwhile, back in the bat cave...

[93+Escort+Wagon]

your point?

Microsoft is exceeding their patch target dates, while Apple is trailing the pack with shoddy patches only for its current-gen non-PPC machines?

Wrong - you should read the article before making knee-jerk statements. Microsoft accidentally published the security bulletins describing the upcoming patches. Then they scrambled to remove them.

In other words they posted specific information regarding vulnerabilities that will be patched next Tuesday. Hackers might find that a tad useful, what with a four-day window of opportunity.

Re:Meanwhile, back in the bat cave...

[thestudio_bob]

I was merely pointing out a simple fact that everyone around here seems to be "soooo" focused on bashing Apple as of late, that a very interesting and important security story, based on an operating system that has 90% market share (while Apple only has a tiny 5%-9% as people seem to like to point out), seemed to slipped through unnoticed.

It was an social experiment to see if anyone would comment on it and slip in a dig at Apple at the same time....

...I'll just mark you down as a positive. Thank you for participating.

Re:Meanwhile, back in the bat cave...

The patch from MS has been out for a few days now, I have it on all my machines. Patch Tuesday is for non publically known vulnerabilities and known urgent ones like this are not delayed till patch tuesday.

That's what iSSLFix is for.

[RulerOf]

Android is still vulnerable, as is iOS BTW.

Once again, stock iOS is vulnerable, whereas jailbroken ones can have iSSLFix installed on them. In addition to patching an extremely boneheaded certificate vulnerability and providing cert blacklists for iOS devices that have not received new firmware, the DigiNotar CA was blacklisted via a patch almost a week ago.

Anyone with a jailbroken iOS device that doesn't have the patch should download and install it. You can simply search for it in Cydia.

Re:That's what iSSLFix is for.

[CharlyFoxtrot]

Anyone with a jailbroken iOS device that doesn't have the patch should download and install it. You can simply search for it in Cydia.

Cool, I'll do that.

Re:That's what iSSLFix is for.

[DarkOx]

How good an idea is for people to installing lists of CAs form some site on the internet? Sure they might take DigiNotar out but who did they put in? For SSL to authenticate reliably and securely it has to be managed by the end user carefully, and that requires understanding.

Re:That's what iSSLFix is for.

[BitZtream]

So you trust a bunch of known criminals over legitimate businesses for your security needs ...

You sir aren't real bright, even if it does appear to work out in your favor this time, this is a really stupid idea.

Re:That's what iSSLFix is for.

[RulerOf]

How good an idea is for people to installing lists of CAs form some site on the internet? Sure they might take DigiNotar out but who did they put in? For SSL to authenticate reliably and securely it has to be managed by the end user carefully, and that requires understanding.

It's open source. Granted, I believe what the patch notes are saying, but if you really, really want to, audit the source and compile it yourself :P

Re:That's what iSSLFix is for.

[RulerOf]

So you trust a bunch of known criminals over legitimate businesses for your security needs ...

You sir aren't real bright, even if it does appear to work out in your favor this time, this is a really stupid idea.

I'm going to assume that was a joke.

If it wasn't, I'd like to point out that iSSLFix is free and open source, and I highly doubt that everyone who works on or with jailbroken iOS software, including the owner of Cydia, Jay Freeman, would endorse it in that case.

Not for everyone

[courcoul]

Worth noting that, keeping in line with maximizing a forced adoption of the latest cat, the fix is only available for those using the latest version of Snow Leopard or Lion. At least at this time (5 PM CDT, 9 Sep 2011) the rest of the MacOS universe can go suck an egg...

Just like the case of adopting Lion. If you want to skip a cat and not have to pay for Snow Leopard, tough luck, compadre. Lion ONLY installs on top of Snow Leopard.

Re:Not for everyone

I'm guessing you aren't a Mac user. Lion installs happily on an empty hard drive. It does not require any pre-existing OS to install, and it's trivial to burn the installer to dvd, external drive, external thumb drive, or install it from another Mac. You can purchase from any Mac running Lion, or just order the thumb drive.

As to older versions of the OS, they can always use Chrome which relies on an internal cert list, or for any intel chipset, pay $29 bucks and move to a supported platform.

Re:Not for everyone

[stewbacca]

MacOS hasn't existed since version 9. Yes, I think computers from the early 2000s can go suck an egg, to include my 1999 G4 that still runs, but I don't pretend to use it for daily computing, banking, and maintaining valid certs.

Lion only installs on top of Snow Leopard because it is an upgrade, not a stand alone release. Even the Apple Lion pages use "upgrade" all over the place. The price of $29 reflects that as well. http://www.apple.com/macosx/how-to-buy/

Not viable for many users

[gstrickler]

It's only for OS 10.6.8 and 10.7.1. Users of PowerPC Macs can't use any OS after 10.5.8, and many users of Intel based Macs won't update past 10.6.6 because 10.6.7/10.6.8 introduce some significant compatibility issues. It's great that they released a fix, but it's only a fix for 50%-80% of the user base. I guest the rest have to manually remove the Diginotar root cert?

Re:Not viable for many users

[stewbacca]

and many users of Intel based Macs won't update past 10.6.6 because 10.6.7/10.6.8 introduce some significant compatibility issues.

Like what?

Re:Not viable for many users

[rylin]

10.6.8 broke optical audio out for many, many users.

Re:Not viable for many users

[gstrickler]

You can start here and read all the problems you want to.

Mac OS X 10.5.8?

[antdude]

No updates for this one? :(

Apple has Ostrich Syndrome.

[Sable+Drakon]

This is just typical Apple. To them, security problems don't exist. They're all happily wandering about aimlessly in Steve Jobs' backyard like a bunch of mindless sheep. Content to shrug off anything that may do grievous harm to their esthetically pleasing brushed aluminum paradise. To those Mac users who actually are security minded, you're not included in this. At least you guys have a clue, more of one than the fanboys and everyone in Cupertino.

Re:Apple has Ostrich Syndrome.

[stewbacca]

At least you guys have a clue...

Speaking of clues, here are a couple:

Steve Jobs is no longer in charge.
Apple no longer makes any hardware in "brushed" aluminum.