Slashdot Mirror


Apple Finally Removes DigiNotar Certs In Safari

Trailrunner7 writes "Apple has finally released a fix for the certificate trust issue caused by the attack on DigiNotar, more than a week after the fraudulent certificates were identified and other browser vendors moved to revoke trust in them. While Microsoft, Mozilla and Google had been communicating with users about the issue and pushing out new versions and updates to eliminate the compromised certificate authorities from their browsers, Apple had been mum about the attack and hadn't given any indication of when it might issue an update for Safari. On Friday the company published a security advisory for Mac OS X users, saying that it was removing DigiNotar's certificates from its trust list."

23 of 149 comments

  1. Re:Apple needs to explain its delay by DurendalMac · · Score: 2

    Yeah, curse those MAC addresses!

    Oh, wait, I'm sorry, you're just another retard that capitalizes the whole word instead of the first letter. It's a proper noun, not an acronym, you dimwit.

  2. Pointless Apple-bashing by DoctorNathaniel · · Score: 5, Insightful

    So, it took them 1 week to come out with an update to patch their browser? That doesn't seem an egregious delay to me. I haven't patched any of my other browsers yet. I'd be surprised if most users patch within the week of bugfix releases anyway.

    And if I understand it, this "security hole" is basically that you won't get bad-certificate warnings if you visit certain fraudulent sites... which isn't likely to happen unless you're clicking links in phishing emails.

    This hyperbole about Apple being slow seems like hot air to me.

    1. Re:Pointless Apple-bashing by CharlyFoxtrot · · Score: 5, Informative

      Also the summary praises Google for their quick reaction but Android is still vulnerable, as is iOS BTW. You'd think that'd rate a mention at least.

      --
      If all else fails, immortality can always be assured by spectacular error.
    2. Re:Pointless Apple-bashing by v1 · · Score: 5, Informative

      So, it took them 1 week to come out with an update to patch their browser?

      They didn't patch their browser. That's not the way to fix the problem. The certificates Safari trusts are in the system keychain. Security Update 2011-005 addresses the problem.

      Certificate Trust Policy

      Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.1, Lion Server v10.7.1

      Impact: An attacker with a privileged network position may intercept user credentials or other sensitive information

      Description: Fraudulent certificates were issued by multiple certificate authorities operated by DigiNotar. This issue is addressed by removing DigiNotar from the list of trusted root certificates, from the list of Extended Validation (EV) certificate authorities, and by configuring default system trust settings so that DigiNotar's certificates, including those issued by other authorities, are not trusted.

      So (1) it pulls DigiNotar from the chain of trust, and (2) sends all browsers (and email apps, and anything else that cares to validate certs) accurate information for EV certificates that chain off an untrusted root. Patching the browser shouldn't be necessary and wouldn't address the actual problem, although considering it took Apple an unusually long time to get this update out the door, I can see why some other browser vendors hardcoded out DigiNotar.

      But for Apple this wasn't merely a matter of pulling a cert, they also had to fix a bug. Rushing a security bug fix out the door without testing it is arguably a worse security response than taking a few days longer to test before pushing. (it's not like it took months like a few other big names I could toss in the ring to ignite a flame war)

      --
      I work for the Department of Redundancy Department.
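      The two parts of the fix v1 quotes, as an added toy model (not Apple's code or the advisory's): pulling a root from the trust store alone still leaves a DigiNotar-named CA trusted when it chains to some other trusted root, which is why the update also sets a deny rule. All CA and host names here are constructed; "Example Root CA" stands in for any other trusted root.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

# Constructed trust stores: before the update DigiNotar is a trusted root,
# after it only the placeholder "Example Root CA" remains.
TRUSTED_ROOTS_BEFORE = {"DigiNotar Root CA", "Example Root CA"}
TRUSTED_ROOTS_AFTER = {"Example Root CA"}
# Part (2) of the fix: names that are denied wherever they appear in a chain.
DENY_SUBJECTS = {"DigiNotar Root CA", "DigiNotar Cross-Signed CA"}

def evaluate(chain, trusted_roots, deny_subjects=frozenset()):
    """Return (trusted, reason). chain is leaf-first; the last element's
    issuer must name a trusted root and every link must match."""
    for cert in chain:  # explicit deny wins over any trusted root
        if cert.subject in deny_subjects or cert.issuer in deny_subjects:
            return False, f"explicitly distrusted: {cert.subject}"
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False, f"broken chain at {child.subject}"
    if chain[-1].issuer in trusted_roots:
        return True, f"chains to trusted root {chain[-1].issuer}"
    return False, f"untrusted root {chain[-1].issuer}"

# Constructed chains for a hypothetical site.
DIRECT_CHAIN = [Cert("www.example.test", "DigiNotar Public CA"),
                Cert("DigiNotar Public CA", "DigiNotar Root CA")]
# A DigiNotar-named CA signed by another trusted root (cross-signed).
CROSS_CHAIN = [Cert("www.example.test", "DigiNotar Cross-Signed CA"),
               Cert("DigiNotar Cross-Signed CA", "Example Root CA")]
GOOD_CHAIN = [Cert("www.example.test", "Example Issuing CA"),
              Cert("Example Issuing CA", "Example Root CA")]

if __name__ == "__main__":
    print(evaluate(DIRECT_CHAIN, TRUSTED_ROOTS_BEFORE))      # trusted before
    print(evaluate(DIRECT_CHAIN, TRUSTED_ROOTS_AFTER))       # root pulled
    print(evaluate(CROSS_CHAIN, TRUSTED_ROOTS_AFTER))        # still trusted!
    print(evaluate(CROSS_CHAIN, TRUSTED_ROOTS_AFTER, DENY_SUBJECTS))
    print(evaluate(GOOD_CHAIN, TRUSTED_ROOTS_AFTER, DENY_SUBJECTS))
```

The third call is the case a root removal alone misses; only the deny rule closes it.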
    3. Re:Pointless Apple-bashing by node+3 · · Score: 3, Informative

      >> "Restart" (if necessary)

      "If necessary"? Way to downplay it. It IS necessary, but not on Windows or Linux. Deal with it, they are facts.

      Sometimes it is, sometimes it isn't (just like sometimes it is and sometimes it isn't on Windows and Linux).

      Demonstrating your ignorance of Macs, as usual, I see...

    4. Re:Pointless Apple-bashing by UnknowingFool · · Score: 4, Insightful

      The problem isn't that there isn't a mechanism to revoke certs in OS X. It exists in Keychain. The problem was that the implementation was flawed as it could be overridden. So when it was pointed out to Apple, they fixed it in a week's time. Would you rather Apple quickly release a patch that didn't work?

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    5. Re:Pointless Apple-bashing by Firehed · · Score: 3, Interesting

      Of course, updating the trusted CA cert list shouldn't require a full system upgrade either. They have a kill switch for rogue apps; there should be a similar infrastructure in place for certificate revocation (is there? I don't know - doesn't sound like it. But there should be)

      --
      How are sites slashdotted when nobody reads TFAs?
    6. Re:Pointless Apple-bashing by icebraining · · Score: 2

      Firefox is not that clear cut, there are security updates for older versions, AFAIK. At least 3.5 got many updates even after 3.6 was released.

    7. Re:Pointless Apple-bashing by CapuchinSeven · · Score: 2

      Dude, if it's THAT much of a problem for you, use Firefox on your Mac. Jeesh.

    8. Re:Pointless Apple-bashing by UnknowingFool · · Score: 2

      they were the one major player unable to handle a necessary security task.

      I don't know what "unable" means in your world, but in my world, it means "not able to be done." Were they slower than others? Yes. Were they the last one? No. Depending on who you consider "a major player", they weren't the last. If you deal with servers, Red Hat and Ubuntu also patched the same day. MS only patched 3 days before Apple.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    9. Re:Pointless Apple-bashing by BitZtream · · Score: 3, Informative

      You got a virus because you downloaded something from somewhere you shouldn't have.

      Unless you downloaded something from an SSL site, also had your DNS and your upstream DNS compromised to direct you to a fake SSL download site, and then actually downloaded something via SSL with a stolen cert ... then well there's no way this had anything to do with it.

      You got a virus because you did something stupid, not because someone else did.

      You got a virus for the same reason every Windows user gets a virus, STOP CLICKING ON RANDOM LINKS FROM EMAIL ADDRESSES YOU'VE NEVER SEEN. THERE IS NO PACKAGE WAITING ON YOU FROM DHL OR REPORT FOR YOU TO REVIEW IN ORDER TO GET YOUR MILLIONS.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  3. Mandatory restart? by Lord+Grey · · Score: 2, Funny

    I just applied the fix and now I have to restart my Mac. What the hell? Is my MacBook masquerading as a Windows machine all of a sudden?

    It just works. After a slight delay.

    --
    // Beyond Here Lie Dragons
  4. Certs are broken. by Speare · · Score: 4, Insightful

    DigiNotar was just the beginning of the reports, but truth is, CAs have been broken for a long time and SSL sessions that depend on CA certs are useless. A couple weeks ago, there was a handy how-to page to show how you can go into Mac OS X's keychain to reject DigiNotar... one CA entry down, but several hundred others. If you think the NSA, Mossad, MI6, and fifty other countries haven't slipped MitM SSL boxes on various trunks hoping to score a session depending on these CAs, you're deluded.

    --
    [ .sig file not found ]
    1. Re:Certs are broken. by steelfood · · Score: 2

      The problem with SSL has always been that there's a single point of failure. If you compromise the CA, you ultimately compromise SSL itself until trust for that particular CA gets revoked.

      In the short term, browsers should remember the last CA of each site. If it changes, throw up a warning page. That's a good stop-gap measure for MITM (instead of the stupid warning page for self-signed certs). In the long term, there needs to be some combination of distributed (P2P) certificate validation, and multiply signed certificates. There's no 100% guarantee, but this way, the pool can't be poisoned, nor would compromising one particular CA compromise the certificates signed by that CA.

      In fact, it's pretty difficult to compromise a multiply-signed certificate where one of the signatures is the entity itself. At that point, there'd be no difference between compromising that kind of certificate and compromising the company servers or intranet outright.

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
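      The stop-gap steelfood proposes, remembering the last CA seen for each site and warning when it changes, as an added toy implementation (not from the post or from any browser). The observation log is constructed; an issuer switch is flagged even when the new CA is also in the trust store, which is exactly what a plain CA check would miss.

```python
class IssuerMemory:
    """Trust-on-first-use for the issuing CA of each host."""

    def __init__(self):
        self._seen = {}  # host -> issuer name recorded on first use

    def check(self, host, issuer):
        """Return (verdict, previous_issuer) where verdict is
        'first-use', 'match' or 'changed'."""
        previous = self._seen.get(host)
        if previous is None:
            self._seen[host] = issuer
            return "first-use", None
        if previous == issuer:
            return "match", previous
        # Do not overwrite: keep warning until the user explicitly confirms,
        # so a single interception does not silently become the new baseline.
        return "changed", previous

    def accept_change(self, host, issuer):
        """Record a new issuer only after an explicit user decision."""
        self._seen[host] = issuer

# Constructed observation log: (host, issuer of the server cert presented).
OBSERVATIONS = [
    ("mail.example.test", "Example Issuing CA"),
    ("mail.example.test", "Example Issuing CA"),
    ("mail.example.test", "DigiNotar Public CA"),  # different CA, same host
    ("mail.example.test", "DigiNotar Public CA"),  # still flagged until confirmed
]

def run(observations, memory=None):
    """Return the verdict for each observation in order."""
    if memory is None:
        memory = IssuerMemory()
    return [memory.check(host, issuer)[0] for host, issuer in observations]

if __name__ == "__main__":
    for (host, issuer), verdict in zip(OBSERVATIONS, run(OBSERVATIONS)):
        print(f"{host}: {issuer} -> {verdict}")
```

A legitimate CA switch by the site operator triggers the same warning; that false positive is the cost of the scheme, which is why steelfood calls it a stop-gap.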
  5. Re:Yeah Mac's just work by node+3 · · Score: 3, Insightful

    Except of course when they don't. When you create a culture of careless idiots by making them think they are invulnerable to any threats this is the only way to handle them.

    Care to explain how this is a case of Macs not "just working"? Or how many "careless idiots" were adversely affected by this?

    This looks like simple mindless anti-Apple trolling.

    If they just came out and said "Yeah we got screwed too" they might have some credibility, but instead they have to act like something like this doesn't actually affect them and quietly sweep the dirt under the rug.

    "Got screwed"? How, exactly? This is exactly how the system is supposed to work.

    On the other hand of that is the legion of careless users that are made even more careless because they have been given the false belief that they are impervious to any kind of cyber threat. If they just said "Yeah all that 'most secure' stuff we've been telling you is utter nonsense" then they might lose a moron or two to the competition.

    So, where are all the infected Macs? And where are all these people who say Macs are "impervious to any kind of cyber threat"? Straw men don't count, I'm talking about actual human beings.

    The problem with you anti-Apple trolls is that you rail against an imagined Mac user being screwed over by an imagined Apple, neither of which *actually* exist. Apple isn't evil, Mac users aren't idiots. There are millions of highly intelligent, technologically adept people who use and prefer Macs. What's so difficult to understand about this? Just because a smart person likes a system you don't like, that's not an affront to you. There are smart people who happily use Macs, Windows, Linux...

    Why so insecure?

  6. Re:Apple needs to explain its delay by Anonymous Coward · · Score: 2, Insightful

    On Slashdot, an "Apple Apologist Fanboi" is anybody who doesn't incessantly whine in a shrill voice about how awful Apple and Steve Jobs are, annoying anyone within a four-mile radius, most of whom don't care one way or the other.

  7. Re:Proof by node+3 · · Score: 2

    Apple only cares about the sale of the product, not support

    Sales of their products are affected by support.

    that's why so many of their products fail 2-3 years off shelf life conveniently after warranty.

    Then, why do so many *MORE* of their products *NOT* fail 2-3 years after warranty? You imply some sort of "planned failure" to get people to buy new products, but Apple (like most quality brands) takes a different tack, and instead comes out with new and improved products to entice new sales. And Apple, specifically, is having no problem whatsoever getting people to buy their new products.

    That wouldn't happen if they kept failing on people.

    And, what does this have to do with the story in question anyway?

  8. What about Safari for Windows and Leopard? by techvet · · Score: 2

    1. What about Safari for Windows? 2. So...Leopard was released less than four years ago, after Windows Vista came out in 2006, yet Apple can't be bothered to patch it?

    1. Re:What about Safari for Windows and Leopard? by gstrickler · · Score: 2

      Yes, but the releases of Snow Leopard and especially Lion have already demonstrated the big FU to PPC owners AND developers. So this is nothing new.

      --
      make imaginary.friends COUNT=100 VISIBLE=false
  9. Re:Yeah Mac's just work by node+3 · · Score: 3, Insightful

    While he is a troll, having worked in support (at a University in Oregon) with Apple users they do often say the following repeatedly:

    "Macs don't get viruses"
    "My Mac is secure"

    Both are true. Neither means (what the OP said), "they are invulnerable to any threats" or "they are impervious to any kind of cyber threat".

  10. Not viable for many users by gstrickler · · Score: 2

    It's only for OS 10.6.8 and 10.7.1. Users of PowerPC Macs can't use any OS after 10.5.8, and many users of Intel based Macs won't update past 10.6.6 because 10.6.7/10.6.8 introduce some significant compatibility issues. It's great that they released a fix, but it's only a fix for 50%-80% of the user base. I guess the rest have to manually remove the DigiNotar root cert?

    --
    make imaginary.friends COUNT=100 VISIBLE=false
  11. Re:Yeah Mac's just work by AshtangiMan · · Score: 2

    Perhaps for the same reason that Windows users think that because they have an antivirus program installed that they are immune to all malware. I should say some Windows users. People are people and computer security is sufficiently complex that the majority don't really care to put in the brainpower required to understand it. So they end up repeating marketing bs. I happily use all of Mac, Windows and Linux. And I feel that each of them sucks in their own special ways.

  12. Re:Meanwhile, back in the bat cave... by 93+Escort+Wagon · · Score: 2

    your point?

    Microsoft is exceeding their patch target dates, while Apple is trailing the pack with shoddy patches only for its current-gen non-PPC machines?

    Wrong - you should read the article before making knee-jerk statements. Microsoft accidentally published the security bulletins describing the upcoming patches. Then they scrambled to remove them.

    In other words they posted specific information regarding vulnerabilities that will be patched next Tuesday. Hackers might find that a tad useful, what with a four-day window of opportunity.

    --
    #DeleteChrome