Slashdot Mirror


Apple Finally Removes DigiNotar Certs In Safari

Trailrunner7 writes "Apple has finally released a fix for the certificate trust issue caused by the attack on DigiNotar, more than a week after the fraudulent certificates were identified and other browser vendors moved to revoke trust in them. While Microsoft, Mozilla and Google had been communicating with users about the issue and pushing out new versions and updates to eliminate the compromised certificate authorities from their browsers, Apple had been mum about the attack and hadn't given any indication of when it might issue an update for Safari. On Friday the company published a security advisory for Mac OS X users, saying that it was removing DigiNotar's certificates from its trust list."

5 of 149 comments

  1. Pointless Apple-bashing by DoctorNathaniel · Score: 5, Insightful

    So, it took them 1 week to come out with an update to patch their browser? That doesn't seem an egregious delay to me. I haven't yet patched any of my other browsers. I'd be surprised if most users patch within the week of bugfix releases anyway.

    And if I understand it, this "security hole" is basically that you won't get bad-certificate warnings if you visit certain fraudulent sites... which isn't likely to happen unless you're clicking links in phishing emails.

    This hyperbole about apple being slow seems like hot air to me.

    1. Re:Pointless Apple-bashing by CharlyFoxtrot · Score: 5, Informative

      Also the summary praises Google for their quick reaction but Android is still vulnerable, as is iOS BTW. You'd think that'd rate a mention at least.

      --
      If all else fails, immortality can always be assured by spectacular error.
    2. Re:Pointless Apple-bashing by v1 · Score: 5, Informative

      So, it took them 1 week to come out with an update to patch their browser?

      They didn't patch their browser. That's not the way to fix the problem. The certificates Safari trusts are in the system keychain. Security Update 2011-005 addresses the problem.

      Certificate Trust Policy

      Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.1, Lion Server v10.7.1

      Impact: An attacker with a privileged network position may intercept user credentials or other sensitive information

      Description: Fraudulent certificates were issued by multiple certificate authorities operated by DigiNotar. This issue is addressed by removing DigiNotar from the list of trusted root certificates, from the list of Extended Validation (EV) certificate authorities, and by configuring default system trust settings so that DigiNotar's certificates, including those issued by other authorities, are not trusted.

      So (1) it pulls DigiNotar from the chain of trust, and (2) sends all browsers (and email apps, and anything else that cares to validate certs) accurate information for EV certificates that chain off an untrusted root. Patching the browser shouldn't be necessary and wouldn't address the actual problem, although considering it took Apple an unusually long time to get this update out the door, I can see why some other browser vendors hardcoded out DigiNotar.

      But for Apple this wasn't merely a matter of pulling a cert, they also had to fix a bug. Rushing a security bug fix out the door without testing it is arguably a worse security response than taking a few days longer to test before pushing. (It's not like it took months, like a few other big names I could toss in the ring to ignite a flame war.)

      --
      I work for the Department of Redundancy Department.
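      The two steps v1 lists above, as an added model that is not from the post or from Apple's update (certificate names are constructed, and signatures are not checked): removing the DigiNotar root alone still leaves a DigiNotar CA certificate issued by another trusted authority valid, and only the explicit distrust setting closes that path.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # equal to subject for a self-signed root


# Constructed sample certificates: names only, no keys or signatures.
ROOT_A = Cert("Other Trusted Root", "Other Trusted Root")
DIGINOTAR_ROOT = Cert("DigiNotar Root CA", "DigiNotar Root CA")
# The same DigiNotar CA, but issued (cross-signed) by the other root.
DIGINOTAR_XSIGNED = Cert("DigiNotar Root CA", "Other Trusted Root")
FRAUD_LEAF = Cert("login.example.test", "DigiNotar Root CA")

DIRECT_CHAIN = (FRAUD_LEAF, DIGINOTAR_ROOT)
XSIGNED_CHAIN = (FRAUD_LEAF, DIGINOTAR_XSIGNED, ROOT_A)


def chain_trusted(chain, trusted_roots, distrusted=frozenset()):
    """Leaf-first chain. Each cert's issuer must be the next cert's subject,
    the last cert must be a self-signed root present in the store, and no
    cert may carry a subject on the distrust list. Signatures are not
    modelled here; this only shows the trust-store decision."""
    for cert, parent in zip(chain, chain[1:]):
        if cert.issuer != parent.subject:
            return False
    if any(c.subject in distrusted for c in chain):
        return False  # step (2): rejected even when anchored at another root
    root = chain[-1]
    return root.issuer == root.subject and root.subject in trusted_roots


def outcomes(trusted_roots, distrusted=frozenset()):
    """Return (direct chain trusted?, cross-signed chain trusted?)."""
    return (chain_trusted(DIRECT_CHAIN, trusted_roots, distrusted),
            chain_trusted(XSIGNED_CHAIN, trusted_roots, distrusted))


BEFORE = outcomes({"Other Trusted Root", "DigiNotar Root CA"})
ROOT_REMOVED_ONLY = outcomes({"Other Trusted Root"})          # step (1) only
AFTER_UPDATE = outcomes({"Other Trusted Root"}, {"DigiNotar Root CA"})

if __name__ == "__main__":
    print("before update        ", BEFORE)             # (True, True)
    print("root removed only    ", ROOT_REMOVED_ONLY)  # (False, True)
    print("removed + distrusted ", AFTER_UPDATE)       # (False, False)
```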
    3. Re:Pointless Apple-bashing by UnknowingFool · Score: 4, Insightful

      The problem isn't that there isn't a mechanism to revoke certs in OS X. It exists in Keychain. The problem was that the implementation was flawed as it could be overridden. So when it was pointed out to Apple, they fixed it in a week's time. Would you rather Apple quickly release a patch that didn't work?

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
  2. Certs are broken. by Speare · Score: 4, Insightful

    DigiNotar was just the beginning of the reports, but the truth is, CAs have been broken for a long time and SSL sessions that depend on CA certs are useless. A couple of weeks ago, there was a handy how-to page to show how you can go into Mac OS X's keychain to reject DigiNotar... one CA entry down, but several hundred others. If you think the NSA, Mossad, MI6, and fifty other countries haven't slipped MitM SSL boxes on various trunks hoping to score a session depending on these CAs, you're deluded.

    --
    [ .sig file not found ]