Slashdot Mirror


Apple Leaves Chinese CNNIC Root In OS X and iOS Trusted Stores

Trailrunner7 writes: When it was revealed late last month that a Chinese certificate authority had allowed an intermediate CA to issue unauthorized certificates for some Google domains, both Google and Mozilla reacted quickly and dropped trust in CNNIC altogether. Apple on Wednesday released major security upgrades for both of its operating systems, and the root certificate for CNNIC, the Chinese CA at the heart of the controversy, remains in the trusted stores for iOS and OS X. The company has not made any public statements on the incident or the continued inclusion of CNNIC's certificates in the trusted stores.

100 comments

  1. Apples? by freeze128 · · Score: 0

    How many Apples are there?

    1. Re:Apples? by taiwanjohn · · Score: 3, Funny

      It only takes one bad "Apples" to spoil the whole headline.

      --
      XML is like violence. If it doesn't solve your problem, you're not using enough of it. --AC
    2. Re:Apples? by ArcadeMan · · Score: 4, Informative

      Well, there's Applejack, Apple Bloom, Big McIntosh, and Granny Smith.

    3. Re:Apples? by Anonymous Coward · · Score: 0

      Well, there is that record company started by The Beatles, but I'd doubt they're cooperating with mail interception by the Chinese government.

    4. Re:Apples? by Anonymous Coward · · Score: 0

      Well there's Apple Corps, the music company founded by the Beatles, there's Apple Watch in Switzerland, causing problems for the Cupertino-based Apple the headline is referring to, umpteen varieties of the fruit, and more...

    5. Re:Apples? by Anonymous Coward · · Score: 0

      The Informative mod is making this even funnier.

    6. Re:Apples? by Anonymous Coward · · Score: 0

      HEATHEN! You forgot the Fuji!!!

    7. Re: Apples? by Anonymous Coward · · Score: 0

      Pagan, you neglected the Honeycrisp.

    8. Re: Apples? by Anonymous Coward · · Score: 0

      Big McIntosh kinking Apple Tart's Golden Delicious Honeycrisp.

  2. There's a shock... by fuzzyfuzzyfungus · · Score: 4, Insightful

    Hey, they weren't spying on our SSLed services today, so we still totally trust them! Also, have you seen how lucrative the Chinese market could be?

    1. Re:There's a shock... by Noah+Haders · · Score: 2

      It's probably a condition in Apple's contract with the CN govt that they have to ruin all Apple devices for security.

    2. Re:There's a shock... by fuzzyfuzzyfungus · · Score: 5, Funny

      I believe you mean 'enable all Apple devices for socially harmonious lawful remote management'.

    3. Re:There's a shock... by Ward,+Darrin · · Score: 1

      the chinese market is very lucrative. i steal lots of their data and sell it on the black market. i guess i'm evil, but i don't care.

      --
      Use my SEOChat.com and ChatButton.com services so i can install viruses on your users' computers!
    4. Re:There's a shock... by Anonymous Coward · · Score: 1

      http://www.netresec.com/?page=Blog&month=2014-10&post=Chinese-MITM-Attack-on-iCloud

    5. Re:There's a shock... by NotDrWho · · Score: 1

      Also, have you seen how lucrative the Chinese market could be?

      I hear it's almost as large as the manufacturing plants where they make all of Apple's devices and computers.

      --
      SJW's don't eliminate discrimination. They just expropriate it for themselves.
    6. Re:There's a shock... by Anonymous Coward · · Score: 0

      It's probably a condition in Apple's contract with the CN govt that they have to ruin all Apple devices for security.

      What do you expect? China (CN) is in Apple, specifically as a cyanogenic glycoside in the seeds.

      So watch out for Apple! Some parts are poisonous.

    7. Re:There's a shock... by mitcheli · · Score: 3

      It somehow doesn't surprise me that Apple is still hosting the exploited CA cert. They released patches to a number of openssl (which OSX does use) that supposedly fix the high level vulnerabilities of late (Security Update 2015-3?) But at the same time, the version that's running is 1.0.1g ... and there have been several high level vulnerabilities such as the down channel exportable encryption bug that still haven't been addressed. Thinking Apple needs to step up their game!

      --
      Select from tblFriends where interesting >= 4;
  3. Chinese market by Anonymous Coward · · Score: 2, Insightful

    Apple is worried that doing the right thing will make them lose market share in China.

    1. Re:Chinese market by NotDrWho · · Score: 2, Insightful

      I doubt any Apple execs know what the phrase "doing the right thing" even means.

      --
      SJW's don't eliminate discrimination. They just expropriate it for themselves.
    2. Re:Chinese market by sabbede · · Score: 1

      Considering how unhappy China was with Google for dropping the CA, you might be right.

  4. Are non-China users safe? by Anonymous Coward · · Score: 0

    Given that CNNIC is a Chinese CA, does that mean that users who are not in China and do not visit Chinese web sites are safe?

    1. Re:Are non-China users safe? by AmiMoJo · · Score: 4, Informative

      CNNIC was found to have provided fake certs for popular sites, seemingly to aid with spying. So the answer is yes, this does affect people outside of China.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:Are non-China users safe? by Anonymous Coward · · Score: 5, Informative

      No. Any root CA (or anyone holding an intermediate CA cert with a trust chain back to a root) can sign a certificate for any domain at all.

      That's right; the Belgian Government can sign for www.yoursite.com and the person who holds the key for that CSR can MITM anyone who visits www.yoursite.com with no certificate warnings raised.

    3. Re:Are non-China users safe? by fustakrakich · · Score: 4, Insightful

      This confirms the absolute uselessness of this whole 'certificate' thing, except for tracking purposes of course.

      --
      “He’s not deformed, he’s just drunk!”
    4. Re: Are non-China users safe? by Anonymous Coward · · Score: 1

      Don't forget the profits!

    5. Re:Are non-China users safe? by bill_mcgonigle · · Score: 2

      This confirms the absolute uselessness of this whole 'certificate' thing, except for tracking purposes of course.

      It's not useless, but it's only half of the equation.

      The cert says, "we trust that this site belongs to this entity". That's one-way.

      What needs to happen is that sites need to publish in their DNS(SEC) that they trust the same CA(s). That completes the mutual agreement on trust, which is currently missing. There are a few competing RFCs on the best way to lay this out, but what CNNIC shows is that we need to stop bickering and deploy this yesterday, accepting that "good enough" may not be perfect but it's *way* better than nothing. 'Better' is what version 2 is for.

      May we engineers save us from ourselves.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    6. Re:Are non-China users safe? by IamTheRealMike · · Score: 1

      Plain DNS is useless, a MITM could fake the results.

      DNSSEC just replaces a competitive market of certificate authorities with a different, less competitive system of new CAs called registrars. It's hardly a positive.

      A lot of people hear "some company I never heard of can sign for my site" and immediately conclude the whole system is broken. But that's ridiculous. Why should people be locked into one or two CAs based on where they are in the world? I live in Switzerland. There is a local CA called SwissSign. Like everything Switzerland their EV certificates are more than double the price of what DigiCert charges (based in Utah). So I go to a foreign CA and get my cheaper certs. That's called globalisation.

      Likewise, if someone in America wants to pay a Belgian CA for a certificate for whatever reason, why shouldn't they?

    7. Re:Are non-China users safe? by dotancohen · · Score: 2

      No. Any root CA (or anyone holding an intermediate CA cert with a trust chain back to a root) can sign a certificate for any domain at all.

      Even worse, there is no way to know which certs you need and which you can get rid of. This question has remained open on Super User without a good answer for over half a year:
      http://superuser.com/questions...

      --
      It is dangerous to be right when the government is wrong.
    8. Re:Are non-China users safe? by chihowa · · Score: 1

      DNSSEC doesn't tie you to a registrar any more than registering a domain already did. DNSSEC also solves a good chunk of the MITM that can occur with the normal CA system. DNS is a vital part of the internet. The fact that it is so easily spoofed and altered is the root of many security problems.

      The argument against DNSSEC is that there is still a root authority, at IANA, that can be corrupted. Which is solvable with DLV (DNSSEC Look-aside Validation) and alternative trust anchors. Even without that, stating the CA (or specific key) you use in DNS only makes the system stronger. At the very least, that's one more party to corrupt and non-targeted attacks would be broadcast across the internet.

      --
      If you want a vision of the future, imagine a youtube comments section scrolling - forever.
    9. Re:Are non-China users safe? by Anonymous Coward · · Score: 1

      Even worse, there is no way to know which certs you need and which you can get rid of. This question has remained open on Super User without a good answer for over half a year:
      http://superuser.com/questions...

      There is a way: start disabling them until stuff starts breaking. Browsers make this maddeningly hard, by failing to load the page but not mentioning the specifics of what failed, but it can be done.

      I've disabled all certificates and only enable certificates when sites break. This will be very region-specific, but after two years I'm up to ten root certs enabled. Of course, I don't trust those ten certificate authorities, but there are ten that I need to do my internet business. Reduced attack surface area and all. CNNIC is not one of the enabled certificates!

    10. Re:Are non-China users safe? by Anonymous Coward · · Score: 0

      "This confirms the absolute uselessness of this whole 'certificate' thing"

      I agree, this is the critical take away. Anything so opaque is meant by design to deceive.

      It's best to assume that everything on the internet in its current form is vulnerable.

    11. Re:Are non-China users safe? by dotancohen · · Score: 1

      Thanks. I've tried that in Firefox, but there is no way to disable a cert and then re-enable it: the option is called Disable/Delete and it does the latter: Delete. There does not seem to be a way to disable certs until they are needed. What region are you in, and which certs do you have enabled? I would like to know just as a starting point. Thank you!

      --
      It is dangerous to be right when the government is wrong.
    12. Re:Are non-China users safe? by Anonymous Coward · · Score: 0

      I don't know what certificates he settled on, but if you aren't doing a whole lot of international browsing, you can safely disable any foreign CAs (especially foreign government CAs or anything you can't read). In Firefox, you can get the country of origin by viewing the certificate and looking at Issuer, under the Details tab. "C = " will list the country code. Most of the big CAs are in the US, but there are a few big ones that aren't: Comodo, StartCom, Thawte, AddTrust.

      In Firefox, you can disable without deleting, by clicking "Edit Trust...". Even if you delete a root CA, it will show back up on restart with all of its trust disabled. You can't delete them permanently from the UI.

    13. Re:Are non-China users safe? by dotancohen · · Score: 1

      I don't know what certificates he settled on, but if you aren't doing a whole lot of international browsing, you can safely disable any foreign CAs (especially foreign government CAs or anything you can't read). In Firefox, you can get the country of origin by viewing the certificate and looking at Issuer, under the Details tab. "C = " will list the country code. Most of the big CAs are in the US, but there are a few big ones that aren't: Comodo, StartCom, Thawte, AddTrust.

      In Firefox, you can disable without deleting, by clicking "Edit Trust...". Even if you delete a root CA, it will show back up on restart with all of its trust disabled. You can't delete them permanently from the UI.

      Thanks. I did notice that a deleted CA returned on restart, but I didn't notice that it still had all of its trust disabled.

      --
      It is dangerous to be right when the government is wrong.
  5. Fix the headline by rbanzai · · Score: 2

    For fuck's sake is it really that hard to at least proofread the headline? "Apples Leaves Chinese CNNIC Root In OS X and iOS Trusted Stores"

  6. Apple is exposed to China operations by Sandbox-Six-Actual · · Score: 5, Insightful

    Remember that unlike Google, Apple has deep manufacturing and retail ties into the Chinese market, which is seen as a key strategic part of cost management and future market/revenue expansion.

    Even though CNNIC is very cozy with the Chinese MSS and the variety of PLA workforces associated with externally focused compromise, it is an organ of the Chinese government, which works differently from many others. If you were to offend the quasi-governmental agencies that deal IPs and such things in the US, you might not get "favorable" treatment, but the US FTC and others aren't exactly likely to swoop in and close you down either.

    China has shown with Google and Twitter and others that if you aren't willing to play ball with their government, they have enough control over everything that they can effectively disadvantage you in the market. They can arbitrarily seize assets, justice is somewhat malleable, and the Great Firewall means no matter how big you are, entire segments of your traffic base can be reduced because the average person isn't going to work hard to get around the censors.

    The last thing Apple needs right now is to create another "front" to wrestle with a government on in such a strategic market. Even if the truth is that CNNIC probably isn't really the most trustworthy "root" in the world. But it's also hard to blame them when the Snowden revelations have revealed that certain types of exported hardware devices could be diverted in the shipping process, etc, etc.

    1. Re:Apple is exposed to China operations by denis-The-menace · · Score: 2, Insightful

      And we have a winner!

      Sorry, I have no Mod points for you.

      --
      Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
    2. Re:Apple is exposed to China operations by Anonymous Coward · · Score: 3, Insightful

      The last thing Apple needs right now is to create another "front" to wrestle with a government on in such a strategic market. Even if the truth is that CNNIC probably isn't really the most trustworthy "root" in the world.

      In other words, Apple has sold out its customers, but hey! They want to make money, so who can blame them for this betrayal.

      But it's also hard to blame them when the Snowden revelations have revealed that certain types of exported hardware devices could be diverted in the shipping process, etc, etc.

      So the NSA has behaved badly, and this makes China's misbehavior OK, and Apple's betrayal of its customers, and its assistance of China in undermining network security for all of its users, absolutely OK.

      Got it.

    3. Re:Apple is exposed to China operations by mrchaotica · · Score: 4, Insightful

      Clearly, then, the only choice is for all non-China users to consider Apple to be no longer trusted.

      --
      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
    4. Re:Apple is exposed to China operations by Anonymous Coward · · Score: 0

      You were trusting Apple before?

      Also, Chinese users are most affected since some networks there were man-in-the-middled with the bogus Google certs.

    5. Re:Apple is exposed to China operations by squiggleslash · · Score: 1

      Right on all counts. The question is not really why, it's what can we do about it? Boycotts or fixing our own devices are unlikely to work, given the problem is as much other people being fooled, and the externalities implied by that.

      --
      You are not alone. This is not normal. None of this is normal.
    6. Re:Apple is exposed to China operations by IamTheRealMike · · Score: 1

      Or just use Chrome. It does its own revocation stuff on top of the OS root stores. This only really affects users of Safari and Mail.app.

    7. Re:Apple is exposed to China operations by ProfessionalCookie · · Score: 1

      Or you could just stop trusting that cert. It's pretty easy, there's even a GUI.

    8. Re:Apple is exposed to China operations by mrchaotica · · Score: 1

      I'm not talking about no longer being able to trust Apple for yourself, I'm talking about no longer being able to trust Apple on behalf of everyone else. For example, I used to insist that my mostly-computer-illiterate parents use a Mac, because that would keep them safe. Now it will not. (And no, they're not competent to disable the cert themselves.)

      Similarly, it is now flat-out unethical to recommend using an Apple computer to anyone, because it is proven that Apple prioritizes the well-being of Chinese hackers over that of their users.

      --
      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
  7. Follow the money by JoeyRox · · Score: 5, Insightful

    China's vociferous response to Google removing CNNIC's root certificate authority is the reason Apple is not taking action. Apple is a very principled company until those principles start costing them money.

    1. Re:Follow the money by Anonymous Coward · · Score: 3, Informative

      And, it only takes 3 clicks in Keychain Access to revoke trust in the key. The cost for users is pretty low, if users knew enough to make a difference.

    2. Re:Follow the money by fustakrakich · · Score: 1

      Google also, if they had more business in China, the CNNIC's root certificate authority would remain. Nobody gets that big on 'principle'.

      --
      “He’s not deformed, he’s just drunk!”
    3. Re:Follow the money by DarkOx · · Score: 1

      Pretty much what I said a week ago and got modded into oblivion for it. Google already has/had a somewhat antagonistic relationship with parts of the Chinese government and they don't get the revenue from there they get elsewhere and are unlikely to do so in the near future.

      Which is the problem with the CA system: Too Big to Fail CAs now exist. What if this was Verisign/GeoTrust/Thawte etc caught doing something like this? Think any of the major browser or OS vendors would even consider revocation of their roots? I don't.

      So there is no real remedy for misbehavior now.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    4. Re:Follow the money by fustakrakich · · Score: 1

      The entire CA system is a fraud, snake oil, provides a false sense of security, etc, driven and manipulated by big money.

      You are right. There is no remedy, aside from user awareness. In the meantime my 'remedy' is to image a clean system for restoration purposes. As far as the spying aspect is concerned, there's little that can be done while we are hooked up to the company wire. With the internet there can be no trust. It just can't happen.

      --
      “He’s not deformed, he’s just drunk!”
  8. can I remove it myself? by Anonymous Coward · · Score: 1

    Anyone know if I can remove the CA myself?

    1. Re:can I remove it myself? by nullchar · · Score: 1

      Yes, you should remove the CNNIC CA cert (and many others) if you have admin/root over the devices you control. If not, choose a browser that maintains its own CAs.

    2. Re:can I remove it myself? by Anonymous Coward · · Score: 0

      Yes

  9. "Unusually harsh" by Anonymous Coward · · Score: 2, Interesting

    TFA calls it "an unusually severe punishment by both Google and Mozilla." Presumably there are many, many people relying on perfectly valid CNNIC certificates and typically the actions of one rogue intermediate CA don't require burning things to the ground (of course if it happens again, then you can no longer call it a mistake). TFA also notes in the very last line Microsoft didn't pull CNNIC either, but the headline and 99% of the article makes no mention of that.

    1. Re:"Unusually harsh" by Anonymous Coward · · Score: 1

      The CA infrastructure is based on trust. This trust is broken for/by the particular CA. The current CA implementation in browsers is an all-or-nothing implementation; keeping it makes all SSL connections suspect.

      BTW All CAs should be removed and replaced with something else as soon as DNSSEC is going places (e.g. DANE: http://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities)

    2. Re:"Unusually harsh" by Cajun+Hell · · Score: 1

      The fact that they use the word "punishment" shows lack of understanding about what happened and is happening.

      If you lie to me and get caught, and then I punch you in the nose, that's a punishment. But if you lie to me and get caught, and then after that I don't believe you whenever you tell me things, that's not punishment.

      If Google and Mozilla are being "harsh" then the only ways one can honestly describe it, is that they have a "harsh opinion" or a "harsh estimate" of CNNIC's trustworthiness.

      It's amusing to think that maybe some day this way of speaking will infect other areas. "That's sure a harsh calculation" or "this is a severe regex match" or "what a brutally spiteful and vindictive tree traversal."

      --
      "Believe me!" -- Donald Trump
  10. Apple is not providing security updates in general by Anonymous Coward · · Score: 0

    My Grandmother (she is 85) has an Intel based Core Duo Macbook and Apple has stopped providing security updates. Each time I visit her, I try and update the machine, and the only update available is a huge update for iTunes. Thanks Apple!

    When we bought the machine (new) I thought the macbook would be more usable for her than a Linux laptop. While it has been a good machine, being orphaned on security updates is bad form by Apple.

    Spending over a thousand bucks on a new Mac isn't going to happen.

  11. Google politicking? by Anonymous Coward · · Score: 0

    If you read the article, it seems like Google is politicking the issues, given that it is not CNNIC but an intermediary that is at fault. For once, Microsoft seems to have done the right thing.

    1. Re:Google politicking? by Coren22 · · Score: 2

      Except, the way SSL works, you have to remove the CA until the CA revokes the Intermediate CA's authority, or people are open to MITM attacks. Google did absolutely the correct thing, and MS and Apple are failing at security. There is no other right thing here. Once the intermediate is blocked, then you can say Google is in the wrong if they don't reinstate the CA's cert.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
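
The two points made above (any trusted root, or an intermediate under it, can sign for any hostname, and the client is only protected once that root leaves its trust store) as a runnable example. This is added code, not from any commenter on this page; the CA names are made up and "www.yoursite.com" is taken from the thread.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertPair is a certificate together with the private key that owns it.
type CertPair struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// issue signs tmpl with parent's key (self-signed when parent is nil); setup errors panic.
func issue(tmpl *x509.Certificate, parent *CertPair) *CertPair {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &CertPair{Cert: cert, Key: key}
}

// template builds a CA template, or a server-auth template for hostname cn.
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	if !isCA {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.DNSNames = []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// VerifyAgainst validates leaf for host as a TLS client would, trusting only
// the roots in store (an explicit pool, so the OS store is never consulted).
func VerifyAgainst(store *x509.CertPool, inter, leaf *x509.Certificate, host string) error {
	inters := x509.NewCertPool()
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: store, Intermediates: inters})
	return err
}

// IsUnknownAuthority reports whether err is the "no trusted root" failure.
func IsUnknownAuthority(err error) bool {
	_, ok := err.(x509.UnknownAuthorityError)
	return ok
}

// Demo builds a chain for www.yoursite.com under a root that had no business
// issuing it (X.509 ties no hostname to any CA), then verifies it against a
// store that still holds that root and against the same store with it removed.
func Demo() (withRoot, withoutRoot error) {
	offending := issue(template("Hypothetical Offending Root CA", 1, true), nil)
	unrelated := issue(template("Hypothetical Unrelated Root CA", 1, true), nil)
	inter := issue(template("Hypothetical Intermediate CA", 2, true), offending)
	leaf := issue(template("www.yoursite.com", 3, false), inter)
	full := x509.NewCertPool()
	full.AddCert(unrelated.Cert)
	full.AddCert(offending.Cert)
	pruned := x509.NewCertPool() // the same store after the offending root is deleted
	pruned.AddCert(unrelated.Cert)
	return VerifyAgainst(full, inter.Cert, leaf.Cert, "www.yoursite.com"),
		VerifyAgainst(pruned, inter.Cert, leaf.Cert, "www.yoursite.com")
}

func main() {
	withRoot, withoutRoot := Demo()
	fmt.Println("offending root trusted:", withRoot)    // <nil>: the MITM certificate is accepted silently
	fmt.Println("offending root removed:", withoutRoot) // x509: certificate signed by unknown authority
}
```

Revocation of the intermediate by the CA changes nothing here until clients actually see that revocation, which is why the thread's advice is to drop or distrust the root itself.
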
  12. ...and here I was, about to buy an Apple laptop... by FreeUser · · Score: 2, Insightful

    We are talking apple users here, not Linux users. All three Apple users who know these steps have probably already done so. The other several hundred million are fucked, and Apple has now publicly taken a stance that they plan to hang those millions out to dry.

    Ironically, I was going to buy an apple laptop for sheer convenience (and to run more recent versions of scrivener), but now I most certainly won't. Time to research good Linux laptop alternatives instead (ideally with high-end graphics capabilities that support blender's cycles module ... wonder how well Optimus is supported these days). Oh well, it will probably be cheaper anyway. Maybe I can treat myself to a 4k monitor with the money saved.

    --
    The Future of Human Evolution: Autonomy
  13. Apple doesn't want to piss off the Chinese by surfdaddy · · Score: 0

    They could have done the right thing here. Our entire vapourous internet security depends upon the root CA system. I'm glad Google and Mozilla have taken a hard stand.

  14. fanbois? by koan · · Score: 0

    OSX is now officially the most insecure, if for no other reason than the H1B fuck ups.

    --
    "If any question why we died, Tell them because our fathers lied."
  15. It's not too late! by FreeUser · · Score: 2

    My Grandmother (she is 85) has an Intel based Core Duo Macbook and Apple has stopped providing security updates [...] When we bought the machine (new) I thought the macbook would be more usable for her than a Linux laptop. While it has been a good machine, being orphaned on security updates is bad form by Apple.

    It's not too late:

    http://www.odi.ch/prog/macbook...
    http://www.codingepiphany.com/...

    --
    The Future of Human Evolution: Autonomy
    1. Re:It's not too late! by Anonymous Coward · · Score: 0

      Yeah, uh, my parents, who are great-grandparents, have been using Linux for the last 7+ years. No issues whatsoever. I mean they mostly just use a web browser and view/copy pictures. Linux is fine for this and much less security hassle.

  16. Re:...and here I was, about to buy an Apple laptop by Anonymous Coward · · Score: 0

    The Dell XPS 13 was released today.

    If Apple's recent stream of security failures has not convinced you to switch to Linux or BSD, you are basically hopeless.

  17. Re:Apple is not providing security updates in gene by Anonymous Coward · · Score: 0

    Intel Core Duo Macbooks were ONLY sold from early 2006 to late 2006; after that they went to Core 2 Duo.

    If she has a Core 2 Duo Macbook, then she can upgrade to Lion, which had security updates at least through end of 2014.

    Your dear auld gramma has a 9 year old computer, and should probably think about buying something new. She's had 9 years to save up since she bought that "new" macbook.

  18. So. by Sir_Real · · Score: 1, Interesting

    How do I remove this CA from my macbook?

    1. Re:So. by Somebody+Is+Using+My · · Score: 1

      Or from Windows, for that matter.

      (At least Firefox makes it easy to remove. Unfortunately, it comes right back with the next update)

    2. Re:So. by Culture20 · · Score: 1

      How do I remove this CA from my macbook?

      You can remove the Macbook from California, but you can never remove the California from the Macbook.

  19. Removing the CNNIC ROOT on OSX by Anonymous Coward · · Score: 1, Informative

    sudo security find-certificate -a -Z -c "CNNIC ROOT" /System/Library/Keychains/SystemRootCertificates.keychain | grep SHA-1
    sudo security delete-certificate -t -Z 8BAF4C9B1DF02A92F7DA128EB91BACF498604B6F /System/Library/Keychains/SystemRootCertificates.keychain

    1. Re:Removing the CNNIC ROOT on OSX by vanyel · · Score: 2

      They apparently *really* don't want me to get rid of it:

      + grep SHA-1
      + security find-certificate -a -Z -c 'CNNIC ROOT' /System/Library/Keychains/SystemRootCertificates.keychain
      SHA-1 hash: 8BAF4C9B1DF02A92F7DA128EB91BACF498604B6F
      + security delete-certificate -t -Z 8BAF4C9B1DF02A92F7DA128EB91BACF498604B6F /System/Library/Keychains/SystemRootCertificates.keychain
      security: SecTrustSettingsRemoveTrustSettings (user): No Trust Settings were found.
      + security delete-certificate -t -c 'CNNIC ROOT' /System/Library/Keychains/SystemRootCertificates.keychain
      x: line 5: 92884 Segmentation fault security delete-certificate -t -c "CNNIC ROOT" /System/Library/Keychains/SystemRootCertificates.keychain

    2. Re:Removing the CNNIC ROOT on OSX by Anonymous Coward · · Score: 0

      China builds the Apple computers.
      They own them from the start.
      They only lease them to Apple
      Apple subleases them to you.

      Lease, leash -- one letter difference.

      All this electronic stuff is basically ankle bracelets to track everything you do and keep you in line.

    3. Re:Removing the CNNIC ROOT on OSX by Anonymous Coward · · Score: 0

      That worked for me, no error message.

      Looking in Keychain following the better instructions later in the thread, no evidence of CNNIC at all. Guess it was deleted as intended.

      The "China ..." one was still there so I mistrusted that one.

    4. Re:Removing the CNNIC ROOT on OSX by Whiney+Mac+Fanboy · · Score: 0

      sudo security find-certificate -a -Z -c "CNNIC ROOT" /System/Library/Keychains/SystemRootCertificates.keychain | grep SHA-1
      sudo security delete-certificate -t -Z 8BAF4C9B1DF02A92F7DA128EB91BACF498604B6F /System/Library/Keychains/SystemRootCertificates.keychain

      Until Apple work out a way of avoiding the command line like this, they won't be ready for the masses.

      --
      There are shills on slashdot. Apparently, I'm one of them.
  20. Re:...and here I was, about to buy an Apple laptop by Pliny · · Score: 1

    When I was looking at trying to get back into creative writing, I looked at Scrivener. It's a nice app, but I already had online services I liked for notes and research, mainly Evernote and Trello, and it didn't seem to have good options for integrating with them.

    Turns out, Emacs does all that stuff. All it costs is your sanity and an assload of time to learn.

    Also, Optimus is kinda-sorta okay. There's a utility called Bumblebee that handles turning the Nvidia chip on and off, and you basically end up running a second X session on the Nvidia with the output piped into the normal session. It's done by launching any app you want to be on the GPU with a wrapper app like Optirun.

    --
    What does this button d$#%* NO CARRIER
  21. Re:Apple is not providing security updates in gene by Anonymous Coward · · Score: 0

    Or install Linux/BSD on it. It's not like you can't.

  22. Re:Apple is not providing security updates in gene by Anonymous Coward · · Score: 0

    My Grandmother (she is 85) has an Intel based Core Duo Macbook and Apple has stopped providing security updates. Each time I visit her, I try and update the machine, and the only update available is a huge update for iTunes. Thanks Apple!

    When we bought the machine (new) I thought the macbook would be more usable for her than a Linux laptop. While it has been a good machine, being orphaned on security updates is bad form by Apple.

    Spending over a thousand bucks on a new Mac isn't going to happen.

    So, the issue with the model of the Macbook you are referring to with a Core Duo (a chip that came out circa 2005) is that it is a 32 bit only CPU and the graphics chipset is too old to support any kind of hardware acceleration that the OS requires.
    This model had security updates until mid last year, when the hardware was over 8 years old. Any mac built in 2009 or later (6 years old) can upgrade to Yosemite for free. In fact, my iMac produced in 2007 runs Yosemite.
    I think that having a 9 year old piece of hardware that still runs well is pretty good. I think you would be in the same boat with about any laptop that has a Core Duo CPU and Intel GMA945 or GMA950 graphics to run the latest and greatest OSes.

  23. Removing this CA from your macbook by nicolaiplum · · Score: 5, Informative

    Open Keychain Access, find the System Roots keychain (left side), look for "China Internet Network Information Centre EV Certificates Root" on the right side, double-click on that. In the window this opens, expand the "Trust" arrow and change "When using this certificate" to "Never Trust".
    Do the same for the "CNNIC Root" certificate.

    --
    "For a successful technology, reality must take precedence over public relations, for Nature cannot be fooled"
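    The same change from the command line, as an added example that is not part of nicolaiplum's post: it uses macOS's security(1) to export the matching system roots, splits the PEM bundle, and marks each one "Never Trust" (trust result "deny"). Assumed: OS X with security(1) and openssl(1) available, and sudo for the admin-domain (-d) setting; the name patterns, file names and the --apply switch are this example's own.

    ```shell
    #!/bin/sh
    # Added example (not from the thread): command-line equivalent of the
    # Keychain Access steps above, using macOS/OS X's security(1).
    # It exports every system root whose name matches a pattern, splits the
    # resulting PEM bundle, and marks each certificate "Never Trust" (-r deny).
    # Assumptions: OS X with security(1) and openssl(1); -d writes the admin
    # trust domain, so run it with sudo. Without -d the setting is per-user,
    # which is what Keychain Access does when you pick "Never Trust".
    # The name patterns and temp file names below are this example's own.

    SYSTEM_ROOTS="/System/Library/Keychains/SystemRootCertificates.keychain"

    # split_pem BUNDLE OUTDIR
    # Write each certificate of a PEM bundle to OUTDIR/certN.pem and print the
    # number written. Plain awk, so this part runs on any POSIX system.
    split_pem() {
        awk -v dir="$2" '
            /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert" n ".pem" }
            f != ""                       { print > f }
            /-----END CERTIFICATE-----/   { close(f); f = "" }
            END                           { print n + 0 }
        ' "$1"
    }

    # distrust_roots PATTERN...
    # For each PATTERN, export the matching system roots (-c is a substring
    # match on the certificate name), then set an explicit "deny" trust result
    # for each one. The subject and SHA-1 fingerprint are printed first so you
    # can compare what is being distrusted with the cert shown in Keychain Access.
    distrust_roots() {
        tmp=$(mktemp -d) || return 1
        i=0
        for pat in "$@"; do
            i=$((i + 1))
            bundle="$tmp/bundle$i.pem"
            outdir="$tmp/split$i"
            mkdir "$outdir"
            security find-certificate -a -c "$pat" -p "$SYSTEM_ROOTS" > "$bundle"
            count=$(split_pem "$bundle" "$outdir")
            if [ "$count" -eq 0 ]; then
                echo "no system root matches '$pat'" >&2
                continue
            fi
            for cert in "$outdir"/cert*.pem; do
                openssl x509 -in "$cert" -noout -subject -fingerprint -sha1
                security add-trusted-cert -d -r deny "$cert"
            done
        done
        rm -rf "$tmp"
        # Verify: the admin trust settings should now list the certs as denied.
        security dump-trust-settings -d
    }

    # Only touch trust settings when explicitly asked, so the script can be
    # sourced or read without side effects.
    if [ "${1:-}" = "--apply" ]; then
        # "CNNIC" matches "CNNIC ROOT"; the EV root's name does not contain that
        # string, so it needs its own pattern.
        distrust_roots "CNNIC" "China Internet Network Information"
    fi
    ```

    Run it as `sudo sh distrust-cnnic.sh --apply`; `security remove-trusted-cert -d cert.pem` on the exported certificate undoes the setting. Like the Keychain Access method, this only affects software that consults the system trust store (Safari among them); Firefox carries its own certificate store and is not changed by it.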
    1. Re:Removing this CA from your macbook by Anonymous Coward · · Score: 0

      Why does Apple get to decide what certs are trusted or untrusted? They should send out a security notice advising customers about the situation and then let individuals deal with it from there. Also, all certs should be shipped as "untrusted" so that the user can selectively enable what he wants to be trusted.

    2. Re:Removing this CA from your macbook by chihowa · · Score: 1

      Why does Apple get to decide what certs are trusted or untrusted? They should send out a security notice advising customers about the situation and then let individuals deal with it from there. Also, all certs should be shipped as "untrusted" so that the user can selectively enable what he wants to be trusted.

      Have you looked at the root CA list in any of the major browsers/OSs? Why are we required to implicitly trust every single one of these entities to sign anything they want? If those lists illustrate how broken the CA system is, I don't know what will.

      --
      If you want a vision of the future, imagine a youtube comments section scrolling - forever.
    3. Re:Removing this CA from your macbook by Anonymous Coward · · Score: 0

      Thank you! to nicolaiplum

      (I had to search for Keychain, and found that it is an app found in the APPLICATIONS folder / UTILITIES folder.)

      One of the biggest problems that I have following what is being said here on /. is the fact that many submitters assume that all readers understand what is being talked about (or don't care if that is true, especially if they are talking exclusively to a peer audience).

      I've been using computers since Tandy machines; I'm a computer (digital) artist, and work across PC and (mostly) Mac platforms. I have a small home network with several computers, and several printers (b/w laser, color laser, desktop inkjet, and a wide-format HP to print my artwork). In my day job I'm a biomedical technician repairing medical equipment, mechanical and electronic/electrical. But I am at a total loss to understand anything beyond extremely basic networking, and such things as CAs and such. So even though I am computer literate and technically capable, the breadth of my technical understanding has its limits (as does everyone else's). I wish to thank any and all technical people who will take the few extra seconds to more clearly explain to me what is easy and second-nature to yourselves.

  24. Re:It's true! by Coren22 · · Score: 2

    Are you sure? Have you performed a double-blind study to determine that it performs better than placebo, and how much better, to determine that it is the best?

    --
    APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
  25. Not for long... new exploit is out by BenJeremy · · Score: 2

    Apple will surely be updating shortly to close the loophole that has people installing PopcornTime on their iPhones...

    Link

    I'm surprised this isn't bigger news.

  26. Re:...and here I was, about to buy an Apple laptop by supercrisp · · Score: 1

    I'm on the fence as to whether my next laptop will be a Macbook. I'm not up on messing with security certificates. It took me about 10 seconds to get from Anonymous Coward's tip to a blocked CNNIC certificate. I think that it's within the scope of regular users. My cousin just did it, and she runs a modeling agency and was trained in, well, modeling. Macs do have a pretty easy interface. Say what you will, but that allowed me to do my little thing and get back to wasting time on the internet instead of grading papers.

  27. Re:...and here I was, about to buy an Apple laptop by FreeUser · · Score: 1

    If Apple's recent stream of security failures has not convinced you to switch to Linux or BSD, you are basically hopeless.

    Oh, I've been running Linux for years and years. I was going to dual-boot an apple laptop with osx+linux, but now I have no interest in having osx any more than I do windows. I'll take a look at the new dell.

    --
    The Future of Human Evolution: Autonomy
  28. Re:...and here I was, about to buy an Apple laptop by FreeUser · · Score: 1

    Nice, thanks for the info. Nvidia would be nice, as I want to run blender. Is there a good comparison site for various laptops with high-end graphics and CPUs you know of? I've been poking around online for a while, but determining what the best supported higher-end laptops are for Linux is far from easy.

    --
    The Future of Human Evolution: Autonomy
  29. remember DigiNotar by Anonymous Coward · · Score: 0

    Something similar happened to DigiNotar in 2011. They did not have any big brother protecting them, so they went bust in 1 week.
    The only thing to do is to go public with the problem and issue new certificates back to the level above the fake cert.

    We just had to renew our root CA, which meant all customers had to get new certificates installed before the expiry date.
    This has been a year-long process, and we bugged all customers by letter and email and probed their public sites until they had changed it.
    The process itself is just running one executable containing the script with correct permissions on the server.

  30. Re:...and here I was, about to buy an Apple laptop by tlhIngan · · Score: 1

    All three Apple users who know these steps have probably already done so. The other several hundred million are fucked, and Apple has now publicly taken a stance that they plan to hang those millions out to dry.

    Yeah. Because it's SOOO hard to use Firefox, or Chrome, instead of Safari.

    That's really how you do it - if it means that much to you, then you can always use browsers that do not use the OS X security store.

    Like Chrome and Firefox. They run great on OS X.

    Of course, a big problem is that Apple sells a lot of product in China, so CNNIC is pretty much required otherwise no Chinese user will be able to do anything.

    I mean, what about Android? Is CNNIC going to be removed from it?

  31. Re:Apple is not providing security updates in gene by harryjohnston · · Score: 1

    Meantime, I can run a supported version of Windows on PCs, even laptops, that are 10+ years old. (If I need to, I mean. Linux would be my first choice for performance reasons.)

    But if you're rich enough to buy a Mac in the first place, you should be able to afford to replace it every few years, IMO.

  32. Contract details? by harryjohnston · · Score: 1

    IIRC, when Google announced that they were removing the certificate, they referred to specific terms in CNNIC's contract with them that had been violated. Not sure about Mozilla.

    Does CNNIC have similar contracts with Apple and Microsoft? Do they have similar terms? It occurs to me that they might not be as rigorous, because they might have been drafted several years earlier than Google's one - seeing as Chrome is a relative newcomer.

  33. Forcing Apple users to distrust google by Cafe+Alpha · · Score: 0

    ... evil as possible. There are fake certs for Google, and Apple refuses to protect their users against them. That's pretty much the internet company version of sending machetes to ISIS.

  34. Microsoft kept the root, but blocked the known by Cafe+Alpha · · Score: 1

    fake certs from them. Did Apple do even that?

  35. I am Chinese and I dont trust CNNIC by Anonymous Coward · · Score: 0

    I am Chinese and I am happy to see they removed CNNIC certs. If Apple doesn't do this, I won't buy Apple's products any more.

  36. Never trust a chinese. by moneybabylon · · Score: 0

    Never trust a Chinese. I should know. I am a Chinese myself.

  37. Can I remove them from Safari by crbowman · · Score: 1

    Is there a way for individual users to remove certs from these browsers without waiting for vendors to do so?

  38. Re:Apple is not providing security updates in gene by Anonymous Coward · · Score: 0

    So if it’s a MacBook, not a MacBook Pro, and a Core Duo, not a Core 2 Duo, your complaint is about a machine that last shipped in 2006. Come on. 9 years ago? She was barely 76 when that machine was new.