Update 2: After a conversation with Seth Bromberger we have some new details. First, the reason you're unable to replicate this issue is that DigiNotar appears to have re-issued its certificates. You can see Seth's screencast showing the issue here (you may need to go fullscreen to see the text). Further, DigiNotar appears to have chained its certificates to the Dutch government; we're not sure why.
But there's a larger problem here, and it involves how Keychain and Safari work together to protect you from unsafe sites -- those whose certificates were signed by bad authorities. In every other browser, if you take any certificate in Keychain and mark it "Never Trust", you will get a warning when visiting a site whose certificate chains to that CA. In Safari, this doesn't happen. Instead, you must delete the certificate entirely. We're not sure why this is so, but Apple has apparently known about it for a while and done nothing to change what would seem like an obvious method for protecting users.
We're working on this story; stay tuned for a separate post. - Victor
After DigiNotar's servers were hacked last month and fraudulent digital certificates were issued from them, some Mac users reported that, despite changing their security settings, sites using DigiNotar certificates were still treated as trusted.
IDG News Service (via Computerworld) cited Seth Bromberger, who said that after he removed revoked DigiNotar certificates from Keychain he was still able to access material that should have been marked as untrusted. In other words, setting the certificates to "Never Trust" seemingly had no effect from Safari's viewpoint.
However, before you panic about unsafe digital certificates: the folks over at io101.org have posted a how-to on getting the DigiNotar certificates off your Mac.
Update 3: According to Mr. Bromberger (who is actually a security specialist), now that DigiNotar has re-issued its certificates, the link Megan has below will not work as intended. As he says,
"this may have worked before DigiNotar reissued their certs, but now, that link WILL give you the warning she mentions regardless of whether you've deleted the certs or not. This will lead unsuspecting users to conclude that they've successfully mitigated the problem, when they haven't.
The reason this happens is because the link in the post gives you a different warning - it's a hostname mismatch as opposed to a "certificate not found/trusted" (or whatever the actual warning is). Only if you click "View certificate" will you see the difference."
First, test whether your browser still trusts DigiNotar's SSL certificates by clicking this link. If there are no trusted DigiNotar certificates on your Mac, you will get the following:
However, if you don't get a warning, then do the following:
- Open Keychain Access
- Search for DigiNotar
- Delete the certificate entirely, or double-click it to open its trust options and change the trust setting to "Never Trust"
- Restart Safari
- Check the above link again to see if the certificate was blocked.
So, what about Bromberger's concerns? I replicated the steps above by first deleting the DigiNotar certificate entirely, then distrusting it. Both times, I received warnings from Safari that I was accessing an insecure site.
However, the key here is to restart Safari once the certificate changes are made. When I made the fixes without restarting Safari, I was still granted access to the site.
If you're able to replicate Bromberger's issues, we're interested in hearing from you in the comments.
Update: Rachel has provided a couple of other test links for the certificate, as io101 did as well. Thanks, Rachel!