diginotar

Latest

  • Daily Update for Sept. 9, 2011

    by Megan Lavey-Heaton
    09.09.2011

    It's the TUAW Daily Update, your source for Apple news in a convenient audio format. You'll get all the top Apple stories of the day in three to five minutes, which is perfect for a quick review of what's happening in the Apple world. You can listen to today's Apple stories via the inline player (requires Flash) or the non-Flash link, and subscribe to the podcast through iTunes.

  • Apple security update addresses DigiNotar certificates

    by Megan Lavey-Heaton
    09.09.2011

    Apple has rolled out Security Update 2011-005 (Lion) and Security Update 2011-005 (Snow Leopard), which address the certificate trust policy regarding DigiNotar certificates. The update removes DigiNotar from the list of trusted root certificates and from the list of Extended Validation certificate authorities, and configures the default system trust settings so that DigiNotar certificates -- those issued by DigiNotar itself and by other authorities -- are not trusted. The downloads are available through Apple's support site and via Software Update.

  • How to get rid of DigiNotar digital certificates from OS X (Updated)

    by Megan Lavey-Heaton
    09.01.2011

    Update 2: After a conversation with Seth Bromberger we have some new details. First, the reason you're unable to replicate this issue is that DigiNotar appears to have re-issued certificates. You can see Seth's screencast showing the issue here (you may need to go fullscreen to see the text). Further, DigiNotar appears to have chained their certificates to the Dutch government; we're not sure why.

    But there's a larger problem here, and it involves how Keychain and Safari work to try to protect you from unsafe sites -- those signed by bad authorities. Essentially, the way this works in every other browser is that if you take any certificate in Keychain and mark it "Never Trust," you will get a warning when visiting a site signed with that CA. In Safari, this doesn't happen. Instead, you must delete the certificate entirely. We're not sure why this is so, but Apple has apparently known about this for a while and done nothing to change what would seem like an obvious method for protecting users. We're working on this story; stay tuned for a separate post. - Victor

    After DigiNotar's servers were hacked last month and began issuing false digital certificates, some Mac users claimed that, despite changing their security settings, sites from DigiNotar were still seen as trusted. IDG News Service (via Computerworld) cited Seth Bromberger, who said that after he removed revoked DigiNotar certificates from Keychain he was still able to access material that should have been marked as untrusted. In other words, setting the certificates to "Never Trust" seemingly had no effect from Safari's viewpoint. However, before panicking about unsafe digital certificates, the folks over at io101.org posted a how-to on getting the DigiNotar certificates off your Mac.

    Update 3: According to Mr. Bromberger (who is actually a security specialist), now that DigiNotar has re-issued their certificates, the link Megan has below will not work as intended. As he says, "this may have worked before DigiNotar reissued their certs, but now, that link WILL give you the warning she mentions regardless of whether you've deleted the certs or not. This will lead unsuspecting users to conclude that they've successfully mitigated the problem, when they haven't. The reason this happens is because the link in the post gives you a different warning - it's a hostname mismatch as opposed to a "certificate not found/trusted" (or whatever the actual warning is). Only if you click "View certificate" will you see the difference."

    First, test to see if your browser has DigiNotar SSL access by clicking this link. If there are no DigiNotar certificates on your Mac, you will get the following warning. However, if you don't get a warning, then do the following:

    1. Open Keychain Access.
    2. Search for DigiNotar.
    3. Delete the certificate entirely, or double-click it to bring up its options and change the trust setting to "Never Trust."
    4. Restart Safari.
    5. Check the above link again to see if the certificate was blocked.

    So, what about Bromberger's concerns? I replicated the steps above by first deleting the DigiNotar certificate entirely, then distrusting it. Both times, I received warnings from Safari that I was accessing an insecure site. However, the key here is to restart Safari once the certificate changes are made. When I made the fixes without restarting Safari, I was still granted access to the site. If you're able to replicate Bromberger's issues, we're interested in hearing from you in the comments.

    Update: Rachel's provided a couple of other test links for the certificate, which io101 did as well. Thanks, Rachel!