Apple Criticized For Not Blocking Stolen Certs

CWmike writes "A security researcher is criticizing Apple for lagging with its response to the DigiNotar certificate fiasco. He is urging the company to quickly update Mac OS X to protect users. 'We're looking at some very serious issues [about trust on the Web] and it doesn't help matters when Apple is dragging its feet,' said Paul Henry, a security and forensics analyst with Lumension. Unlike Microsoft, which updated Windows on Tuesday to block all SSL certificates issued by DigiNotar, Apple has not updated Mac OS X to do the same. Meanwhile, even Mac OS X users who want to go DIY are stymied, reports Bob McMillan, because the OS can't properly revoke dodgy digital certificates."

Re:Not just Apple...

[Golthar]

At the request of the Dutch government, Microsoft is delaying the update in the Netherlands (home of DigiNotar) until next week, to avoid confusion (and to buy the government more time to roll out new certs).

I feel much safer now, knowing our government has the power to stop Microsoft from rolling out security updates in a country.

I'm in the Netherlands and I got the patch just fine.
Must be because I use the English version of Windows

Re:Certificate revocation

[slimjim8094]

Certificates can be revoked by putting them on the certificate revocation list [wikipedia.org]. The OCSP [wikipedia.org] protocol is analogous. Here, try it yourself: http://validation.diginotar.nl/ [diginotar.nl] - get an OCSP client (IE7+, FF3+, Chrome, etc do it automatically) and try to authenticate any of the fraudulent certificates.

Somebody getting a hold of the private keys for the CA itself is a bigger problem - keys can be signed by the attacker faster than they can be revoked. I haven't heard that that's the case - just that fraudulent certs were made, presumably through the same semi-automated process that everybody else uses.

I don't know if there's a way to revoke a CA cert (that is, *all* certificates signed by a certificate). But that doesn't seem to be required here, so the standard revocation procedure works.

Re:Not just Apple...

[Tomato42]

The only thing that might prevent this, is hoping the revocation list of diginotar is complete

> implying browsers actually check CRL or OCSP responses

HA HA, good one. Only Opera checks OCSP and won't show you that the site is "secure" when it can't contact the OCSP server. Firefox can be defeated by putting "3" in the OCSP response (come on, we're talking about full scale MITM, adding OCSP to atack, which also uses HTTP is trivial). IE even when gets a OCSP failure or can't connect to OCSP at all will still show green bar...
If you're using regular certificates Firefox and IE don't even check for OCSP...

Re:Not just Apple...

[dingen]

The Fox-IT audit did not find any evidence of fraudulent certificates under this root, so there no clear and present danger for these certificates.

That is old information. The Dutch government only asked Mozilla to not block their root while the Fox-IT audit was still in progress. But by the time it was finished, it could not be proven the Staat Der Nederlanden CA was clean, so they then gave up on DigiNotar entirely and gave Mozilla the OK to block everything.

Idiots, certs are easy to disable in OSX

[BitZtream]

reports Bob McMillan, because the OS can't properly revoke dodgy digital certificates."

Really? Cause I just set the trust to 'Never' in Keychain Access and it works just fine.

If you don't know how to do something, you shouldn't talk out your ass.

• Open Keychain Access from Applications/Utilities
• Click on System Roots keychain
• Click on Certificates category to filter down to only certs
• Double click on DigiNortor certificate.
• Expand 'Trust' drop down
• The first option is: 'When using this certificate:' change that option to 'NEVER'
• Close Keychain Access and rest assured knowing the blogger who wrote this article is a fucking douche using slashdot for slashvertising and talking out his ass without a clue

Re:Idiots, certs are easy to disable in OSX

[Anonymous Coward]

FTFA:

Ryan Sleevi, a software developer who has contributed to Google's Chrome project, noticed the issue too. After poking around the Mac OS X source code, though, he uncovered the cause.

Users can revoke a certificate using Keychain, but if they happen to visit a site that uses the more-secure Extended Validation Certificates, the Mac will accept the EV certificate even if it's been issued by a certificate authority marked as untrusted in Keychain.

Re:Idiots, certs are easy to disable in OSX

[forand]

This works fine as long as you don't visit an EV site. You must delete the cert, and make changes to your system on OS X. This is not an easy fix for most people. Please find more info here [arstechnica.com]

Re:Yup.

[Anonymous Coward]

You should probably learn to read the article before mouthing off, as what you describe is specifically stated as not necessarily working:

Users can revoke a certificate using Keychain, but if they happen to visit a site that uses the more-secure Extended Validation Certificates, the Mac will accept the EV certificate even if it's been issued by a certificate authority marked as untrusted in Keychain.

"When Apple thinks you're looking at an EV Cert, they check things differently," Sleevi said in an interview Wednesday. "They override some of your settings and completely disregard them."