Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
Safari Security The Internet Apple

Apple Finally Removes DigiNotar Certs In Safari 149

Trailrunner7 writes "Apple has finally released a fix for the certificate trust issue caused by the attack on DigiNotar, more than a week after the fraudulent certificates were identified and other browser vendors moved to revoke trust in them. While Microsoft, Mozilla and Google had been communicating with users about the issue and pushing out new versions and updates to eliminate the compromised certificate authorities from their browsers, Apple had been mum about the attack and hadn't given any indication of when it might issue an update for Safari. On Friday the company published a security advisory for Mac OS X users, saying that it was removing DigiNotar's certificates from its trust list."
This discussion has been archived. No new comments can be posted.

Apple Finally Removes DigiNotar Certs In Safari

Comments Filter:
  • by DoctorNathaniel ( 459436 ) <nathaniel.tagg@g[ ]l.com ['mai' in gap]> on Friday September 09, 2011 @04:40PM (#37356778) Homepage

    So, it took them 1 week to come out with an update to patch their browser? That doesn't seem an egregious delay to me. I haven't yet patched any of my other browsers yet. I'd be surprised if most users patch within the week of bugfix releases anyway.

    And if I understand it, this "security hole" is basically that you won't get bad-certificate warnings if you visit certain fraudulent sites... which isn't likely to happen unless you're clicking links in phishing emails.

    This hyperbole about apple being slow seems like hot air to me.

    • by CharlyFoxtrot ( 1607527 ) on Friday September 09, 2011 @04:47PM (#37356870)

      Also the summary praises Google for their quick reaction but Android is still vulnerable, as is iOS BTW. You'd think that'd rate a mention at least.

      • Android is still vulnerable, as is iOS BTW.

        Once again, stock iOS is vulnerable, whereas jailbroken ones can have iSSLFix [github.com] installed on them. In addition to patching an extremely boneheaded certificate vulnerability [recurity-labs.com] and providing cert blacklists for iOS devices that have not received new firmware, the DigiNotar CA was blacklisted via a patch almost a week ago.

        Anyone with a jailbroken iOS device that doesn't have the patch should download and install it. You can simply search for it in Cydia.

        • Anyone with a jailbroken iOS device that doesn't have the patch should download and install it. You can simply search for it in Cydia.

          Cool, I'll do that.

        • by DarkOx ( 621550 )

          How good an idea is for people to installing lists of CAs form some site on the internet? Sure they might take DigiNotar out but who did they put in? For SSL to authenticate reliably and securely it has to be managed by the end user carefully, and that requires understanding.

          • by RulerOf ( 975607 )

            How good an idea is for people to installing lists of CAs form some site on the internet? Sure they might take DigiNotar out but who did they put in? For SSL to authenticate reliably and securely it has to be managed by the end user carefully, and that requires understanding.

            It's open source. Granted, I believe what the patch notes are saying, but if you really, really want to, audit the source and compile it yourself :P

        • So you trust a bunch of known criminals over legitimate businesses for your security needs ...

          You sir aren't real bright, even if it does appear to work out in your favor this time, this is a really stupid idea.

          • by RulerOf ( 975607 )

            So you trust a bunch of known criminals over legitimate businesses for your security needs ...

            You sir aren't real bright, even if it does appear to work out in your favor this time, this is a really stupid idea.

            I'm going to assume that was a joke.

            If it wasn't, I'd like to point out that iSSLFix is free and open source, and I highly doubt that everyone who works on or with jailbroken iOS software, including the owner of Cydia, Jay Freeman, would endorse it in that case.

    • by HTH NE1 ( 675604 )

      Shouldn't the iOS version of Safari need a patch too?

    • This is actually a valid Apple-bash. The invalid certs were issued as signed root CAs, which means the holder of then could create a SSL cert for Bank Of America that appears completely valid with no errors from the browser and no errors when you check the chain of trust. Its essentially a T-2000 doppelganger that you can't detect until it changes its hand into a marlinspike and stabs you. The only folks likely to detect it, without the certificate revocation, are the same security certificate chain savvy t

      • by UnknowingFool ( 672806 ) on Friday September 09, 2011 @05:50PM (#37357546)
        The problem isn't that there isn't a mechanism to revoke certs in OS X. It exists in KeyChain. The problem was that the implementation was flawed as it could be overriden. So when it was pointed out to Apple, they fixed it in a week's time. Would you rather Apple quickly release a patch that didn't work?
    • by v1 ( 525388 ) on Friday September 09, 2011 @04:57PM (#37356990) Homepage Journal

      So, it took them 1 week to come out with an update to patch their browser?

      They didn't patch their browser. That's not the way to fix the problem. The certificates Safari trusts are in the system keychain. Security Update 2011-005 [apple.com] addresses the problem.

      Certificate Trust Policy

      Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.1, Lion Server v10.7.1

      Impact: An attacker with a privileged network position may intercept user credentials or other sensitive information

      Description: Fraudulent certificates were issued by multiple certificate authorities operated by DigiNotar. This issue is addressed by removing DigiNotar from the list of trusted root certificates, from the list of Extended Validation (EV) certificate authorities, and by configuring default system trust settings so that DigiNotar's certificates, including those issued by other authorities, are not trusted.

      So (1) it pulls DigiNotar from the chain of trust, and (2) sends all browsers (and email apps, and anything else that cares to validate certs) accurate information for EV certificates that chain off an untrusted root. Patching the browser shouldn't be necessary and wouldn't address the actual problem, although considering it took Apple an unusually long time to get this update out the door, I can see why some other browser vendors hardcoded out DigiNotar.

      But for Apple this wasn't merely a matter of pulling a cert, they also had to fix a bug. Rushing a security bug fix out the door without testing it is arguably a worse security respopnse than taking a few days longer to test before pushing. (it's not like it took months like a few other big names I could toss in the ring to ignite a flame war)

      • by BZ ( 40346 )

        > (2) sends all browsers (and email apps

        Only the ones that use the OS certificate store as their trust store.

        For browsers, that happens to be "Safari", out of the commonly-used ones. Firefox uses its own certificate store, as do Chrome and Opera, and don't rely on the one in the OS itself.

      • by yuhong ( 1378501 )

        The same is true of IE on Windows too BTW, which uses the system SChannel and thus the system cert store.

    • As much as I love Apple products I got to admit, this tiny week delay may be more significant than apple fans would like to think.

      Early today I got my first ever virus infection (in my Windows machine) while running Safari. Not sure if its related, but I'm guessing it is. For the first time I got to give a tip of the hat to Microsoft, Security Essentials caught the virus infection immediately and got rid of it. Good thing it was a well known trojan and not a new unknown virus... then again if that was the c

      • by BitZtream ( 692029 ) on Sunday September 11, 2011 @10:03AM (#37367814)

        You got a virus because you downloaded something from somewhere you shouldn't have.

        Unless you downloaded something from a SSL site, also had your DNS and your upstream DNS compromised to direct you to a fake SSL download site, and then actually downloaded something via SSL with a stolen cert ... then well theres no way this had anything to do with it.

        You got a virus because you did something stupid, not because someone else did.

        You got a virus for the same reason every windows user gets a virus, STOP CLICKING ON RANDOM LINKS FROM EMAIL ADDRESSES YOU'VE NEVER SEEN. THERE IS NO PACKAGE WAITING ON YOUR FROM DHL OR REPORT FOR YOU TO REVIEW IN ORDER TO GET YOUR MILLIONS.

    • I haven't yet patched any of my other browsers yet

      And if I understand it, this "security hole" is basically that you won't get bad-certificate warnings if you visit certain fraudulent sites.

      You might want to check a site like slashdot, maybe there is an article on the problem? Could be something else than what you guessed without checking.

    • by MrJones ( 4691 )

      A whole week? Thats just insane! Anyway, stop the Apple bashing. I miss CmdrTaco editorial ...

    • by AmiMoJo ( 196126 )

      And if I understand it, this "security hole" is basically that you won't get bad-certificate warnings if you visit certain fraudulent sites... which isn't likely to happen unless you're clicking links in phishing emails.

      Or you live in Iran, or North Korea, or China... And maybe the UK and US too if you are paranoid. Many governments would like to be able to read their citizen's email, or see how much they have in that Swiss bank account.

  • by Lord Grey ( 463613 ) on Friday September 09, 2011 @04:41PM (#37356792)

    I just applied the fix and now I have to restart my Mac. What the hell? Is my MacBook masquerading as a Windows machine all of the sudden?

    It just works. After a slight delay.

    • by tangent ( 3677 )

      Updates to Safari always require an OS X restart, for the same reason IE updates on Windows do: the "browser" is really just a UI wrapper around a core system component.

      Unlike Windows, OS X allows you to replace in-use files without restarting, so you may be able to get away with restarting only the affected apps, rather than the entire system, but I don't think I'd take that risk.

      • This fix didn't touch Safari... it fixed a bug regarding revocation in the system keychain, and then revoked the key. Since the entire OS hangs on the keychain, making a change to fix a bug in the revocation code requires a restart (all Apple authentication goes through this system, so leaving an authenticated process running while patching would be a bad idea).

        Seems to me Apple could easily set up another option for updates though, even though it wouldn't have worked for this instance -- kill and restart

    • by guruevi ( 827432 )

      Run softwareupdate -i -a from the command line. You won't ever need to restart although sometimes, if you do that, the applications you updated might not start (eg. iTunes and Safari).

      Restart is necessary so it can reload the correct kernel extensions and clear out the applications that have it in-use. It's not super important in most cases but even if you unload/reload the kext files you could make the system unstable or make it panic. I usually don't restart the system especially the server systems for th

    • With Lion's window reopening, I find restarts to be *much* less painful.

      That said, when Software Update tells you to restart, you can usually Force-Quit it and continue working.

      • Lion's window reopening is great ... right up till you start an app with an old document in it ... that the person looking over your shoulder sees ... and its about the day they are getting fired.

        That was turned off as soon as I could find a way.

        when Software Update tells you to restart, you can usually Force-Quit it and continue working.

        You do realize that all it does before that is essentially downloads the items, runs the updates on things that don't need restarting, and preps the ones that require restarts ... if you kill software update when it says a restart is needed then you aren't actually

  • Certs are broken. (Score:5, Insightful)

    by Speare ( 84249 ) on Friday September 09, 2011 @04:43PM (#37356810) Homepage Journal

    Diginotar was just the beginning of the reports, but truth is, CAs have been broken for a long time and SSL sessions that depend on CA certs are useless. A couple weeks ago, there was a handy how-to page to show how you can go into Mac OS X's keychain to reject Diginotar... one CA entry down, but several hundred others. If you think the NSA, Mossad, MI6, and fifty other countries haven't slipped MitM SSL boxes on various trunks hoping to score a session depending on these CAs, you're deluded.

    • Thank you.
      I finally understood why everyone says SSL is broken.

    • by ljw1004 ( 764174 )

      I may be deluded, but I certainly don't believe that Algeria, Romania or Peru have done that (to pick a few of the 50th largest countries ranked by GDP). I think their intelligence departments just aren't that well financed or modernized.

    • The problem with SSL has always been that there's a single point of failure. If you compromise the CA, you ultimately compromise SSL itself until trust for that particular CA gets revoked.

      In the short term, browsers should remember the last CA of each site. If it changes, throw up a warning page. That's a good stop-gap measure for MITM (instead of the stupid warning page for self-signed certs). In the long term, there needs to be some combination of distributed (P2P) certificate validation, and multiply sig

    • by Lennie ( 16154 )

      I've always had and still have "mixed feelings" about this.

      There are 2 types of MitM attacks on SSL:
      - force a normal CA to create a certificate for a nation for a certain website on request, maybe even create a subCA so they can sign anything they like
      - a lot of nations have governmental organisations that have their own CA

      If they use the last one, the one you probably meant, is detectable by a user (if properly instructed). gmail.com should obviously not be signed with a cert from CCNIC. If you really are

      • by Qzukk ( 229616 )

        There are 2 types of MitM attacks on SSL:

        You forgot #3:
        - ship your customers an installation CD which helpfully updates your certificate store with ISP-provided CA certs. AT&T did this at one time, I declined to install the cert despite the warning from the installer that if I didn't click OK on the popup I would not be able to configure the modem/router (configured it just fine, thanks).

        Of course, this is a much riskier version since if they actually attempted to use that CA, everyone who rejected the

  • Apple's fundamental problem is that they don't know how to MANAGE security. They don't know how to communicate. They don't know how to be up-front and honest about what they're doing. They don't know how to set clear expectations. Microsoft learned this a long time ago. (Incidentally, Linus won a pwnie for his silent patching a few years back I think.)
    • Yes, Microsoft is indeed upfront about setting clear expectations. That's why everyone on the planet knows ctrl+alt+delete.

  • 1. What about Safari for Windows? 2. So...Leopard was released less than four years ago, after Windows Vista came out in 2006, yet Apple can't be bothered to patch it?
  • Apple has consistently been slow to fix security issues like this in the past so it is no surprise they were last to address the issue,
  • In other news, Microsoft posts security bulletins 4 days early, scrambles to fix mistake [arstechnica.com].... oh, sorry I didn't realizes /. was in "bash apple" mode again.

  • Worth noting that, keeping in line with maximizing a forced adoption of the latest cat, the fix is only available for those using the latest version of Snow Leopard or Lion. At least at this time (5 PM CDT, 9 Sep 2011) the rest of the MacOS universe can go suck an egg...

    Just like the case of adopting Lion. If you want to skip a cat and not have to pay for Snow Leopard, tough luck, compadre. Lion ONLY installs on top of Snow Leopard.

    • MacOS hasn't existed since version 9. Yes, I think computers from the early 2000s can go suck an egg, to include my 1999 G4 that still runs, but I don't pretend to use it for daily computing, banking, and maintaining valid certs.

      Lion only installs on top of Snow Leopard because it is an upgrade, not a stand alone release. Even the Apple Lion pages use "upgrade" all over the place. The price of $29 reflects that as well. http://www.apple.com/macosx/how-to-buy/ [apple.com]

  • by gstrickler ( 920733 ) on Friday September 09, 2011 @06:33PM (#37357930)

    It's only for OS 10.6.8 and 10.7.1. Users of PowerPC Macs can't use any OS after 10.5.8, and many users of Intel based Macs won't update past 10.6.6 because 10.6.7/10.6.8 introduce some significant compatibility issues. It's great that they released a fix, but it's only a fix for 50%-80% of the user base. I guest the rest have to manually remove the Diginotar root cert?

  • No updates for this one? :(

"Remember, extremism in the nondefense of moderation is not a virtue." -- Peter Neumann, about usenet

Working...