Yay for not using safari
Chrome: best browsing experience
Firefox: best debugging experience (firebug)
Opera: best multiplatform mobile browser
Safari: ?
Internet Explorer: ?
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Apple Releases Security Update 2011-005 for OS X to Address Compromised Certificates
- Thread starter MacRumors
- Start date
- Sort by reaction score
Chrome: best browsing experience
Firefox: best debugging experience (firebug)
Opera: best multiplatform mobile browser
Safari: ?
Internet Explorer: ?
It is good to reboot your computer every once in a while.
The fact that it takes Apple a week to patch a major security flaw and then doesn't hit every version is a good reason not to ever use Safari.
When the update involves replacing an already-running system service that cannot be shut down on the fly without destabilizing everything else that depends upon it, that's the price you pay. Is it really such a big deal?
Reboots remind me the monolithic kernel era.
http://en.wikipedia.org/wiki/XNU
"Like some other modern kernels, XNU is a hybrid, containing features of both monolithic and microkernels, attempting to make the best use of both technologies, such as the message passing capability of microkernels enabling greater modularity and larger portions of the OS to benefit from protected memory, as well as retaining the speed of monolithic kernels for certain critical tasks."
Wirelessly posted (Mozilla/5.0 (iPod; U; CPU iPhone OS 3_1_3 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7E18 Safari/528.16)
No way I'm switching to FireFox or Chrome I don't like tabbed browsing, and Safari seems to have a better UI than the other ones I do have FireFox installed for some of the plugind
I even use Safari in parallels
No way I'm switching to FireFox or Chrome I don't like tabbed browsing, and Safari seems to have a better UI than the other ones I do have FireFox installed for some of the plugind
I even use Safari in parallels
This update removes all trust in DigiNotar as a certificate authority.
This action is due to the security industry justifiably no longer trusting DigiNotar.
But, Lion users by default and SL users that have enabled OCSP and CRL were potentially protected from the specific compromised DigiNotar certificates prior to this update.
See the quote below for details:
----------
Enable OCSP and CRL in the "Keychain Access" preferences.
See the "Mac Security Suggestions" link in my sig for more details (see #14).
This action is due to the security industry justifiably no longer trusting DigiNotar.
But, Lion users by default and SL users that have enabled OCSP and CRL were potentially protected from the specific compromised DigiNotar certificates prior to this update.
See the quote below for details:
----------
Do the compromised certificates only exist on Snow Leopard and Lion?
What about Leopard?
Enable OCSP and CRL in the "Keychain Access" preferences.
See the "Mac Security Suggestions" link in my sig for more details (see #14).
Apparently, from what I've read, when people used the Kaychain manager to manually remove DigiNotar as a CA, they were able to demonstrate websites known to be using DigiNotar certificates, still being silently accepted in Safari. This was due to a quirk in the way in which OS X handled so-called "EV Certificates".
Are you certain that enabling OCSP and CRL would not also leave you at the mercy of OS X's quirky handling of "EV Certificates"?
Isn't Safari tabbed browsing? As for the UI, thats not the most important part of a web browser. The way it displays the page is what you should care about.
You know, you can configure Firefox to take away tabbed browsing if you want.
If you're running Lion or Snow Leopard, there's no reason for you to switch.
If you're using Leopard or older, then you may be exposing yourself to unnecessary risk.
Really? I mean, I can buy it for OS X, but Safari for Windows genuinely sucks as a browser. I prefer even IE to the Windows version of Safari. In fact, IE9 is a pretty good browser. When none of us were looking, IE went and grew up.
OCSP and CRL do not remove the DigiNotar trusted root certificate.
But, it does revoke access to websites that use known compromised certificates from any certificate issuing authority.
The websites that could be accessed that had DigiNotar certificates were not websites that had their certificate revoked via CRLs.
To clarify, CRL revokes certificates issued to specific websites if the certificate is known to be compromised but it does not revoke root certificates for certificate authorities.
The extra measure of removing DigiNotar from the list of trusted certificate authorities is due to the security industry no longer trusting the procedures used by DigiNotar.
EDIT: BTW, the EV certificate quirk was from users only removing the DigiNotar root certificate. DigiNotar also needed to be removed from the list of Extended Validation (EV) certificate authorities as well. This is essentially what this update accomplishes.
Last edited:
Do the compromised certificates only exist on Snow Leopard and Lion?
What about Leopard?
Leopard? Gee, what about providing leaded gasoline for my 1985 Ford?
----------
Why Apple taking so much time addressing those issue.... You guys a lagging big time! Still love you soooo much
I have a feeling that OSX is a bit more complex than a browser. The amount of testing needed to validate the fix has to be unbelievable complex and time consuming.
Basically older Safari versions have become about as secure as older versions of IE. And Safari has become about as unstable and buggy as IE.Do the compromised certificates only exist on Snow Leopard and Lion?
What about Leopard?
But I shouldn't have to--that's one of the things I like about OS X and dislike (or disliked--it's getting better) about Windows. Plus, I can keep my Mac up for weeks, sometimes months, at a time without any problems--and iOS devices for even longer.
Wirelessly posted (Mozilla/5.0 (iPod; U; CPU iPhone OS 3_1_3 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7E18 Safari/528.16)
In that case, I use Safari because Captchas don't view correctly in FireFox, as for Chrome Well, it uses WebKit and Safari is WebKit based as well And Safari can run chrome Angry Birds I'm not fond of the Chrome UI I don't even Browse the Web on non-Intel machines Safari is windowm-based until you Command-T and a bew tab come up
MacNut said:
In that case, I use Safari because Captchas don't view correctly in FireFox, as for Chrome Well, it uses WebKit and Safari is WebKit based as well And Safari can run chrome Angry Birds I'm not fond of the Chrome UI I don't even Browse the Web on non-Intel machines Safari is windowm-based until you Command-T and a bew tab come up
Seems DigiNotar may not be the only target.
Where to from here? Who are the other 3?
http://www.globalsign.com/company/press/090611-security-response.html
Where to from here? Who are the other 3?
http://www.globalsign.com/company/press/090611-security-response.html
If you're still using Leopard or earlier and wish to remove the compromised certificates, you can do so manually by issuing the commands below in terminal (you need an admin account). This works even when attempting to untrust or delete the certificates via Keychain Access does not:
sudo security delete-certificate -Z C060ED44CBD881BD0EF86C0BA287DDCF8167478C /System/Library/Keychains/SystemRootCertificates.keychain
sudo security delete-certificate -Z 59AF82799186C7B47507CBCF035746EB04DDB716 /System/Library/Keychains/SystemRootCertificates.keychain
sudo security delete-certificate -Z 101DFA3FD50BCBBB9BB5600C1955A41AF4733A04 /System/Library/Keychains/SystemRootCertificates.keychain
sudo security delete-certificate -Z C060ED44CBD881BD0EF86C0BA287DDCF8167478C /System/Library/Keychains/SystemRootCertificates.keychain
sudo security delete-certificate -Z 59AF82799186C7B47507CBCF035746EB04DDB716 /System/Library/Keychains/SystemRootCertificates.keychain
sudo security delete-certificate -Z 101DFA3FD50BCBBB9BB5600C1955A41AF4733A04 /System/Library/Keychains/SystemRootCertificates.keychain
Too bad it's still the little kid on the block by a few inches when it comes to standards support though. There is no excuse for the biggest software company in the world to not have implemented the W3C and the WhatWG standards at this point, especially in light of open source groups having done so.
The link provided below is Apple's documentation for enabling OCSP and CRL in Leopard.
http://docs.info.apple.com/article.html?path=Mac/10.5/en/9085.html
----------
Also, MS is not even attempting to support WebGL in IE because graphic drivers in Windows are too buggy and IE's sandbox is too weak to give remote code direct access those kernel level drivers.
http://docs.info.apple.com/article.html?path=Mac/10.5/en/9085.html
----------
Also, MS is not even attempting to support WebGL in IE because graphic drivers in Windows are too buggy and IE's sandbox is too weak to give remote code direct access those kernel level drivers.
iOS is still vulnerable. The fragmentation of iOS devices could be the hold up here and it seems that when we need a prompt update, we won't get it.
Unlike on a Mac, you can't do it manually and there isn't a viable alternative browser option (and many apps use Safari to retrieve content anyway).
Unlike on a Mac, you can't do it manually and there isn't a viable alternative browser option (and many apps use Safari to retrieve content anyway).