10.8 Security Update 2015-004 breaks SSL?

Discussion in 'OS X Mountain Lion (10.8)' started by binba, Apr 12, 2015.

  1. binba macrumors newbie

    Jul 23, 2010
    To be more accurate, it appears as if this update installed an invalid/wrong/outdated VeriSign root CA, which prevents me from securely using a good chunk of the web - including Apple's own App Store.

    1. After installing the 2015-004 update on my 10.8.5, I realized I couldn't connect to many HTTPS sites including twitter.com, apple.com, and bankofamerica.com without getting certificate warnings. Chrome, for example, says ERR_CERT_AUTHORITY_INVALID, "the certificate is not trusted" and "your connection is encrypted with obsolete cryptography".
    2. Chrome and Safari rely on the OS for trusted root CAs.
    3. The mistrust starts with the root CA, "VeriSign Class 3 Public Primary Certification Authority - G5". I can see that a CA with this exact name appears in Keychain as a valid and trusted cert, but its serial number (and therefore its SHA-1 and MD5 fingerprints) is completely different from what the browsers see online.
    4. HTTPS connections to other sites (with GeoTrust, Google and other CAs) work fine.

    I could just add the online certificate as trusted, but shrugging it off and proceeding without caution is the worst thing you can do for secure browsing. If I'm visiting a small, specific website that I know and I encounter a self-issued cert, it's one thing, but this is a very different story.

    I only I'm not the last person in the world using 10.8.5 (yet), so if my theory is correct, others must be seeing this too. And if I'm wrong... what the hell is going on?
  2. binba thread starter macrumors newbie

    Jul 23, 2010
  3. e93to macrumors 6502a


    Jan 23, 2015
    Thanks for the info and letting others know about this.
