Nah, we just forget to look at it or too pissed off to care because something that should work isn't working. Oh make sure you take that help desk call, while trying to fix the technology that has the business broken, and by the way here's this ad-hoc project we need done by Friday. It's Wednesday clearly you have enough time that normally takes 2 weeks and compress it to 2 days.


Perhaps setting up a google reminder with their calendar is the solution. LOL!
 
It was not an Apple site but a banking site that gave me the problem - the certificate was expired. Kind of a problem when people don't keep up with their security details.

Is there a way to check the certificate of a site without trying to do business on that site?
 
of course.... and Windows just doesn't work at all. :)

Apple's response: "We can't be bothered with OS X stuff. We're too busy buying Beats!"

And even that's not gonna work out. Apple should actually be doing something they are 100% focused on.. not 50%, and then turn the other way or delays..

This is just wasting time we could be putting updates out or fixing Mavericks.
 
If Apple renew the certificate on their end without an OS X update, why can't they fix the FaceTime certificate on iOS 6? :confused:
 
It was not an Apple site but a banking site that gave me the problem - the certificate was expired. Kind of a problem when people don't keep up with their security details.

Is there a way to check the certificate of a site without trying to do business on that site?

Just type in for example "https://slashdot.org" in your browser for a very popular website that has the same problem. Basically, "https://" in front of a website address means you want a secure connection, and your browser will check their certificates.

----------

Wow, that seems like a pretty massive security vulnerability, why does this work at all?

Because a certificate has built in a setting "valid until May 25th 2014", for example, so if your computer thinks the current date is before May 25th, it's fine; if the computer thinks the current date is after May 25th, it's not accepted.

It is not _really_ a security problem. If nobody cracked the certificate, it's secure, whether it is expired or not. If somebody cracked the certificate, it's insecure, whether it is expired or not.

The only situation where the expiry date is a problem would be if let's say someone cracked a certificate today that Apple used in 1999, and that expired in 1999, and Apple didn't bother to revoke the certificate because it is so outdated that nobody would be using it. So if you accept a certificate that expired years ago by setting your clock back, that's stupid. One that expired yesterday, no big risk.
 
Laying off senior people can't be an excuse for this particular **** up. Every serious organization I've worked with has automated systems that handle all this behind the scenes. Devs request certs using a web interface - every issued cert's ops contacts/owners, its issue and expiry dates are recorded in a database and automated systems track the expiry dates using this database. The reminder notifications from the automated systems are aggressive - they even have an escalation chain if the ops contact doesn't act on them by acknowledging it and putting in a renewal request.

There must be servers somewhere that actually give the certificates out. For example, if I type in https://www.macrumors.com, there will be a server somewhere on the macrumors site that sends the macrumors certificate to me. _That_ server could check and send emergency emails to various places every time a certificate is sent that will become invalid within 7 days. (And if you have a working process to replace certificates a minute before they become invalid, then replacing them a week early should be easy).
 
of course.... and Windows just doesn't work at all. :)



And even that's not gonna work out. Apple should actually be doing something they are 100% focused on.. not 50%, and then turn the other way or delays..

This is just wasting time we could be putting updates out or fixing Mavericks.

How do you know Apple is not putting 100% on R&D for Mavericks or anything else they do for that matter? Just because you don't see it in your face doesn't mean they aren't doing it. And we just learned about this issue today on MR. It's already fixed the same day. People need to calm down.
 
I'm getting ready to send my resumé to Apple now. I have a feeling that there is about to be a job opening
Lol, you should see the software that big red, Oracle, sends to its customers that pay literally millions of dollars in licensing and support every year
 
If Apple renew the certificate on their end without an OS X update, why can't they fix the FaceTime certificate on iOS 6? :confused:

My understanding is that iOS 6 + FaceTime works fine on devices that can *not* be updated to iOS 7. Anybody with an iOS 7-compatible device resisting the upgrade on principle deserves what they get. My 2¢.
 
I wish I had experienced this window of 3 minutes? So I could forget about my other problems and focus on this major one while receiving massages and free Apple gear for an apology.

----------

It was not an Apple site but a banking site that gave me the problem - the certificate was expired. Kind of a problem when people don't keep up with their security details.

Is there a way to check the certificate of a site without trying to do business on that site?

that is scary!
 
Anyone that has ever worked in IT for a large corporation knows that nobody got fired for this. Sure, someone is probably going to get dinged on their next performance review, but unless the person who did this was already on a written "performance improvement plan", they will be in on Tuesday like everyone else. Just with some egg on their face.
 
How do you know Apple is not putting 100% on R&D for Mavericks or anything else they do for that matter? Just because you don't see it in your face doesn't mean they aren't doing it. And we just learned about this issue today on MR. It's already fixed the same day. People need to calm down.


I meant in general
 
probably

Isn't there at least one person, at Apple, whose job is to keep things like that up-to-date?

The question I have is whether or not the certificate was renewed [probably] and whether or not it was deployed to the right servers [probably not].

I had a similar instance around the time of the Heartbleed problem - but it's quite possible that it was unrelated. One of Apple's SMTP servers had a REVOKED certificate. Not expired, but revoked!

So it is obvious to me that Apple's server deployment folks are not "on the ball".
 
This was fixed so quickly that I'm not sure why everyone is making such a big deal about it. Stuff like this happens, the site could've easily been taken down by a network problem as well. There is no such thing as 100% uptime. Apple has done a really good job in the past few years keeping their services up; I don't think anybody should get fired for this.

I bet next time you make a mistake at work, you will hope that you don't get fired over it. **** happens. If the guy screws up again, yeah, fire him. But not for one mistake. I'm disappointed to see so many people calling for his head, just like King Joffrey.
 
why is this a vulnerability ?

Wow, that seems like a pretty massive security vulnerability, why does this work at all?

If you reset your clock so your system will accept an uncompromised but out-of-date certificate -- what's the vulnerability? Did the private key suddenly pop out unannounced ??

No. Your only problem is that it might have been revoked/canceled and you wouldn't know. But if it had not been compromised -- and there is no allegation that it happened in this case -- what's your problem ??

Please explain your concern.
 
Anyone that has ever worked in IT for a large corporation knows that nobody got fired for this. Sure, someone is probably going to get dinged on their next performance review, but unless the person who did this was already on a written "performance improvement plan", they will be in on Tuesday like everyone else. Just with some egg on their face.

I don't know, some people said that Jobs fired people for much less important things like this one - I'm not sure if things changed. Nevertheless I agree with the fact that nobody should be fired for this.
 
There must be servers somewhere that actually give the certificates out. For example, if I type in https://www.macrumors.com, there will be a server somewhere on the macrumors site that sends the macrumors certificate to me. _That_ server could check and send emergency emails to various places every time a certificate is sent that will become invalid within 7 days. (And if you have a working process to replace certificates a minute before they become invalid, then replacing them a week early should be easy).

You are talking about the Web Server that hosts the site's certificate (Apache, IIS, iPlanet etc.). But it doesn't really matter what server checks and emails the certificate warnings. In most cases it happens to be not the web server because none of them have built-in functionality to do that and require customization which IT people hate. But more than that the reason for the cert warning system being a separate outside one is that it is part of general health check system. If the web server is hosed it cannot detect that itself - you need an external, sometimes geographically dispersed system to reliably detect such errors. Cert checks are a convenient and semi-automatic add-on to those systems.
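
An added example, not part of the thread: an external expiry check of the kind described in the post above, which also inspects a site's certificate with a TLS handshake only, without sending any request to the site. The 7-day window and the May 25, 2014 date come from the thread; the function names and sample hostnames are assumptions.

```python
import socket
import ssl
import time

WARN_DAYS = 7  # warning window taken from the thread; tune to your renewal process


def days_left(not_after, now=None):
    """Days until a getpeercert()-style notAfter string; negative once expired."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400.0


def classify(not_after, now=None, warn_days=WARN_DAYS):
    """Map a notAfter value to the action the certificate's owner should take."""
    left = days_left(not_after, now)
    if left < 0:
        return "EXPIRED"
    if left <= warn_days:
        return "RENEW_NOW"
    return "OK"


def probe(host, port=443, timeout=5.0):
    """Handshake from outside the server; no HTTP request is ever sent."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        # An expired, untrusted or mismatched certificate fails the handshake,
        # so the reason comes from the verification error, not from notAfter.
        return "INVALID: " + exc.verify_message
    except OSError as exc:
        return "UNREACHABLE: " + str(exc)
    return classify(not_after)


# Constructed sample values (not real certificates), checked against a fixed clock.
SAMPLE_NOW = ssl.cert_time_to_seconds("May 20 12:00:00 2014 GMT")
SAMPLES = {
    "shop.example": "May 25 12:00:00 2014 GMT",   # 5 days left
    "mail.example": "May 19 12:00:00 2014 GMT",   # expired yesterday
    "www.example": "Jun 30 12:00:00 2014 GMT",    # comfortably valid
}


def demo():
    return {name: classify(na, SAMPLE_NOW) for name, na in SAMPLES.items()}
```

Run `probe()` from a host outside the serving infrastructure and on a schedule, and route anything other than `OK` to the certificate's owner.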
 
They're not the only ones. :D

This is one of the easiest things to forget in IT-land, up there with not renewing a domain and other once-in-a-few-years tasks.

Yep, Apple is not alone.

Twice in the past year or two Microsoft has forgotten to update the certificates on all of their Bing map servers, causing secure map requests to fail.

And I keep running across other, more minor, sites with expired certs.

Still no excuse, of course. At the least, a secure health check should've found it early in the day, so it could be fixed immediately.
 