
Bigmacduck (macrumors regular, original poster), Feb 15, 2009
On July 10, 2011, DigiNotar.nl (a Netherlands CA) issued a fraudulent SSL certificate for the domain *.google.com, which would be valid for all google.com domains. DigiNotar has not been forthcoming about how the attackers were able to obtain the fraudulent certificate, releasing only a PR statement without any content. This means that more fraudulent certificates may have already been issued or may be issued in the future for *.google.com or other domains. The latest news is that there have been over 500 fraudulent certificates issued. While current indications are that it was used to snoop on G-Mail communications in Iran, no one knows what other places it might be used and for what other purposes.

Read full text on http://ps-enable.com/articles/diginotar-revoke-trust

and press article here: http://www.theregister.co.uk/2011/09/06/iphone_android_users_vulnerable/

:eek:
Unless I missed it and it already was, this issue should be a major article on the front page of MacRumors IMHO; it potentially affects every Mac user far more than how good the iPhone 5 will be at taking pictures of sushi (not that there's anything wrong with that too!).
 
I love sushi, but I am also very concerned about security. A big part of my life is stored on Apple devices. I want to trust SSL connections, the browser and the OS.

Seems that not too many members of this forum are interested in that topic (yet)...
 
Yeah, I am perturbed how little everyone seems to care.

Hopefully Apple will issue updates soon for OS X and iOS, they're lagging behind on this...
 
Not totally sure about this, but I believe DigiNotar has already released CRLs for the compromised certificates, so if you have system-wide OCSP and CRL enabled in Keychain Access, the issue is already mitigated.

These features are enabled by default in Lion.

Apparently, DigiNotar does not make it easy to view each individual certificate that has been revoked via the CRLs it releases.

They might have been added to another CRL, hard to say as DigiNotar does not allow directory listing and doesn't have an easy to find list of CRLs they publish either.

That the revocations happened on July 19th, 21st and 27th, and that almost 200 still have an unknown revocation status. [The rogue certificates were issued on July 10th, 18th and 20th].

But, compromised certificates that have been seen in the wild have been revoked.

So, it appears that some action is being taken via CRLs.

http://isc.sans.edu/diary.html?storyid=11500&rss

It should be noted that if all these certificates have been revoked via CRLs, then Safari has actually provided better protection than other browsers that have only recently received updates to mitigate this issue.
 
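The post above hinges on what a CRL check actually does: the client fetches the issuer's DER-encoded CRL and looks for the certificate's serial number in the revokedCertificates list. The following is an added example, not code from this thread, from DigiNotar or from Apple; it uses only the Python standard library and parses that list out of raw DER. Because the real DigiNotar CRLs are not reproduced here, the block builds a constructed test CRL with a dummy signature (the `build_test_crl` helper and the serial numbers in it are invented for the demonstration), then checks serials against it.

```python
"""Minimal DER CRL reader: list revoked serials and check one serial.

Constructed example. The CRL built by build_test_crl() is a fake with a
dummy (all-zero) signature; it only exercises the parsing path.
"""


# ---- tiny DER encoder, used only to construct the sample CRL -------------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(n):
    # Minimal two's-complement encoding; the extra byte keeps it positive.
    return _der(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def _der_utctime(s):
    return _der(0x17, s.encode("ascii"))


def _der_seq(*items):
    return _der(0x30, b"".join(items))


# sha256WithRSAEncryption (1.2.840.113549.1.1.11) with NULL parameters
ALG_ID = _der_seq(bytes.fromhex("06092a864886f70d01010b"), b"\x05\x00")


def build_test_crl(revoked):
    """revoked: list of (serial, UTCTime string). Returns a DER CRL (unsigned)."""
    # issuer Name: a single CN (2.5.4.3) as UTF8String; value is constructed
    issuer = _der_seq(_der(0x31, _der_seq(bytes.fromhex("0603550403"),
                                          _der(0x0C, b"Constructed Test CA"))))
    entries = [_der_seq(_der_int(s), _der_utctime(t)) for s, t in revoked]
    tbs = _der_seq(_der_int(1),                      # version v2
                   ALG_ID, issuer,
                   _der_utctime("110719000000Z"),    # thisUpdate (constructed)
                   _der_utctime("110819000000Z"),    # nextUpdate (constructed)
                   _der_seq(*entries))               # revokedCertificates
    dummy_sig = _der(0x03, b"\x00" * 33)             # BIT STRING, not a real signature
    return _der_seq(tbs, ALG_ID, dummy_sig)


# ---- DER reader, the part a client performs on a downloaded CRL ----------
def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out


def revoked_serials(crl_der):
    """Map of revoked serial -> revocation time string, read from a DER CRL."""
    tag, crl_body, _ = _read_tlv(crl_der, 0)
    if tag != 0x30:
        raise ValueError("CRL is not a DER SEQUENCE")
    _, tbs, _ = _read_tlv(crl_body, 0)              # TBSCertList
    fields = _children(tbs)
    idx = 1 if fields[0][0] == 0x02 else 0          # optional version INTEGER
    idx += 3                                        # signature, issuer, thisUpdate
    if idx < len(fields) and fields[idx][0] in (0x17, 0x18):
        idx += 1                                    # optional nextUpdate
    serials = {}
    if idx < len(fields) and fields[idx][0] == 0x30:  # revokedCertificates
        for _, entry in _children(fields[idx][1]):
            serial_tlv, date_tlv = _children(entry)[:2]
            serial = int.from_bytes(serial_tlv[1], "big", signed=True)
            serials[serial] = date_tlv[1].decode("ascii")
    return serials


def is_revoked(crl_der, serial):
    return serial in revoked_serials(crl_der)


if __name__ == "__main__":
    crl = build_test_crl([(0x1001, "110719120000Z"), (0x2002, "110721090000Z")])
    for serial, when in revoked_serials(crl).items():
        print(f"serial {serial:#x} revoked at {when}")
    print("0x3003 revoked?", is_revoked(crl, 0x3003))
```

Two caveats matter for the argument in the thread. A serial missing from the CRL only means "not revoked as of this CRL's thisUpdate", so an attacker-issued certificate the CA has not yet listed still passes. And a real client must verify the CRL's signature against the issuing CA's key and check its validity window before trusting the list at all; this example deliberately skips that step, so it should not be used as-is for anything beyond reading what a CRL contains.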