Safari Security: Protecting Your Mac From the Certificate Compromise

Discussion in 'Mac Apps and Mac App Store' started by Bigmacduck, Sep 7, 2011.

  1. Bigmacduck, Sep 7, 2011
    Last edited by a moderator: Sep 8, 2011

    Bigmacduck macrumors regular

    Feb 15, 2009
    On July 10, 2011, (a Netherlands CA) issued a fraudulent SSL certificate for the domain *, which would be valid for all domains. DigiNotar has not been forthcoming about how the attackers were able to obtain the fraudulent certificate, releasing only a PR statement without any content. This means that more fraudulent certificates may have already been issued or may be issued in the future for * or other domains. The latest news is that there have been over 500 fraudulent certificates issued. While current indications are that it was used to snoop on G-Mail communications in Iran, no one knows what other places it might be used and for what other purposes.

    Read full text on

    and press article here:

  2. Bigmacduck thread starter macrumors regular

    Feb 15, 2009
  3. Porco macrumors 68030

    Mar 28, 2005
    Unless I missed it and it already was, this issue should be a major article on the front page of MacRumors IMHO, it potentially affects every mac user far more than how good the iPhone 5 will be at taking pictures of Sushi (not that there's anything wrong with that too!).
  4. Bigmacduck thread starter macrumors regular

    Feb 15, 2009
    I love Sushi, but I am also very concerned about security. A big part of my life is stored on Apple devices. I want to trust SSL connections and the browser and the OS.

    Seems that not too many members of this forum are interested in that topic (yet)...
  5. Porco macrumors 68030

    Mar 28, 2005
    Yeah, I am perturbed how little everyone seems to care.

    Hopefully Apple will issue updates soon for OS X and iOS, they're lagging behind on this...
  6. Daveoc64 macrumors 601

    Jan 16, 2008
    Bristol, UK
    What a shock!
  7. munkery, Sep 8, 2011
    Last edited: Sep 9, 2011

    munkery macrumors 68020

    Dec 18, 2006
    Not totally sure about this but I believe DigiNotar has already released CRLs for the compromised certificates so if you have system-wide OCSP and CRL enabled in Keychain Access, the issue is already mitigated.

    These features are enabled by default in Lion.

    Apparently, DigiNotar does not make it easy to view each individual certificate that has been revoked via the CRLs it releases.

    But, compromised certificates that have been seen in the wild have been revoked.

    So, it appears that some action is being taken via CRLs.

    It should be noted that if all these certificates have been revoked via CRLs then Safari has actually provided better protection than other browsers that have only recently received updates to mitigate this issue.
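    An added example, not from the thread, showing the mechanism the post above relies on: with Python's `cryptography` library a throwaway CA issues two certificates, publishes a CRL that revokes one of them, and the client-side check (the kind that OCSP/CRL checking in Keychain Access performs) flags the revoked certificate while still accepting the other. All names, keys, serials and dates are constructed.

```python
# Added example, not code from the thread or from Apple: a CA, two leaf
# certificates, a CRL revoking one, and the CRL lookup a client performs.
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa

NOW = datetime.datetime(2011, 9, 8, tzinfo=datetime.timezone.utc)  # constructed date

def make_ca():
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW - datetime.timedelta(days=1))
            .not_valid_after(NOW + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def issue_leaf(ca_key, ca_cert, hostname):
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]))
            .issuer_name(ca_cert.subject).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW - datetime.timedelta(days=1))
            .not_valid_after(NOW + datetime.timedelta(days=90))
            .sign(ca_key, hashes.SHA256()))

def build_crl(ca_key, ca_cert, revoked_serials):
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(NOW).next_update(NOW + datetime.timedelta(days=7)))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial)
            .revocation_date(NOW).build())
    return builder.sign(ca_key, hashes.SHA256())

def is_revoked(cert, crl, ca_cert):
    # A client must first confirm the CRL really comes from the CA, then look
    # the certificate's serial number up in it.
    if not crl.is_signature_valid(ca_cert.public_key()):
        raise ValueError("CRL signature does not verify against the CA")
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None

def demo():
    ca_key, ca_cert = make_ca()
    good = issue_leaf(ca_key, ca_cert, "mail.example.test")
    bad = issue_leaf(ca_key, ca_cert, "*.example.test")  # stands in for a mis-issued cert
    crl = build_crl(ca_key, ca_cert, [bad.serial_number])
    return is_revoked(good, crl, ca_cert), is_revoked(bad, crl, ca_cert)
```

A client that never fetches the CRL (or fails open when it cannot) would have no way to tell `bad` from `good`, which is why the revocation settings the post mentions matter.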
