
Apple Criticized For Not Blocking Stolen Certs

samzenpus posted more than 3 years ago | from the I-am-disappoint dept.

Security 154

CWmike writes "A security researcher is criticizing Apple for lagging with its response to the DigiNotar certificate fiasco. He is urging the company to quickly update Mac OS X to protect users. 'We're looking at some very serious issues [about trust on the Web] and it doesn't help matters when Apple is dragging its feet,' said Paul Henry, a security and forensics analyst with Lumension. Unlike Microsoft, which updated Windows on Tuesday to block all SSL certificates issued by DigiNotar, Apple has not updated Mac OS X to do the same. Meanwhile, even Mac OS X users who want to go DIY are stymied, reports Bob McMillan, because the OS can't properly revoke dodgy digital certificates."


lol (0, Funny)

Anonymous Coward | more than 3 years ago | (#37348812)

macs cant get hacked

Re:lol (0)

Anonymous Coward | more than 3 years ago | (#37348886)

-5 Trollbait

Not just Apple... (3, Interesting)

Amarantine (1100187) | more than 3 years ago | (#37348838)

At the request of the Dutch government, Microsoft is delaying the update in the Netherlands (home of DigiNotar) until next week, to avoid confusion (and to buy the government more time to roll out new certs).

I feel much safer now, knowing our government has the power to stop Microsoft from rolling out security updates in a country.

Re:Not just Apple... (1)

mwvdlee (775178) | more than 3 years ago | (#37348852)

Yup. Much better to just shut down the government for a few days than to not overreact to an already fixed security issue.

Re:Not just Apple... (1)

sjames (1099) | more than 3 years ago | (#37348926)

Apparently it's NOT a fixed security issue if you use IE in the Netherlands. It WOULD be fixed if the certificate were removed.

Re:Not just Apple... (0)

Anonymous Coward | more than 3 years ago | (#37348946)

How is it already fixed?

As far as I can tell, a huge list of domains right now have a diginotar signed certificate in the hands of an unknown iranian hacker. This list includes *.*.com, and these certificates are marked secure.

Any number of things can, right now, be happening to unknowing dutch (or safari) users thinking they are on a trusted site.

The only thing that might prevent this, is hoping the revocation list of diginotar is complete, and the hacker has not somehow copied the CA key itself.

Re:Not just Apple... (1)

jonwil (467024) | more than 3 years ago | (#37349198)

One would hope that any and all private keys for the DigiNotar root certificates have been regenerated and replaced and are NEVER going to be used to generate certificates again.

Re:Not just Apple... (4, Informative)

Tomato42 (2416694) | more than 3 years ago | (#37349222)

The only thing that might prevent this, is hoping the revocation list of diginotar is complete

> implying browsers actually check CRL or OCSP responses

HA HA, good one. Only Opera checks OCSP and won't show you that the site is "secure" when it can't contact the OCSP server. Firefox can be defeated by putting "3" in the OCSP response (come on, we're talking about a full-scale MITM; adding OCSP to the attack, which also uses HTTP, is trivial). IE, even when it gets an OCSP failure or can't connect to OCSP at all, will still show the green bar...
If you're using regular certificates, Firefox and IE don't even check for OCSP...
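The behaviour described in this comment (and in the "try, but gleefully ignore failures" and security.OCSP.require replies further down) comes down to one client-side policy decision: what to do when the OCSP responder gives no usable answer. The following Python is an added example, not code from the thread or from any browser. It decodes only the outer OCSPResponse.responseStatus ENUMERATED from RFC 6960 DER, enough to show the difference between a responder that says tryLater (the "3" mentioned above), one that is unreachable, and one that actually answers; the per-certificate status that a successful response body would carry is passed in as a constructed stand-in string rather than parsed.

```python
"""OCSP responseStatus decoding and the soft-fail / hard-fail client policy.

Added example; not code from the original thread or from any browser. Only the
outer OCSPResponse.responseStatus ENUMERATED (RFC 6960, DER) is decoded; the
per-certificate status a successful body would carry is a constructed stand-in.
"""
from enum import IntEnum


class ResponseStatus(IntEnum):
    """OCSPResponseStatus values from RFC 6960 section 4.2.1 (4 is unused)."""
    SUCCESSFUL = 0
    MALFORMED_REQUEST = 1
    INTERNAL_ERROR = 2
    TRY_LATER = 3
    SIG_REQUIRED = 5
    UNAUTHORIZED = 6


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) for the DER TLV at pos (definite lengths only)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, pos, pos + length


def decode_response_status(der: bytes) -> ResponseStatus:
    """OCSPResponse ::= SEQUENCE { responseStatus ENUMERATED, responseBytes [0] OPTIONAL }."""
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("OCSPResponse must be a SEQUENCE")
    tag, vs, ve = _read_tlv(der, start)
    if tag != 0x0A or ve - vs != 1:
        raise ValueError("responseStatus must be a one-byte ENUMERATED")
    return ResponseStatus(der[vs])


# Constructed wire bytes: the complete DER encoding of a tryLater(3) response.
# It carries no statement about the certificate, so a client must not read it as "good".
TRY_LATER_DER = bytes.fromhex("30030a0103")


def decide(ocsp_result, require_positive: bool) -> str:
    """Accept or reject a certificate given the OCSP outcome.

    ocsp_result is None when the responder could not be reached, otherwise a
    (ResponseStatus, cert_status) pair where cert_status is 'good', 'revoked'
    or 'unknown' from a successful response body (None when there is no body).
    require_positive=True is the hard-fail policy (what Firefox's
    security.OCSP.require turns on); False is the soft-fail default.
    """
    if ocsp_result is None:
        return "reject" if require_positive else "accept"
    status, cert_status = ocsp_result
    if status != ResponseStatus.SUCCESSFUL:
        # tryLater, internalError, unauthorized...: no answer about the certificate
        return "reject" if require_positive else "accept"
    if cert_status == "good":
        return "accept"
    if cert_status == "revoked":
        return "reject"
    return "reject" if require_positive else "accept"  # 'unknown'


def evaluate_all() -> dict:
    """Run constructed scenarios through both policies; returns {scenario: {policy: verdict}}."""
    scenarios = {
        "good": (ResponseStatus.SUCCESSFUL, "good"),
        "revoked": (ResponseStatus.SUCCESSFUL, "revoked"),
        "injected_try_later": (decode_response_status(TRY_LATER_DER), None),
        "responder_unreachable": None,
    }
    return {
        name: {"soft_fail": decide(r, False), "hard_fail": decide(r, True)}
        for name, r in scenarios.items()
    }


if __name__ == "__main__":
    for name, verdicts in evaluate_all().items():
        print(f"{name:24s} soft-fail={verdicts['soft_fail']:7s} hard-fail={verdicts['hard_fail']}")
```

Only the "revoked" row rejects under soft-fail; the two rows where the responder never makes a statement are accepted, which is the gap the comment describes. Hard-fail closes it at the cost of availability whenever the responder is down.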

Re:Not just Apple... (4, Informative)

Golthar (162696) | more than 3 years ago | (#37348856)

At the request of the Dutch government, Microsoft is delaying the update in the Netherlands (home of DigiNotar) until next week, to avoid confusion (and to buy the government more time to roll out new certs).

I feel much safer now, knowing our government has the power to stop Microsoft from rolling out security updates in a country.

I'm in the Netherlands and I got the patch just fine.
Must be because I use the English version of Windows

Re:Not just Apple... (1)

Zeikzeil (1099785) | more than 3 years ago | (#37348980)

Even on some computers that run Dutch versions of Windows the patch got installed apparently. MS called it an error. I call it not honoring an agreement. Not that I think this agreement was a good idea to begin with.

Re:Not just Apple... (2)

nitehawk214 (222219) | more than 3 years ago | (#37350006)

That Microsoft was looking out for customer's interests rather than governments? I would think this should be applauded.

Re:Not just Apple... (1)

Zeikzeil (1099785) | more than 3 years ago | (#37350416)

Don't get me wrong, I agree. The one time MS acts quickly, someone asks them to hold. I think MS should not have agreed to it. That's why I said the agreement wasn't a good idea to begin with. The Dutch government should hurry to get new certificates in place, not ask MS to put the patch on hold.

Re:Not just Apple... (0)

Anonymous Coward | more than 3 years ago | (#37348986)

Me too. It appears to be just the patches for the localized Dutch Windows versions.

What is far worse: the software for tax forms provided by the Dutch tax department insists on posting the forms and updating itself through IE on Windows and Safari on OSX.
This is hardcoded. It completely ignores the default browser preferences.
And there is no technical reason for that at all. The actual website behind it works fine in Chrome and Firefox.
You can even start the process in Firefox or Chrome without any problems, and at some point the browser change is forced upon you by the software.
Especially on Macs this means that there is no way to tell if the old DigiNotar or the new Getronics certificates are used, because the browser happily accepts both.

Re:Not just Apple... (1)

Eskarel (565631) | more than 3 years ago | (#37349048)

That's because it's not using IE, it's using the Windows HTML libraries, which are incidentally IE-like; they're always there, so they are what developers program against.

Re:Not just Apple... (0)

Anonymous Coward | more than 3 years ago | (#37349556)

Not on OSX.... But Safari is always there.

I understand their reasoning but I don't have to like it....

That's hilarious: the captcha is "SIGNED".

Re:Not just Apple... (0, Troll)

That Guy From Mrktng (2274712) | more than 3 years ago | (#37348868)

Sigh *problems of the first world* Microsoft can dictate/leverage/downright-bribe governments in developing nations to exclude anything Linux/Open from public schools; guess there's some balance in the universe after all and I hope that makes you feel better... oh wait.

Re:Not just Apple... (0, Funny)

Anonymous Coward | more than 3 years ago | (#37349052)

Thank you for picking a random thread to externate your thinkings about MS and Open Source, but this is an Apple bashing thread, you should look more carefully next time. Id*ot.

Re:Not just Apple... (1)

Anonymous Coward | more than 3 years ago | (#37349212)

Not really. The Dutch government asked Microsoft the same thing that it asked Mozilla: not to block the Staat Der Nederlanden Root (yet), of which DigiNotar was one of the partners. The Fox-IT audit did not find any evidence of fraudulent certificates under this root, so there is no clear and present danger for these certificates.

That said, the root certificate will be invalidated anyway. The government is only asking for more time to do so. We're talking about renewing some 10,000 certificates btw, and granting these certificates is not a turnkey operation.

Re:Not just Apple... (3, Informative)

dingen (958134) | more than 3 years ago | (#37349308)

The Fox-IT audit did not find any evidence of fraudulent certificates under this root, so there is no clear and present danger for these certificates.

That is old information. The Dutch government only asked Mozilla to not block their root while the Fox-IT audit was still in progress. But by the time it was finished, it could not be proven the Staat Der Nederlanden CA was clean, so they then gave up on DigiNotar entirely and gave Mozilla the OK to block everything.

Re:Not just Apple... (1)

im3w1l (2009474) | more than 3 years ago | (#37349878)

Why couldn't they just whitelist the most critical, known-legit, certs instead?

Re:Not just Apple... (0)

daem0n1x (748565) | more than 3 years ago | (#37350016)

I feel much safer now, knowing our government has the power to stop Microsoft from rolling out security updates in a country.

Better than the opposite. I trust governments more than corporations. Governments are (still) elected and accountable before their citizens

Of course, unless you're an anti-government fanatic libertarian nut-job.

Re:Not just Apple... (0)

Anonymous Coward | more than 3 years ago | (#37350054)

Well, as we have just learned, that trust was misplaced.

FUD (3, Funny)

Anonymous Coward | more than 3 years ago | (#37348844)

These certs are blocked on all Apple equipment and always have been. Anyone getting the certificate accepted is obviously holding it wrong.

Re:FUD (1)

oobayly (1056050) | more than 3 years ago | (#37349378)

Why anonymous? I very nearly had coffee on my monitor because of that.

Re:FUD (0)

CheerfulMacFanboy (1900788) | more than 3 years ago | (#37349648)

Why anonymous? I very nearly had coffee on my monitor because of that.

Let me guess: he's American, you are not. Causing coffee on a monitor is reason to sue.

Re:FUD (0)

Anonymous Coward | more than 3 years ago | (#37349866)

Also, just get off Apple's back, you haters!
 
They're not a business-oriented company, after all. They just make the shiny.

Reality (5, Funny)

mcrbids (148650) | more than 3 years ago | (#37348850)

Somewhere deep in Silicon Valley, a programmer is looking at a comment something like this:

/*******
FIXME: WTF Hack here. CRLs require authentication of being revoked, but we never bothered to check the callback of the revoke. Maybe if we bothered to have a revoke infrastructure? For now, we'll just not bother fixing this until 10.1 or 10.2.
******/
return true;

Re:Reality (1)

alannon (54117) | more than 3 years ago | (#37348930)

If you read the article, you would learn that this isn't the case. It's pretty clearly a bug (not a missing revocation infrastructure) since the problem only occurs on Extended Validation certs. Otherwise, the revocation works as it should.

Regardless. (0)

Anonymous Coward | more than 3 years ago | (#37348994)

It's funny anyway. Grumpy grumpy grumpy.

Re:Reality (0)

Anonymous Coward | more than 3 years ago | (#37349010)

What do you mean by "read the article"?

Certificate revocation (5, Interesting)

wvmarle (1070040) | more than 3 years ago | (#37348858)

The biggest issue that has come to light here imho is that it's nigh impossible to revoke an issued certificate. When a certificate is out, and it's signed by a trusted CA, there is basically no way to revoke it. Revoking involves updating browsers, or even complete operating systems (like Windows or OS-X). Just because one CA made a small mistake, got hacked for whatever reason, and the whole world has to update their software.

Errors will be made. Certificates will be issued erroneously by a CA, or through hacking. Certificates will be lost/stolen. But for some reason there is no proper way in the whole system to fix that kind of errors. If we let it be, it's just a matter of time before the whole system crumbles and nothing can be trusted any more.

Any thoughts on this? Any ideas on how this could be fixed?

Re:Certificate revocation (1)

Beryllium Sphere(tm) (193358) | more than 3 years ago | (#37348928)

The major browsers support OCSP. The technology exists, whatever the practical problems are in using it.

Re:Certificate revocation (0)

Anonymous Coward | more than 3 years ago | (#37349342)

If by "support" you mean "try, but gleefully ignore failures", yes. Or if by "major browsers" you mean "Opera". Because they're the only ones that actually require a positive response from OCSP; the others will ignore some or all OCSP failures and pretend everything's OK unless they actually get a negative response.

Re:Certificate revocation (3, Informative)

slimjim8094 (941042) | more than 3 years ago | (#37348932)

Certificates can be revoked by putting them on the certificate revocation list [wikipedia.org] . The OCSP [wikipedia.org] protocol is analogous. Here, try it yourself: http://validation.diginotar.nl/ [diginotar.nl] - get an OCSP client (IE7+, FF3+, Chrome, etc do it automatically) and try to authenticate any of the fraudulent certificates.

Somebody getting a hold of the private keys for the CA itself is a bigger problem - keys can be signed by the attacker faster than they can be revoked. I haven't heard that that's the case - just that fraudulent certs were made, presumably through the same semi-automated process that everybody else uses.

I don't know if there's a way to revoke a CA cert (that is, *all* certificates signed by a certificate). But that doesn't seem to be required here, so the standard revocation procedure works.

Re:Certificate revocation (2)

pankkake (877909) | more than 3 years ago | (#37349234)

Welcome to the Diginotar OCSP Service. To use this service, please use compatibel client software. Thanks.

Why did we ever trust these guys?

Re:Certificate revocation (0)

Anonymous Coward | more than 3 years ago | (#37349806)

Actually that's a common spelling error for the Dutch, so I guess no one really cared.

Re:Certificate revocation (0)

Anonymous Coward | more than 3 years ago | (#37349846)

Because they had a lobbyist who got the Dutch government to use them -> that made them trustworthy enough to add to operating systems and browsers.

It's cyclical reasoning.

Re:Certificate revocation (1)

wvmarle (1070040) | more than 3 years ago | (#37349286)

Certificates can be revoked by putting them on the certificate revocation list [wikipedia.org] . The OCSP [wikipedia.org] protocol is analogous. Here, try it yourself: http://validation.diginotar.nl/ [diginotar.nl] - get an OCSP client (IE7+, FF3+, Chrome, etc do it automatically) and try to authenticate any of the fraudulent certificates.

OK sounds cool. I can't be bothered to try it out myself, I'll take your word for it. But if there's such a revocation system, why do we still need browser or even OS updates to deal with this issue??

Re:Certificate revocation (0)

Anonymous Coward | more than 3 years ago | (#37349366)

Don't take his word for it: I tried using Firefox 6.0.2 and I got the message "Welcome to the Diginotar OCSP Service. To use this service, please use compatibel [sic] client software. Thanks. "

When it comes to this kind of things, never take anybody's word for it. For all we know the GP could be the Iranian hacker himself.

Re:Certificate revocation (1)

Haedrian (1676506) | more than 3 years ago | (#37349658)

Same here. I'm on Firefox 7.0. I'll see if there's a difference with Aurora.

Re:Certificate revocation (1)

somersault (912633) | more than 3 years ago | (#37349920)

I can't be bothered to try it out myself, I'll take your word for it

if there's such a revocation system, why do we still need browser or even OS updates to deal with this issue??

Probably because people are too trusting, and never bother to test that OCSP works..

Re:Certificate revocation (1)

wvmarle (1070040) | more than 3 years ago | (#37350432)

I can't be bothered to try it out myself, I'll take your word for it

if there's such a revocation system, why do we still need browser or even OS updates to deal with this issue??

Probably because people are too trusting, and never bother to test that OCSP works..

Do you check the Linux kernel for back doors? Or any other software that you use, like Firefox? I don't. Because I trust the community at large. Not a single vendor. I know there are people that make it their business to make sure there are no back doors in the kernel, or in Firefox, and that SSH has no bugs, and that SSL certificates are secure, and that CAs issue only valid certificates. The whole Diginotar issue came to light not thanks to Diginotar, but thanks to the community at large: security experts that realised something is wrong. I'm not such an expert, I know some of the red flags, but for the rest I'm just a user, like most other people out there, and basically have no choice but to put my trust in those businesses while keeping an eye on media outlets like /. to report on serious issues.

And besides you're completely ignoring my actual question. There is apparently a revocation system in place - and yet we're still struggling with software updates. Ergo, automatic revocation system is broken and useless. And that was my point really.

Re:Certificate revocation (1)

somersault (912633) | more than 3 years ago | (#37350524)

Yes, but the joke was that the revocation system is in place, yet even someone who's asking about it can't be bothered to test it out and see if it works. Bugs won't get fixed if they're not noticed and reported.

Re:Certificate revocation (0)

Anonymous Coward | more than 3 years ago | (#37350404)

Certificates can be revoked by putting them on the certificate revocation list [wikipedia.org] . The OCSP [wikipedia.org] protocol is analogous. Here, try it yourself: http://validation.diginotar.nl/ [diginotar.nl] - get an OCSP client (IE7+, FF3+, Chrome, etc do it automatically) and try to authenticate any of the fraudulent certificates.

OK sounds cool. I can't be bothered to try it out myself, I'll take your word for it. But if there's such a revocation system, why do we still need browser or even OS updates to deal with this issue??

Maybe because security.OCSP.require isn't enabled yet in your browser (the default) and MitM attacks can return fake "unavailable" responses to CRL-lookups?

Re:Certificate revocation (1)

tjohns (657821) | more than 3 years ago | (#37349364)

From what I understand, the DigiNotar CRL isn't to be trusted at this point. Logs were deleted as part of the hack, and they're not completely sure which fraudulent certificates were issued.

Their OCSP servers were modified to consider all certificates as revoked, except for those on a whitelist. This is the opposite of how OCSP usually works, and the correct approach in this situation. However, CRLs can only be used as a blacklist.

Source: http://isc.sans.edu/diary.html?storyid=11512 [sans.edu]

Re:Certificate revocation (1)

whiteboy86 (1930018) | more than 3 years ago | (#37348974)

> Any ideas on how this could be fixed?

Take a walk to the trusty stonewalled bank not a 'firewalled' phony bank, don't buy a Mac, another FOSS victory btw..

Opera can revoke certificates updating the browser (0)

Anonymous Coward | more than 3 years ago | (#37348982)

http://my.opera.com/rootstore/blog/2011/09/06/diginotar-first-step-disabling-the-root

Re:Certificate revocation (1)

Anonymous Coward | more than 3 years ago | (#37349104)

FF allows disabling certifiers and it runs on OSX and Windows:
    Preferences | Advanced | Encryption, View Certificates, scroll down to DigiNotar Root Certificate, press Edit and uncheck.

It's a manual update, but no new browser or OS update. And it's supposed to be updated automatically-- I might have disabled it in About:Config

Re:Certificate revocation (0)

Anonymous Coward | more than 3 years ago | (#37349514)

No, the problem lies in blacklisting a trusted _root_ certificate. That requires updates.

There's no problem revoking issued certificates, provided the software you're using actually bothers to check if said certificate has been revoked.

Re:Certificate revocation (0)

Anonymous Coward | more than 3 years ago | (#37349572)

If a CA has a single root cert and they issue everything based on that one cert, then the CA is probably doing it wrong. To avoid major issues the CA should have one or two levels of certificates below the root one, which would make it easier to fix if one of the lower certs is compromised. If the root cert itself is compromised, then they were doing it wrong and they should just die as a CA. Otherwise you can just trim the rotten branch, make new certs for everyone affected, and apologize.
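The comments in this subthread raise four distinct situations that get conflated in the "can OS X revoke certs or not" argument: an ordinary leaf certificate revoked through the CA's CRL (no client update needed), one intermediate pruned while its sibling branch keeps working, a root that can only be removed by changing the trust store (an OS or browser update, or a manual "never trust" override in Keychain Access), and the whitelist-mode OCSP responder from the SANS diary mentioned earlier. The toy model below is an added example, not code from the thread or from any real PKI library: "signatures" are HMACs keyed with the issuer's secret so the chain logic runs without key generation, and every name, serial and secret in it is constructed.

```python
"""Toy model of chain validation, trust-store overrides and revocation.

Added example, not from the thread or any real PKI library. 'Signatures' are
HMACs keyed with the issuer's secret so the logic runs without key generation;
all names, serials and secrets are constructed for the example.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    sig: bytes  # toy signature over (subject, issuer, serial) by the issuer


def _tbs(subject: str, issuer: str, serial: int) -> bytes:
    return f"{subject}|{issuer}|{serial}".encode()


def issue(ca_keys: dict, subject: str, issuer: str, serial: int) -> Cert:
    """Issuer signs the to-be-signed fields; self-signed when subject == issuer."""
    mac = hmac.new(ca_keys[issuer], _tbs(subject, issuer, serial), hashlib.sha256)
    return Cert(subject, issuer, serial, mac.digest())


def signature_ok(cert: Cert, ca_keys: dict) -> bool:
    if cert.issuer not in ca_keys:
        return False
    mac = hmac.new(ca_keys[cert.issuer], _tbs(cert.subject, cert.issuer, cert.serial), hashlib.sha256)
    return hmac.compare_digest(cert.sig, mac.digest())


def validate(chain, trust_store, ca_keys, crl=frozenset(), whitelist=None):
    """Walk a chain ordered leaf -> root and return (ok, reason).

    trust_store: {subject: 'trusted' | 'never'}; a 'never' entry is the
        Keychain Access style override and applies at any level of the chain.
    crl: set of (issuer, serial) the CA has blacklisted (CRL semantics).
    whitelist: when given, the responder answers 'revoked unless listed'
        (the post-breach DigiNotar OCSP mode); only listed (issuer, serial)
        pairs below the root are reported good.
    """
    if not chain or chain[-1].subject != chain[-1].issuer:
        return False, "chain does not end in a self-signed root"
    for i, cert in enumerate(chain):
        if trust_store.get(cert.subject) == "never":
            return False, f"{cert.subject} is marked never-trust"
        if not signature_ok(cert, ca_keys):
            return False, f"bad signature on {cert.subject}"
        if i + 1 < len(chain) and chain[i + 1].subject != cert.issuer:
            return False, f"{cert.subject} was not issued by the next cert in the chain"
        ident = (cert.issuer, cert.serial)
        if ident in crl:
            return False, f"{cert.subject} is on the CRL"
        if whitelist is not None and cert.subject != cert.issuer and ident not in whitelist:
            return False, f"{cert.subject} is not on the responder whitelist"
    if trust_store.get(chain[-1].subject) != "trusted":
        return False, f"root {chain[-1].subject} is not a trust anchor"
    return True, "valid"


def build_scenario():
    """Constructed PKI: one root, two intermediates, one leaf under each."""
    ca_keys = {
        "Toy Root": b"root-secret",
        "Toy Intermediate A": b"a-secret",
        "Toy Intermediate B": b"b-secret",
    }
    root = issue(ca_keys, "Toy Root", "Toy Root", 1)
    inter_a = issue(ca_keys, "Toy Intermediate A", "Toy Root", 2)
    inter_b = issue(ca_keys, "Toy Intermediate B", "Toy Root", 3)
    leaf_a = issue(ca_keys, "www.example.test", "Toy Intermediate A", 100)
    leaf_b = issue(ca_keys, "mail.example.test", "Toy Intermediate B", 200)
    return ca_keys, [leaf_a, inter_a, root], [leaf_b, inter_b, root]


def run_cases() -> dict:
    """Return {case: accepted?} for the situations discussed in the thread."""
    ca_keys, chain_a, chain_b = build_scenario()
    trusted = {"Toy Root": "trusted"}
    pruned = {"Toy Root": "trusted", "Toy Intermediate A": "never"}
    # A leaf minted without the intermediate's secret: its signature cannot verify.
    forged = [Cert("www.example.test", "Toy Intermediate A", 999, b"\x00" * 32), chain_a[1], chain_a[2]]
    # Whitelist as a responder would publish it: only certs it can still vouch for.
    known_good = {("Toy Root", 2), ("Toy Intermediate A", 100)}
    return {
        "clean": validate(chain_a, trusted, ca_keys)[0],
        "forged_leaf": validate(forged, trusted, ca_keys)[0],
        # ordinary revocation: a CRL entry, no client update required
        "leaf_on_crl": validate(chain_a, trusted, ca_keys, crl={("Toy Intermediate A", 100)})[0],
        # trim the rotten branch: distrust one intermediate, the sibling survives
        "branch_a_pruned": validate(chain_a, pruned, ca_keys)[0],
        "branch_b_survives": validate(chain_b, pruned, ca_keys)[0],
        # root compromised: only a trust-store change removes everything beneath it
        "root_distrusted": validate(chain_a, {"Toy Root": "never"}, ca_keys)[0],
        # responder in whitelist mode: anything unlisted is treated as revoked
        "whitelisted_ok": validate(chain_a, trusted, ca_keys, whitelist=known_good)[0],
        "unlisted_revoked": validate(chain_b, trusted, ca_keys, whitelist=known_good)[0],
    }


if __name__ == "__main__":
    for case, ok in run_cases().items():
        print(f"{case:20s} {'accept' if ok else 'reject'}")
```

The split between the CRL/whitelist checks and the trust_store lookups is the point: the former are data the CA publishes and a client can fetch at connection time, the latter live on the client and only change when the OS, the browser, or the user edits them, which is why a root-level problem turns into a software update.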

Re:Certificate revocation (1)

cyrano.mac (916276) | more than 3 years ago | (#37349750)

Why don't you just delete DigiNotar and Comodo certs yourself? I mean, it's a trust relationship. If you, the user, no longer trust a notary, just delete its certificate and find out which of your SSL connections no longer works or defaults to an unsecured connection. You can find and delete certificates in the prefs of some browsers. On OSX, it's the Keychain Util, of course.

Re:Certificate revocation (1)

wvmarle (1070040) | more than 3 years ago | (#37350462)

I just got an update from Ubuntu that blacklists DigiNotar. So that part is done.

Yet you're also one of those people that doesn't get the point. This kind of blacklisting should be done automatically, in real time, without needing to update software on a client computer. Now other comments mention that there is some automated system, yet the fact that these updates get so much attention and are presented as "the solution" tells me that that system is broken.

It's Safari not the OS (1)

Anonymous Coward | more than 3 years ago | (#37348892)

The problem lies with Safari not with OSX. Use a different browser. This is not an OS problem. I do wish Apple would get their finger out and fix it though.

Re:It's Safari not the OS (0)

zippthorne (748122) | more than 3 years ago | (#37349712)

No, it's an OS problem.

On OSX Safari, of course, and I think FF, Opera, and Chrome, do not use their own root certificate list like on Windows. They use the OS level keychain service for their encryption needs, whether it be form data or certificates.

This has the advantage that changing the certificate trust value will affect all browsers on your system (that use the built-in encryption services), and other things that require certs (like VPN) and the disadvantage that, if it's not working correctly, will be broken everywhere.

Re:It's Safari not the OS (1)

BitZtream (692029) | more than 3 years ago | (#37349950)

No, it's an OS problem.

The only problem is ignorant users. The OS does a fine job of revoking certs, if you know how to use the OS.

You just revoke them in Keychain Access and they are revoked system wide. Open it, find your cert, mark it as never trusted. Takes about 8 seconds, I timed it.

Anyone who thinks certificates can't be revoked in OSX is an idiot.

Re:It's Safari not the OS (0)

Anonymous Coward | more than 3 years ago | (#37349980)

Opera uses its own certificate root storage, and one where certificates can be updated and revoked without installing a new version of the browser.

Double standards? (1)

trifish (826353) | more than 3 years ago | (#37348904)

Comodo hasn't had just one, but two such breaches in the past few years (use the Slashdot search to find the stories).

How come their certificates are still trusted and included with all browsers and operating systems whereas Diginotar's certificates were obliterated from all browser and almost all operating systems immediately?

Is it because DigiNotar is only a regional Dutch CA? Talk about disgusting double standards then.

Re:Double standards? (1)

Elbart (1233584) | more than 3 years ago | (#37348934)

Comodo immediately disclosed the breach and made it known to all affected parties. DigiNotar sat on it and kept quiet for months.

Re:Double standards? (1)

trifish (826353) | more than 3 years ago | (#37349018)

I don't care that they reacted quickly. It has happened TWICE to Comodo.

It's about trust. I don't trust amateurs who can't even learn from their own mistakes.

I've distrusted Comodo's certificate like I did with DigiNotar and the Chinese CA.

The reason not to remove Comodo can't be that they're bigger than DigiNotar. Double standards are absolutely unacceptable in this field.

Re:Double standards? (1)

cyrano.mac (916276) | more than 3 years ago | (#37349690)

Comodo also lied about it. They painted a sophisticated attack from Iran. Now we know that the "hacker" was a Turkish script kiddie who's still bragging about it... That's the scary part: the intruder wasn't even any good. He's just an absolute beginner who follows "How To?" hacking vids on YouTube. And what happened to the lying Comodo CEO? Right, he was chosen as CEO of the year by RSA's InfoSecurity 2011 Global Excellence Awards... If you want to know how bad the problem is, how little is being done by the CAs and a possible, available solution if you use Firefox, have a look at Moxie Marlinspike's vids on YouTube...

Re:Double standards? (3, Insightful)

sjames (1099) | more than 3 years ago | (#37348950)

Because Comodo proactively detected the problem, put a stop to it, and had an appropriate audit log showing how large the problem was and what certs were wrongly issued.

Even DigiNotar acknowledges that removal of their root key is the only way to contain their leak.

OTOH, I chose to disable Comodo's keys in my browser.

Re:Double standards? (2)

nedlohs (1335013) | more than 3 years ago | (#37348958)

Because Comodo announced the problem and revoked the bad certificates within minutes of them being created, whereas DigiNotar did nothing for a month.

CAs are all about trust. Sure, Comodo showed they have some problems, but also that they do the right thing when shit happens. DigiNotar showed they are completely untrustworthy: security breaches happen, but the ignoring-them bit is unforgivable for an entity whose role is solely about trust.

Re:Double standards? (2)

slimjim8094 (941042) | more than 3 years ago | (#37348964)

Reading the 'pedia, it seems like DigiNotar's been careless for a while. Only 9 certificates were issued with Comodo, and it was handled very very quickly. It also doesn't seem like Comodo was actually compromised - Wikipedia says "a user account with an affiliate registration authority had been compromised"

By comparison, nobody's quite sure just how many DigiNotar certs were issued, or over how long a period of time. DigiNotar themselves have said they can't ensure that all fraudulent certs will be revoked.

If that wasn't enough, the fact that Comodo is a much, much larger CA is also important. Like it or not, the fallout from distrusting DigiNotar is much less than the fallout for kicking off Comodo would be.

Re:Double standards? (0)

Anonymous Coward | more than 3 years ago | (#37349004)

'pedia

I note your funny use of contraction to hide the fact that you're probably quoting the website that only pretends to be trustworthy and content-verified encyclopedia.

Omitting the "wiki" prefix will help you achieve credibility. LOL

Re:Double standards? (0)

Anonymous Coward | more than 3 years ago | (#37349166)

Yes, and the fact that he mentioned Wikipedia directly by name very close afterwards also clearly indicates that he's schizophrenic. In one hand he's got a deceiving personality. His other personality is honest and true.

Or it could be he just typed it that way for fun.

But I like the first thought better.

Re:Double standards? (0)

Anonymous Coward | more than 3 years ago | (#37349298)

Oooooh... AC questions someone's credibility... how will slimjim ever sleep at night again...

Their own fault (1)

ecotax (303198) | more than 3 years ago | (#37349830)

As a Dutch reader, I can guarantee you that nobody in his right mind here minds the way DigiNotar's fiasco is handled. They deserve this, and worse. If you're basically selling trust, you'd better be trustworthy.
On the Mozilla Security Blog, the reason why they handled this as they did is explained very well:
http://blog.mozilla.com/security/2011/09/02/diginotar-removal-follow-up/ [mozilla.com]

Re:Their own fault (0)

Anonymous Coward | more than 3 years ago | (#37350106)

You are missing the OP's point. The point is that Comodo should have got the same treatment.

Re:Double standards? (1)

RogerWilco (99615) | more than 3 years ago | (#37350326)

DigiNotar didn't tell anyone, when they found out. Given that the CA system is built on trust, it means they have lost everyone's trust.

Next to that, they don't seem to have a good audit trail, so can't tell what is and isn't affected.

Everyone knows computer security can't be 100%. The central issue is trust. DigiNotar is no longer trusted, Comodo is because of the different way they handled things when a breach occurred.

Always the same from Apple (3, Interesting)

Anonymous Coward | more than 3 years ago | (#37348914)

They lack in security and fixing exploits, and yet, they like to brag about somehow being "more secure" than Windows.

Oh, and Microsoft I believe already released a patch... yesterday? Tuesday?

It gets worse (2)

antifoidulus (807088) | more than 3 years ago | (#37349038)

The thing is, I am wondering whether they will even bother to fix it for people still running Leopard. Apple historically has released non-security bugfixes for 10.n, security patches only for 10.(n-1), and basically jack shit for all osver
While ordinarily just a dick move, due to the Intel transition this means that there is a large user base out there (namely the ones that still run PPC Macs) that basically will never get any new security patches for their systems, and they are stuck with either pitching their hardware or taking the risk that they will not be a victim.

Apple really needs to make these EOL policies not only clear, but announce them significantly ahead of time so that people who decide to migrate have plenty of time to do so.

actually (0)

greentshirt (1308037) | more than 3 years ago | (#37349082)

Apple don't "need" to do anything. In fact, they should continue doing exactly what they're doing, considering they are one of the most valuable corporations in the history of money. What "needs" to happen is for people to get their heads out of their asses and stop overpaying for Apple [i]innovation[/i].

Re:actually (1)

greentshirt (1308037) | more than 3 years ago | (#37349088)

also, bbcode fail

Re:actually (0)

Anonymous Coward | more than 3 years ago | (#37349542)

Slashdot uses HTML by default.

Re:actually (0)

dingen (958134) | more than 3 years ago | (#37349110)

Yeah, stop overpaying for Apple's stuff and just switch to another Unix operating system with support for commercial applications like Photoshop, AutoCAD or Cubase. Oh wait, there isn't one.

Re:actually (0)

Anonymous Coward | more than 3 years ago | (#37349280)

Only a tiny fraction of Apple's userbase needs those apps.

Re:actually (0)

Anonymous Coward | more than 3 years ago | (#37349312)

many more than you think

Re:actually (1)

Haedrian (1676506) | more than 3 years ago | (#37349664)

And from that fraction most would be fine with an Open Source Alternative.

However apple looks 'cool' and 'fashionable' and most people who I know have macs don't use any of those.

Re:actually (1)

konohitowa (220547) | more than 3 years ago | (#37349768)

... most people who I know have macs don't use any of those.

There you have it... proof positive! I'll need to register your comment with a DOI for further citation. Until then, I think it would be safe to refer to this as "Haedrian's Llaw".

Re:actually (1)

Haedrian (1676506) | more than 3 years ago | (#37349904)

All right, let's both camp outside of Apple stores and ask people why they're buying Macs.

Alternatively we could look at the sales of those 3 programs, and compare them to the Mac userbase.

Strange, I don't see where M$ is screwing up (0, Funny)

Anonymous Coward | more than 3 years ago | (#37349112)

What, no Micro$oft borg icon? And they already patched Windows?? I find that hard to believe. Come on, give the real details of the story. We all know that M$ technologies is pure crap and that anything Apple does is perfection. That's why Apple can drag its feet. As far as I'm concerned Apple doesn't have to do a single thing (it's perfection).

Re:Strange, I don't see where M$ is screwing up (1)

shadesOG (2457562) | more than 3 years ago | (#37349390)

pass the 'Micro$oft borg' :) I don't proclaim to be a security expert, but MS, Google, etc. did the right thing to revoke the certs. It's still reactive not proactive. I vote if it takes an OS update to mandate secure and trusted communication, YOU ARE DOING IT WRONG. Haven't been to Iran in a while, but do they even have a Mac store? Or get OS updates? Something is awry

Re:Strange, I don't see where M$ is screwing up (1)

Lieutenant_Dan (583843) | more than 3 years ago | (#37350310)

The problem may be that browsers may not check for CRLs by default, or DigiNotar's CRL cannot be relied on. So for either scenario, MS/Google/Mozilla sent out system/software updates to just deal with this CA at the core. Not a bad approach.

Yes, ideally each browser should by default check if a certificate has been revoked. Hopefully this will be reviewed for the future.

Re:Strange, I don't see where M$ is screwing up (1)

wannabgeek (323414) | more than 3 years ago | (#37350336)

I believe you should get your sarcasm detector checked.

security is a 'trusted chain' (0)

Anonymous Coward | more than 3 years ago | (#37349258)

Do you really believe this is a 'hack by chance'? I believe this is someone exposing the vulnerabilities of monolithic security systems that rely upon 'trusted' entities. One that forces new ideas and systems to deliver better security that governments may not like *cough* 'Pakistan bans encryption'.... which direction do you want to go?

Nothing against Iranian hackers, but do you REALLY believe that Iranians exploited CAs to read Iranian mail on Google? Nah... not in my blackbook. I smell NSA and Israelis... I for one welcome a new secure method of CA.

This is stuxnet 2.0

Re:security is a 'trusted chain' (1)

shadesOG (2457562) | more than 3 years ago | (#37349340)

I agree that it's an exploitation of weak vulnerability. Comodo may have done it to make a point, but what are the chances that others have been doing this for a long while?

Yup. (2)

bytesex (112972) | more than 3 years ago | (#37349538)

Same here. Snow Leopard user. Can confirm it. Stupid OS. I hope this will forever silence the 'if you think that firefox is a proper Mac application GTFO' trolls. This time, it's *better* to use Firefox.

Re:Yup. (-1)

BitZtream (692029) | more than 3 years ago | (#37349978)

Why? Because you don't know how to use your OS?

Open Keychain Access, disable the scary cert, and STFU.

As far as stopping the 'firefox isn't a proper OSX App', it's not. There is no reason to use Firefox unless you like not having a centralized, OS-managed certificate store.

Disabling the DigiNotar cert is as easy as opening Keychain Access and marking it as never trusted. Instant revocation across the OS, or we could use shitty apps like Firefox which insists on doing it all itself and as such we'd have to figure out how to disable the cert in a shitload of apps.

Once again, your ignorance makes you wrong, it's STILL NOT BETTER to use broken ass Firefox.

And yes, my response is trollish, I have no idea how to deal with idiots such as yourself without trolling. If you learned how to use the OS on your computer rather than jerking off to Firefox you probably wouldn't have posted and I wouldn't have had to troll you back.

Re:Yup. (0)

Anonymous Coward | more than 3 years ago | (#37350312)

Ooh.. someone stole macboy's toys!

Here, have some shinies...

YUO jFAIL IT! (-1)

Anonymous Coward | more than 3 years ago | (#37349596)

Hard Info and Tools (3, Interesting)

plsuh (129598) | more than 3 years ago | (#37349844)

Folks,

I have detailed info and tools on my website at

http://ps-enable.com/articles/diginotar-revoke-trust [ps-enable.com]

The short story is that it is possible to protect yourself, but it requires deleting the DigiNotar root cert(s), then revoking trust on the two roots plus four intermediates.

--Paul

What about iOS, Android, WebOS, OperaMini, OperaMo (2)

greggman (102198) | more than 3 years ago | (#37349886)

What about iOS, Android, WebOS, OperaMini, OperaMobile, etc etc etc. Do they all need to be updated?

Idiots, certs are easy to disable in OSX (2, Informative)

BitZtream (692029) | more than 3 years ago | (#37349902)

reports Bob McMillan, because the OS can't properly revoke dodgy digital certificates."

Really? Cause I just set the trust to 'Never' in Keychain Access and it works just fine.

If you don't know how to do something, you shouldn't talk out your ass.

  • Open Keychain Access from Applications/Utilities
  • Click on System Roots keychain
  • Click on Certificates category to filter down to only certs
  • Double click on DigiNotar certificate.
  • Expand 'Trust' drop down
  • The first option is: 'When using this certificate:' change that option to 'NEVER'
  • Close Keychain Access and rest assured knowing the blogger who wrote this article is a fucking douche using slashdot for slashvertising and talking out his ass without a clue

Re:Idiots, certs are easy to disable in OSX (5, Informative)

Anonymous Coward | more than 3 years ago | (#37349960)

FTFA:

Ryan Sleevi, a software developer who has contributed to Google's Chrome project, noticed the issue too. After poking around the Mac OS X source code, though, he uncovered the cause.

Users can revoke a certificate using Keychain, but if they happen to visit a site that uses the more-secure Extended Validation Certificates, the Mac will accept the EV certificate even if it's been issued by a certificate authority marked as untrusted in Keychain.
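As an added illustration (not Apple's code, and not from any poster in this thread), here is a small Python model of the trust decision the FTFA excerpt describes, and of plsuh's point above that the roots and the intermediates all need their trust revoked: evaluate_buggy lets an EV match return before the user's 'Never Trust' settings are consulted, while evaluate_fixed checks distrust for every certificate in the chain first. The certificate names, the EV policy OID and the anchor set are constructed.

```python
"""Added model of the trust evaluation discussed in the thread; it is not
Apple's Security framework code.  Names and policy OIDs are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str          # same as subject for a self-signed root
    ev_policy: str = ""  # EV policy OID asserted by the cert, "" if none


# Constructed sample chain: leaf <- intermediate <- root, all asserting the
# same made-up EV policy OID.
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA", "1.3.6.1.4.1.99999.1")
INTER = Cert("CN=Example Intermediate CA", ROOT.subject, ROOT.ev_policy)
LEAF = Cert("CN=www.example.test", INTER.subject, ROOT.ev_policy)

# Anchors the OS ships (the intermediate is installed as an anchor too, so a
# chain may legitimately stop there) and the EV policy each EV root vouches for.
SYSTEM_ANCHORS = {ROOT.subject, INTER.subject}
EV_ANCHORS = {ROOT.subject: ROOT.ev_policy}


def chain_links_to_anchor(chain, anchors):
    """Each cert's issuer must be the next cert's subject, and the last
    cert must be an installed anchor."""
    for cert, parent in zip(chain, chain[1:]):
        if cert.issuer != parent.subject:
            return False
    return chain[-1].subject in anchors


def evaluate_buggy(chain, anchors, ev_anchors, user_distrust):
    """Behaviour the thread describes: an EV match returns early, before the
    user's 'Never Trust' (Keychain Access) settings are ever consulted."""
    if not chain_links_to_anchor(chain, anchors):
        return "untrusted"
    if ev_anchors.get(chain[-1].subject) == chain[0].ev_policy:
        return "trusted-ev"  # distrust never checked on this path
    if any(c.subject in user_distrust for c in chain):
        return "untrusted"
    return "trusted"


def evaluate_fixed(chain, anchors, ev_anchors, user_distrust):
    """Distrust is checked for every cert in the chain before any EV
    decision, so EV only upgrades a verdict and never overrides 'Never'."""
    if not chain_links_to_anchor(chain, anchors):
        return "untrusted"
    if any(c.subject in user_distrust for c in chain):
        return "untrusted"
    if ev_anchors.get(chain[-1].subject) == chain[0].ev_policy:
        return "trusted-ev"
    return "trusted"
```

With only the root marked 'Never', evaluate_fixed still accepts a chain that stops at the installed intermediate, which is the reason the intermediates need an entry as well.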

Re:Idiots, certs are easy to disable in OSX (0)

Anonymous Coward | more than 3 years ago | (#37349968)

Really? Cause I just set the trust to 'Never' in Keychain Access and it works just fine.

False. If you bothered to RTFA, you would know that doesn't apply to EV certs, only regular certificates.

All because big brother Steve won't allow you to choose who to trust. Mac users MUST always trust everyone that big brother Steve says they should trust.

Re:Idiots, certs are easy to disable in OSX (0)

Anonymous Coward | more than 3 years ago | (#37350146)

If you don't know how to do something, you shouldn't talk out your ass.

  • Open Keychain Access from Applications/Utilities
  • Click on System Roots keychain
  • Click on Certificates category to filter down to only certs
  • Double click on DigiNotar certificate.
  • Expand 'Trust' drop down
  • The first option is: 'When using this certificate:' change that option to 'NEVER'
  • Close Keychain Access and rest assured knowing the blogger who wrote this article is a fucking douche using slashdot for slashvertising and talking out his ass without a clue

See, Macs are so user friendly and easy to use. Whereas both Windows and Linux require complicated auto-update mechanisms

Re:Idiots, certs are easy to disable in OSX (0)

Anonymous Coward | more than 3 years ago | (#37350388)

You left out "find a site that's been signed by DigiNotar and access it in your browser to make sure the trust is revoked"

Per the comments at http://www.cantus.us/mac/remove-the-diginotar-ca-trust-from-mac-os-x :

"The problem turns out to be that if a site uses an EV-SSL (Extended Validation SSL) certificate, Keychain will ignore the fact that the user has marked it as untrusted."

so, good luck with that.

Re:Idiots, certs are easy to disable in OSX (3, Informative)

forand (530402) | more than 3 years ago | (#37350512)

This works fine as long as you don't visit an EV site. You must delete the cert, and make changes to your system on OS X. This is not an easy fix for most people. Please find more info here [arstechnica.com]

Serves you right (0)

Anonymous Coward | more than 3 years ago | (#37350270)

Meanwhile, even Mac OS X users who want to go DIY are stymied, reports Bob McMillan, because the OS can't properly revoke dodgy digital certificates.

That's what you get for using a toy operating system.

Simple. Stop trusting Apple (0)

Anonymous Coward | more than 3 years ago | (#37350460)

And switch over to any flavor of Linux. Apple is way overpriced anyway.
