The security incident at DigiNotar has created a big hole in online security. DigiNotar’s CA has been hacked and cannot be trusted anymore. The list of known fraudulent certificates contains some high-profile domains, e.g. google.com, mozilla.com, yahoo.com, torproject.org, and many more.
Some browsers and operating systems have already been hardened with a patch or an updated CRL, but what about Mac OS X users?
Security risk
DigiNotar has already revoked many certificates but can’t tell how many rogue certificates have been issued by the hackers. Therefore it’s not safe to rely solely on an updated CRL: a CRL only lists the rogue certificates the CA knows about. A malicious person could use these certificates to trick your browser, in a few very specific scenarios only. Unlikely, but still possible.
Instead you should untrust DigiNotar’s root certificate completely. This is also advised by security experts. Luckily DigiNotar isn’t too big or popular (and now never will be), so the remaining valid certificates should affect hardly any user.
Update: Mac OS X doesn’t handle EV (Extended Validation) SSL certificates correctly and may not warn you if a site uses an EV SSL cert. EV certs are supposed to enhance security and will show the company’s name in green (Safari, Chrome, Firefox) or color the address bar green in your browser (IE). I haven’t found such a page yet to confirm the bug in OS X Lion (see the idg.no link below). If this is true I hope Apple will fix it soon with a patch.
Update #2: Finally I found a site that uses the EV SSL sub certificate and I can confirm the bug in Mac OS X Lion 10.7.2 mentioned above. As you can see in the screenshots, Safari 5.1 and Chrome 13.0 do not issue any warning even though the root CA clearly is not trusted/valid. Chrome at least marks the lock with a tiny yellow triangle, but you have to click it to see that there’s something fishy about the site’s cert (if you’re not aware that it’s supposed to be green). Only Firefox 6.0.1 will present a clear warning you can’t ignore or bypass by accident. You can check your browser with test link #4, but hurry up: the cert will expire 09/09/11.
Check your browser
You can check your browser’s security by opening an HTTPS site that uses DigiNotar’s root certificate or has been signed by this cert.
If you click SSL test link #1 below, your browser should show a warning message before opening the page. This link doesn’t contain any harmful code; it’s just an HTTPS link to DigiNotar’s home page, which has been signed by its own root certificate.
Update: DigiNotar has installed a new certificate valid from Sep 1st 2011, so I added 2 more links that still use the old root certificate. These new links point directly to the .crt files.
Update #2: All links have been invalidated by redirection or have been removed from DigiNotar’s site. I’ve added a few more links, but these will probably be updated soon, too. You can try other sites from the DigiNotar notifications list of domains and sites signed by DigiNotar.
- DigiNotar SSL test link #1 (DigiNotar.com)
- DigiNotar SSL test link #2 (DigiNotar TopRoot cert)
- DigiNotar SSL test link #3 (DigiNotar EV SSL Sub CA cert)
- DigiNotar EV SSL test link #4 (uses EV SSL signed by DigiNotar root CA, exposes OS X bug, cert expired)
- DigiNotar SSL test link #5 (updated cert from new root CA)
- DigiNotar SSL test link #6 (updated cert from new root CA)
- balienet.nl (DigiNotar PKIoverheid CA)
- goestenopdam.nl (DigiNotar EV CA)
- robeheer.nl (DigiNotar Services 1024 CA)
Untrust or delete root cert?
Keychain Access requires authentication for each change.
- Open Keychain Access
- Search for diginotar
- Inspect each DigiNotar Root CA certificate (right click > Get Info)
- Expand Trust
- Set “When using this certificate:” to “Never Trust”
Instead of untrusting this cert you could also delete it from your keychain, but it could be reinstalled with an update or the next time you visit a site signed by this root cert. So I prefer to keep it but not trust it.
Update #3: Not trusting a certificate should invalidate the complete subsequent chain of trust, but because of the bug in Safari/Mac, EV SSL certificates still validate even if signed by an untrusted CA. Until this bug has been confirmed and fixed by Apple, the only way to circumvent the problem is to delete all DigiNotar certificates from your keychain. You can drag them onto your Desktop (or any other location) in case you’d like to re-import them later. Some users reported that the certs were re-installed after visiting an SSL site that has been signed with such a certificate. I couldn’t reproduce this, but I’m aware that it may be possible depending on your security settings.
So my new advice is to delete the flaky certs and keep an eye on the certificates in your keychain.
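To make the reasoning of this section and of “Security risk” above concrete, here is an added Python model (not code from the original post) of how a browser validates a certificate chain against the local trust store. Every certificate, serial number, the CRL and the three trust-store states are constructed for illustration, and the `mimic_reported_lion_bug` switch is an assumption that models the behaviour reported above, not Apple’s actual code. The model shows why an updated CRL alone lets through a rogue certificate the CA never listed, why setting the root to Never Trust catches it, and why deleting the root still fails the chain even where the Never Trust setting is ignored for EV paths.

```python
"""
Toy model of chain validation against a local trust store (keychain).
Added example; certificates, CRL and store states are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str            # subject of the signer; a root is self-issued
    serial: int
    ev: bool = False       # leaf asserts an Extended Validation policy


# Trust-store states for a root, mirroring the Keychain Access "Trust" setting.
TRUSTED = "trusted"            # default after import
NEVER_TRUST = "never trust"    # "When using this certificate: Never Trust"
# A root that was deleted from the keychain simply has no entry in the store.

# Constructed sample PKI (names and serials are made up).
ROOT = Cert("DigiNotar Root CA", "DigiNotar Root CA", 1)
EV_SUB_CA = Cert("DigiNotar EV SSL Sub CA", "DigiNotar Root CA", 2)
LEGIT_EV_LEAF = Cert("www.example-shop.nl", "DigiNotar EV SSL Sub CA", 10, ev=True)
KNOWN_ROGUE = Cert("*.google.com", "DigiNotar Root CA", 500)        # listed on the CRL
UNKNOWN_ROGUE = Cert("login.example-mail.com", "DigiNotar Root CA", 501)  # never listed

# Constructed CRL: contains only the rogue certs the CA knows about.
CRL = {("DigiNotar Root CA", 500)}


def validate(chain, store, crl=CRL, mimic_reported_lion_bug=False):
    """Validate a chain ordered leaf -> ... -> root; returns (ok, reason).

    Checks, in order: issuer linkage, CRL membership, trust-store state of the
    root. With mimic_reported_lion_bug=True the function reproduces the
    behaviour described in the post (an assumption, not Apple's code): a root
    marked Never Trust is ignored when the leaf carries an EV policy, while a
    root that is absent from the store still fails the chain.
    """
    # 1. Linkage: each cert is issued by the next one; the root is self-issued.
    for cert, signer in zip(chain, chain[1:] + [chain[-1]]):
        if cert.issuer != signer.subject:
            return False, f"broken chain at {cert.subject}"
    root = chain[-1]
    # 2. Revocation: reject anything listed on the CRL.
    for cert in chain:
        if (cert.issuer, cert.serial) in crl:
            return False, f"revoked: {cert.subject}"
    # 3. Trust anchor state.
    state = store.get(root.subject)
    if state is None:
        return False, f"unknown issuer: {root.subject}"
    if state == NEVER_TRUST:
        if mimic_reported_lion_bug and chain[0].ev:
            return True, "EV path accepted despite Never Trust (reported bug)"
        return False, f"untrusted root: {root.subject}"
    return True, "valid"


def outcomes(chain, mimic_reported_lion_bug=False):
    """Accept/reject result for one chain under the three keychain states in the post."""
    stores = {
        "root trusted, CRL only": {ROOT.subject: TRUSTED},
        "root set to Never Trust": {ROOT.subject: NEVER_TRUST},
        "root deleted from keychain": {},
    }
    return {name: validate(chain, store, mimic_reported_lion_bug=mimic_reported_lion_bug)[0]
            for name, store in stores.items()}


if __name__ == "__main__":
    cases = [
        ("legit EV site", [LEGIT_EV_LEAF, EV_SUB_CA, ROOT]),
        ("rogue cert on the CRL", [KNOWN_ROGUE, ROOT]),
        ("rogue cert not on the CRL", [UNKNOWN_ROGUE, ROOT]),
    ]
    for label, chain in cases:
        print(f"{label:26} {outcomes(chain)}")
    print("legit EV site, reported bug", outcomes([LEGIT_EV_LEAF, EV_SUB_CA, ROOT], True))
```

The "rogue cert not on the CRL" row is the gap the post warns about: with the root still trusted it validates cleanly, and only a Never Trust setting or deletion of the root rejects it. The last row is the reported Lion behaviour: Never Trust is bypassed for the EV chain, but a deleted root yields "unknown issuer" regardless of policy, which is why deletion is the workaround.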
Links – Info
- Protection against fraudulent DigiNotar certificates (mozilla.org)
- DigiNotar SSL breach (sans.edu)
- Hackers may have stolen over 200 SSL certificates (computerworld.com)
- DigiNotar security incident (vasco.com)
- Mac OS X can’t properly revoke dodgy digital certificates (idg.no)
- Fraudulent Digital Certificates Could Allow Spoofing (microsoft.com)
- DigiNotar (SSL test link, should not open w/o warning!)
- GlobalSign EV SSL test link (valid EV cert, should show name in address bar in green, no warning)
- DigiNotar Notifications (Google Docs spreadsheet, known compromised domains)
- DigiNotar filed bankruptcy (vasco.com)
Links – Instructions
- FireFox: Deleting the DigiNotar CA certificate (mozilla.com)
- Adobe Reader & Acrobat: Update on DigiNotar and the Adobe Approved Trust List (AATL) (adobe.com)
- Windows XP/Vista/7: View or manage your certificates (microsoft.com)
30 Responses to Check, untrust and remove DigiNotar HTTPS/SSL CA root certificate on Mac OS X
Trackbacks & Pingbacks & Twitter
- How To: Check, untrust and disable DigiNotar HTTPS/SSL CA root certificate on … – http://t.co/fVureMR
- [...] before panicking about unsafe digital certificates, the folks over at io101.org posted a how-to on getting the DigiNotar certificates off your [...]
- How to check, untrust and disable DigiNotar root certificate on Mac OS X http://t.co/ddgklEy
- How to: check, untrust, & disable hacked #DigiNotar HTTPS/SSL CA root certificates on Mac OS X http://t.co/EFPwQtb courtesy of @io101org
- [...] thanks to: http://www.io101.org/blog/howto/check-untrust-disable-diginotar-https-ssl-root-ca-certificate-mac-os... This post was filed under Diversen by Bart. Bookmark the permalink [...]
- @JeroenvanderGun @SamirAllioui See for example here for an explanation: http://t.co/cy2P99z
- [...] more into the DigiNotar CA compromise and how to fix it temporarily on Mac OS X until Apple releases a patch [...]
- Just set the Diginotar root certificate to untrusted by hand. http://t.co/tD4hosc
- How to set Diginotar CA as untrusted in Mac OS X: http://t.co/nvtxMlm #in
- After #diginotar, making your Mac trustworthy again: "Check, untrust and remove DigiNotar HTTPS/SSL CA root certificate on OS X" http://t.co/BV7F24X
- Attention Mac OS X users! Disable and remove your #DigiNotar root certificate(s); your online security is compromised. http://t.co/5XXbhez
- HAPPY “untrust/delete the #DigiNotar root certificate from your OS X installation yet” MONDAY! http://t.co/Zjp16k5
- How To: Check, untrust and remove DigiNotar HTTPS/SSL CA root certificate on Mac OS X http://t.co/gngSQSn
- For the #Apple #OSX users out there… http://j.mp/po9keF (link @paulvanbuuren) #ict #security #diginotar #li
- Untrust or delete the Diginotar cert from Lion http://t.co/q9XQX4O
- DigiNotar issue exposed a MacOS X issue which doesn’t warn EV SSL certs signed with untrusted root CA. sigh… http://t.co/3FQqGCk
- [...] Firefox, Google Chrome, Opera or Apple Safari *and* disable the DigiNotar root certificates. This post explains how to disable the DigiNotar certificates on OS X. This post explains how to disable the DigiNotar certificates on [...]
- http://t.co/lmr7f33 #security #mac #solution how to solve an important security problem for people with Macs
As of today 09/01/11 DigiNotar has installed a new certificate (open cert details in link #1) so I added 2 more test links. I also updated the description.
If anybody knows a domain that uses DigiNotar’s EV (Extended Validation) SSL cert please post a link here.
As far as I can check, the bug is NOT present in Lion (10.7.1). I removed the Diginotar root CA from the keychain and I DO get an ‘untrusted’ warning from Safari. It is important to log out and log in first to get Safari to show the warning.
The bug in Mac OS X is that a root certificate which has been revoked (Never Trust) but still resides in your keychain will be ignored if an EV SSL cert has been used down the chain of trust (see screenshot).
By removing the cert from the keychain it’ll throw a warning because of the missing link in the chain of trusted certificates. Hence my new advice to remove it, like you did.
I have not been able to reproduce the reported Safari bug in 10.7.1. If I mark the DigiNotar root certificate as untrusted, Safari does the right thing. I did not have to remove the certificate.
I posted a howto for automatically deleting the Diginotar root certificate on my blog at http://HaveGNUwillTravel.ApesSeekingKnowledge.net/2011/09/automate-removing-diginotar-ca.html which covers both using puppet to delete it and how to create a payload-less package that you can push to your Macs that will delete it.
Note that what I posted is strictly for the system keychain, not Firefox – you’ll have to update FF separately.
Hi,
I’ve some users using safari on Windows. Do you know if they are safe?
How does safari validates certificates in this case?
BR,
Cyr
MS released an updated CRL (MS KB 2607712) for Windows a couple of days ago.
A quick test with Safari 5.1 (7534.50) on Win 7 x64 showed a warning on test link #3 so your Windows users should be fine if all updates applied. Chrome 13.0 and FireFox 6.0.1 showed same behavior as on Mac OS X Lion.
The maestre.com test now fails to validate in Safari, but that is only because their SSL certificate expired earlier today.
Thx Chris, I just updated the article. For other test links check the DigiNotar Notifications Google Docs spreadsheet (see link in post).
To keep your system secure just apply all available (security) updates and check for updated versions of all of your browsers. This should do it for now.
iOS (iPhone/iPad/iPod touch) users still have to wait for an update…
My Firefox 6.0.2 installation is compromised and I can’t believe it is only me but I only see reference to DigiNotar.
There are 10 certificates in my Firefox Certificate Manager that I have not added and I have tried to delete repeatedly. They purport to be issued by “UTN USERFirst Hardware Root CA”, “http://www.usertrust.com”.
They are for the following domains
addons.mozilla.com
kuix.de
login.live.com
login.skype.com
login.yahoo.com (three certs)
mail.google.com
http://www.google.com
I am a qualified network security engineer (CCSP) with 10 years’ experience. In my opinion this represents an immediate threat to anyone trying to log on to the domains above, as they are susceptible to a man-in-the-middle attack and compromise of their privacy. In the Middle East this could be life threatening. In the medium term this represents a very serious threat to e-commerce. Other browsers (Internet Explorer 9, Chrome v14…) show the certificates disabled (worryingly, I can’t seem to manage the certificates in Safari!).
I am posting this to raise awareness
Thx for sharing your concern, Bill. Got the same list in the Servers tab of the FireFox 6.0.2 certificate manager. When I click “View…” the window’s title says “… Bogus (name of cert)” and on “Edit Trust…” it’s already set to “Do not trust the authenticity of this certificate.”
These seem to be the newly added hardcoded non-trusted certificates. Look again and if these aren’t marked as untrusted in your FF then you’re in deep trouble.