Archive for August, 2011

Protecting Your Mac From the DigiNotar.nl Certificate Compromise

Go directly to step-by-step instructions. 

On July 10, 2011, DigiNotar.nl (a Netherlands CA) issued a fraudulent SSL certificate for the domain *.google.com, which would be valid for all google.com domains. DigiNotar has not been forthcoming about how the attackers were able to obtain the fraudulent certificate, releasing only a PR statement without any content. This means that more fraudulent certificates may have already been issued or may be issued in the future for *.google.com or other domains. While current indications are that it was used to snoop on G-Mail communications in Iran, no one knows what other places it might be used and for what other purposes. 

 

Furthermore, due to the nature of the certificates system, until the DigiNotar.nl registrar is completely secured and how the attack was conducted becomes publicly available, every SSL protected website and service in the world is vulnerable. 

 

Microsoft IE, Google Chrome, and Mozilla Firefox already have or have announced plans to very shortly blacklist all DigiNotar.nl certificates. If you are running IE (any version) on Vista, Windows 7, Server 2008, or Server 2008 R2; or an up to date version of Firefox or Chrome, you'll be OK in the near future. This is pretty much a death penalty for the DigiNotar CA. I would have been a bit more forgiving, perhaps, but the actions of the security teams at Microsoft, Google, and Mozilla have convinced me that revoking the trust of the DigiNotar CA is necessary. 

 

Apple has not yet updated Mac OS X and Safari as of this writing or made any announcements about its plans.  Until Apple releases a security update for this issue, you can protect yourself on an individual Mac computer by following the steps in this article, which includes steps for managing the process via MCX and shell scripting for mass deployment.  

 

NOTE: Unfortunately there is no equivalent process available for iOS at this point. You can add your own trusted CA certificates via the iPhone Config Utility and Configuration Profiles, but you cannot remove or modify the trust levels for pre-installed system certificates. 

Read more