Security August 30, 2011 at 9:14 pm

Protecting Your Mac From the DigiNotar.nl Certificate Compromise


On July 10, 2011, DigiNotar.nl (a Netherlands CA) issued a fraudulent SSL certificate for the domain *.google.com, valid for every google.com host. DigiNotar has not been forthcoming about how the attackers were able to obtain the fraudulent certificate, releasing only a PR statement without any substance. This means that more fraudulent certificates may already have been issued, or may be issued in the future, for *.google.com or other domains. While current indications are that the certificate was used to snoop on Gmail communications in Iran, no one knows where else it might be in use, or for what other purposes. 


Furthermore, because of how the certificate system works, until the DigiNotar.nl CA is completely secured and the details of how the attack was conducted are made public, every SSL-protected website and service in the world is vulnerable. 


Microsoft IE, Google Chrome, and Mozilla Firefox already have, or have announced plans to very shortly, blacklist all DigiNotar.nl certificates. If you are running IE (any version) on Vista, Windows 7, Server 2008, or Server 2008 R2, or an up-to-date version of Firefox or Chrome, you'll be OK in the near future. This is pretty much a death penalty for the DigiNotar CA. I would perhaps have been a bit more forgiving, but the actions of the security teams at Microsoft, Google, and Mozilla have convinced me that revoking trust in the DigiNotar CA is necessary. 


Apple has not yet updated Mac OS X and Safari as of this writing, nor made any announcements about its plans. Until Apple releases a security update for this issue, you can protect an individual Mac by following the steps in this article, which also cover managing the process via MCX and shell scripting for mass deployment. 


NOTE: Unfortunately there is no equivalent process available for iOS at this point. You can add your own trusted CA certificates via the iPhone Configuration Utility and Configuration Profiles, but you cannot remove or modify the trust levels of pre-installed system certificates. 

6 Comments

  • You can also remove the cert using the security command (for use with ARD Send UNIX or payload free package etc):

    sudo security delete-certificate -Z C060ED44CBD881BD0EF86C0BA287DDCF8167478C /System/Library/Keychains/SystemRootCertificates.keychain

    (that’s the SHA-1 hash for the DigiNotar Root CA cert)

  • I’ve updated the tools mpkg on my web page so that it will:

    1) Delete the "DigiNotar Root CA" and "DigiNotar Root CA G2" certificates.

    2) Import the "DigiNotar Services 1024 CA" and "DigiNotar Root CA" intermediate certificates signed by Entrust and mark them as not trusted.

    3) Import the "DigiNotar PKIoverheid CA Overheid en Bedrijven" and "DigiNotar PKIoverheid CA Organisatie G2" signed by the Dutch national government CA and mark them as not trusted.

    This is ready for deployment on Snow Leopard systems. It will work but does not apply all trust settings on Lion. I will be working on updating the text on the page to give more details.

    Spread the word.


    Paul Suh http://www.ps-enable.com/
    (240) 672-4212
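    As an added example (not from the original post and not Paul Suh's package), the following script combines the `security delete-certificate` approach from the first comment with the import-and-distrust steps Paul lists, in a form suited to ARD "Send UNIX" or a payload-free package. It assumes root on Mac OS X 10.6; the only fingerprint taken from the page is the DigiNotar Root CA hash quoted above, and all other certificates are located by label at run time. The PEM_DIR path, the MATCH string, the --dry-run/--apply flags and the label guard are this example's own conventions.

```shell
#!/bin/sh
# Added example, not code from the original post or from Paul Suh's package.
# Locates every certificate in the macOS system root keychain whose label
# contains "DigiNotar", deletes each one by SHA-1 fingerprint, and marks any
# DigiNotar intermediate certificates supplied as PEM files as "deny" so that
# chains through still-trusted roots (Entrust, PKIoverheid) are rejected.
# Assumptions: run as root on Mac OS X 10.6; PEM_DIR, MATCH and the
# --dry-run/--apply flags are this example's own, not an Apple or vendor API.
set -eu

ROOT_KEYCHAIN=/System/Library/Keychains/SystemRootCertificates.keychain
ADMIN_KEYCHAIN=/Library/Keychains/System.keychain
PEM_DIR=${PEM_DIR:-/private/tmp/diginotar-intermediates}  # hypothetical path
MATCH=DigiNotar
# Fingerprint quoted in the comment above (DigiNotar Root CA); kept for the
# operator's reference, the script discovers fingerprints itself.
KNOWN_ROOT_SHA1=C060ED44CBD881BD0EF86C0BA287DDCF8167478C

# Parse `security find-certificate -a -c NAME -Z` output and print one
# upper-case SHA-1 fingerprint per line.
extract_hashes() {
  sed -n 's/^SHA-1 hash: *//p' | tr 'abcdef' 'ABCDEF'
}

# Parse the same output and print the certificate labels, one per line,
# so the operator can see exactly what is about to be removed.
extract_labels() {
  sed -n 's/^ *"labl"<blob>="\(.*\)"$/\1/p'
}

# Guard: every label read from stdin must contain MATCH and there must be
# at least one; otherwise refuse, so a broad name match never deletes an
# unrelated root certificate.
labels_safe() {
  n=0
  while IFS= read -r label; do
    case "$label" in
      *"$MATCH"*) n=$((n + 1)) ;;
      *) return 1 ;;
    esac
  done
  [ "$n" -gt 0 ]
}

# Raw keychain query; empty output if `security` is absent or nothing matches.
list_matches() {
  security find-certificate -a -c "$MATCH" -Z "$ROOT_KEYCHAIN" 2>/dev/null || true
}

apply_fix() {
  out=$(list_matches)
  if ! printf '%s\n' "$out" | extract_labels | labels_safe; then
    echo "refusing: no matching certificates, or an unexpected label matched" >&2
    return 1
  fi
  printf '%s\n' "$out" | extract_labels | sed 's/^/would remove: /'
  printf '%s\n' "$out" | extract_hashes | while IFS= read -r h; do
    [ "$h" = "$KNOWN_ROOT_SHA1" ] && echo "  ($h is the documented DigiNotar Root CA)"
    [ "$MODE" = dry-run ] || security delete-certificate -Z "$h" "$ROOT_KEYCHAIN"
  done
  # Intermediates signed by other roots are not in the root store; import
  # them into the admin trust settings with an explicit deny instead.
  for pem in "$PEM_DIR"/*.pem; do
    [ -f "$pem" ] || continue
    echo "would deny: $pem"
    [ "$MODE" = dry-run ] || security add-trusted-cert -d -r deny -k "$ADMIN_KEYCHAIN" "$pem"
  done
}

case "${1:-}" in
  --apply)   MODE=apply ;;
  --dry-run) MODE=dry-run ;;
  *)         MODE=none ;;
esac
[ "$MODE" = none ] || apply_fix
```

    Run it once with --dry-run to see the labels and fingerprints it would touch, then with --apply. The label guard is deliberate: the script refuses to delete anything if the name match returns a label that does not contain DigiNotar, and the deny step only affects certificates you place in PEM_DIR. As Paul notes for his package, the trust-settings behaviour on Lion differs from Snow Leopard, so verify on a pilot machine before a mass push.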

  • Folks,

    I just updated my web page and the installer package with the latest information. It now handles revoking the trust for the Extended Validation certificates.

    Spread the word, widely.

    –Paul


    Paul Suh http://www.ps-enable.com/
    (240) 672-4212

    • @PuLSe Thanks for the package, tested fine in our LAB environments. I’ll alert our clients.

      Don Montalvo, TX


  • Pushed to a dozen pilot users, no issues. I wonder why it took 2+ months for Apple to release this?

    Don Montalvo, TX


  • Interesting, so now that Apple released a security patch, do we need to reverse the “fix” before applying Apple’s patch?

    Don


    Don Montalvo, TX
