Articles by: PuLSe

Protecting Your Mac From the DigiNotar.nl Certificate Compromise

On July 10, 2011, DigiNotar.nl (a Netherlands CA) issued a fraudulent SSL certificate for *.google.com, a wildcard that is valid for any host under google.com. DigiNotar has not been forthcoming about how the attackers were able to obtain the fraudulent certificate, releasing only a PR statement without any content. This means that more fraudulent certificates may have already been issued, or may be issued in the future, for *.google.com or other domains. While current indications are that it was used to snoop on Gmail communications in Iran, no one knows where else it might be used and for what other purposes.

Furthermore, because any CA that a client trusts can issue a certificate for any name, until DigiNotar.nl's CA infrastructure is completely secured and the details of how the attack was conducted are made public, every SSL-protected website and service in the world can be impersonated to a client that still trusts DigiNotar's roots.

Microsoft (Internet Explorer), Google (Chrome), and Mozilla (Firefox) have already removed, or have announced plans to very shortly remove, trust in all DigiNotar.nl certificates. If you are running IE (any version) on Vista, Windows 7, Server 2008, or Server 2008 R2, or an up-to-date version of Firefox or Chrome, you'll be OK in the near future. This is pretty much a death penalty for the DigiNotar CA. I would have been a bit more forgiving, perhaps, but the actions of the security teams at Microsoft, Google, and Mozilla have convinced me that revoking the trust of the DigiNotar CA is necessary.

Apple has not yet updated Mac OS X and Safari as of this writing, nor made any announcement about its plans. Until Apple releases a security update for this issue, you can protect yourself on an individual Mac by following the steps in this article, which also covers managing the process via MCX and shell scripting for mass deployment.
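As an added example (not the script from the original article), the following shell script shows the command-line form of the Keychain Access "Never Trust" step, in a shape that can be pushed to many Macs: it exports every root in the System Roots keychain whose name contains "DigiNotar", records an explicit deny trust setting for each in the System keychain, and verifies that SSL evaluation of the root now fails. It assumes the roots' subject names contain "DigiNotar" and that it is run with sudo, since writing /Library/Keychains/System.keychain requires admin rights; the PEM-splitting helper is plain text processing so it runs anywhere, while the security(1) calls only run on Mac OS X and only when you pass --apply.

```shell
#!/bin/sh
# Added example, not the post's own script: distrust every DigiNotar root in
# the Mac OS X System Roots keychain from the command line.
# Assumptions (not stated on the page): the roots' subject names contain
# "DigiNotar", and the script is run with sudo so it can write the System
# keychain.
set -e

SYSTEM_ROOTS=/System/Library/Keychains/SystemRootCertificates.keychain
SYSTEM_KEYCHAIN=/Library/Keychains/System.keychain
WORKDIR=${TMPDIR:-/tmp}/diginotar-distrust.$$

# Split a concatenated PEM bundle into one file per certificate (cert-1.pem,
# cert-2.pem, ...) under outdir and print how many certificates were found.
split_pem_bundle() {
  bundle=$1
  outdir=$2
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
    f != ""                       { print > f }
    /-----END CERTIFICATE-----/   { close(f); f = "" }
    END                           { print n + 0 }' "$bundle"
}

# Export all DigiNotar roots from System Roots as PEM (Mac OS X only).
export_diginotar_roots() {
  security find-certificate -a -c "DigiNotar" -p "$SYSTEM_ROOTS" \
    > "$WORKDIR/bundle.pem"
  split_pem_bundle "$WORKDIR/bundle.pem" "$WORKDIR"
}

# Record an explicit "deny" trust setting for one certificate in the System
# keychain: the CLI equivalent of choosing "Never Trust" in Keychain Access.
distrust_cert() {
  security add-trusted-cert -d -r deny -k "$SYSTEM_KEYCHAIN" "$1"
}

# Once distrusted, evaluating the certificate under the SSL policy must fail.
check_distrusted() {
  if security verify-cert -c "$1" -p ssl >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Only touch the keychain when explicitly asked and when the security tool
# exists, so sourcing or testing these functions has no side effects.
if [ "${1:-}" = "--apply" ] && command -v security >/dev/null 2>&1; then
  mkdir -p "$WORKDIR"
  count=$(export_diginotar_roots)
  echo "found $count DigiNotar root certificate(s)"
  for pem in "$WORKDIR"/cert-*.pem; do
    distrust_cert "$pem"
    if check_distrusted "$pem"; then
      echo "distrusted: $pem"
    else
      echo "WARNING: still trusted after deny setting: $pem" >&2
    fi
  done
  rm -rf "$WORKDIR"
fi
```

Run it as `sudo sh distrust-diginotar.sh --apply`, then confirm in Keychain Access that the DigiNotar root shows a red X and "Never Trust". Treat this as a stopgap rather than a substitute for Apple's update: Mac OS X Lion was reported at the time to still accept Extended Validation certificates chaining to a root marked Never Trust, so a keychain trust setting alone does not close every path.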

NOTE: Unfortunately there is no equivalent process available for iOS at this point. You can add your own trusted CA certificates via the iPhone Config Utility and Configuration Profiles, but you cannot remove or modify the trust levels for pre-installed system certificates. 

Policy Banner for Snow Leopard

Folks,

Ok, so I've been quiet for a while, but here's a version of Policy Banner for Snow Leopard. 

<http://ps-enable.com/software/PolicyBannerPreLoginApp.dmg/view>

Open source, MIT-licensed, go have fun with it. 🙂

–Paul

File Distributor 1.0

If you need to replace every instance of a particular file inside a directory structure (e.g., distribute a set of bookmarks to every user's home directory), you can use my File Distributor application. You put in the path to the file that you want to use as a replacement, the name of the file that you want replaced, and the path to the folder where you want to start the replacement process. You can supply these by typing them in, by drag and drop, or by selecting from a standard file dialog. Grab it from http://ps-enable.com/software/FileDistributor1.0.dmg

Policy Banner 1.0

A slightly tweaked version of the loginwindow policy banner that we posted about earlier.

Read on for where to get it. 

MOSXSWebPassword 1.5

An updated version of my WebObjects application that allows for user password changes and resets from a web page, released September 10, 2007. 

How to Split a Server (Part 3 of 4)

Part 3 of the series where we focus on DNS and mail.

You can find Part 1 and Part 2 of this series, which were published earlier.

How to Split a Server (Part 2 of 4)

In part 1 of the series, I covered the reasons why you would want to separate a single server into multiple servers. Now we move on to the nitty-gritty: how do you actually accomplish the task?

Goal: Set up a separate server in the DMZ that handles web serving and external mail transport. This will reduce the number of direct connections from the outside to the inside server. External contributors will still connect directly to the internal mail server to pick up their mail via IMAP.

Ed. Note: You can find this article with a bit more graphic flavor at the author’s website.

How to Split a Server (Part 1 of 4)

Some thoughts on getting a small office network setup.

Read on for the beginning of a four part series on configuring some basic connectivity on your server.

Disk Imaging for Mac OS X Server

Learn how to image a virgin install of OS X Server.

If you are looking to roll out a number of server installs from a disk image, or you just want to be able to roll back your test server quickly, read on.
