March 26, 2011

Safari, Mac OS X and Fraudulent SSL Certificates (Comodo)

Following the recent hacking of Comodo, a certificate authority that issues SSL certificates, users of the following domains are at a higher risk of phishing and sniffing attacks:

  • login.live.com
  • mail.google.com
  • www.google.com
  • login.yahoo.com
  • login.skype.com
  • addons.mozilla.org

Attackers were able to obtain SSL certificates for these domains, essentially allowing them to impersonate those websites. Comodo has since revoked the certificates, but revocation only protects users whose browser actually checks Comodo’s Certificate Revocation List (CRL) or queries its Online Certificate Status Protocol (OCSP) responder. Firefox and Chrome were updated last week to block the fraudulent certs explicitly, but Safari doesn’t do CRL or OCSP checking by default, so on a Mac a revoked certificate is still accepted as valid.
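To make the gap concrete, here is an added Go example (not code from this post or from Intego) that builds a throwaway test CA, one leaf certificate for an assumed hostname (login.example.test), and a CRL in which the CA revokes that leaf. Go’s own certificate verifier, like Safari in its default configuration, performs no CRL or OCSP lookup: chain validation accepts the revoked certificate, and only an explicit CRL check rejects it. The last call in main mirrors the “Never Trust” step further down: once the root is gone from the trust store, the chain fails regardless of revocation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed, throwaway PKI: a self-signed test CA, one leaf for an assumed
// hostname, and a CRL revoking that leaf. Generated fresh on every run.
type testPKI struct {
	ca     *x509.Certificate
	leaf   *x509.Certificate
	crlDER []byte
}

const assumedHost = "login.example.test" // assumed hostname, not from the post

// issue signs tmpl with signer under parent and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func buildPKI() (*testPKI, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Throwaway Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is required to issue a CRL
	}
	ca, err := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: assumedHost},
		DNSNames:  []string{assumedHost},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err := issue(leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	// The CA revokes the leaf, as Comodo did with the fraudulent certificates.
	crlTmpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(12 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now.Add(-time.Minute)}},
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	return &testPKI{ca: ca, leaf: leaf, crlDER: crlDER}, nil
}

// verifyChain is all a client without revocation checking does: build a chain
// to a trusted root, match the hostname, and stop.
func verifyChain(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// checkCRL is the step Safari skips by default: verify the issuer's CRL
// signature and freshness, then refuse any serial number it lists.
func checkCRL(leaf, issuer *x509.Certificate, crlDER []byte) error {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("CRL not signed by issuer: %w", err)
	}
	if crl.NextUpdate.Before(time.Now()) {
		return errors.New("CRL is stale; refusing to rely on it")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %s revoked at %s", leaf.SerialNumber, rc.RevocationTime.UTC().Format(time.RFC3339))
		}
	}
	return nil
}

// verifyWithRevocation runs chain validation and, if asked, the CRL check.
func verifyWithRevocation(p *testPKI, host string, checkRevocation bool) error {
	roots := x509.NewCertPool()
	roots.AddCert(p.ca)
	if err := verifyChain(p.leaf, roots, host); err != nil {
		return err
	}
	if !checkRevocation {
		return nil
	}
	return checkCRL(p.leaf, p.ca, p.crlDER)
}

func main() {
	p, err := buildPKI()
	if err != nil {
		panic(err)
	}
	fmt.Println("chain only (Safari default):", verifyWithRevocation(p, assumedHost, false)) // <nil>: revoked cert accepted
	fmt.Println("chain + CRL check:          ", verifyWithRevocation(p, assumedHost, true))  // revoked
	fmt.Println("root distrusted:            ", verifyChain(p.leaf, x509.NewCertPool(), assumedHost))
}
```

The CRL here is handed to the checker directly; a real client would fetch it from the distribution point named in the certificate, and the freshness check on NextUpdate is what stops an attacker from replaying an old CRL that predates the revocation.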

Hit the jump for how to enable these checks in OSX and Safari.

Intego have a blog post which details how to enable these settings in Mac OS X’s Keychain Access application, which manages certificates. Here is a summary on enabling it:

  1. Open Keychain Access (in /Applications/Utilities)
  2. In the menu, select: Keychain Access > Preferences
  3. Click on the Certificates tab
  4. Set OCSP and CRL dropdowns to: Best Attempt
  5. Set Priority to: OCSP
  6. Close the preferences and quit Keychain Access

Hopefully Apple will release a security update soon which permanently blocks these certificates. If you want to go one step further, you can also remove trust from Comodo’s root certificate altogether:

  1. Open Keychain Access
  2. Choose the ‘System Roots’ keychain in the top left
  3. Select the COMODO Certification Authority certificate
  4. Click on the ‘i’ at the bottom (or right-click and Get Info)
  5. Expand the ‘Trust’ section and set ‘When using this certificate’ to ‘Never Trust’.
  6. Close the window and Mac OS X will request your admin password.

Note that by doing this you will get browser SSL warnings when visiting any website that uses a Comodo-issued certificate, not just the domains listed above.
