Skip to content

Posts tagged ‘Certificate Authority’

14
Apr

Revoking Chinese CNNIC Root Certificate in Mac OS X

Apple SecurityEarlier this month, Google and Firefox both dropped the Root Certificate of Chinese Certificate Authority CNNIC, after it was discovered that it had delegated its authority to an Egyptian intermediary to allow it to fraudulently sign SSL/TLS certificates for the google.com domain (presumably for the purposes of performing man-in-the-middle attacks and snooping on Egyptian internet traffic).

Apple, despite releasing Mac OS X 10.10.3 and iOS 8.3, has yet to remove this rogue CA. I hope that Apple joins in and revokes the CNNIC in an upcoming update, but in the meantime you can remove it from OS X yourself!

Simply run the following command in the Terminal and *poof*, another unnecessary and untrusted CA bites the dust:

sudo security delete-certificate -c "CNNIC ROOT" /System/Library/Keychains/SystemRootCertificates.keychain

It’s worth pointing out that a deleted Root CA cert may re-appear in a subsequent system update (I will check when 10.10.4 comes out). The alternative to this, which can only be achieved using Keychain Access (I believe), is to tell OS X to never trust a given Root CA certificate – a setting that shouldn’t be undone by future updates. To do this:

  1. Open Keychain Access
  2. Click on ‘System Roots’ on the left
  3. Right-click on the Root CA you don’t trust (ie. CNNIC ROOT) and select Get Info
  4. Expand the ‘Trust’ section
  5. Select ‘Never Trust’ from the “When using this certificate” dropdown
  6. Close the panel (OS X will probably ask for your password to authenticate the change)
  7. You should then see a red X icon next to the untrusted cert.

I personally think that our operating systems and browsers already trust far too many Root CAs, many of which are unnecessary, others are potentially malicious. OS X by default trusts around 204 Root CAs. I’m planning on cutting this down to a short list of CAs that are both (a) trusted and (b) necessary for normal day-to-day use of the Internet. I’ll report back on that when I get time.

Unfortunately, there is no mechanism in iOS to remove certificates from the Root CA store. The list of current trusted Root CAs in iOS can be found here.

10
Sep

Security Update 2011-005 Fixes DigiNotar SSL Vulnerability

Apple has finally issued Security Update 2011-005 to address the recent issues around compromised Dutch certificate authority DigiNotar. It was discovered that at least 531 fraudulent SSL certificates were issued by DigiNotar, leading to their root certificate being revoked in all major operating systems and browsers over the past two weeks. A man-in-the-middle attacker in possession of one of these certs (eg. Google, Skype), would be able to intercept SSL-encrypted traffic to those sites. It is believed that the use of these fraudulent certs may have been limited to the Iranian government.

This patch removes the DigiNotar CA from the trusted root certificates in the Mac OS X keychain (which is also used by Safari) for Lion and Snow Leopard. Unfortunately no patch has been issued for Leopard (10.5) users, leaving them at a heightened risk from these bad certificates. It is recommended that Leopard users delete the DigiNotar CA certificate from the Keychain using the following steps:

  1. Open Keychain Access (/Applications/Utilities/Keychain Access)
  2. Click on the System Roots keychain in the top-left hand panel
  3. Click on Certificates in the bottom-left hand panel
  4. Type DigiNotar into the search field in the top right.
  5. Right-click on the DigiNotar Root CA, and select Delete.
For sysadmins, the following Terminal command achieves the same thing:
# sudo /usr/bin/security delete-certificate -Z C060ED44CBD881BD0EF86C0BA287DDCF8167478C /System/Library/Keychains/SystemRootCertificates.keychain

Firefox users should update to the latest version of Firefox. Here is the full Apple description for this update:

Security Update 2011-005

  • Certificate Trust Policy Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.1, Lion Server v10.7.1Impact: An attacker with a privileged network position may intercept user credentials or other sensitive information

    Description: Fraudulent certificates were issued by multiple certificate authorities operated by DigiNotar. This issue is addressed by removing DigiNotar from the list of trusted root certificates, from the list of Extended Validation (EV) certificate authorities, and by configuring default system trust settings so that DigiNotar’s certificates, including those issued by other authorities, are not trusted.

26
Mar

Safari, Mac OS X and Fraudulent SSL Certificates (Comodo)

Following the recent hacking of Comodo, a certificate authority that distributes SSL certificates, web users to the following domains are at a higher risk of phishing and sniffing attacks:

  • login.live.com
  • mail.google.com
  • www.google.com
  • login.yahoo.com
  • login.skype.com
  • addons.mozilla.org

Attackers were able to obtain SSL certificates for these domains, essentially allowing them to pose as those websites. The certificates have since been revoked by Comodo, however this relies on browsers checking for them by checking Comodo’s Certificate Revocation List (CRL) and having the Online Certificate Status Protocol (OCSP) enabled. Firefox and Chrome were updated last week to block the fraudulent certs, but Safari doesn’t do CRL and OCSP checking by default.

Hit the jump for how to enable these checks in OSX and Safari. Read moreRead more

css.php