Revoking Chinese CNNIC Root Certificate in Mac OS X
Earlier this month, Google and Firefox both dropped the Root Certificate of Chinese Certificate Authority CNNIC, after it was discovered that it had delegated its authority to an Egyptian intermediary to allow it to fraudulently sign SSL/TLS certificates for the google.com domain (presumably for the purposes of performing man-in-the-middle attacks and snooping on Egyptian internet traffic).
Apple, despite releasing Mac OS X 10.10.3 and iOS 8.3, has yet to remove this rogue CA. I hope that Apple joins in and revokes the CNNIC in an upcoming update, but in the meantime you can remove it from OS X yourself!
Simply run the following command in the Terminal and *poof*, another unnecessary and untrusted CA bites the dust:
sudo security delete-certificate -c "CNNIC ROOT" /System/Library/Keychains/SystemRootCertificates.keychain
It’s worth pointing out that a deleted Root CA cert may re-appear in a subsequent system update (I will check when 10.10.4 comes out). The alternative to this, which can only be achieved using Keychain Access (I believe), is to tell OS X to never trust a given Root CA certificate – a setting that shouldn’t be undone by future updates. To do this:
- Open Keychain Access
- Click on ‘System Roots’ on the left
- Right-click on the Root CA you don’t trust (ie. CNNIC ROOT) and select Get Info
- Expand the ‘Trust’ section
- Select ‘Never Trust’ from the “When using this certificate” dropdown
- Close the panel (OS X will probably ask for your password to authenticate the change)
- You should then see a red X icon next to the untrusted cert.
I personally think that our operating systems and browsers already trust far too many Root CAs, many of which are unnecessary, others are potentially malicious. OS X by default trusts around 204 Root CAs. I’m planning on cutting this down to a short list of CAs that are both (a) trusted and (b) necessary for normal day-to-day use of the Internet. I’ll report back on that when I get time.
Unfortunately, there is no mechanism in iOS to remove certificates from the Root CA store. The list of current trusted Root CAs in iOS can be found here.
Intercepting Print Jobs with prn-2-me
Don’t let the name fool you, prn-2-me is pronounced “print-to-me”, and not “pr0n-to-me”. I was disappointed too… but not for long!
prn-2-me is a man-in-the-middle python script from Chris John Riley that creates a custom listener (on port 9100 by default) and acts like a printer. Its purpose is to handle incoming PCL and PostScript print jobs, save a copy on your computer, and then forward them on to the actual printer. With a bit of arpspoofing magic, you or an attacker could intercept the print jobs of an entire office.
In theory, this tool could be expanded to allow you to also modify print files before they are sent on to the actual printer. An attacker could substitute specific prints with his own to do all kinds of wonderful and damaging things. Maybe a bit of automagic image editing in python could overlay an image on every file before forwarding it to the printer? Hilarity ensues. (Chris note the feature request)
Chris says he’s planning on integrating this into Metasploit. I’m going to hold him to that!
Download: prn2me.py