
Safari users still susceptible to attacks using fake DigiNotar certs

Those using Safari on Mac OS X are still vulnerable to "man-in-the-middle" attacks using fraudulent security certificates that hackers generated from Dutch certificate authority DigiNotar. The problem lies in the way Mac OS X handles a new type of certificate called Extended Validation, or EV certificates. Fortunately, however, there is a relatively easy fix.

DigiNotar was hacked earlier this week, and the intruders used its systems to generate hundreds of fake security certificates for numerous websites, including Google, Yahoo, and others. An Iranian hacker appears to have used the certificates for google.com to spy on Iranian Gmail users' conversations.

Microsoft and Google revoked trust in certificates issued by DigiNotar, and Mozilla issued patches for Firefox and Thunderbird to no longer trust certificates from the company. These changes meant that Chrome, Internet Explorer, and Firefox users would no longer accept secure HTTPS connections from sites using DigiNotar-issued certs.

Apple has yet to provide a patch for its Safari browser or Mac OS X, so users were told to use the Keychain to mark any certs issued by DigiNotar as "Never trust." Unfortunately, according to developer Ryan Sleevi, Mac OS X will still accept newer Extended Validation certs—used to help prevent phishing attacks—even from authorities that are marked as untrusted.

"When Apple thinks you're looking at an EV Cert, they check things differently," Sleevi told Computerworld. "They override some of your settings and completely disregard them."

Security experts, including WhiteHat Security CTO Jeremiah Grossman, consider the flaw "troubling." Since Apple tends not to release any information about browser insecurity until it releases the relevant patches, users could potentially be exposed to further exploits in the meantime.

There is still a relatively simple fix to the problem until Apple issues a patch to Mac OS X, however. Using Keychain Access, users can simply delete any DigiNotar certs from the Keychain instead of marking them "untrusted." Since the authority has already revoked all the fraudulent certs, they will no longer validate when Safari or other Mac OS X programs encounter them again.
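The deletion workaround above can be scripted instead of done by hand in Keychain Access. The following shell script is an added example, not from the article or from Apple; it assumes Apple's `security` command-line tool, its `find-certificate -Z` output format (a `SHA-1 hash:` line followed by a `"labl"<blob>=` attribute per certificate), `delete-certificate -Z` removing a certificate by fingerprint, and the usual Mac OS X keychain paths. It only reports matches unless `DO_DELETE=1` is set.

```shell
#!/bin/sh
# Added example (not the article's own procedure): find every certificate whose
# label mentions DigiNotar in a Mac OS X keychain and delete it outright, which is
# the workaround the article recommends because EV validation ignores a "Never
# trust" override. Assumes the `security` tool's output format; labelled below.

# Read `security find-certificate -a -Z` output on stdin and print the SHA-1
# fingerprint of each record whose "labl" attribute contains "DigiNotar".
diginotar_fingerprints() {
    awk '
        /^SHA-1 hash:/      { fp = $3 }        # assumed: hash line opens each record
        /labl.*DigiNotar/   { print fp }       # assumed: "labl"<blob>="<CN>" line
    ' | tr '[:lower:]' '[:upper:]' | sort -u
}

# Report (or, with DO_DELETE=1, delete) every DigiNotar certificate in a keychain.
# Deleting from the system keychains needs sudo.
purge_diginotar() {
    keychain="$1"
    security find-certificate -a -Z "$keychain" 2>/dev/null | diginotar_fingerprints |
    while read -r fp; do
        if [ "${DO_DELETE:-0}" = "1" ]; then
            security delete-certificate -Z "$fp" "$keychain"
            echo "deleted $fp from $keychain"
        else
            echo "dry run: would delete $fp from $keychain"
        fi
    done
}

# Run only when invoked with --run, e.g.:  sudo DO_DELETE=1 sh purge.sh --run
if [ "${1:-}" = "--run" ]; then
    for kc in /System/Library/Keychains/SystemRootCertificates.keychain \
              /Library/Keychains/System.keychain \
              "$HOME/Library/Keychains/login.keychain"; do   # assumed paths
        purge_diginotar "$kc"
    done
fi
```

Run it without `DO_DELETE` first to confirm only DigiNotar roots and intermediates are listed, then rerun with `DO_DELETE=1` (and sudo for the system keychains).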
