

SSL Certificate Scandal Exposes Bug in Mac OS X - boh
http://securitywatch.pcmag.com/apple/287205-ssl-certificate-scandal-exposes-bug-in-mac-os-x

======
eridius
On TUAW, the comments on a post[1] about removing the DigiNotar certificate
indicate that all you really have to do is quit and relaunch Safari to get it
to notice that the certificate has been marked as untrusted. How did this
article decide that EV-SSL was to blame?

[1] [http://www.tuaw.com/2011/09/01/how-to-get-rid-of-diginotar-d...](http://www.tuaw.com/2011/09/01/how-to-get-rid-of-diginotar-digital-certificates-from-os-x/#aolc=A8HEMA)

~~~
yogsototh
I just tried even without restarting Safari and it seems to work.

------
kelnos
Marking as not trusted in Lion seems to work fine. When I open DigiNotar's own
site[1] in Safari, I get a "can't verify the identity..." dialog popup. Not
sure how to check if it's an EV cert, though it'd be surprising if they're not
using an EV cert for their own CA site!

Also works in Chrome...

[1] <https://service.diginotar.nl/files/DigiNotar%20Root%20CA.crt>

~~~
MediaBehavior
Safari 5.1 won't even let me try that link, saying:

"Safari can't open the page... because Safari can't establish a secure
connection to the server 'service.diginotar.nl' "

------
windexh8er
Just delete the cert altogether - there's no reason to leave it on the system
at this point (i.e. Google Chrome does not trust it in the latest updates
regardless).

<http://vimeo.com/28362457>

~~~
RyanKearney
The problem is the certificate can be re-added when you do an update (if the
update included new root CAs). Thus it's usually safer to just mark the CA as
untrusted.

~~~
windexh8er
The update would be a new certificate, and the old one would still be marked
as untrusted (unless it was deleted by the update). Even if you mark the old
one as untrusted the new one would work regardless (i.e. there are 5 VeriSign
root certs in Lion - 2x class 3s).

I doubt root cert updates are an update to the entire set (at least that's
what I would hope) - less chance of breaking something else in the process.

------
calloc
Ehm ... I am not seeing this at all. I have marked the certificate as not
trusted ever, and I get warnings no matter what on their site, whether they
are using EV-SSL or not.

------
eli
Is there a single person here who is able to reproduce this bug? This story
seems kinda bogus.

~~~
dchest
Yes, see my other comment <http://news.ycombinator.com/item?id=2951386>

------
dchest
Issue in Chromium bug tracker:
<http://code.google.com/p/chromium/issues/detail?id=94732>

rdar (filed by Chromium devs): rdar://10051665

On HN: <http://news.ycombinator.com/item?id=2940530>

------
ams6110
Seems to me there is going to be a growing demand for greater accountability
in CAs. Does the protocol support requiring a certificate to be signed by two
(or more) trusted CAs? Then even if one CA is hacked or spoofed into signing a
bogus certificate, hopefully the other one hasn't been.

~~~
tptacek
The line between how a browser or even a TLS library validates a certificate
and what the protocol requires is blurry (you can do more than the TLS
protocol itself needs you to do), but, no, you can't sign a cert with 2 CAs.

~~~
caf
You could, however, have two certificates issued by different CAs signing the
same public key. I'm not sure if the protocol requires the additional
certificates to be part of the same chain, though.

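Added example, not code from any commenter in this thread nor from Apple or Chromium: the Go program below models the two points made in this thread, that distrusting one root certificate leaves a same-named replacement root (different key) working, and that an X.509 certificate carries exactly one issuer signature, so "two CAs" means two certificates over the same public key rather than one doubly-signed certificate. The root names, the hostname `www.example.test`, and all keys are constructed for the demo; a trust store is modelled as the set of roots passed to `trusted`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ca is a self-signed root plus the private key that signs with it.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign creates and parses a certificate; it panics on error to keep the demo short.
func sign(t, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// newCA makes a self-signed root named cn; two roots may share a name and still be distinct certs/keys.
func newCA(cn string, serial int64) *ca {
	k := newKey()
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	return &ca{cert: sign(t, t, &k.PublicKey, k), key: k}
}

// issue signs a server cert for host over pub; a cert has one signature field, so it chains to this root only.
func (c *ca) issue(host string, pub *ecdsa.PublicKey, serial int64) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return sign(t, c.cert, pub, c.key)
}

// trusted validates leaf for host against exactly these roots; omitting a root models deleting or "Never Trust".
func trusted(leaf *x509.Certificate, host string, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

type Result struct {
	ASignedByA, ASignedByB   bool // does cert A verify under root A's key? under root B's?
	AValidBoth, BValidBoth   bool // both roots trusted
	AValidBOnly, BValidBOnly bool // root A distrusted, root B still trusted
}

// Scenario: one server key, two certificates for it from two same-named roots.
func Scenario() Result {
	const host = "www.example.test" // constructed hostname, not a real site
	rootA := newCA("Example Root CA", 1)
	rootB := newCA("Example Root CA", 2) // same name, new key: a "replacement" root
	serverKey := newKey()
	certA := rootA.issue(host, &serverKey.PublicKey, 100)
	certB := rootB.issue(host, &serverKey.PublicKey, 101)
	return Result{
		ASignedByA:  certA.CheckSignatureFrom(rootA.cert) == nil,
		ASignedByB:  certA.CheckSignatureFrom(rootB.cert) == nil,
		AValidBoth:  trusted(certA, host, rootA.cert, rootB.cert),
		BValidBoth:  trusted(certB, host, rootA.cert, rootB.cert),
		AValidBOnly: trusted(certA, host, rootB.cert),
		BValidBOnly: trusted(certB, host, rootB.cert),
	}
}

func main() {
	fmt.Printf("%+v\n", Scenario())
}
```

Running it prints `ASignedByA:true ASignedByB:false`, both certificates valid while both roots are trusted, and only certificate B valid once root A is left out of the pool. That is the behaviour the thread expects from Keychain Access: distrust is per root certificate (per key), not per CA name, and a server wanting resilience against one compromised CA would need a second certificate from a second CA, not a second signature on the same certificate.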
------
pygorex
Works for me on OSX 10.6.6 - disable DigiNotar in Keychain Access then attempt
to visit the DigiNotar site over SSL at <https://service.diginotar.nl/> - it
either fails outright or generates a certificate warning.

------
arkitaip
Slightly off topic but does anyone know how Opera has been handling this? I've
searched around a bit and looked at Opera's cert settings and can't figure out
if Opera has fixed this or not.

~~~
lmkg
Found an Opera team blog post on it:

[http://my.opera.com/securitygroup/blog/2011/08/30/when-certi...](http://my.opera.com/securitygroup/blog/2011/08/30/when-certificate-authorities-are-hacked-2)

------
sigzero
Seems to work for me and I didn't restart Safari.

------
earl
On 10.6.8 and Chrome, I had to delete the certs, not disable them, to get
security warnings when visiting e.g.
[https://onlineaanvraag.diginotar.nl/Digiforms/StartPage.aspx...](https://onlineaanvraag.diginotar.nl/Digiforms/StartPage.aspx?FORM_ID=12)

