Mac users: enable certificate revocation checking (securityskeptic.typepad.com)
52 points by gmac on April 4, 2011 | hide | past | favorite | 12 comments


Setting OCSP checking to best attempt doesn't really solve anything because, if you're assuming that an attacker is MITMing your HTTPS connection, it's not too much more to assume that they can intercept your OCSP checks too.

http://www.imperialviolet.org/2011/03/18/revocation.html

On the other hand, setting strict checking means that large parts of the web become unusable when a major OCSP server goes down and that would immediately make them juicy DDoS targets.


> Attacks in Tunisia and only open WiFi networks are the sort of attacks which can defeat revocation.

Could you give more details about this statement from your essay?


IIRC, another drawback of enabling this is that you reveal your browser history. On a mobile device right now, so it's not easy to find the article to cite, but it should be available via a quick search.


And of course after enabling this for Safari the Mac App Store starts to hang on startup in the certificate check code path. :(

I recently enabled the "Logout after idle for [ ] min" setting to be more secure on OS X, and LoginWindow just hangs if I leave the laptop idle and let it go to sleep.

Looks like Apple only tests for default and common settings.


I enabled it as well. App store doesn't hang, but is much slower: downloading an app normally starts after 1 second, with the fix enabled it takes 8s to even start.

LoginWindow sleep worked fine when logging off and pressing the sleep button. Didn't have time to properly test your case.

The big question for me is: How do people with iPhones and iPads enable this? The test in the article yields "not trusted" instead of "revoked"...

Funny that Apple has revoking turned on for App certs, but not for SSL. Guess they value their platform higher than user data...


About the LoginWindow - I have password protected screen saver enabled as well. Perhaps that's what you are missing.

For me after I wake it up from sleep after 60 minutes (the setting for idle logout), it wakes up to a beach ball and I can't enter my password.


Hmm, that's poor. https://bugreport.apple.com/? (Or can I only access this because I'm a registered developer?)


I have been filing bugs at that URL for some time, but they invariably go nowhere - no updates for years, and the bugs aren't fixed most of the time. So that kind of kills my incentive. And no, anyone can report bugs using that URL - no need to be a registered developer, at least not yet.


If you're a dev, file an official bug and mirror it here: http://openradar.appspot.com/faq

Brings the incentive back: if Apple doesn't fix things, there is still a public record of the open bug.

It prevents people from wasting time writing up the same bug over and over.

Also increases the likelihood of getting fixed: if somebody else sees your open bug at openradar, they can file a second bug at Apple. Apple detects that they're duplicates, which "votes up" your bug.


What's your hardware setup? OS version?


MacBook Pro 17" 2010 model, 8G RAM, 10.6.7 all updates applied. [ Also screensaver is enabled along with asking for password ]


The recommended settings[0] in Keychain Access.app appear to be the defaults in the Lion (10.7) Developer Preview 2.

[0] Preferences > Certificates:

  Online Certificate Status Protocol (OCSP): Best Attempt
  Certificate Revocation List (CRL): Best Attempt
  Priority: OCSP
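The two threads of discussion above, the soft-fail argument in the first comment and the Keychain Access OCSP/CRL settings in the last one, can be exercised from a terminal. The following script is an added example, not code from the thread or from the linked article: it pulls a server's chain with openssl, queries the OCSP responder named in the leaf certificate's AIA extension, and then applies a policy modelled on the Keychain Access options (`best-attempt` for "Best Attempt", `require-if-present` and `require-for-all` for the two "Require" modes, `off`). The `classify` patterns assume openssl 1.x `ocsp` output of the form `leaf.pem: good|revoked|unknown`; the chain-splitting step assumes the server sends its intermediate as the second certificate. Both are assumptions, not something the page states.

```shell
#!/bin/sh
# ocsp_policy_check.sh - added example; run as: sh ocsp_policy_check.sh <host> [policy]
# Policy names mirror the Keychain Access "Certificates" preferences (assumption):
#   off | best-attempt | require-if-present | require-for-all

# Download the served chain and split it into leaf.pem and issuer.pem.
# Assumes the intermediate is the second certificate the server sends.
fetch_chain() {
    host=$1 dir=$2
    openssl s_client -connect "$host:443" -servername "$host" -showcerts </dev/null 2>/dev/null \
        | awk -v d="$dir" 'BEGIN{n=0} /BEGIN CERT/,/END CERT/{print > (d "/chain" n ".pem")} /END CERT/{n++}'
    mv "$dir/chain0.pem" "$dir/leaf.pem"
    mv "$dir/chain1.pem" "$dir/issuer.pem"
}

# Ask the responder listed in the leaf's AIA extension. The text is kept rather
# than the exit status because openssl exits 0 for a "revoked" answer too.
# Responder signature verification uses openssl's default trust store.
query_ocsp() {
    leaf=$1 issuer=$2
    url=$(openssl x509 -in "$leaf" -noout -ocsp_uri)
    [ -n "$url" ] || { echo "no-ocsp-url"; return 0; }
    openssl ocsp -issuer "$issuer" -cert "$leaf" -url "$url" -resp_text 2>&1
}

# Reduce openssl's output to one word. Patterns are an assumption based on
# openssl 1.x: "<file>: good|revoked|unknown". Anything else (timeout, refused
# connection, dropped packets, garbage) is "unreachable" from the client's view,
# which is exactly the case an on-path attacker can force.
classify() {
    case "$1" in
        *": good"*)    echo good ;;
        *": revoked"*) echo revoked ;;
        *": unknown"*) echo unknown ;;
        no-ocsp-url)   echo no-ocsp-url ;;
        *)             echo unreachable ;;
    esac
}

# Map (policy, status) to accept/reject. best-attempt is soft-fail: an
# unreachable responder is accepted, so a MITM who also drops OCSP traffic wins.
# require-* is hard-fail: the same outage becomes a rejection, which is why a
# widely used responder becomes a DDoS target under that setting.
apply_policy() {
    policy=$1 status=$2
    case "$policy:$status" in
        off:*)                            echo accept ;;
        *:good)                           echo accept ;;
        *:revoked)                        echo reject ;;
        best-attempt:*)                   echo accept ;;
        require-if-present:no-ocsp-url)   echo accept ;;
        *)                                echo reject ;;
    esac
}

main() {
    host=$1 policy=${2:-best-attempt}
    dir=$(mktemp -d)
    fetch_chain "$host" "$dir"
    out=$(query_ocsp "$dir/leaf.pem" "$dir/issuer.pem")
    status=$(classify "$out")
    echo "$host: ocsp=$status policy=$policy -> $(apply_policy "$policy" "$status")"
    rm -rf "$dir"
}

if [ $# -ge 1 ]; then
    main "$@"
fi
```

Running it twice against the same host, once with `best-attempt` and once with `require-for-all`, while the responder is unreachable (firewall the OCSP URL, or simply pull the network cable after the TLS handshake) makes the first comment's point concrete: the soft-fail policy prints `accept` and the hard-fail policy prints `reject`, with no difference in the certificate itself.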



