SSL Certificate Scandal Exposes Bug in Mac OS X (pcmag.com)
78 points by boh on Sept 1, 2011 | hide | past | favorite | 19 comments



On TUAW, the comments on a post[1] about removing the DigiNotar certificate indicate that all you really have to do is quit and relaunch Safari to get it to notice that the certificate has been marked as untrusted. How did this article decide that EV-SSL was to blame?

[1] http://www.tuaw.com/2011/09/01/how-to-get-rid-of-diginotar-d...


I just tried even without restarting Safari and it seems to work.


Marking as not trusted in Lion seems to work fine. When I open DigiNotar's own site[1] in Safari, I get a "can't verify the identity..." dialog popup. Not sure how to check if it's an EV cert, though it'd be surprising if they're not using an EV cert for their own CA site!

Also works in Chrome...

[1] https://service.diginotar.nl/files/DigiNotar%20Root%20CA.crt


Safari 5.1 won't even let me try that link, saying:

"Safari can't open the page... because Safari can't establish a secure connection to the server 'service.diginotar.nl' "


Just delete the cert altogether - there's no reason to leave it on the system at this point (i.e. Google Chrome does not trust it in the latest updates regardless).

http://vimeo.com/28362457


The problem is the certificate can be re-added when you do an update (if the update included new root CAs). Thus it's usually safer to just mark the CA as untrusted.


The update would be a new certificate, and the old one would still be marked as untrusted (unless it was deleted by the update). Even if you mark the old one as untrusted the new one would work regardless (i.e. there are 5 Verisign root certs in Lion - 2x class 3s).

I doubt root cert updates are an update to the entire set (at least that's what I would hope) - less chance of breaking something else in the process.


Ehm ... I am not seeing this at all. I have marked the certificate as not trusted ever, and I get warnings no matter what on their site, whether they are using EV-SSL or not.


Is there a single person here who is able to reproduce this bug? This story seems kinda bogus.



Issue in Chromium bug tracker: http://code.google.com/p/chromium/issues/detail?id=94732

rdar (filed by Chromium devs): rdar://10051665

On HN: http://news.ycombinator.com/item?id=2940530


Seems to me there is going to be a growing demand for greater accountability in CAs. Does the protocol support requiring a certificate to be signed by two (or more) trusted CAs? Then even if one CA is hacked or spoofed into signing a bogus certificate, hopefully the other one hasn't been.


The line between how a browser or even a TLS library validates a certificate and what the protocol requires is blurry (you can do more than the TLS protocol itself needs you to do), but, no, you can't sign a cert with 2 CAs.


You could, however, have two certificates issued by different CAs signing the same public key. I'm not sure if the protocol requires the additional certificates to be part of the same chain, though.
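To make the two points above concrete (a root kept installed but marked untrusted, as opposed to deleted, and the "two certificates from different CAs for the same public key" policy that X.509 itself does not provide), here is an added example in Go using only the standard library. It is not code from this thread or from any browser; the two roots, the host name and the leaf certificates are all generated in-process as constructed test data, and `TrustStore` with its SHA-256 distrust list is an assumed design, not how Keychain or Chrome store trust settings.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const testHost = "example.test" // constructed host name, not a real site

// newCA generates a self-signed root (constructed for this example only).
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf has ca certify pub for host; two CAs can each certify the same key this way.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, pub *ecdsa.PublicKey, host string, serial int64) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// TrustStore (assumed design) keeps installed roots plus a distrust list keyed by the
// SHA-256 of the root's DER: a root stays installed but is refused, and an update that
// re-installs the same DER is still refused. Deleting it from the pool would not have that property.
type TrustStore struct {
	roots      *x509.CertPool
	distrusted map[[32]byte]bool
}

func NewTrustStore(roots ...*x509.Certificate) *TrustStore {
	ts := &TrustStore{roots: x509.NewCertPool(), distrusted: map[[32]byte]bool{}}
	for _, r := range roots { ts.roots.AddCert(r) }
	return ts
}

func (ts *TrustStore) Distrust(root *x509.Certificate) { ts.distrusted[sha256.Sum256(root.Raw)] = true }

// Verify returns the first root that leaf chains to and that is not distrusted.
func (ts *TrustStore) Verify(leaf *x509.Certificate, host string) (*x509.Certificate, error) {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: ts.roots, DNSName: host})
	if err != nil { return nil, err }
	for _, chain := range chains {
		if root := chain[len(chain)-1]; !ts.distrusted[sha256.Sum256(root.Raw)] { return root, nil }
	}
	return nil, errors.New("every chain ends in a distrusted root")
}

// VerifyCorroborated accepts only if a and b carry the same public key and validate through
// two different roots. X.509 cannot put two issuer signatures on one certificate, so this
// policy is layered on top of ordinary single-chain validation.
func (ts *TrustStore) VerifyCorroborated(a, b *x509.Certificate, host string) error {
	if !bytes.Equal(a.RawSubjectPublicKeyInfo, b.RawSubjectPublicKeyInfo) {
		return errors.New("certificates bind different public keys")
	}
	ra, err := ts.Verify(a, host)
	if err != nil { return fmt.Errorf("first certificate: %w", err) }
	rb, err := ts.Verify(b, host)
	if err != nil { return fmt.Errorf("second certificate: %w", err) }
	if bytes.Equal(ra.Raw, rb.Raw) { return errors.New("both chain to the same root; no independent corroboration") }
	return nil
}

// RunScenario builds roots A and B and one server key certified by both, then records
// single-chain and two-CA results before and after root A is marked untrusted.
func RunScenario() (map[string]error, error) {
	rootA, keyA, err := newCA("Constructed Root A")
	if err != nil { return nil, err }
	rootB, keyB, err := newCA("Constructed Root B")
	if err != nil { return nil, err }
	serverKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	leafA, err := issueLeaf(rootA, keyA, &serverKey.PublicKey, testHost, 100)
	if err != nil { return nil, err }
	leafB, err := issueLeaf(rootB, keyB, &serverKey.PublicKey, testHost, 200)
	if err != nil { return nil, err }
	ts, res := NewTrustStore(rootA, rootB), map[string]error{}
	_, res["leafA-before"] = ts.Verify(leafA, testHost)
	res["two-ca-before"] = ts.VerifyCorroborated(leafA, leafB, testHost)
	ts.Distrust(rootA) // the "Never Trust" analogue: rootA remains installed
	_, res["leafA-after"] = ts.Verify(leafA, testHost)
	_, res["leafB-after"] = ts.Verify(leafB, testHost)
	res["two-ca-after"] = ts.VerifyCorroborated(leafA, leafB, testHost)
	return res, nil
}

func main() {
	res, err := RunScenario()
	if err != nil { panic(err) }
	for k, v := range res { fmt.Printf("%-14s %v\n", k, v) }
}
```

Before the distrust, both the single-chain check and the two-CA check pass; after root A is distrusted, the certificate from A fails, the one from B still passes, and the corroborated check fails because one of its two chains now ends in a refused root. The point of the two-CA policy is exactly that a single compromised CA is no longer sufficient, at the cost of every site needing two certificates and every client implementing the extra check.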


Works for me on OSX 10.6.6 - disable DigiNotar in Keychain Access then attempt to visit the DigiNotar site over SSL at https://service.diginotar.nl/ - either fails outright or generates a certificate warning.


Slightly off topic but does anyone know how Opera has been handling this? I've searched around a bit and looked at Opera's cert settings and can't figure out if Opera has fixed this or not.



Seems to work for me and I didn't restart Safari.


On 10.6.8 and chrome, I had to delete the certs not disable them to get security warnings when visiting eg https://onlineaanvraag.diginotar.nl/Digiforms/StartPage.aspx...



