Apple arrives late to the party with an update protecting users from fraudulent DigitNotar SSL certificates
Apple has revoked all DigiNotar security certificates by issuing a Mac OS X update in response to the hack of the Dutch SSL certificate authority.
The iMac and MacBook-maker issued the update for Snow Leopard (10.6) and Lion (10.7) users on Friday in order to ensure all certificates from the compromised CA would no longer be trusted.
Apple’s update page says: “Fraudulent certificates were issued by multiple certificate authorities operated by DigiNotar. This issue is addressed by removing DigiNotar from the list of trusted root certificates, from the list of Extended Validation (EV) certificate authorities, and by configuring default system trust settings so that DigiNotar’s certificates, including those issued by other authorities, are not trusted.”
The same page also spells out the threat posed by not updating, saying: “An attacker with a privileged network position may intercept user credentials or other sensitive information.”
Playing catch up
Until this update Apple was lagging Mozilla, Microsoft and Google in responding to the crisis, with its competitors having each begun invalidating DigiNotar certificates through their web browsers by this time last week.
But Chester Wisniewski, senior security advisor at Sophos Canada, wrote on the Naked Security blog that neither Apple, Microsoft, Google nor RIM had moved to protect their mobile user, presenting an opportunity for Apple.
“This is an opportunity for Apple to get ahead of the competition. It is much easier for Apple to patch iDevices then Google to fix Androids, get the handset makers to apply the fixes and then convince the carriers to deploy the updates,” he wrote.
The DigiNotar attack emerged on the 30 August revealed that a fraudulent Google certificate reportedly issued by DigiNotar had been doing the rounds since 10 July.
This meant that for nearly two months hackers had been able to set up fake versions of Google websites that appeared genuine to Google users and their web browsers.
Wide reaching problem
Last week the extent of the compromise appeared to include certificates in the names of the CIA, MI6, Google, Facebook, Twitter, Microsoft, Skype, Mozilla, Yahoo, Tor, WordPress, Mossad, AOL and LogMeIn and DigiNotar had been removed from many of the browser brands’ lists of trusted authorities.
The number of certificates stolen from DigitNotar is said to be more than 500 and they may include intermediate signing certificates. These allow authority to be assigned to intermediaries to sign and validate certificates on DigiNotar’s behalf.
When properly administered, SSL certificates are the only proof that you are talking to the organisation you are supposed to be talking to on the Internet and no-one is listening in.