Apple users left to defend themselves against certificate attacks


In light of the disclosure on Wednesday about 9 fraudulent SSL certificates being issued by a partner of Comodo, Microsoft was quick to respond with an update to protect users of Windows.

Apple, however, has not reacted, leaving many OS X users in the dark. Mike Shannon from SophosLabs did some research for me this week so we could provide a guide on configuring your Mac to be secured against these bogus certificates.

Unfortunately, not all browsers behave the same on OS X, so we have to describe a few different processes to ensure maximum protection.

Apple Safari and Google Chrome both support the Apple Keychain application for managing digital certificates and determining who you trust.

You will need to open the Keychain Access application. Go to Applications -> Utilities -> Keychain Access or press Cmd+Shift+U and open Keychain Access.

Choose the Keychain Access menu in the Menu Bar and choose Preferences or press Cmd+[comma]. Within the preferences dialog choose the certificates button and set both OCSP and CRL to "Best Attempt".


Firefox users have some good news, some bad. The good news is that OCSP is enabled by default. For certificate authorities that support OCSP Firefox will automatically protect you, and thankfully Comodo does provide an OCSP service.

The bad news is that certificate revocation lists must be manually imported if a certificate that does not support OCSP must be revoked. If you need to manually import a CRL you can choose Firefox in the Menu Bar and select Preferences -> Advanced -> Encryption -> Revocation.

Opera appears to have OCSP enabled by default similar to Firefox. Opera does not allow the manual importation of CRLs, but does appear to allow you to import a revoked certificate. This does not seem to be of any practical use... Hopefully the Opera team will reconsider the implementation of certificates in a future release.

Update: Mozilla have confirmed that the released version of Firefox 4 and updates to 3.5 and 3.6 have a hard coded blacklist blocking these certificates.

Creative Commons image of a bad apple courtesy of CogDogBlog's Flickr photostream.


32 Responses to Apple users left to defend themselves against certificate attacks

  1. Thu Win · 1307 days ago

    Take that Apple fans and those moaning about Microsoft!

  2. Maria · 1307 days ago

    Agreed, Thu Win. Glad Apple is getting a little more popular so people can finally start SUCKING IT (and stop claiming "virus-free") for getting a crap shit computer. :)

  3. Born in Bristol · 1307 days ago

    Is this envy causing such a vindictive response?

    • Bearmugs · 1306 days ago

      It's typical for drivers of Ford Pintos to put down Ferrari owners. Have you driven a Ford lately? Make sure your crash insurance is paid up.

      • erroneousgiant · 1305 days ago

        I HATE Apple because they aren't upfront with their users about the protection they need... and then the smug bar***** sit and gloat about owning an Apple product. How do you expect the educated world to respond?

        • nottellinyou · 1305 days ago

          Seriously? What are you talking about? What "protection" do I need? Please tell me! No one "gloats" here, it's all based upon the fact that we don't want to run processor sucking software looking for viruses that don't YET exist or a handful of "proof-of-concept" malware apps. That's not smug, it's common sense! You Windows fanbois are the ones that make wild claims that the Mac pretends to be more secure etc., the reality is that for whatever reason I don't need to worry about 99% of the security issues you do and for THAT reason I'm not yet inclined to spend money and performance on what may happen in the future. For TEN YEARS we Mac owners have been told to prepare for the worst! For TEN YEARS we Mac users have been told it's security by obscurity and with the rising fortunes of Apple it's a matter of time. Seriously, EVERY YEAR we're told that!!! It's getting old! One day there will be some security issue, I'm sure of it, but the fact is there is none now and that FACT not smug.

          • erroneousgiant · 1303 days ago

            Well, I'm on Linux actually. If it were the case that Mac were so immune maybe you could tell me why 17% of a recent botnet were Mac computers, and why for that matter xprotect had a recent update regarding trojans? Proof-of-concept that

  4. hildigunnur · 1307 days ago

    Apple haters still going strong...

  5. Alphaman · 1306 days ago

    Meanwhile, back on topic...

    I found a minor nit in the article: It's not Cmd-<period> to invoke an application's preferences, but Cmd-<comma>.

    • Chester Wisniewski · 1306 days ago

      Sorry about that, my HTML got munged. Thanks for catching the error. I have written it out now as Cmd+[comma].

  6. dsect · 1306 days ago

    A bogus certificate is not a virus.

    Registry-sucking morons!

  7. Roger · 1306 days ago

    For FireFox on the Mac, I assume you mean:

    Preferences -> Advanced -> Encryption -> Revocation Lists

    (and not Validation)

    • Chester Wisniewski · 1306 days ago

      Yes Roger, thanks for that. I updated the post with your correction.

  8. For those of us not completely savvy about how certificates & CRLs work, could you clarify how we could determine when we DO "need to manually import a CRL"? And if/when we do, where would we find one?

    • Chester Wisniewski · 1306 days ago

      Unfortunately there are no easy ways to know when this needs to be done, aside from following Naked Security. In this case you have an option... OCSP requires that revoked certificates were issued with an OCSP server in the certificate. Your browser will check with that server and ask if that certificate is still valid. If the OCSP server is unreachable then most configurations allow you to proceed without warning.

      If you were to manually import the Certificate Revocation List (CRL) then your browser will never accept the bad certificates, regardless of whether you can reach the OCSP server, or if it were to be compromised itself into telling you the bad certs are OK.

      Hope that helps.
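The difference described in the reply above between a soft-failing OCSP check and a manually imported CRL, as an added example that is not part of the original post or any browser's code. It is a simplified decision model; the `Require` policy label, the `accept` function and the sample serial are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Set, Tuple


class Ocsp(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNREACHABLE = "unreachable"    # responder down, or traffic to it blocked


class Policy(Enum):
    BEST_ATTEMPT = "Best Attempt"  # the setting named in the article (soft-fail)
    REQUIRE = "Require"            # assumed label for a hard-fail policy


@dataclass(frozen=True)
class Cert:
    serial: str
    ocsp_url: Optional[str]        # None: issued without an OCSP responder


def accept(cert: Cert, policy: Policy, answer: Ocsp,
           imported_crl: Set[str]) -> Tuple[bool, str]:
    """Return (accepted, reason) for one TLS server certificate."""
    # A locally imported CRL needs no network, so it is checked first and
    # cannot be bypassed by an unreachable or lying responder.
    if cert.serial in imported_crl:
        return False, "serial listed on imported CRL"
    if cert.ocsp_url is None or answer is Ocsp.UNREACHABLE:
        if policy is Policy.REQUIRE:
            return False, "no revocation status available (hard-fail)"
        return True, "no revocation status available (soft-fail)"
    if answer is Ocsp.REVOKED:
        return False, "OCSP responder says revoked"
    return True, "OCSP responder says good"


# Constructed sample data: a made-up serial standing in for a revoked certificate.
BOGUS = Cert(serial="00:DE:AD:BE:EF", ocsp_url="http://ocsp.example.test")


def scenarios():
    soft, crl = Policy.BEST_ATTEMPT, {BOGUS.serial}
    return {
        "responder reachable": accept(BOGUS, soft, Ocsp.REVOKED, set()),
        "responder blocked": accept(BOGUS, soft, Ocsp.UNREACHABLE, set()),
        "blocked, hard-fail": accept(BOGUS, Policy.REQUIRE, Ocsp.UNREACHABLE, set()),
        "blocked, CRL imported": accept(BOGUS, soft, Ocsp.UNREACHABLE, crl),
        "responder lies, CRL imported": accept(BOGUS, soft, Ocsp.GOOD, crl),
    }
```

Only the "responder blocked" row accepts the revoked certificate, which is the gap a locally imported CRL closes.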

  9. nottellinyou · 1306 days ago

    Wow....the Windows fanbois I guess needed even this crumb to feel good. That's fine! Wouldn't it be nice if protecting from viruses on Windows was a few menu clicks in a preferences dialog? LOL.... Carry on!

    • Thu Win · 1306 days ago

      Ummm... Apple can be infected too. LOL.

      • The Watcher · 1306 days ago

        Infected with what? Do you understand what you're even talking about?

        • Thu Win · 1306 days ago

          Umm yes! There are viruses attacking Macs! **Back me up here**

          • Jayg · 1306 days ago

            Uh, unless you try lumping a Trojan under the term "Virus" (they are totally different), no, there are no Mac viruses for the current OS X operating system introduced 2000.
            Even OS 9, discontinued around 1999, had somewhere around 23 viruses.
            Mac OS X is a flavour of Unix, the secure system that in one form or another, runs and powers the Internet. One of Norton's VPs actually stated that in a roundabout way a few years ago.

  10. Ken Berger · 1306 days ago

    Why is this important? What is the threat? Like the certificates work?
    If you want your article to be useful then you should tell or reference why anyone should care about this.
    Let's see bogus certificates vs real ones you can buy online and do anything you want with?
    The computer scare-ware I mean security business is so lame.

    • Chester Wisniewski · 1306 days ago

      The threat is that which was blogged about earlier this week, see Mike Wood's post.

      The people who created these SSL certificates could impersonate Yahoo!, Microsoft, GMail or Skype and your Mac would not know that your secure session is being hijacked. By importing certificates and checking your security settings you can be sure your Mac can't be fooled. I hope that's not too "scare-ware" for you.

  11. Ed Truitt · 1306 days ago

    One suggestion for future articles of this type: in the instructions for manually importing a CRL, it would be helpful to include where the CRL is to be imported from (as the browser expects you to type in this info.)

    ~EdT.

  12. erroneousgiant · 1305 days ago

    Some quick ref details for folks wanting to Group Policy the changes needed would have been nice. It wasn't exactly hard to find the right settings.....

  13. Logan · 1304 days ago

    Do you have a URL for an updated CRL and/or OCSP black list maintained by a single organization - not by Comodo who was breached?

    Also, has anyone contacted Apple to ask them why this very important thing is not enabled by default - or suggested to them that they make this default in an update?

    Because Apple really should make this the default setting.

    Thanks.

  14. London Pete · 1301 days ago

    you have to do this via the keychain application in all user accounts, not just the admin account.

    Again bad apple for not having this setting as default

  15. Chris Cogdon · 1147 days ago

    Safari ignores the setting. Safari does its certificate management through a process called "ocspd" which _will_ do OCSP and CRL management regardless of the settings inside Keychain Access. Ie, Apple users do _not_ need to make modifications to that setting to gain certificate management security for Safari.

    I've determined this as I run Little Snitch, and this program informs me when ocspd attempts to make external connections, and does so frequently whenever I use Safari to access https:// sites, and accesses resources with http://ocsp... and http://crl...

    I do not know what the Keychain Access settings actually do. Perhaps ocspd ignores them, perhaps ocspd uses them as a default unless the process making the request specifically asks them to be turned on. I don't have the information there, but I do know that the OCSPd requests _are_ being made even if the settings are left off, and the information in the above article is inaccurate.


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.