Apple users left to defend themselves against certificate attacks


In light of Wednesday's disclosure that nine fraudulent SSL certificates had been issued through a partner of Comodo, Microsoft was quick to respond with an update to protect Windows users.

Apple, however, has not reacted, leaving many OS X users in the dark. Mike Shannon from SophosLabs did some research for me this week so we could provide a guide on configuring your Mac to be protected against these bogus certificates.

Unfortunately not all browsers behave the same way on OS X, so we have to describe a few different procedures to ensure maximum protection.

OS X Keychain

Apple Safari and Google Chrome both use the Apple Keychain for managing digital certificates and determining whom you trust, so one set of changes covers both browsers.

You will need to open the Keychain Access application: go to Applications -> Utilities -> Keychain Access, or press Cmd+Shift+U in the Finder to open the Utilities folder and launch Keychain Access from there.

Choose Keychain Access in the menu bar and select Preferences, or press Cmd+, (comma). In the preferences dialog choose the Certificates tab and set both OCSP and CRL to "Best Attempt". Be aware that "Best Attempt" is a soft-fail setting: if the revocation server cannot be reached, the certificate is accepted anyway, so an attacker who can also block your connection to Comodo's OCSP responder or CRL can get past it. The stricter settings ("Require if certificate indicates" and "Require for all certificates") close that gap, at the cost of refusing connections to otherwise valid sites whenever a revocation server is down.

Keychain preferences

Firefox users have some good news and some bad. The good news is that OCSP is enabled by default, so for certificate authorities that run an OCSP responder Firefox will check revocation automatically, and thankfully Comodo does provide an OCSP service. As with the Keychain setting above, the default is best-effort: a certificate is only treated as invalid when the OCSP server cannot be reached if you tick that option in the Validation dialog under Preferences -> Advanced -> Encryption.

The bad news is that if a certificate must be revoked by a CA that does not support OCSP, its certificate revocation list has to be imported by hand. To import a CRL, choose Firefox in the menu bar and select Preferences -> Advanced -> Encryption -> Revocation Lists.

Opera appears to have OCSP enabled by default, like Firefox. Opera does not allow CRLs to be imported manually, though it does appear to let you import an individual revoked certificate. This does not seem to be of any practical use here, since you would need a copy of each bogus certificate to import. Hopefully the Opera team will reconsider the implementation of certificate revocation in a future release.
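All of the settings above do the same job: they make the browser consult revocation data (an OCSP responder or a CRL) instead of trusting any certificate that merely chains to a trusted root. The following shell script is an added example, not part of the original article, that shows the difference on the command line with openssl. It builds a throwaway CA, issues a certificate, revokes it, publishes a CRL, and then verifies the certificate twice: once the way a client with revocation checking switched off sees it, and once with the CRL consulted. The CA name, the hostname leaf.example.test and all file names are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the original article): demonstrate what a CRL
# revocation check does, using only openssl. Everything here (demo CA,
# leaf.example.test, file names) is invented for the demonstration.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# Minimal openssl config for a demo CA; "openssl ca" needs this layout.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = index.txt
new_certs_dir = .
serial = serial
crlnumber = crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = demo_policy
x509_extensions = leaf_ext
[ demo_policy ]
commonName = supplied
[ leaf_ext ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
touch index.txt
echo 1000 > serial
echo 1000 > crlnumber

# Root CA key and self-signed CA certificate.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj "/CN=Demo Root CA" -days 365 -config ca.cnf >/dev/null 2>&1

# Leaf key and CSR, signed by the demo CA (this is the "victim" certificate).
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=leaf.example.test" -config ca.cnf >/dev/null 2>&1
openssl ca -batch -notext -config ca.cnf -cert ca.crt -keyfile ca.key \
  -in leaf.csr -out leaf.crt >/dev/null 2>&1

# The CA revokes the leaf and publishes a CRL listing its serial number.
openssl ca -config ca.cnf -cert ca.crt -keyfile ca.key -revoke leaf.crt >/dev/null 2>&1
openssl ca -config ca.cnf -cert ca.crt -keyfile ca.key -gencrl -out ca.crl >/dev/null 2>&1

# Chain check only, as seen by a client that never consults revocation data.
# Prints "accepted" or "rejected".
verify_without_crl() {
  if openssl verify -CAfile ca.crt leaf.crt 2>&1 | grep -q ': OK$'; then
    echo accepted
  else
    echo rejected
  fi
}

# Same chain check, but the CA's CRL is loaded and -crl_check enforces it.
# -CAfile accepts a PEM file holding both the CA certificate and the CRL.
verify_with_crl() {
  cat ca.crt ca.crl > ca_and_crl.pem
  if openssl verify -crl_check -CAfile ca_and_crl.pem leaf.crt 2>&1 | grep -q ': OK$'; then
    echo accepted
  else
    echo rejected
  fi
}

echo "without revocation check: $(verify_without_crl)"
echo "with CRL check:           $(verify_with_crl)"
```

The revoked certificate still passes the first check because the signature chain is perfectly valid; it is only the second check, which actually looks at the CRL, that rejects it. That is precisely the position a browser with revocation checking disabled is in with the Comodo certificates: they chain to a trusted root, and nothing else tells the browser they have been withdrawn.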

Update: Mozilla has confirmed that the released version of Firefox 4 and the updates to Firefox 3.5 and 3.6 contain a hard-coded blacklist blocking these certificates.

Creative Commons image of a bad apple courtesy of CogDogBlog’s Flickr photostream.