In light of Wednesday's disclosure that 9 fraudulent SSL certificates had been issued by a Comodo partner, Microsoft was quick to respond with an update to protect Windows users.
Apple, however, has not reacted, leaving many OS X users in the dark. Mike Shannon from SophosLabs did some research for me this week so that we could provide a guide to configuring your Mac to be protected against these bogus certificates.
Unfortunately, not all browsers behave the same way on OS X, so we have to describe a few different procedures to ensure maximum protection.
Apple Safari and Google Chrome both support the Apple Keychain application for managing digital certificates and determining who you trust.
You will need to open the Keychain Access application: in Finder, go to Applications -> Utilities (or press Cmd+Shift+U) and open Keychain Access.
Choose the Keychain Access menu in the Menu Bar and select Preferences, or press Cmd+[comma]. In the preferences dialog, click the Certificates button and set both OCSP and CRL to “Best Attempt”.
Firefox users have some good news and some bad. The good news is that OCSP is enabled by default: for certificate authorities that support OCSP, Firefox will automatically protect you, and thankfully Comodo does provide an OCSP service.
The bad news is that certificate revocation lists must be imported manually if a certificate that does not support OCSP needs to be revoked. To import a CRL by hand, choose Firefox in the Menu Bar and select Preferences -> Advanced -> Encryption -> Revocation Lists.
Opera appears to have OCSP enabled by default, similar to Firefox. Opera does not allow CRLs to be imported manually, but does appear to allow you to import a revoked certificate, which does not seem to be of any practical use. Hopefully the Opera team will reconsider their handling of certificates in a future release.
Update: Mozilla have confirmed that the released version of Firefox 4, and updates to 3.5 and 3.6, have a hard-coded blacklist blocking these certificates.
Creative Commons image of a bad apple courtesy of CogDogBlog’s Flickr photostream.
Take that, Apple fans, and those moaning about Microsoft!
Agreed, Thu Win. Glad Apple is getting a little more popular so people can finally start SUCKING IT (and stop claiming "virus-free") for getting a crap shit computer. 🙂
Nice try. This is not a virus!
Yes, updating IE9 is so automated. Give me a break.
I think you mean IE 8 and Firefox on Windows which are not automated. Good point though.
Is this envy causing such a vindictive response?
It's typical for drivers of Ford Pintos to put down Ferrari owners. Have you driven a Ford lately? Make sure your crash insurance is paid up.
I HATE apple because they aren't upfront with their users about the protection they need... and then the smug bar***** sit and gloat about owning an apple product. How do you expect the educated world to respond?
Seriously? What are you talking about? What "protection" do I need? Please tell me! No one "gloats" here; it's all based upon the fact that we don't want to run processor-sucking software looking for viruses that don't YET exist or a handful of "proof-of-concept" malware apps. That's not smug, it's common sense! You Windows fanbois are the ones that make wild claims that the Mac pretends to be more secure etc., the reality is that for whatever reason I don't need to worry about 99% of the security issues you do, and for THAT reason I'm not yet inclined to spend money and performance on what may happen in the future. For TEN YEARS we Mac owners have been told to prepare for the worst! For TEN YEARS we Mac users have been told it's security by obscurity and with the rising fortunes of Apple it's a matter of time. Seriously, EVERY YEAR we're told that!!! It's getting old! One day there will be some security issue, I'm sure of it, but the fact is there is none now and that FACT is not smug.
Well I'm on Linux actually. If it were the case that Macs were so immune, maybe you could tell me why 17% of a recent botnet were Mac computers, and why for that matter XProtect had a recent update regarding trojans? Proof-of-concept that
Apple haters still going strong…
Meanwhile, back on topic…
I found a minor nit in the article: It's not Cmd-<period> to invoke an application's preferences, but Cmd-<comma>.
Sorry about that, my HTML got munged. Thanks for catching the error. I have written it out now as Cmd+[comma].
A bogus certificate is not a virus.
Registry-sucking morons!
For Firefox on the Mac, I assume you mean:
Preferences -> Advanced -> Encryption -> Revocation Lists
(and not Validation)
Yes Roger, thanks for that. I updated the post with your correction.
For those of us not completely savvy about how certificates & CRLs work, could you clarify how we could determine when we DO "need to manually import a CRL"? And if/when we do, where would we find one?
Unfortunately there are no easy ways to know when this needs to be done, aside from following Naked Security. In this case you have an option... OCSP requires that revoked certificates were issued with an OCSP server in the certificate. Your browser will check with that server and ask if that certificate is still valid. If the OCSP server is unreachable then most configurations allow you to proceed without warning.
If you were to manually import the Certificate Revocation List (CRL) then your browser will never accept the bad certificates, regardless of whether you can reach the OCSP server, or if it were to be compromised itself into telling you the bad certs are OK.
Hope that helps.
Wow... the Windows fanbois I guess needed even this crumb to feel good. That's fine! Wouldn't it be nice if protecting from viruses on Windows was a few menu clicks in a preferences dialog? LOL... Carry on!
Ummm… Apple can be infected too. LOL.
Infected with what? Do you understand what you're even talking about?
Umm yes! There are viruses attacking Macs! **Back me up here**
uh, unless you try lumping a Trojan under the term "Virus" (they are totally different), no, there are no Mac viruses for the current OS X operating system introduced in 2000
Even OS 9, discontinued around 1999, had somewhere around 23 viruses.
Mac OS X is a flavour of Unix, the secure system that, in one form or another, runs and powers the Internet. One of Norton's VPs actually stated that in a roundabout way a few years ago.
Why is this important? What is the threat? Like the certificates work?
If you want your article to be useful then you should tell or reference why anyone should care about this.
Let's see, bogus certificates vs. real ones you can buy online and do anything you want with?
The computer scare-ware I mean security business is so lame.
The threat is that which was blogged about earlier this week, see Mike Wood's post.
The people who created these SSL certificates could impersonate Yahoo!, Microsoft, GMail or Skype and your Mac would not know that your secure session is being hijacked. By importing certificates and checking your security settings you can be sure your Mac can't be fooled. I hope that's not too "scare-ware" for you.
One suggestion for future articles of this type: in the instructions for manually importing a CRL, it would be helpful to include where the CRL is to be imported from (as the browser expects you to type in this info.)
~EdT.
You can get the CRL here:
http://crl.comodo.net/UTN-USERFirst-Hardware.crl
Thanks Chet!
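As an added example (not code from the article, from Sophos or from Comodo), the following Python extracts the revoked serial numbers from a DER-encoded X.509 CRL such as the UTN-USERFirst-Hardware CRL linked above, which is what "importing the CRL" ultimately gives a browser: a local list it can check a certificate's serial against without reaching any OCSP server. The sample CRL is constructed inline with a small encoder (issuer, dates, serials and helper names are all made up), it is unsigned, and the code deliberately does not verify the CRL signature, which a real check must do against the issuing CA's certificate.

```python
def tlv(tag, body):          # DER tag-length-value (short and long-form lengths)
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body
def der_int(v):              # INTEGER, padded so a set high bit is not read as a sign
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))
def seq(*parts):             # SEQUENCE
    return tlv(0x30, b"".join(parts))
def utc(s):                  # UTCTime, e.g. 110323120000Z
    return tlv(0x17, s.encode())
SHA256_RSA = tlv(0x06, bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSAEncryption OID
# Constructed, UNSIGNED sample CRL (made-up issuer, dates and serials), not a real CRL.
SAMPLE_CRL = seq(
    seq(                                                    # tbsCertList
        der_int(1),                                         # version v2
        seq(SHA256_RSA),                                    # signature algorithm
        seq(tlv(0x31, seq(tlv(0x06, bytes.fromhex("550403")), tlv(0x13, b"Demo CA")))),  # issuer CN=Demo CA
        utc("110323120000Z"), utc("110330120000Z"),         # thisUpdate, nextUpdate
        seq(seq(der_int(0x1001), utc("110315120000Z")),     # revokedCertificates
            seq(der_int(0x2002), utc("110316120000Z"))),
    ),
    seq(SHA256_RSA),
    tlv(0x03, bytes(9)),                                    # BIT STRING: placeholder signature
)

def read_tlv(buf, pos):                   # decode one TLV -> (tag, value, next position)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                         # long-form length, as real CRLs use
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def children(body):                       # all TLVs directly inside a constructed value
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def revoked_serials(crl_der):
    """Serial numbers in the CRL's revokedCertificates list (CRL signature NOT verified)."""
    _, cert_list, _ = read_tlv(crl_der, 0)
    fields = children(children(cert_list)[0][1])            # tbsCertList fields
    i = next(k for k, (tag, _) in enumerate(fields) if tag in (0x17, 0x18))  # thisUpdate
    while i < len(fields) and fields[i][0] in (0x17, 0x18):  # skip thisUpdate/nextUpdate
        i += 1
    if i == len(fields) or fields[i][0] != 0x30:             # nothing revoked
        return set()
    return {int.from_bytes(children(e)[0][1], "big") for _, e in children(fields[i][1])}
```

To check a real CRL, read the downloaded file's bytes and test whether the suspect certificate's serial number is in `revoked_serials(...)`; an OCSP responder that is unreachable or lying cannot change that answer, which is the point of the manual import.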
Some quick ref details for folks wanting to Group Policy the changes needed would have been nice. It wasn't exactly hard to find the right settings…..
Do you have a URL for an updated CRL and/or OCSP blacklist maintained by a single organization – not by Comodo, who was breached.
Also, has anyone contacted Apple to ask them why this very important thing is not enabled by default – or suggested to them that they make this default in an update?
Because Apple really should make this the default setting.
Thanks.
You have to do this via the Keychain application in all user accounts, not just the admin account.
Again bad apple for not having this setting as default
Safari ignores the setting. Safari does its certificate management through a process called "ocspd" which _will_ do OCSP and CRL management regardless of the settings inside Keychain Access. I.e., Apple users do _not_ need to make modifications to that setting to gain certificate management security for Safari.
I've determined this as I run Little Snitch, and this program informs me when ocspd attempts to make external connections, and does so frequently whenever I use Safari to access https:// sites, and accesses resources with http://ocsp… and http://crl…
I do not know what the Keychain Access settings actually do. Perhaps ocspd ignores them, perhaps ocspd uses them as a default unless the process making the request specifically asks for them to be turned on. I don't have the information there, but I do know that the ocspd requests _are_ being made even if the settings are left off, and the information in the above article is inaccurate.