Microsoft has just released an update to security advisory 2607712 permanently moving all five of DigiNotar’s root certificates to the “revoked” certificate store.
How is this different than the previous update Microsoft released?
- It provides protection for all supported versions of Windows (XP, 2003, Vista, 2008, 7 and 2008R2).
- It covers all five root certificates owned by DigiNotar. The previous release only blocked two.
- Users are no longer presented with a certificate warning; they are instead prevented from accessing sites with SSL certificates issued by DigiNotar.
The third point is a particularly important one. Previously users were presented with a dialog asking them if they wish to proceed (which most users click through) as seen below.
Considering the risk involved with these compromised certificates, Microsoft has taken the additional step of fully revoking them. This prevents the user from clicking through, effectively blocking all access to sites using DigiNotar keys.
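Added example (not from the original post) for administrators who want to confirm the update landed: it lists DigiNotar certificates in the Windows "Untrusted Certificates" store, which the PowerShell certificate provider exposes as `Cert:\LocalMachine\Disallowed`, and checks that none remain in the trusted root store. It assumes Windows PowerShell with the `Cert:` drive and matches on the certificate Subject containing "DigiNotar".

```powershell
# Added example, not part of the original post or of Microsoft's advisory.
# Assumes Windows PowerShell with the Cert: drive (Windows 7 / 2008 R2 era).

function Get-DigiNotarStoreStatus {
    param(
        [string]$Pattern = 'DigiNotar'   # matched against each certificate's Subject
    )

    $stores = @{
        Revoked = 'Cert:\LocalMachine\Disallowed'   # "Untrusted Certificates" store
        Trusted = 'Cert:\LocalMachine\Root'         # "Trusted Root Certification Authorities"
    }

    $result = @{}
    foreach ($name in $stores.Keys) {
        # Wrap the pipeline in @() so an empty match yields a zero-length array
        $result[$name] = @(Get-ChildItem $stores[$name] |
                           Where-Object { $_.Subject -like "*$Pattern*" })
    }
    return $result
}

$status = Get-DigiNotarStoreStatus

"Revoked (Disallowed store): {0}" -f $status.Revoked.Count
$status.Revoked | Format-Table Subject, Thumbprint, NotAfter -AutoSize

"Still trusted (Root store):  {0}" -f $status.Trusted.Count
$status.Trusted | Format-Table Subject, Thumbprint, NotAfter -AutoSize

# The advisory moves all five DigiNotar roots to the revoked store, so after
# the update you expect 5 in Disallowed and 0 in Root.
if ($status.Revoked.Count -lt 5 -or $status.Trusted.Count -gt 0) {
    Write-Warning 'DigiNotar roots are not fully revoked here; the update may not have applied yet.'
}
```

Run it in an elevated PowerShell session; a machine whose automatic-update rollout is deferred (as described for the Netherlands below) will show fewer than five entries until the update applies.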
All Windows users with automatic updates enabled will receive this update, and no reboot is required (except on Windows XP). What about the users in the Netherlands? Won’t they be prevented from accessing a lot of secure websites with legitimate certificates from DigiNotar?
Yes. Microsoft has worked with the Dutch authorities to delay the rollout of this update to users in the Netherlands and their territories until next Tuesday (Patch Tuesday coincidentally).
This will give the many .nl websites an opportunity to replace their DigiNotar certificates with something more trustworthy. Users in the Netherlands will not be prevented from applying the update; it simply won’t apply automatically until next Tuesday.
What about Apple users? Well, apparently they are too busy playing Angry Birds and making pictures in Photoshop to worry about pesky certificate issues.
My advice if you run a Mac? Use BootCamp and Windows 7 until Apple decides to provide a patch. Or I guess you could use Firefox (not Chrome, it also uses Apple’s KeyChain)…
Thanks to the JoshMeister for correcting me on Chrome using the Apple KeyChain, rather than its own separate list as it does on Windows and Linux.
Update: Some folks have been asking for more information on this story. Please find the missing piece of the story in these previous posts:
- Falsely issued Google SSL certificate in the wild for more than 5 weeks
- Google blacklists 247 certificates. Is it related to DigiNotar hacking incident?
- SSL certificate debacle includes CIA, MI6, Mossad and Tor
- Operation Black Tulip: Fox-IT’s report on the DigiNotar breach