Sophos Cloud Optix
Microsoft has just released an update to security advisory 2607712 permanently moving all five of DigiNotar’s root certificates to the “revoked” certificate store.
How is this different than the previous update Microsoft released?
- It provides protection for all supported versions of Windows (XP, 2003, Vista, 2008, 7 and 2008R2).
- It covers all five root certificates owned by DigiNotar. The previous release only blocked two.
- Users are no longer presented with a certificate warning, they are prevented from accessing sites with SSL certificates issued by DigiNotar.
The third point is a particularly important one. Previously users were presented with a dialog asking them if they wish to proceed (which most users click through) as seen below.
Considering the risk involved with these compromised certificates Microsoft has taken the additional step of fully revoking them. This prevents the user from clicking though, effectively blocking all access to sites using DigiNotar keys.
All Windows users using automatic updates will apply this update and no reboot is required (except for Windows XP). What about the users in the Netherlands? Won’t they be prevented from accessing a lot of secure websites with legitimate certificates from DigiNotar?
Yes. Microsoft has worked with the Dutch authorities to delay the rollout of this update to users in the Netherlands and their territories until next Tuesday (Patch Tuesday coincidentally).
This will give the many .nl websites an opportunity to replace their DigiNotar certificates with something more trustworthy. Users in the Netherlands will not be prevented from applying the update, it simply won’t automatically apply until next Tuesday.
What about Apple users? Well, apparently they are too busy playing Angry Birds and making pictures in Photoshop to worry about pesky certificate issues.
My advice if you run a Mac? Use BootCamp and Windows 7 until Apple decides to provide a patch. Or I guess you could use Firefox (not Chome, it also uses Apple’s KeyChain)…
Thanks to the JoshMeister for correcting me on Chrome using the Apple KeyChain, not its separate list like on Windows and Linux.
Update: Some folks have been asking for more information on this story. Please find the missing piece of the story in these previous posts:
Use bootcamp & windows 7? No intelligent Mac user uses IE. Are 90 years old? Lol
Thanks for the advice but your explanation is less than useful, did you not think to explain what this means in laymen's terms? Does the man on the street know anything about any of the five root certificates owned by DigiNotar? What is the "revoked" certificate store – why the Netherlands. You explain nothing at all here!
"What about Apple users? Well, apparently they are too busy playing Angry Birds and making pictures in Photoshop to worry about pesky certificate issues."
Hey! That's a slam…
So, I just now opened Keychain Assistant, selected System Roots, searched for DigiNotar and deleted the root certificate. Am I done?
Unfortunately, no. The KeyChain still trusts Extended Validation certificates even after deleting the root… Check out http://ps-enable.com/articles/diginotar-revoke-tr… for full instructions
Actually, Chrome for Mac is not a good solution because it uses the Mac OS X Keychain (same as Safari):
https://secure.wikimedia.org/wikipedia/en/wiki/Ke… http://security.thejoshmeister.com/2011/08/how-to…
Also, as I pointed out in my article (second URL above) this issue affects mobile platforms too. Windows Phone 7 is not affected, but Apple's iOS (which runs on iPhone, iPad, and iPod touch) is affected and still unpatched. Apple needs to patch both Mac OS X and iOS to remove the DigiNotar certificate.
Chrome for Mac does use Keychain, but in addition, in its own code, Chrome has blacklisted DigiNotar as a trusted certificate. http://nakedsecurity.sophos.com/2011/08/31/google…
Unfortunately Chrome for Mac does not honor the Google blacklist. I confirmed this on my Lion desktop, so for now you need to follow the instructions from ps | Enable mentioned in the comment above.
Windows XP requires a reboot
I updated the article, thanks for the comment. Not a lot of XP machines around here to test on these days.