
Apple users left to defend themselves against certificate attacks

In light of Wednesday's disclosure that 9 fraudulent SSL certificates had been issued by a partner of Comodo, Microsoft was quick to respond with an update to protect Windows users.

Apple, however, has not reacted, leaving many OS X users in the dark. Mike Shannon from SophosLabs did some research for me this week so we could provide a guide to configuring your Mac to be secured against these bogus certificates.

Unfortunately, not all browsers behave the same way on OS X, so we have to describe a few different processes to ensure maximum protection.

OS X Keychain

Apple Safari and Google Chrome both use the Apple Keychain for managing digital certificates and determining whom you trust.

You will need to open the Keychain Access application. Go to Applications -> Utilities -> Keychain Access, or press Cmd+Shift+U and open Keychain Access.

Choose the Keychain Access menu in the Menu Bar and choose Preferences, or press Cmd+[comma]. Within the preferences dialog choose the Certificates button and set both OCSP and CRL to "Best Attempt".

Keychain preferences
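To make clear what the OCSP and CRL preference values actually decide, here is a small model of how a client combines an OCSP answer, a CRL lookup and the configured policy into a trust decision. This is an added example written for this post, not code from Apple or from the original article; the certificate, CRL and OCSP data are constructed, and the policy names other than "Best Attempt" are given as assumptions about the Keychain Access dialog. The point it shows is that "Best Attempt" soft-fails: if neither revocation source can be reached, the certificate is still accepted.

```python
"""Model of OCSP/CRL revocation checking under a client-side policy.

Constructed example: issuer names, serials, URLs and revocation data are
made up, and the Policy values other than BEST_ATTEMPT are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Set, Tuple


class Policy(Enum):
    OFF = "Off"
    BEST_ATTEMPT = "Best Attempt"                      # soft-fail: no answer => trust
    REQUIRE_IF_PRESENT = "Require if Certificate Indicates"  # assumption
    REQUIRE_FOR_ALL = "Require for All Certificates"        # assumption


@dataclass(frozen=True)
class Cert:
    issuer: str
    serial: int
    ocsp_url: Optional[str] = None   # responder URL the certificate carries, if any
    crl_url: Optional[str] = None    # CRL distribution point, if any


# Constructed CRL store: issuer -> serial numbers listed as revoked.
CRL_STORE: Dict[str, Set[int]] = {
    "CN=Example CA": {0x1001, 0x1002},
}

# Constructed OCSP responder answers; anything not listed answers "unknown".
OCSP_RESPONSES: Dict[Tuple[str, int], str] = {
    ("CN=Example CA", 0x1001): "revoked",
    ("CN=Example CA", 0x2001): "good",
}


def query_ocsp(cert: Cert, reachable: bool) -> Optional[str]:
    """Return 'good', 'revoked', 'unknown', or None if no query was possible."""
    if cert.ocsp_url is None or not reachable:
        return None
    return OCSP_RESPONSES.get((cert.issuer, cert.serial), "unknown")


def query_crl(cert: Cert, reachable: bool) -> Optional[str]:
    """Return 'good' or 'revoked' from the issuer's CRL, or None if unavailable."""
    if cert.crl_url is None or not reachable:
        return None
    revoked = CRL_STORE.get(cert.issuer)
    if revoked is None:
        return None
    return "revoked" if cert.serial in revoked else "good"


def revocation_status(cert: Cert, policy: Policy,
                      ocsp_reachable: bool = True,
                      crl_reachable: bool = True) -> str:
    """Combine OCSP, CRL and policy into 'trusted', 'revoked' or 'untrusted'."""
    if policy is Policy.OFF:
        return "trusted"                      # revocation never consulted

    # OCSP is tried first; a definitive answer ends the check.
    answer = query_ocsp(cert, ocsp_reachable)
    if answer in ("good", "revoked"):
        return "trusted" if answer == "good" else "revoked"

    # Fall back to the CRL when OCSP gave nothing definitive.
    answer = query_crl(cert, crl_reachable)
    if answer in ("good", "revoked"):
        return "trusted" if answer == "good" else "revoked"

    # No revocation information obtained: the policy decides.
    if policy is Policy.BEST_ATTEMPT:
        return "trusted"                      # soft-fail
    if policy is Policy.REQUIRE_IF_PRESENT and cert.ocsp_url is None and cert.crl_url is None:
        return "trusted"                      # certificate never promised revocation info
    return "untrusted"                        # hard-fail


if __name__ == "__main__":
    bogus = Cert("CN=Example CA", 0x1001, "http://ocsp.example.invalid", "http://crl.example.invalid")
    for ocsp_up, crl_up in ((True, True), (False, True), (False, False)):
        print(f"Best Attempt, ocsp={ocsp_up}, crl={crl_up}:",
              revocation_status(bogus, Policy.BEST_ATTEMPT, ocsp_up, crl_up))
    print("Require for All, both down:",
          revocation_status(bogus, Policy.REQUIRE_FOR_ALL, False, False))
```

Run with both sources reachable and the bogus certificate is reported revoked, via OCSP or, when the responder is down, via the CRL. Cut off both sources and "Best Attempt" reports it trusted, which is exactly what an attacker positioned on the network path can arrange; only the "require" settings turn that into a failure. "Best Attempt" is still the right first step here, since the default is to check nothing at all, but it is worth knowing what it does not cover.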

Firefox users have some good news and some bad. The good news is that OCSP is enabled by default. For certificate authorities that support OCSP, Firefox will automatically protect you, and thankfully Comodo does provide an OCSP service.

The bad news is that certificate revocation lists must be imported manually if a certificate that does not support OCSP has to be revoked. If you need to import a CRL by hand, choose Firefox in the Menu Bar and select Preferences -> Advanced -> Encryption -> Revocation.

Opera appears to have OCSP enabled by default, similar to Firefox. Opera does not allow the manual import of CRLs, but does appear to allow you to import a revoked certificate. This does not seem to be of any practical use… Hopefully the Opera team will reconsider the implementation of certificates in a future release.

Update: Mozilla have confirmed that the released version of Firefox 4 and the updates to 3.5 and 3.6 have a hard-coded blacklist blocking these certificates.

Creative Commons image of a bad apple courtesy of CogDogBlog’s Flickr photostream.

Source: Naked Security
