Sunday, 4 September 2011


A bug in the Mac OS X Keychain software was exposed when a Dutch certificate issuing authority recently issued a fraudulent SSL certificate for *. This was caused by a hack of the DigiNotar system, in which 200 certificates were issued. DigiNotar is one of the largest certificate issuing authorities and is trusted by a large number of browsers and operating systems.
Many vendors have issued fixes for the root certificate, and most users are now secure against it. Mozilla has issued an update on how to manually remove the certificate, and Microsoft has issued a notice with a list of affected operating systems in its security advisory. However, a bug seems to have surfaced on Mac OS X: its Keychain software does not seem to recognize that the DigiNotar certificate has been manually removed.
As it turns out, this is because of the EV-SSL (Extended Validation SSL) certificate: Keychain ignores the fact that the certificate has been marked as Untrusted by the user. Keychain should ideally let the user's preferences override the EV-SSL status, but that is not happening so far.
Here’s how to manually disable the certificate in Keychain, as there is no official fix for it so far.
1. Open the Keychain Access app (found in /Applications/Utilities, or search for it using the Spotlight menu in the top-right corner of your screen).
2. Click on System Roots and then Certificates on the left side of the Keychain Access window. In the search bar in the top-right corner of the window, type “diginotar” (without quotation marks).
3. Double-click on DigiNotar Root CA, click on the triangle next to Trust to expand that section, and then next to “When using this certificate:” select “Never Trust”.
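The same steps can be scripted and checked from a Terminal with the macOS `security` tool. This is an added example, not part of the original post: the function names, the exit codes and the /tmp path are my own, and the script assumes the root is still present under the System Roots keychain path shown.

```shell
#!/bin/sh
# Added example: command-line counterpart of the Keychain Access steps above.
CA_NAME="DigiNotar Root CA"
ROOTS=/System/Library/Keychains/SystemRootCertificates.keychain
PEM=/tmp/diginotar-root.pem   # constructed scratch path

# Exit codes (my own convention): 0 = root explicitly denied, 1 = root still
# evaluates as trusted, 2 = root not found in System Roots, 3 = no "security"
# tool on this host (not macOS), so there is nothing to check.
diginotar_state() {
    command -v security >/dev/null 2>&1 || return 3
    # -c matches on the certificate's common name, -p prints it as PEM
    security find-certificate -c "$CA_NAME" -p "$ROOTS" > "$PEM" 2>/dev/null \
        || return 2
    # verify-cert evaluates the certificate under the current trust settings;
    # an explicit "deny" for it makes the evaluation fail.
    if security verify-cert -c "$PEM" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Record an explicit "deny" for the root in the admin trust domain (-d),
# the system-wide counterpart of choosing "Never Trust". Needs admin rights.
deny_diginotar() {
    sudo security add-trusted-cert -d -r deny -k /Library/Keychains/System.keychain "$PEM"
}

# Show which explicit trust decisions are on record, then report the state.
command -v security >/dev/null 2>&1 && security dump-trust-settings -d 2>/dev/null
diginotar_state; rc=$?
case $rc in
    0) echo "OK: $CA_NAME is explicitly denied" ;;
    1) echo "WARNING: $CA_NAME still verifies as trusted; run deny_diginotar" ;;
    2) echo "$CA_NAME is not present in System Roots" ;;
    3) echo "security tool not found; this check only applies on Mac OS X" ;;
esac
```

Passing the check only confirms that a deny decision is recorded for the root under the default policy; it does not exercise the EV-SSL evaluation path that the post describes as ignoring the user's setting.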

