How to: Disable DigiNotar SSL certificate

The DigiNotar Breach has exposed everyone, regardless of platform, to having their Gmail intercepted via a man-in-the-middle attack and read. The nut of the issue is summarized by Wired:
News about the hack at DigiNotar broke this weekend after reports began circulating from people in Iran who claimed they were getting browser error messages when they tried to load the Gmail website. Google subsequently confirmed that a fraudulent Google certificate issued to a non-Google entity was operating in the wild, allowing someone to conduct a man-in-the-middle attack to intercept Gmail browsing.
To date Microsoft and Google have blacklisted more than 200 SSL certificates, and Mozilla has issued Firefox 6 and Thunderbird 6 patches. Apple has neither made a statement nor issued a patch.
If you’re concerned about this issue vis-a-vis Safari and DigiNotar SSL certificates, which could potentially affect more than just Gmail security, here’s what you need to do.
1. Open Keychain Access — find it via Spotlight or go to /Applications/Utilities in Finder
2. Type or paste “diginotar” in Keychain’s search field
3. Double click the DigiNotar Root CA certificate
4. Open up the Trust settings, click Never Trust
5. When prompted, enter your password
6. Restart Safari, then load diginotar.com over https. If you get the warning, “Safari can’t verify…”, the root is no longer trusted and all is well.
Or, just kill it

However, Wired and Ars Technica report that, because of an issue with how Safari handles certificates, simply marking the root as untrusted may not be enough. The reported problem is that Mac OS X ignores a user’s “Never Trust” setting when the certificate being checked is an Extended Validation (EV) certificate, so a fraudulent EV certificate chained to DigiNotar could still be accepted.
There is still a relatively simple fix to the problem until Apple issues a patch to Mac OS X, however. Using Keychain Access, users can simply delete any DigiNotar certs from the Keychain instead of marking them “untrusted.” Since the authority has already revoked all the fraudulent certs, they will no longer validate when Safari or other Mac OS X programs encounter them again.
Thereupon, this Gmail and 18-hour-a-day internet user, as suggested by Wired et al, deleted the DigiNotar certificate entirely.
Again, just select DigiNotar in Keychain, hit the Delete key and provide your password when prompted.
For the change to take effect, you must restart Safari. Then load diginotar.com over https — if you get the warning, “Safari can’t verify…”, all is well.
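Both procedures above — marking the root “Never Trust” and deleting it outright — can be scripted with Apple’s `security` command-line tool. The script below is an added example, not code from the original post or from Wired/Ars Technica. It assumes the DigiNotar root lives in the System Roots keychain, that `openssl` is installed, and that the admin trust domain (`-d`) is the one Safari consults; the helper names (`subject_matches`, `list_certs`, `select_targets`, `main`) are my own.

```shell
#!/bin/sh
# Scripted equivalent of the Keychain Access steps in this post.
# Added example, not from the original post. Assumptions (mine): the DigiNotar
# root is in the System Roots keychain, openssl is on PATH, and Safari honours
# the admin trust domain (-d).
set -eu

SYSTEM_ROOTS=/System/Library/Keychains/SystemRootCertificates.keychain
ADMIN_KEYCHAIN=/Library/Keychains/System.keychain
PATTERN=${PATTERN:-DigiNotar}   # what you would type in Keychain's search field

# Case-insensitive substring test on one `openssl x509 -subject` line,
# mirroring how Keychain's search box matches certificate names.
subject_matches() {
    printf '%s\n' "$1" | grep -qi -- "$2"
}

# Split a PEM bundle ($1) into one file per certificate under directory $2,
# then print "sha1<TAB>file<TAB>subject" for each certificate found.
list_certs() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert" n ".pem" }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$1"
    for f in "$2"/cert*.pem; do
        [ -e "$f" ] || continue
        fp=$(openssl x509 -in "$f" -noout -fingerprint -sha1 | sed 's/^.*=//; s/://g')
        subj=$(openssl x509 -in "$f" -noout -subject)
        printf '%s\t%s\t%s\n' "$fp" "$f" "$subj"
    done
}

# Read "sha1<TAB>file<TAB>subject" lines on stdin; print "sha1<TAB>file" for
# every certificate whose subject matches pattern $1.
select_targets() {
    while IFS="$(printf '\t')" read -r fp file subj; do
        if subject_matches "$subj" "$1"; then
            printf '%s\t%s\n' "$fp" "$file"
        fi
    done
}

# $1 is the mode: list (default), deny (steps 3-5 above) or delete ("just kill it").
main() {
    mode=$1
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    # Steps 1-2: dump every system root as PEM and search it by name.
    security find-certificate -a -p "$SYSTEM_ROOTS" > "$tmp/roots.pem"
    list_certs "$tmp/roots.pem" "$tmp" | select_targets "$PATTERN" |
    while IFS="$(printf '\t')" read -r fp file; do
        printf 'found %s (%s)\n' "$fp" "$file"
        case $mode in
        deny)   # Trust settings -> "Never Trust", admin domain; asks for your password
            sudo security add-trusted-cert -d -r deny -k "$ADMIN_KEYCHAIN" "$file" ;;
        delete) # Remove the certificate and (-t) its trust settings from System Roots
            sudo security delete-certificate -Z "$fp" -t "$SYSTEM_ROOTS" ;;
        list)   continue ;;
        esac
        # Step 6 in script form: the certificate must no longer verify.
        if security verify-cert -c "$file" >/dev/null 2>&1; then
            printf 'WARNING: %s still verifies; restart Safari and re-check, or delete it\n' "$fp"
        else
            printf 'ok: %s no longer verifies\n' "$fp"
        fi
    done
}

# Only touch the keychain on a Mac; the helpers above are usable anywhere.
if [ "$(uname -s)" = Darwin ]; then
    main "${1:-list}"
fi
```

Run it with no argument to see which roots match, `deny` to apply the “Never Trust” equivalent, or `delete` to remove them. Deleting from the System Roots keychain may be refused on some releases, which is why the script reports whether each certificate still verifies afterwards; the Safari caveat above about “Never Trust” applies equally to a scripted `deny` entry.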
Feeling more secure, or is this issue just too esoteric to care about?
via Coriolis News and TUAW


[...] improved bad SSL certificate handling. That means you need to edit the certificates yourself, which is the method I prefer — i.e. read who’s been hacked and take action versus waiting for Apple, Google, Mozilla, [...]
“… just select DigiNotar in Keychain, hit the Delete key and provide your password when prompted.” didn’t work for me since Mac OS X 10.5.8 beeps at me.