How to: Disable DigiNotar SSL certificate
The DigiNotar Breach has exposed everyone, regardless of platform, to having their Gmail intercepted via a man-in-the-middle attack and read. The nut of the issue is summarized by Wired:
News about the hack at DigiNotar broke this weekend after reports began circulating from people in Iran who claimed they were getting browser error messages when they tried to load the Gmail website. Google subsequently confirmed that a fraudulent Google certificate issued to a non-Google entity was operating in the wild, allowing someone to conduct a man-in-the-middle attack to intercept Gmail browsing.
To date Microsoft and Google have blacklisted more than 200 SSL certificates, and Mozilla has issued Firefox 6 and Thunderbird 6 patches. Apple has neither made a statement nor issued a patch.
If you’re concerned about this issue vis-a-vis Safari and DigiNotar SSL certificates, which could potentially affect more than just Gmail security, here’s what you need to do.
1. Open Keychain Access — find it via Spotlight or go to ~/Applications/Utilities in Finder
2. Type or paste “diginotar” in Keychain’s search field (shown above)
3. Double click the DigiNotar Root CA certificate
4. Open up the Trust settings, click Never Trust
5. When prompted, enter your password
6. Restart Safari, then go to diginotar.com. If you get the warning, “Safari can’t verify…” all is well.
Or, just kill it
However, Wired and Ars Technica report because of an issue with how Safari handles certificates simply not trusting
might will not be enough.
There is still a relatively simple fix to the problem until Apple issues a patch to Mac OS X, however. Using Keychain Access, users can simply delete any DigiNotar certs from the Keychain instead of marking them “untrusted.” Since the authority has already revoked all the fraudulent certs, they will no longer validate when Safari or other Mac OS X programs encounter them again.
Thereupon, this Gmail and 18-hour-a-day internet user, as suggested by Wired et al, deleted the DigiNotar certificate entirely.
Again, just select DigiNotar in Keychain, hit the Delete key and provide your password when prompted.
For the change to take effect, you must restart Safari. Then go to diginotar.com — if you get the warning, “Safari can’t verify…” all is well.
Feeling more secure or is this issue just to esoteric to care about?