Friday, 01 April 2011
Mac users, listen up! Enable certificate checking
Please revoke DigiNotar CA trust too!
If there is a silver lining, Comodo has provided details of the incident, including the affected domain names and certificate serial numbers, here. These certificates have been revoked, so users and applications that check certificate revocation status will not be affected by the bogus certificates.
My colleague Craig Watkins at Transcend, Inc. points out that not everyone has revocation checking enabled, and he provided a detailed explanation of how Mac OS users can enable this defense on a private mailing list. His explanation and testing are well documented and timely, so I invited him to post it here.
What follows is fully attributed to Craig Watkins. I take no credit except for having the good sense to keep company with really competent people and recognizing an opportunity to share this competence with you :-)
Google, Microsoft, and Mozilla have patched their browsers (by 23 March) to add these specific certs to a blacklist that will never be trusted. So far Apple has not done this, but that's OK if everything is working fine with certificate status checking.
The complication is that OCSP and CRL checking is disabled by default in Mac OS (except for Extended Validation "EV" certificates). You should turn it on. While I don't see a big risk to most of us from the Comodo issue, in general it is a very good idea to enable this checking. To do this on Mac OS 10.6:
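The post contrasts two defenses: a vendor-shipped blacklist of specific certificate serial numbers, and live OCSP/CRL status checking that is off by default. The following Python model, added here as an illustration and not code from the post or from Craig Watkins, shows how those two layers combine in a client's trust decision, and why a "best attempt" revocation setting still lets a revoked certificate through when the responder cannot be reached. The issuer names, serial numbers, URLs and the `RevocationMode` policy names are constructed placeholders; the OCSP responder is a stub function rather than a network call.

```python
"""Trust-decision model: local blacklist plus OCSP revocation checking.

Added illustration, not code from the original post. Issuer names,
serial numbers and the responder are constructed stand-ins.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional, Tuple


class RevocationMode(Enum):
    """Constructed policy names modelling a client's revocation setting."""
    OFF = "off"                    # no OCSP/CRL lookup at all (the default the post warns about)
    BEST_ATTEMPT = "best attempt"  # look up, but accept if the responder cannot be reached
    REQUIRE = "require"            # look up, and reject if no definitive answer is obtained


@dataclass(frozen=True)
class Certificate:
    issuer: str
    serial: int
    subject: str
    ocsp_url: Optional[str]  # None when the cert carries no OCSP pointer


# Constructed stand-in for the vendor blacklists described in the post:
# (issuer, serial) pairs that are never trusted, whatever OCSP says.
BLACKLIST = {
    ("CN=Example Issuing CA", 0x0BAD),
    ("CN=Example Issuing CA", 0x0BAE),
}

# An OCSP responder is modelled as a callable returning "good", "revoked",
# or None when it is unreachable. Real responders are HTTP endpoints.
OcspResponder = Callable[[Certificate], Optional[str]]

# Constructed responder: it knows one revoked serial that is NOT on the
# local blacklist, which is exactly the case only live checking catches.
REVOKED_AT_RESPONDER = {("CN=Example Issuing CA", 0x1234)}


def constructed_responder(cert: Certificate) -> Optional[str]:
    """Stub OCSP responder that always answers."""
    if (cert.issuer, cert.serial) in REVOKED_AT_RESPONDER:
        return "revoked"
    return "good"


def unreachable_responder(cert: Certificate) -> Optional[str]:
    """Stub for a responder that cannot be contacted (timeout, blocked, down)."""
    return None


def decide(cert: Certificate, mode: RevocationMode,
           responder: OcspResponder) -> Tuple[bool, str]:
    """Return (trusted, reason) for a certificate that already chains to a
    trusted root; only blacklist and revocation status are modelled here."""
    # Layer 1: the local blacklist applies regardless of the revocation setting.
    if (cert.issuer, cert.serial) in BLACKLIST:
        return False, "serial on local blacklist"
    # Layer 2: live revocation status, gated by the client's policy.
    if mode is RevocationMode.OFF:
        return True, "revocation checking disabled"
    if cert.ocsp_url is None:
        # Nothing to query; this model accepts a cert with no pointer.
        return True, "no OCSP pointer in certificate"
    status = responder(cert)
    if status == "revoked":
        return False, "OCSP says revoked"
    if status == "good":
        return True, "OCSP says good"
    # Responder unreachable: soft-fail accepts, hard-fail rejects.
    if mode is RevocationMode.BEST_ATTEMPT:
        return True, "responder unreachable, soft-fail accept"
    return False, "responder unreachable, hard-fail reject"


# Constructed sample certificates.
BLACKLISTED_CERT = Certificate("CN=Example Issuing CA", 0x0BAD,
                               "CN=login.example.test", "http://ocsp.example.test")
REVOKED_CERT = Certificate("CN=Example Issuing CA", 0x1234,
                           "CN=mail.example.test", "http://ocsp.example.test")
GOOD_CERT = Certificate("CN=Example Issuing CA", 0x5678,
                        "CN=www.example.test", "http://ocsp.example.test")

if __name__ == "__main__":
    for cert in (BLACKLISTED_CERT, REVOKED_CERT, GOOD_CERT):
        for mode in RevocationMode:
            for name, resp in (("reachable", constructed_responder),
                               ("unreachable", unreachable_responder)):
                trusted, why = decide(cert, mode, resp)
                print(f"{cert.subject:24} {mode.value:13} {name:12} "
                      f"{'TRUST' if trusted else 'REJECT':7} {why}")
```

Run as a script it prints the full decision matrix. The rows worth studying are `REVOKED_CERT`: with the default `OFF` it is trusted even though the CA has revoked it, which is the gap the post is about; with `BEST_ATTEMPT` it is caught only while the responder answers, and is accepted again when the responder is unreachable; only `REQUIRE` rejects it in both cases. The blacklist row is rejected under every setting, which is why the browser vendors shipped one rather than relying on users' revocation settings.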