Wednesday, August 31, 2011

How to Revoke Trust for DigiNotar Root CA Certs on Mac and in Opera

You may have heard about Dutch root certificate authority DigiNotar issuing valid certificates for *.google.com—to an entity other than Google. The same thing has apparently happened with other high-profile domains as well, including but not limited to login.live.com (used for Hotmail, Bing, and other Microsoft services), login.yahoo.com, *.aol.com, my.screenname.aol.com, www.facebook.com, twitter.com, *.wordpress.com, *.microsoft.com, www.update.microsoft.com, *.windowsupdate.com, *.skype.com, *.logmein.com, *.mozilla.org, addons.mozilla.org, *.torproject.org, *.android.com, and three government intelligence sites: www.cia.gov (U.S. Central Intelligence Agency), www.sis.gov.uk (British Secret Intelligence Service, aka MI6), and *.mossad.gov.il (Israel's Institute for Intelligence and Special Operations). There were also certificates issued for *.*.com and *.*.org (hopefully browsers would be smart enough to distrust these). If you haven't heard the story, see these write-ups about various stages of the investigation written by (in chronological order) F-Secure, Sophos, SC Magazine UK, and Mozilla Security Blog, and a more technical and detailed explanation from Mozilla's Gervase Markham. As of 4 September 2011, the count of certificates that have been identified as fraudulent is up to 531 (listed here). On 5 September 2011, Fox-IT released the details of its DigiNotar systems audit (nicely summarized in English by Sophos).

Suffice it to say that this is a really bad thing, and it points to some of the problems with the certificate authority system in general (see what Dan Kaminsky has to say on that subject).

So, what can you do to protect yourself from illegitimate DigiNotar-issued certificates?

If you use Internet Explorer on Windows, ensure that you have all the latest Windows updates installed. (Microsoft quickly fixed the issue for Windows 7, Windows Vista, and Windows Server 2008, but it took Microsoft until 6 September 2011 to finally release patches for Windows XP and Windows Server 2003. On 13 September 2011, Microsoft released an updated version of the patch for all supported versions of Windows: XP, Vista, 7, Server 2003, and Server 2008.)

If you're a Firefox user, make sure you're running version 6.0.1 or later (or 3.6.21 or later if you're still using 3.6.x). Firefox 6.0.2 and 3.6.22 fix the issue more completely.

If you use Chrome, make sure you have version 13.0.782.218 or later. (Note that Mac users may not have been fully protected at first when using Chrome; my own tests seemed to indicate that on the Mac, Chrome behaved the same as Safari when handling certificates issued by DigiNotar. It appears that Chrome for Mac uses the certificates in the Mac OS X Keychain, not the certificates used in the Windows and Linux versions of Chrome. Apple has since released Security Update 2011-005 which removes DigiNotar from Mac OS X's trusted certificate authorities; see UPDATE 9 for details.)

(NOTE: On 9 September 2011, Apple released a patch to remove trust for DigiNotar certificates from Mac OS X. See UPDATE 9 below for details. Since Apple is no longer releasing security updates for Mac OS X v10.5 Leopard including all G4/G5-based Macs, you still need to manually delete DigiNotar Root CA from Keychain Access in Leopard.) If you use Safari on a Mac, there's no official fix from Apple yet, but you can manually revoke trust for DigiNotar-issued certificates by following these steps:
  1. Open the Keychain Access app (found in /Applications/Utilities or just search for it using the Spotlight menu in the top-right corner of your screen)
  2. Click on System Roots and then Certificates on the left side of the Keychain Access window. In the search bar in the top-right corner of the window, type "diginotar" (without quotation marks)
  3. Double-click on DigiNotar Root CA, click on the triangle next to Trust to expand that section, and then next to "When using this certificate:" select "Never Trust" (IMPORTANT: Please see UPDATE 3 below for an explanation of why it is actually better to delete the certificate altogether, and UPDATE 1 for details on how to do so)

UPDATE 1: Edward Marczak (a personal friend, Google employee, and Executive Editor at MacTech Magazine) suggests deleting the certificate altogether rather than just disabling it. You can delete it right from within Apple's Keychain Access app using the basic steps outlined above (just right-click on the certificate and select "Delete 'DigiNotar Root CA'"). Ed also provides a tip for Mac sysadmins on how to delete the certificate via a Terminal command, which could be useful if you have remote shell access to the Macs you support.

I'll update this site again soon with instructions on how to block DigiNotar-issued certificates in the Opera browser.

UPDATE 2: On 30 August 2011, a member of the Opera security group blogged about why the company feels that Opera users are better protected against revoked certificates than users of other browsers (the blog post is titled "When Certificate Authorities are Hacked"). In spite of Opera Software's awareness of the issue, the company chose to release Opera 11.51 on 31 August 2011 without removing DigiNotar from its list of trusted root CAs. It's unclear why Opera Software has chosen not to remove it, but I strongly recommend either disabling or deleting the DigiNotar Root CA so you can more fully protect yourself. Here's how.

If you use Opera, make sure you are running the latest version and then follow these steps:
  1. First, open Opera's Preferences window. If you're using Windows or Linux, you can do this by going to the Opera menu, then Settings, and then "Preferences...", or if you're using Opera on a Mac, just go to the Opera menu (next to the Apple menu) and select "Preferences..."
  2. Click on the Advanced tab, then Security on the left side, and then click on the "Manage Certificates..." button
  3. Click on the Authorities tab, then click on "DigiNotar Root CA", click the "View..." button, and put a check next to "Warn me before using this certificate" and then uncheck "Allow connections to use this certificate", and finally click OK (Alternatively, if you want to delete it altogether, click on the Delete button instead of "View...")
  4. Click OK to close the Certificate Manager window, then OK again to close the Preferences

See UPDATE 7 below for Opera Software's current recommendations about securing the Opera browser and avoiding accidental installation of the DigiNotar Root CA when browsing to a site whose certificate was issued by DigiNotar.

Incidentally, long-time readers of this site will be unsurprised to know that the version of Opera in the Mac App Store is still the old version, 11.50. This is not the first (or the second) time that the Mac App Store has lagged behind on Opera security updates. Opera 11.51 fixes two security vulnerabilities, one of which Opera has classified as High Severity ("Unsecured web content may appear to be secure or trusted through Extended Validation") while the other is classified as Low Severity and its details have not yet been disclosed. If you use Opera on a Mac, you should download it directly from Opera's site, not from the Mac App Store.

UPDATE 3: According to Computerworld, Mac OS X does not properly handle extended validation (EV) certificates that the user or administrator has explicitly marked as untrusted. Until Apple fixes this glitch, the best way to avoid DigiNotar-issued certificates is to delete the root CA in Keychain Access (see UPDATE 1 above), or just use another browser such as Firefox 6.0.2 which has completely removed the DigiNotar Root CA.

UPDATE 4: I have added a list of several of the domains other than *.google.com for which DigiNotar issued fraudulent certificates, as well as a link to F-Secure's article on various DigiNotar hacks, and a link to Johnathan Nightingale and Gerv's articles (from 2 and 3 September 2011, respectively) about Mozilla's insights on the issue. Also, I should mention that the version of Opera in the Mac App Store was updated to 11.51 two days after its release, which is much better than the seven days that Apple typically takes to release security updates in the Mac App Store.

As of 3 September 2011, Microsoft still has not released a fix for Windows XP or Windows Server 2003 users, Apple has not released a fix for Mac OS X users, and Opera still has not seen fit to remove the DigiNotar Root CA from its browser.

It occurred to me that nobody seems to be discussing another serious aspect of the DigiNotar problem. So far all the discussion I've seen is how to fix the problem in Windows, Mac, and Linux. What about mobile platforms? Microsoft lists phones running Windows Phone 7 as "non-affected devices," but virtually every other mobile OS manufacturer has been silent about the issue. Apple has a knowledge base article showing that iOS 4.1 and later has DigiNotar Root CA as a trusted root certificate, which means that iPhone, iPad, and iPod touch are affected and currently have no protection. It is quite possible that other mobile platforms may be affected by this issue as well.

UPDATE 5: On 4 September 2011, I added some additional domains at the beginning of this article, and added a link to the source, Gerv's latest blog post. I also mentioned Firefox 6.0.2, which is now available for download and should become an automatic update (or obtainable by clicking on "Check for Updates" in the About Firefox window) later today.

UPDATE 6: Added links for the various Microsoft Windows patches (Microsoft finally released patches for Windows XP and Windows Server 2003). Added link to Sophos' summary of the Fox-IT audit from 5 September 2011. Clarified that Chrome for Mac appears to use the Mac OS X Keychain certificates rather than the custom certificates list used by Chrome for Windows and Linux. Also, I should mention that Mozilla finally released Firefox 6.0.2 officially today, 6 September 2011.

UPDATE 7: During the evening of 6 September 2011, Opera Software announced that it would finally begin dealing with the DigiNotar issue. For now, you still have to manually remove the DigiNotar Root CA if it exists in your copy of Opera, as I described in UPDATE 2 above. Opera Software implies that new installations of Opera (that is, when installing Opera onto systems that did not have it installed previously) will not include the DigiNotar Root CA by default. Opera recommends that if you visit a site with a DigiNotar-issued certificate and it triggers an "Unknown issuer" dialog, click "Reject".

UPDATE 8: It's unclear whether or not this has anything to do with the breach of DigiNotar's certificate security, but it serves as further evidence of how clueless the company was about computer security (as if we need any more convincing after the Fox-IT report): An article (auto-translated by Google) published 7 September 2011 claims that a DigiNotar building in the Netherlands has had a wide-open Wi-Fi network that a local group of hackers has utilized for the past 12 years. (Thanks to Erik Loman for sharing the link and F-Secure's CRO, Mikko Hypponen, for retweeting it.)

UPDATE 9: Apple has finally released an update (namely, Security Update 2011-005) for Mac OS X Snow Leopard version 10.6.8 and Mac OS X Lion version 10.7.1 that removes trust for DigiNotar certificates from the operating system (including the Mac version of Safari). You can read the details about the patch and download the Snow Leopard version or the Lion version of the patch as necessary. If you're unsure which version you need, just click on the Apple menu in the top-left corner of your screen and select About This Mac. From there you can see which version of Mac OS X you're running (if it says 10.5.8 or below, see UPDATE 10), and you can click on the "Software Update..." button to download all available Apple software updates.

UPDATE 10: On 13 September 2011, Microsoft issued a new update which replaced the KB2607712 patches. I had previously given direct links for all 14 versions of the KB2607712 patch in this article. Rather than link to all the new individual patches, I added a link to the new KB2616676 article which contains download links for all supported versions of Windows. Also, I updated this article to mention that Apple did not release (and has no plans to release) Security Update 2011-005 or any future security updates for Mac OS X v10.5 Leopard, including all G4/G5-based Macs, since both Leopard and all pre-Intel Mac hardware have reached the end of their support life cycle.

Also, as of 13 September 2011, Apple still had not released a security update for iOS, so all iPhones, iPads, and iPod touches are still vulnerable to attacks involving DigiNotar-signed certificates.

UPDATE 11: On 12 October 2011, Apple finally patched iOS. Users of iPhone 3GS/4/4S, iPad or iPad 2, or third or fourth generation iPod touch should install iTunes 10.5 (which was released yesterday) and then upgrade their device to iOS 5.0 afterward. Run Apple Software Update to upgrade iTunes, then plug in your device, then click on the device in iTunes, and then click on the "Check for Updates" button to download the latest version of iOS. If you have trouble downloading iOS 5.0 via iTunes, you can find individual download links here and instructions on how to manually install the update here. Apple has a list of security issues fixed in iOS 5.0 here.


For more from the JoshMeister on Security, please subscribe via e-mail or RSS, or follow me on Twitter.