Protecting Your Mac From the DigiNotar.nl Certificate Compromise
Download a package that will delete the DigiNotar Root CA certificates and will revoke the trust on the two root certificates and the four DigiNotar intermediate certificates. The package is now at version 2.1. Please use this version instead of versions 1.0 and 2.0.
Update (11-Sep-2011 9:35 PM EDT): Apple has finally released an official fix for Snow Leopard (Mac OS X 10.6) and Lion (Mac OS X 10.7). If you are running Leopard (Mac OS X 10.5) on PPC machines, the version 2.1 package has been tested and works with Leopard. Still no sign of an update for iOS, unfortunately.
You do not need to remove my package if you want to install Apple's package; there is no conflict. (Although I don't recommend installing my package after the Apple update -- there will be errors.) If you do want to remove it, delete the six DigiNotar certificates in the System keychain.
It appears that GlobalSign's web server was compromised, but not their CA architecture. We don't need to worry about fraudulent certificates from GlobalSign.
On July 10, 2011, DigiNotar.nl (a Netherlands CA) issued a fraudulent SSL certificate for the domain *.google.com, which would be valid for all google.com domains. DigiNotar has not been forthcoming about how the attackers were able to obtain the fraudulent certificate, releasing only a PR statement without any content. This means that more fraudulent certificates may have already been issued or may be issued in the future for *.google.com or other domains. The latest news is that over 500 fraudulent certificates have been issued. While current indications are that it was used to snoop on Gmail communications in Iran, no one knows where else it might be used or for what other purposes.
Why Do We Care?
Furthermore, due to the nature of the certificate system, until the DigiNotar.nl registrar is completely secured and the details of how the attack was conducted become publicly available, every SSL-protected website and service in the world is vulnerable.
DigiNotar has been very tight-lipped about the problem. They have issued only one press release about the situation, and what’s in the press release does not correspond to other observable facts, such as the content of their Certificate Revocation List. Swa Frantzen at SANS and Jonathan Nightingale from Mozilla have both written excellent explanations of why DigiNotar’s response has been lacking.
Because so many fraudulent certificates for so many high-value domains were issued (such as for yahoo.com), and there doesn’t seem to be a trustworthy list of the fraudulent certificates, there is a high risk that other sites may have been compromised and the end user would not be able to tell. The biggest risk to most users is identity theft by phishing of passwords. This could then lead to other compromises and eventually financial losses.
In addition, users in Iran and other countries with totalitarian governments should also be concerned that their communications may have been compromised.
What Counter-steps Have Been Taken?
Microsoft IE, Google Chrome, and Mozilla Firefox already have or have announced plans to very shortly blacklist all DigiNotar.nl certificates. If you are running IE (any version) on Vista, Windows 7, Server 2008, or Server 2008 R2; or an up to date version of Firefox or Chrome, you'll be OK in the near future. This is pretty much a death penalty for the DigiNotar CA.
Apple has not yet updated Mac OS X and Safari as of this writing or made any announcements about its plans. In addition, there is a bug on Apple systems with the handling of Extended Validation certificates. If an EV certificate is traced back to an invalid (as opposed to non-existent) root certificate, it will be treated as valid. This is undoubtedly slowing Apple’s response.
DigiNotar has two root certificates.
“C=NL,O=DigiNotar,CN=DigiNotar Root CA”, SHA-1=C060ED44CBD881BD0EF86C0BA287DDCF8167478C
“C=NL,O=DigiNotar,CN=DigiNotar Root CA G2” SHA-1=43D9BCB568E039D073A74A71D8511F7476089CC3
Only the first one is in Mac OS X’s System Roots by default, but if either is present, it needs to be deleted for protection. After that, both certificates need to be imported into the System keychain (whether they were in the System Roots or not), and marked as "Not Trusted".
In addition, DigiNotar uses two intermediate certificates (that were signed by an Entrust root certificate) to sign downstream certificates.
“C=NL,O=DigiNotar,CN=DigiNotar Root CA” SHA-1=367D4B3B4FCBBC0B767B2EC0CDB2A36EAB71A4EB
“C=NL,O=DigiNotar,CN=DigiNotar Services 1024 CA” SHA-1=F8A54E03AADC5692B850496A4C4630FFEAA29D83
That’s right — they have two different certificates with the same name! One that is signed by Entrust, one that is their own root. These need to be imported into the System keychain and marked as "Not Trusted".
Lastly, DigiNotar has two intermediate certificates from the Dutch government CA that they use to sign downstream certificates for government agency websites.
“C=NL,O=DigiNotar B.V.,CN=DigiNotar PKIoverheid CA Overheid en Bedrijven” SHA-1=40AA38731BD189F9CDB5B9DC35E2136F38777AF4
“C=NL,O=DigiNotar B.V.,CN=DigiNotar PKIoverheid CA Organisatie - G2” SHA-1=5DE83EE82AC5090AEA9D6AC4E7A6E213F946E179
These, too, need to be imported into the System keychain and marked as "Not Trusted".
Links to download these certificates in PEM format:
- C=NL,O=DigiNotar,CN=DigiNotar Root CA
- C=NL,O=DigiNotar,CN=DigiNotar Root CA G2
- C=NL,O=DigiNotar,CN=DigiNotar Root CA (Signed by Entrust)
- C=NL,O=DigiNotar,CN=DigiNotar Services 1024 CA
- C=NL,O=DigiNotar B.V.,CN=DigiNotar PKIoverheid CA Overheid en Bedrijven
- C=NL,O=DigiNotar B.V.,CN=DigiNotar PKIoverheid CA Organisatie - G2
Corrective Actions That You Can Do On a Mac
Until Apple releases a security update for this issue, you can protect yourself on an individual Mac computer by doing the following two actions.
First, delete the “DigiNotar Root CA” certificate (and the “DigiNotar Root CA G2” certificate if you have it) from your trusted roots, such as in the System Roots keychain. (The actual file is /System/Library/Keychains/SystemRootCertificates.keychain.) Second, import both root certificates into the System keychain, and mark them as "Not Trusted". Third, import all four of the intermediate certificates into the System keychain, and mark them as “Not Trusted”. If you are on Snow Leopard or Lion, there is an Installer package on my website that will do these steps for you. If you are on Leopard or earlier, please follow the step-by-step instructions below.
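A check to pair with these steps, as an added example that is not the author's package: it computes the SHA-1 fingerprint of every certificate in a block of PEM text (a downloaded PEM file, or the output of `security find-certificate -a -p` for a keychain) and reports any that match the six fingerprints listed on this page. The function names are assumptions made for this example.

```python
import base64
import hashlib
import re

# SHA-1 fingerprints exactly as listed on this page.
DIGINOTAR_SHA1 = {
    "C060ED44CBD881BD0EF86C0BA287DDCF8167478C": "DigiNotar Root CA",
    "43D9BCB568E039D073A74A71D8511F7476089CC3": "DigiNotar Root CA G2",
    "367D4B3B4FCBBC0B767B2EC0CDB2A36EAB71A4EB": "DigiNotar Root CA (signed by Entrust)",
    "F8A54E03AADC5692B850496A4C4630FFEAA29D83": "DigiNotar Services 1024 CA",
    "40AA38731BD189F9CDB5B9DC35E2136F38777AF4": "DigiNotar PKIoverheid CA Overheid en Bedrijven",
    "5DE83EE82AC5090AEA9D6AC4E7A6E213F946E179": "DigiNotar PKIoverheid CA Organisatie - G2",
}

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)


def fingerprints(pem_text):
    """Yield the uppercase SHA-1 fingerprint of every certificate in pem_text."""
    for body in PEM_RE.findall(pem_text):
        try:
            # The fingerprint is taken over the DER bytes, not the PEM text.
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            continue  # damaged block: skip it rather than abort the sweep
        yield hashlib.sha1(der).hexdigest().upper()


def sweep(pem_text, blocklist=DIGINOTAR_SHA1):
    """Return [(fingerprint, name)] for each blocklisted certificate found."""
    return [(fp, blocklist[fp]) for fp in fingerprints(pem_text) if fp in blocklist]


def to_pem(der):
    """Wrap raw bytes in PEM armour (helper for building constructed samples)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    import sys
    # Reads PEM text on standard input and prints one line per match.
    for fp, name in sweep(sys.stdin.read()):
        print("FOUND", fp, name)
```

A match in the System Roots keychain means the root has not yet been deleted; a downloaded PEM file that produces no match is not one of the six certificates listed above and should not be imported.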
A Serious Problem
All of this will be in vain if a user just clicks through the “invalid certificate” warning dialog box and marks the certificate as valid in his or her own personal keychain. All too many users are just conditioned to do this by now.
I don’t see a good way of handling this. I’m going to work on an application that can be used to sweep for known invalid certificates in the user’s keychain, but that’s going to take some serious effort. All we can do at this point is try to educate users.
iOS Note: Unfortunately there is no equivalent process available for iOS at this point. You can add your own trusted CA certificates via the iPhone Config Utility and Configuration Profiles, but you cannot remove or modify the trust levels for pre-installed system certificates.
This is a selection of informative links on the compromise of the DigiNotar CA. It is by no means complete, and is not intended to be. If you have a link that you think should be added to the list, please e-mail it to me.
Tor Project blog page with latest update: https://blog.torproject.org/blog/diginotar-damage-disclosure
Ed Marczak’s page: http://radiotope.com/content/remove-certificate
Swa Frantzen from SANS: https://isc.sans.edu/diary/DigiNotar+breach+-+the+story+so+far
Jonathan Nightingale from Mozilla:
DigiNotar's certificates: http://www.diginotar.nl/Klantenservice/Rootcertificaten/tabid/308/Default.aspx