Are you using lack of firewall support as an excuse to avoid IPv6?
My dog ate god's plan

Mac users listen up! Enable certificate checking

I hope you've all heard of the events leading to certificate authority Comodo incorrectly issuing SSL server certificates for some high profile web sites. This is disconcerting news, compounded by an announcement yesterday from hacker Ich Sun who claims to have breached a second CA.

Please revoke DigiNotar CA trust too!

If there is a silver lining, Comodo's provided details of the incident, including the affected domain names and serial numbers here. These certificates have been revoked, so users and applications that check certificate revocation status will not be affected by the bogus certificates.

My colleague Craig Watkins at Transcend, Inc. points out that not everyone has revocation enabled and provided a detailed explanation of how Mac OS users can enable this defense on a private mailing list. His explanation and testing is well documented and timely, so I invited him to post it here.

What follows is fully attributed to Craig Watkins. I take no credit except for having the good sense to keep company with really competent people and recognizing an opportunity to share this competence with you:-)

Google, Microsoft, and Mozilla have patched their browsers (by 23 March) to add these specific certs to a blacklist that will never be trusted.  So far Apple has not done this, but that's OK if
everything is working fine with certificate status checking.

The complication is that OCSP and CRL checking is disabled by default in Mac OS (except for Extended Validation "EV" certificates). You should turn it on.  While I don't see a
a big risk to most of us from the Comodo issue, in general it is a very good idea to enable this checking.  To do this on Mac OS 10.6:

- Open Applications -> Utilities -> Keychain Access
- Under Keychain Access menu, select Preferences...
- Select the Certificates tab
- Set "Online Certificate Status Protocol (OCSP)" to
  "Best Attempt"

- Set "Certificate Revocation List (CRL)" to "Best Attempt"
- Set "Priority" to "OCSP"



You can now lock the login keychain and close Keychain Access.

This will effect your Safari and Chrome browsers because they use the keychain.  Firefox has its own certificate store, and it should already be configured to use OCSP by default.  For Firefox,

- Under the Firefox menu, select Preferences...
- Select the Advanced tab
- Select the Encryption sub-tab
- Click the (Validation) button
- Verify that "Use the Online Certificate Status Protocol" is checked
- Verify that "Validate a certificate if it specifies an OCSP server" is selected
- Leave "When an OCSP server connection fails, treat the certificate as
  invalid" unchecked

  (That's consistent with the "Best Attempt" setting in Keychain Access)



To see what it looks like when you visit a site with a revoked certificate, visit

Revoked  Safari

Your browser should not allow you to go to this site and should report that the certificate is revoked.  You'll notice a stern warning from Firefox, a really stern warning from Chrome, and a quite wimpy warning from Safari.  You should get this warning from Safari and Chrome regardless
of your Keychain Access settings because this site uses one of those EV certificates that I mentioned above.  These certificates have added validation requirements and Mac OS will always attempt an OCSP validation so that your browser can show you that "extra-green SSL bar."

The only downside to this extra checking is possibly a slight delay to perform the request the first time you go to a web site and when the cache expires.  This should be less overhead than downloading a small image, so I'm not worrying about it.

Thanks Craig!


Feed You can follow this conversation by subscribing to the comment feed for this post.

Just confirmed that Lion is already configured this way by default. But thanks for the tip!

Opera doesn't allow the revoked certificate as default.

The comments to this entry are closed.