DigiNotar neglect on PowerPC


Today I was looking through Keychain, and was reminded of the DigiNotar certificate simply through memory, because it hasn't lived on any of my Macs since late 2011.  It's one of those things I set and literally forget in this case.  Luckily, for the sake of a screenshot, I have an older drive I keep with a stock Leopard install for just these occasions.

In 2011 Apple announced that they were no longer going to update Leopard at all on PowerPC or Intel.  Then around spring 2012, they ended up releasing a security update for Leopard that fixed the DigiNotar issue.  Unfortunately, this update was Intel-only.  Truly pathetic.  Thanks, Apple.

The good news is that disabling or deleting this vulnerable certificate is very easy.  For the ultimate level of security when it comes to certificates like this, you should use a browser with a private browsing function, along with script blocking.  Those things combined would give you a browsing environment nearly as secure as current OS X, and even save you a bunch of CPU cycles.

Along with dealing with DigiNotar, you should make it a habit to look through your certificates every so often and disable any expired items that might exist, either by deleting them or by marking them as "Never Trust".


How to disable DigiNotar or any other certificate:

1. Open "Keychain Access" from the Utilities folder in Applications.

2. Select "System Roots" in the top left.  It may take a moment to show them all.

3. Navigate to the "DigiNotar Root" certificate.  Double-click it to disable it, or select it and delete it.

4. If you're choosing not to delete it and have double-clicked it, simply expand the "Trust" settings.

5. Set the top option, named "When using this certificate", to "Never Trust", which will automatically set all the trust functions the same way.  Use the screenshot below for reference.

Screenshot


I will be sure to update you in the future when other certificates or anything else becomes vulnerable.  These days I am paying more and more attention to Leopard security, because it is at a point now where it will only become less secure as the months and years go by.  There are far too many people who are either in denial or ignorant of this fact.

6 comments:

  1. Nice Lion Theme! Thanks for all of the security posts that you have done. If I get a G4 or G5 that I could run Leopard on, I will disable this certificate.

  2. Thanks for the heads up on this. I marked it as "never trust". For some reason, I was unable to delete it. When I click on it and hit the delete key, a confirmation dialog box appears. After confirmation, the certificate remains visible, though marked as "never trust".

    Keith

  3. I was unable to delete it, too. Marking it as "never trust" worked, though.

    Thanks for keeping on top of these Leopard security issues, Zen.

  4. If you're logged in as admin and you click the lock followed by your password in Keychain it should delete without issue. It has worked for me every time I have done it.

  5. Today, I first opened the System Preferences/System/Accounts panel and disabled "Guest Account". Then I followed your instructions and was able to successfully delete the certificate.

    My computer is in my home and is only used by myself, so I have it log in automatically. I'm guessing some time in the past, I must have accidentally set it to log in as "guest".

    This blog is on the bookmark bar of all my browsers and I check it daily. Thanks again for the good information.

    Keith

  6. After initially having failed at deleting the DigiNotar certificate even though logged in as admin, I clicked in the search box in the upper right-hand corner of the window and typed "Diginotar". Two items with the same name, DigiNotar Root CA, came up. I deleted both with no problem.
