computerwoche.de

Archiv

Digital certificate theft shows Safari limitation

24.03.2011
The recent theft of a small number of digital certificates, used by Web browsers to verify the identity of secure Websites, has put Safari users at potential risk, according to security developer and research firm . The security developer says it’s due to a limitation in the way Apple's browser handles the validation of online identities.

Several days ago, hackers managed to successfully request fraudulent digital certificates for various popular Websites—including Google, Yahoo, Skype, and others—from an affiliate of , which is one of several companies that issues digital certificates.

Digital certificates are used by browsers to verify that the site on the other end of a secure connection is who they purport to be. In other words, when you visit your bank online or shop at Amazon, certificates make sure that it really your bank or Amazon. Those certificates are issued by a certificate authority, like Comodo; as long as the browser trusts the issuer, it implicitly trusts the certificates it’s given out. (In Safari, you can view the certificate of a secure site by clicking on the padlock icon in the top right corner of the window or on the company name in the location field.)

The security breach threw a monkey wrench in this process, by allowing hackers to essentially pretend that a site of their own creation was in fact Google, Yahoo, or Skype. Backed by the fraudulent certificates, these fake sites could be used to trick people into giving up all sorts of personal information.

Luckily, certificate authorities can revoke those digital certificates, rendering them useless to the would-be hackers—but it only works if your browser knows the certificates have been revoked. This process doesn’t happen automatically in all browsers. Safari, in particular, relies on the built-in security management features of Mac OS X’s Keychain Manager—and Keychain Manager’s validation feature is off by default.

Fortunately, , it only takes a couple of clicks to make Safari safe from this potential vulnerability again. All you need to do is run Keychain Access (found in your /Applications/Utilities folder, or by just typing its name into Spotlight) and then make sure that the various certificate-revocation protocols are enabled in the app’s settings panel. Visit the link above for full instructions. However, it’s worth noting that enabling these options can slow down your browsing process.