Ryan Sleevi, a software developer who has contributed to Google's Chrome project, noticed the issue too. After poking around the Mac OS X source code, though, he uncovered the cause.

Users can revoke a certificate using Keychain, but if they happen to visit a site that uses the more-secure Extended Validation Certificates, the Mac will accept the EV certificate even if it's been issued by a certificate authority marked as untrusted in Keychain.

"When Apple thinks you're looking at an EV Cert, they check things differently," Sleevi said in an interview Wednesday. "They override some of your settings and completely disregard them."

Designed as a way to reassure Web surfers that they're not being phished, Extended Validation Certificates turn the browser address bar green. They're widely used by sites that have a lot of HTTPS traffic.

It's troubling that such a basic component of Internet security could have such an obvious flaw on the Mac, several security experts said Wednesday. "In a real-world sense, it probably won't affect a lot of people, but for me it's a little bit troubling that the security advice on what you're supposed to do plain doesn't work," said Jeremiah Grossman, chief technology officer with WhiteHat Security.