Apple is keeping mum about when – or if – it will blacklist SSL certificates more than a week after other browser makers moved to break trust with the disgraced Dutch certificate authority DigiNotar.
With each new day revealing more about the extent of the breach, experts warn that Apple is leaving users of the company’s Safari Web Browser and mobile devices vulnerable to man in the middle attacks.
Apple’s Safari Web browser and iOS mobile devices have not been updated to reflect the breach at DigiNotar. That means that Websites using fraudulent certificates issued by the compromised certificate authority wouldn’t be treated as “high risk” by Safari or iOS-based devices like the iPhone and iPad. Apple did not not responded to multiple requests for comments on its plans to address the DigiNotar compromise from Threatpost.
Competing browser vendors including Microsoft, Google and The Mozilla Foundation moved to break trust with DigiNotar’s compromised certificate authorities almost immediately after word of a fraudulent certificate for Google.com issued by DigiNotar broke on August 27th. Both companies have taken additional steps since then to expand the reach of their bans as more information about the extent of the breach has been made public. Specialty browser makers like The Tor Project have responded in a similar fashion.
Not so, Apple, which hasn’t issued an update to its Mac OSX or iOS mobile operating systems, nor its Safari Web browser to address the compromise. Nor has Apple given its tens of millions of users any concrete advice on how to protect themselves from man in the middle attacks using rogue DigiNotar-issued certificates in the absence of a vendor patch. Some advice has trickled online. Coriolis Systems, an independent software firm that created the iPartition and iDefrag programs for Apple’s Mac operating system, published instructions on disabling the DigiNotar root CA on their Mac systems manually, though it was subsequently revealed that doing so wouldn’t entirely protect users from man in the middle attacks. The plog ps-enable has issued more exacting instructions to completely revoke trust in DigiNotar from the Mac OS X keychain, the Mac’s built-in password and certificate management system. However, Apple has neither endorsed nor refuted those manual workarounds.
That has left Mac and iOS users scrambling for answers on how to protect themselves. “Basically, until Apple either releases a security update with this CA cert removed, or adds a way for me to remove it myself, nobody is allowed to use iPads or iPhones for any company-related purpose at work,” wrote a user with the handle John Simpson on an Apple support forum.
Roel Schouwenberg, a senior security analyst at Kaspersky Lab, said that the delay is puzzling, but that Apple was similarly slow to respond to the breach of Comodo, another certificate authority, in March.
“It’s very surprising Apple isn’t just going out and fixing these issues. Especially when you consider the fix should be easy and security can be leveraged as a differentiator,” Schouwenberg said.
He said the delay may be linked to problems revoking EV (or “extended verification”) SSL certificates in OSX. Whatever the case, he said the company’s lack of communication about when or if a fix is coming is inexcusable. “If there is a technical reason for their slow response to these issues they should communicate it. Either way, their silence is not acceptable. It’s all the more reason not to use Safari.”