In Firefox, choose Firefox -> Preferences, click the Advanced icon, and then click the Authorities tab. Scroll through this list to find the CA you want to remove. Select it, and then either click the Edit Trust button or the Delete or Distrust button. Edit Trust lets you retain the certificate, but disallow its use. Delete or Distrust removes all trust from built-in certificate authority information, or removes a manually entered CA. (Some companies and other entities may choose to trust a CA separately from the global chain of trust built into the browser.)
What about your phone? Sadly, you’re out of luck. The greatest disappointment in all this certificate authority nonsense is that both iOS and Android have lagged behind on dropping support for suborned certificates and hacked CAs. (Windows Phone 7 never included DigiNotar on its approved list.)
You might despair after reading about the scope of this problem, and the complexity in managing some of the fixes yourself. But don’t lose hope. With the exposure of these flaws, companies that sell hundreds of billions of dollars of goods a year over the Internet are aware that they can’t allow trust to seep away. Browser and operating system developers are also moving into higher gear to avoid putting customers into compromised situations.
Built-in notary support. Future browsers could include the kind of checks that Perspectives and Convergence offer. Better, you might be able to choose the notary servers you trust, so that you can place your faith in the security of particular organizations. The Electronic Frontier Foundation, which has conducted certificate research, could offer a notary service, for instance. The more notaries, the better, as it increases heterogeneity, which improves the chances of problems being spotted instantly.
Domain pinning. You may see browsers including more support for domain pinning, which allows only specific CAs to vouch for a given domain. Google built a fixed pin for Gmail’s certificate into Chrome’s recent releases so that only three CAs are recognized as valid countersigners, and Chrome has a setting that lets you pin domains manually. One could see Apple, Microsoft, Mozilla, and others pinning domains that relate to their own businesses, and working with other companies and organizations to support a global pinned directory. This tremendously reduces the risk of rogue or suborned CAs.
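The pin check described above, as an added example (not from the article and not Chrome's own code): a chain that already validates against the trust store is accepted for a pinned domain only if one of its keys hashes to a pinned value. The domain names, CA names and key bytes are constructed placeholders; hashing the public key with SHA-256 and applying a parent domain's pin to its subdomains are assumptions of this example.

```python
import hashlib

# Constructed placeholder bytes standing in for each certificate's DER-encoded
# public key (SubjectPublicKeyInfo); a real client extracts these from the chain.
KEYS = {
    "Example CA One": b"constructed-key-ca-one",
    "Example CA Two": b"constructed-key-ca-two",
    "Other Trusted CA": b"constructed-key-other-ca",
    "leaf": b"constructed-key-leaf",
}

def key_hash(public_key_der: bytes) -> str:
    """Pin value (assumed format): SHA-256 over the public key bytes."""
    return hashlib.sha256(public_key_der).hexdigest()

# Pin table (constructed): domain -> hashes of the only CA keys allowed to vouch for it.
PINS = {
    "mail.example.com": {key_hash(KEYS["Example CA One"]),
                         key_hash(KEYS["Example CA Two"])},
}

def pins_for(host: str):
    """Return the pin set for host or its nearest pinned parent, else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        pins = PINS.get(".".join(labels[i:]))
        if pins is not None:
            return pins
    return None

def check_chain(host: str, chain_keys: list, trust_store_ok: bool):
    """Decide on a chain (leaf first) after normal trust-store validation has run."""
    if not trust_store_ok:
        return (False, "chain does not validate")
    pins = pins_for(host)
    if pins is None:
        return (True, "no pin: any trusted CA accepted")
    if any(key_hash(k) in pins for k in chain_keys):
        return (True, "pinned CA in chain")
    return (False, "trusted CA is not pinned for this domain")

if __name__ == "__main__":
    good = [KEYS["leaf"], KEYS["Example CA One"]]
    other = [KEYS["leaf"], KEYS["Other Trusted CA"]]
    for host, chain in [("mail.example.com", good), ("mail.example.com", other),
                        ("imap.mail.example.com", other), ("shop.example.org", other)]:
        print(host, check_chain(host, chain, True))
```

The last case shows the exposure that remains without a pin: for an unpinned domain, any CA in the trust store is still accepted.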
Fewer CAs. It’s very likely that fewer and fewer CAs will be given the blind trust currently offered. Fewer CAs lead to a smaller risk profile and less exposure.
DNSSEC/DANE. A complicated effort is underway that will allow websites to put digital signatures for their certificates into secured DNS (Domain Name System) records. DNS is used to connect a domain name to a machine-readable IP address, and a decade-long effort to provide a cryptographic underpinning (to kill DNS poisoning, among other matters) is nearing fruition.
Dynamic CAs. Microsoft chose to use dynamic lists of CAs starting with Microsoft Vista. The feature is also found in Windows 7 and Windows Server 2008. Instead of having a fixed list of CAs that an OS update is required to modify, Microsoft only caches CAs temporarily, for seven days, using a secured service it operates. On visiting a secured website, if the CA that signed its certificate isn’t cached, Windows consults Microsoft’s list, downloads the validation, and then affirms the website’s certificate. Microsoft was able to dump DigiNotar right away, while Apple took weeks to push out a security update that took care of the problem.
These fixes could all have been in place earlier. But it’s the same motivation that puts a traffic light at an intersection only after pedestrians are repeatedly hit by cars. Late—but better late than never.
[Updated 9/24 at 11:20 a.m. PT to add information about the Mac App Store's failure to update apps when strict checking for certificate revocation is enabled in Keychain Access.]
[Senior contributor Glenn Fleishman started hosting websites in 1994 on the nascent Internet, and has dealt with myriad security problems since. His most recent book is Take Control of Your 802.11n AirPort Network, updated for Lion. He contributes regularly to the Economist, the Seattle Times, and BoingBoing.]