Digital certificate theft shines spotlight on Safari limitation
By Marco Tabini
The recent theft of a small number of digital certificates, used by Web browsers to verify the identity of secure Websites, has put Safari users at potential risk, according to security developer and research firm Intego. The security developer says it’s due to a limitation in the way Apple’s browser handles the validation of online identities.
Several days ago, hackers managed to successfully request fraudulent digital certificates for various popular Websites—including Google, Yahoo, Skype, and others—from an affiliate of Comodo, which is one of several companies that issues digital certificates.
Digital certificates are used by browsers to verify that the site on the other end of a secure connection is who they purport to be. In other words, when you visit your bank online or shop at Amazon, certificates make sure that it really is your bank or Amazon. Those certificates are issued by a certificate authority, like Comodo; as long as the browser trusts the issuer, it implicitly trusts the certificates it’s given out. (In Safari, you can view the certificate of a secure site by clicking on the padlock icon in the top right corner of the window or on the company name in the location field.)
The security breach threw a monkey wrench in this process, by allowing hackers to essentially pretend that a site of their own creation was in fact Google, Yahoo, or Skype. Backed by the fraudulent certificates, these fake sites could be used to trick people into giving up all sorts of personal information.
Luckily, certificate authorities can revoke those digital certificates, rendering them useless to the would-be hackers—but it only works if your browser knows the certificates have been revoked. This process doesn’t happen automatically in all browsers. Safari, in particular, relies on the built-in security management features of Mac OS X’s Keychain Manager—and Keychain Manager’s validation feature is off by default.
Fortunately, as Intego mentions in its blog post, it only takes a couple of clicks to make Safari safe from this potential vulnerability again. All you need to do is run Keychain Access (found in your /Applications/Utilities folder, or by just typing its name into Spotlight) and then make sure that the various certificate-revocation protocols are enabled in the app’s settings panel. Visit the link above for full instructions. However, it’s worth noting that enabling these options can slow down your browsing process.
Despite the potential seriousness of this problem, it is important to note a couple of things. The first is that actually exploiting those fraudulent certificates requires a lot of things to go just right for the would-be attackers—they’d have to create perfect replicas of the Websites in question and convince users to visit them. It’s also worth pointing out that the above solution only pertains to Safari. Other popular Mac browsers, like Chrome or Firefox, rely on a different certificate validation mechanism, but they ought to be safe as long as you keep them up-to-date.