Apple Needs to Respond to Danger
Schouwenberg was concerned how "deep this attack may have run." On Sept. 6, a user claiming to be behind the earlier attack on New Jersey-based certificate authority Comodo posted a note on text-sharing site Pastebin claiming responsibility for the DigiNotar breach as well as four other high-profile CAs, including GlobalSign. The alleged attacker claimed to still have the ability to issue rogue certificates from the other CAs. Google and Mozilla have already updated their browsers to block all DigiNotar certificates. Google shipped a new version of Chrome on Sept. 3, and Mozilla updated both Firefox 6 and Firefox 3.6 on Sept. 6. Mozilla's Director of Firefox Engineering Johnathan Nightingale said the removal was "not a temporary suspension," but a "complete" one.As is characteristic of Apple whenever there is a security issue, the company has yet to warn its users or act. "I know you [Apple] don't like to talk about security, but now would be a great time to show you care" and protect users, Wisniewski said to Apple. Since Microsoft has issued the update to all supported versions of Windows, including Windows XP and Windows 2003, all Windows users "will no longer be presented with the dangerous option" of mistakenly overriding the suspicious SSL certificate warning, Wisniewski told eWEEK over email. He recommended that Mac OS X users use BootCamp and Windows 7 to browse the Web or use Firefox. Chrome uses the KeyChain to validate certificates on Mac OS X, making it vulnerable to the same issue as Safari, Wisniewski said. The update will be automatically downloaded and installed on machines that have Automatic Update enabled, Microsoft said in the security advisory. However, the company is checking the PC's geographic location before downloading the update to delay pushing the changes to its Dutch customers. Once the certificates are blocked, users will be unable to access a lot of the Websites that have legitimate SSL certificates signed by DigiNotar, such as various Dutch government and business Websites. The one-week delay would give the Dutch government time to obtain new certificates from some other "more trustworthy" certificate authority, Wisniewski said. "At the explicit request of the Dutch government, Microsoft will delay deployment of this update in the Netherlands for one week to give the government time to replace certificates," Dave Forstrom, a director in Microsoft's Trustworthy Computing group, said in a blog post today. Dutch user can still manually update by going to the country-specific Windows Update site, Forstrom said.
"Complete revocation of trust is a decision we treat with careful consideration, and employ as a last resort," wrote Nightingale in a blog post on Sept. 2.