eWEEK Labs Blog - Security - Does Apple’s “when we feel like it” approach to security leave users hanging? | eWeek

Does Apple’s “when we feel like it” approach to security leave users hanging?

Écrit par
P. J. Connolly
P. J. Connolly
Apr 15, 2011
2 minute read
eWeek Le contenu et les recommandations de produits sont indépendants de la rédaction. Nous pouvons gagner de l'argent lorsque vous cliquez sur des liens vers nos partenaires. En savoir plus

Apple finally got around to responding to last month’s SSL certificate snafu on April 14, by issuing updates for its Safari browser, the Mac OS X operating system and the iOS mobile platform. Safari 5.0.5 and Mac OS X Security Update 2011-002 can be downloaded from Apple’s Software Update service, while the iOS updates (4.3.2 for iPads and GSM iPhones, and 4.2.7 for CDMA iPhones) are available through iTunes. The updates also include fixes for issues with the QuickLook document preview feature and the WebKit layout engine.

The gatekeepers of other major browsers had issued fixes for the bogus SSL certificates long before Apple’s move. Google had updated the Chrome Beta and Stable channels on March 17, without providing much in the way of an explanation, but Mozilla’s update on March 22 seemed to be the first public acknowledgment that. Microsoft followed on March 23 with its update to Internet Explorer that blocked the bogus certificates.

Comodo had notified the browser makers of the problem on March 16, the day after a hacker operating out of Iran had requested nine certificates, linked to highly trafficked web presences – including Google, Microsoft Live, Mozilla, Skype and Yahoo. Browsers using the Online Certificate Status Protocol (OCSP) to interactively validate SSL certificates would not have honored those certificates, which had been revoked by Comodo upon discovery of a breach affecting one of its resellers.

Safari, unfortunately, doesn’t use OCSP as a default; it can be enabled on Mac OS X in the Keychain Access utility, by setting the value on the Certificates tab of the Preferences dialog to “Best Attempt.” It’s also a good idea to set the same value for the Certificate Revocation List, immediately below the OSCP setting.

This incident raises two questions: the first, of course, is why doesn’t Safari have OCSP enabled by default. The second question is “what took Apple so long to fix this?”

The company, as usual, isn’t speaking.

(Edited on 4/15 to fix a paragraph break, and to note that it’s been over 20 hours since I asked Apple for comment, with no response from the company. I guess they’re all busy filling out their 1040s.)

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Propriété de TechnologyAdvice. © 2026 TechnologyAdvice. Tous droits réservés

Divulgation publicitaire : Certains des produits qui apparaissent sur ce site proviennent d'entreprises dont TechnologyAdvice reçoit une compensation. Cette compensation peut influencer la façon dont les produits apparaissent sur ce site, notamment l'ordre dans lequel ils apparaissent. TechnologyAdvice n'inclut pas toutes les entreprises ou tous les types de produits disponibles sur le marché.