Apple finally got around to responding to last month’s SSL certificate snafu on April 14, by issuing updates for its Safari browser, the Mac OS X operating system and the iOS mobile platform. Safari 5.0.5 and Mac OS X Security Update 2011-002 can be downloaded from Apple’s Software Update service, while the iOS updates (4.3.2 for iPads and GSM iPhones, and 4.2.7 for CDMA iPhones) are available through iTunes. The updates also include fixes for issues with the QuickLook document preview feature and the WebKit layout engine.
The gatekeepers of other major browsers had issued fixes for the bogus SSL certificates long before Apple’s move. Google had updated the Chrome Beta and Stable channels on March 17, without providing much in the way of an explanation, but Mozilla’s update on March 22 seemed to be the first public acknowledgment that. Microsoft followed on March 23 with its update to Internet Explorer that blocked the bogus certificates.
Comodo had notified the browser makers of the problem on March 16, the day after a hacker operating out of Iran had requested nine certificates, linked to highly trafficked web presences – including Google, Microsoft Live, Mozilla, Skype and Yahoo. Browsers using the Online Certificate Status Protocol (OCSP) to interactively validate SSL certificates would not have honored those certificates, which had been revoked by Comodo upon discovery of a breach affecting one of its resellers.
Safari, unfortunately, doesn’t use OCSP as a default; it can be enabled on Mac OS X in the Keychain Access utility, by setting the value on the Certificates tab of the Preferences dialog to “Best Attempt.” It’s also a good idea to set the same value for the Certificate Revocation List, immediately below the OSCP setting.
This incident raises two questions: the first, of course, is why doesn’t Safari have OCSP enabled by default. The second question is “what took Apple so long to fix this?”
The company, as usual, isn’t speaking.
(Edited on 4/15 to fix a paragraph break, and to note that it’s been over 20 hours since I asked Apple for comment, with no response from the company. I guess they’re all busy filling out their 1040s.)