An open community 
of Macintosh users,
for Macintosh users.

FineTunedMac Dashboard widget now available! Download Here

Previous Thread
Next Thread
Print Thread
Security Updates
#17437 09/16/11 12:35 AM
Joined: Aug 2009
OP Offline

Joined: Aug 2009
OK, Microsoft security update (haha), Adobe Reader security update, Apple security update, all in one day? What's up with that?


Mid 2010 MacBook Pro 13"
2.4GHz, 750GB SATA HD, 8 GB RAM, OS 10.7.5
1 HDX1500 2TB Ext.HD, 2 HDX1500 1TB Ext.HD
HP Laserjet 6MP printing postscript via 10/100 Intel print server
Netgear WN2500RP Range Extender (Ira rocks!)
Linksys WRT1900AC Wireless Router
Brother MFC-9340CDW Color Laser
iPad Air
Re: Security Updates
slolerner #17439 09/16/11 03:41 AM
Joined: Aug 2009
Likes: 1
Offline

Joined: Aug 2009
Likes: 1
They're all a result of the DigiNotar debacle.

DigiNotar is, or was, a Dutch certificate authority, that got hacked a while back. The hackers created a bunch of forged security certificates for a lot of high-profile Web sites, including Google and eBay, which they then sold on to the Iranian government. The Iranian government used the forged SSL certificates to intercept people's communications, read their Gmail mail, and so on.

Basically, a certificate authority (or CA) is the root of trust in the whole chain of SSL certificates. A security certificate is an encryption key that is issued to a Web site. The key contains the name of the Web site, the digital encryption signature of the CA where it came from, and the codes that let a Web browser set up a secure, encrypted link with that Web site.

The idea is that a CA will do background checks on a Web site before issuing a security certificate. When you connect to a Web site securely using SSL, the browser will check that the security certificate is valid, and that it was issued by a trustworthy company. Every browser carries a list of the CAs that the browser programmer considers reputable and trustworthy. If the browser sees a security certificate that didn't come from a reputable, trustworthy CA, the browser refuses to use it and warns you that the site might be bogus.

When DigiNotar got hacked, the hackers were able to create genuine security certificates--more than 500 in all--that let them set up sites that seemed like the real thing. The Iranian government for a time redirected any attempt to reach gmail.com to its own servers, which looked just like gmail and presented what seemed to be a legitimate security certificate for gmail. Worse, from a security standpoint, even though DigiNotar had been hacked, they didn't tell anyone about it for months.

The security updates from Apple, Adobe, and Microsoft all remove DigiNotar from the list of trusted CAs. From now on, Safari, Internet Explorer, Acrobat Reader (and others, including Chrome and Firefox) no longer trust DigiNotar security certificates. (Adobe Reader isn't a browser, but it can access the Web and it can read encrypted and signed PDFs, which is why it has a list of CAs in it.)


Photo gallery, all about me, and more: www.xeromag.com/franklin.html
Re: Security Updates
tacit #17442 09/16/11 11:45 AM
Joined: Aug 2009
Likes: 4
Offline

Joined: Aug 2009
Likes: 4
In addition to tacit's excellent description, in case you missed it, is the lengthy article Hacker Rattles Security Circles by Somini Sengupta in The New York Times on September 12, 2011.

Re: Security Updates
grelber #17447 09/16/11 04:48 PM
Joined: Aug 2009
OP Offline

Joined: Aug 2009
Thanks, I'm glad I asked. I couldn't find news about a new virus or anything. That was full of intrigue. "Do I have to change passwords?" sez paranoid me living inside easygoing me.


Re: Security Updates
slolerner #17452 09/16/11 08:54 PM
Joined: Aug 2009
Likes: 1
Offline

Joined: Aug 2009
Likes: 1
Nope. No need to change passwords unless you were using an Iranian ISP between June and September of this year to access Gmail, Google Groups, Google Accounts, Mozilla, the Mozilla Firefox repository, or the like.

The stolen certificates were only present, from everything I've been able to gather, on certain state-run ISPs inside Iran.


Photo gallery, all about me, and more: www.xeromag.com/franklin.html
Re: Security Updates
tacit #17455 09/16/11 10:07 PM
Joined: Aug 2009
OP Offline

Joined: Aug 2009
ummmm... nope.

Re: Security Updates
tacit #17480 09/19/11 06:12 PM
Joined: Aug 2009
Offline

Joined: Aug 2009
Originally Posted By: tacit
Worse, from a security standpoint, even though DigiNotar had been hacked, they didn't tell anyone about it for months.

For this specific reason alone, they should go away, completely, forever. In the business they are in, this is the ultimate unforgivable mistake. It's bad enough when you get hacked, but when you cover it up, that's simply unforgivable.


I work for the Department of Redundancy Department
Re: Security Updates
Virtual1 #17506 09/20/11 04:58 PM
Joined: Aug 2009
Likes: 1
Moderator
Offline
Moderator

Joined: Aug 2009
Likes: 1
Originally Posted By: Virtual1
For this specific reason alone, they should go away, completely, forever. [...]
It's bad enough when you get hacked, but when you cover it up, that's simply unforgivable.

Looks like your wish got granted, at least formally. Earlier today the Haarlem District Court in the Netherlands declared DigiNotar BV bankrupt, following an earlier filing of a voluntary bankruptcy petition* by the company. That said, parent company Vasco will likely set up a successor to DigiNotar using its intellectual property etc.

With regard to an active cover-up by DigiNotar, the preliminary report of an investigation into the DigiNotar hack doesn't indicate there was one. At this point it isn't clear yet whether DigiNotar will be prosecuted for criminal liability other than the fact that they didn't file a report of the break-in with the authorities as soon as they noticed it (presumably on June 19; see 'Timeline', section 5.4 of the report).

*) This filing became inevitable after OPTA (the Dutch telecom authority) had revoked the company's license as Trusted Third Party. DigiNotar was ordered to revoke all existing certificates and forbidden to issue new ones.


alternaut moderator
Re: Security Updates
alternaut #17568 09/24/11 05:33 PM
Joined: Aug 2009
Likes: 1
Moderator
Offline
Moderator

Joined: Aug 2009
Likes: 1
More user info on this topic (or 'tacit expanded'): Keep your Mac safe from Web security flaws.


alternaut moderator

Moderated by  alternaut, cyn 

Link Copied to Clipboard
Powered by UBB.threads™ PHP Forum Software 7.7.4
(Release build 20200307)
Responsive Width:

PHP: 7.4.33 Page Time: 0.023s Queries: 32 (0.016s) Memory: 0.6115 MB (Peak: 0.6991 MB) Data Comp: Zlib Server Time: 2024-03-28 17:18:14 UTC
Valid HTML 5 and Valid CSS