#17437 - 09/15/11 05:35 PM Security Updates
slolerner Offline


Registered: 08/25/09
Loc: New York City
OK, Microsoft security update (haha), Adobe Reader security update, Apple security update, all in one day? What's up with that?
_________________________
Mid 2010 MacBook Pro 13"
2.4GHz, 750GB SATA HD, 8 GB RAM, OS 10.7.5
1 HDX1500 2TB Ext.HD, 2 HDX1500 1TB Ext.HD
HP Laserjet 6MP printing postscript via 10/100 Intel print server
Netgear WN2500RP Range Extender (Ira rocks!)
Linksys WRT1900AC Wireless Router
Brother MFC-9340CDW Color Laser
iPad Air

#17439 - 09/15/11 08:41 PM Re: Security Updates [Re: slolerner]
tacit Offline


Registered: 08/03/09
Loc: Portland, Oregon, USA
They're all a result of the DigiNotar debacle.

DigiNotar is, or was, a Dutch certificate authority that got hacked a while back. The hackers created a bunch of forged security certificates for a lot of high-profile Web sites, including Google and eBay, which they then sold on to the Iranian government. The Iranian government used the forged SSL certificates to intercept people's communications, read their Gmail mail, and so on.

Basically, a certificate authority (or CA) is the root of trust in the whole chain of SSL certificates. A security certificate is an encryption key that is issued to a Web site. The key contains the name of the Web site, the digital encryption signature of the CA where it came from, and the codes that let a Web browser set up a secure, encrypted link with that Web site.

The idea is that a CA will do background checks on a Web site before issuing a security certificate. When you connect to a Web site securely using SSL, the browser will check that the security certificate is valid, and that it was issued by a trustworthy company. Every browser carries a list of the CAs that the browser programmer considers reputable and trustworthy. If the browser sees a security certificate that didn't come from a reputable, trustworthy CA, the browser refuses to use it and warns you that the site might be bogus.

When DigiNotar got hacked, the hackers were able to create genuine security certificates--more than 500 in all--that let them set up sites that seemed like the real thing. The Iranian government for a time redirected any attempt to reach gmail.com to its own servers, which looked just like gmail and presented what seemed to be a legitimate security certificate for gmail. Worse, from a security standpoint, even though DigiNotar had been hacked, they didn't tell anyone about it for months.

The security updates from Apple, Adobe, and Microsoft all remove DigiNotar from the list of trusted CAs. From now on, Safari, Internet Explorer, Acrobat Reader (and others, including Chrome and Firefox) no longer trust DigiNotar security certificates. (Adobe Reader isn't a browser, but it can access the Web and it can read encrypted and signed PDFs, which is why it has a list of CAs in it.)
_________________________
Photo gallery, all about me, and more: www.xeromag.com/franklin.html
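
The trust-list check described in the post above, as an added example that is not part of the original post: it scans the list of CAs that Python's default TLS context trusts for any entry naming a distrusted CA as subject or issuer. The helper names and the `SAMPLE` records are constructed for illustration.

```python
import ssl

def flatten(name):
    """ssl reports a name as nested tuples of (field, value); flatten to a list."""
    return [pair for rdn in name for pair in rdn]

def first(pairs, field):
    return next((value for key, value in pairs if key == field), "?")

def find_distrusted(ca_certs, needle="diginotar"):
    """Return (subject CN, issuer CN) for each trusted CA entry whose subject
    or issuer name mentions `needle`, case-insensitively."""
    hits = []
    for cert in ca_certs:
        subject = flatten(cert.get("subject", ()))
        issuer = flatten(cert.get("issuer", ()))
        text = " ".join(value for _, value in subject + issuer).lower()
        if needle.lower() in text:
            hits.append((first(subject, "commonName"), first(issuer, "commonName")))
    return hits

def local_trust_store():
    """CA certificates Python's default TLS context trusts on this machine."""
    return ssl.create_default_context().get_ca_certs()

def ca(cn, org, issuer_cn, issuer_org):
    """Build a constructed record in the shape get_ca_certs() returns."""
    return {"subject": ((("organizationName", org),), (("commonName", cn),)),
            "issuer": ((("organizationName", issuer_org),), (("commonName", issuer_cn),))}

# Constructed sample store, not real certificate data.
SAMPLE = [
    ca("DigiNotar Root CA", "DigiNotar", "DigiNotar Root CA", "DigiNotar"),
    ca("Example Cross-Signed CA", "Example Org", "DigiNotar Root CA", "DigiNotar"),
    ca("Example Root CA", "Example Trust", "Example Root CA", "Example Trust"),
]

if __name__ == "__main__":
    print("sample:", find_distrusted(SAMPLE))
    hits = find_distrusted(local_trust_store())
    print("local store:", hits or "no matching CA is trusted")
```

This inspects only the store Python's `ssl` module loads; browsers and Adobe Reader may keep their own lists, which is why each vendor shipped a separate update.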

#17442 - 09/16/11 04:45 AM Re: Security Updates [Re: tacit]
grelber Offline


Registered: 08/05/09
Loc: North of 49th ||
In addition to tacit's excellent description, in case you missed it, is the lengthy article Hacker Rattles Security Circles by Somini Sengupta in The New York Times on September 12, 2011.

#17447 - 09/16/11 09:48 AM Re: Security Updates [Re: grelber]
slolerner Offline


Registered: 08/25/09
Loc: New York City
Thanks, I'm glad I asked. I couldn't find news about a new virus or anything. That was full of intrigue. "Do I have to change passwords?" sez paranoid me living inside easygoing me.


#17452 - 09/16/11 01:54 PM Re: Security Updates [Re: slolerner]
tacit Offline


Registered: 08/03/09
Loc: Portland, Oregon, USA
Nope. No need to change passwords unless you were using an Iranian ISP between June and September of this year to access Gmail, Google Groups, Google Accounts, Mozilla, the Mozilla Firefox repository, or the like.

The stolen certificates were only present, from everything I've been able to gather, on certain state-run ISPs inside Iran.
_________________________
Photo gallery, all about me, and more: www.xeromag.com/franklin.html

#17455 - 09/16/11 03:07 PM Re: Security Updates [Re: tacit]
slolerner Offline


Registered: 08/25/09
Loc: New York City
ummmm... nope.

#17480 - 09/19/11 11:12 AM Re: Security Updates [Re: tacit]
Virtual1 Offline


Registered: 08/04/09
Loc: Iowa
Originally Posted By: tacit
Worse, from a security standpoint, even though DigiNotar had been hacked, they didn't tell anyone about it for months.

For this specific reason alone, they should go away, completely, forever. In the business they are in, this is the ultimate unforgivable mistake. It's bad enough when you get hacked, but when you cover it up, that's simply unforgivable.
_________________________
I work for the Department of Redundancy Department

#17506 - 09/20/11 09:58 AM Re: Security Updates [Re: Virtual1]
alternaut Offline

Moderator

Registered: 08/04/09
Originally Posted By: Virtual1
For this specific reason alone, they should go away, completely, forever. [...]
It's bad enough when you get hacked, but when you cover it up, that's simply unforgivable.

Looks like your wish got granted, at least formally. Earlier today the Haarlem District Court in the Netherlands declared DigiNotar BV bankrupt, following an earlier filing of a voluntary bankruptcy petition* by the company. That said, parent company Vasco will likely set up a successor to DigiNotar using its intellectual property etc.

With regard to an active cover-up by DigiNotar, the preliminary report of an investigation into the DigiNotar hack doesn't indicate there was one. At this point it isn't clear yet whether DigiNotar will be prosecuted for criminal liability other than the fact that they didn't file a report of the break-in with the authorities as soon as they noticed it (presumably on June 19; see 'Timeline', section 5.4 of the report).

*) This filing became inevitable after OPTA (the Dutch telecom authority) had revoked the company's license as Trusted Third Party. DigiNotar was ordered to revoke all existing certificates and forbidden to issue new ones.
_________________________
alternaut moderator

#17568 - 09/24/11 10:33 AM Re: Security Updates [Re: alternaut]
alternaut Offline

Moderator

Registered: 08/04/09
More user info on this topic (or 'tacit expanded'): Keep your Mac safe from Web security flaws.
_________________________
alternaut moderator
