DigiNotar, a certificate authority (CA) responsible for issuing digital certificates used to verify a website as authentic, announced on August 30 that hundreds of its certificates had been compromised. While others have reacted quickly, Apple is still mum on plans to protect Mac OS X or iOS users from the rogue certificates.
Companies like Microsoft, Google, and Mozilla took drastic action by simply revoking trust entirely in all DigiNotar certificates. The response has been much more dramatic than the steps taken earlier this year when Comodo suffered a similar breach, but for two very good reasons.
First, the Comodo hack only exposed nine certificates. Contrast that with the reported 531 digital certificates acquired by the DigiNotar hackers and you can see that this incident is a much larger threat.
Second–and more importantly, though–is the difference between how Comodo handled its incident compared with DigiNotar. Comodo immediately announced that the certificates had been compromised and worked with the browser and operating system vendors to implement measures to revoke trust in the rogue certificates. DigiNotar tried to covertly revoke the certificates in question and sweep the issue under the rug.
Lumension security and forensics analyst Paul Henry explains in a blog post, “It is difficult to place trust in a company’s certificates when the company itself perhaps lacks trust,” adding, “When your business is supposed to be entrusted to keep Internet communications secret it’s not a good idea to keep it a secret when you yourself are having issues.”
Then There’s Apple
While websites that rely on the DigiNotar certificates for authentication are scrambling to replace them with trusted certificates from other CAs, vendors like Microsoft, Google, and Mozilla rushed out patches to revoke trust in DigiNotar and protect users from fraudulent or malicious sites using the compromised certificates.
Henry notes, “Apple has remained relatively quiet on the DigiNotar issue too and no patch has been released yet to deal with the issue. Further deleting the certificates manually is difficult and in some cases has been found to be ineffective.”
Does It Really Matter?
Sadly, the state of digital certificates is such a mess that it probably matters little either way. Legitimate companies with legitimate sites often have improper or expired certificates. Users are already jaded and conditioned to simply accept erroneous certificates and bypass browser and operating system warning messages.
Even with DigiNotar certificate trust revoked, a significant percentage of users won’t think twice about circumventing the security measures in place and continuing on to those fraudulent and malicious websites.
Still, revoking trust is a simple fix for Apple and it will prevent at least some portion of users from being exposed to the threat from the rogue DigiNotar certificates–so step it Apple.