Monday, December 3, 2012
DigiNotar neglect on PowerPC
The post title has a bit of a dual meaning. Apple neglected to fix this security vulnerability on PowerPC, and I neglected to mention it in my Leopard security in 2012 post. Today I was looking through Keychain and was reminded of the DigiNotar certificate purely from memory, because it hasn't lived on any of my Macs since late 2011. In this case it's one of those things I set and literally forget. Luckily for the sake of a screenshot, I have an older drive I keep with a stock Leopard install for just these occasions.
In 2011 Apple announced that they were no longer going to update Leopard at all on PowerPC or Intel. Then around spring 2012 they ended up releasing a security update for Leopard that fixed the DigiNotar issue. Unfortunately, this update was Intel-only. Truly pathetic. Thanks, Apple.
The good news is that disabling or deleting this vulnerable certificate has not changed anything in terms of function or behavior in my web life. For the ultimate level of security when it comes to certificates like this, you should use a browser with a private browsing function along with script blocking. Those things combined would give you a browsing environment nearly as secure as current OS X and even save you a bunch of CPU cycles.
Beyond DigiNotar, you should make it a habit to look through your certificates every so often and delete, or mark as "Never Trust" to disable, any expired items that might exist.
How to disable DigiNotar or any other certificate:
1. Open "Keychain Access" from the Utilities folder in Applications.
2. Select "System Roots" in the top left. It may take a moment to show them all.
3. Navigate to the "DigiNotar Root" certificate. Double-click to disable, or select and delete.
4. If you're choosing not to delete and have double-clicked it, simply expand the "Trust" settings.
5. Set the top option, named "When using this certificate", to "Never Trust", which will automatically set all the trust functions the same way. Use the screenshot below for reference.
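The periodic review described above can also be scripted. This is an added example, not part of the original post: it assumes `openssl` is installed, and the function name `audit_roots` and the System Roots keychain path are assumptions rather than details from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl is installed.
# audit_roots BUNDLE PATTERN [WINDOW_SECONDS]
#   BUNDLE  PEM file holding one or more certificates
#   PATTERN case-insensitive text to look for in each subject (e.g. diginotar)
#   WINDOW  flag certificates expiring within this many seconds (default 0 = already expired)
# Prints one tab-separated line per flagged certificate: reason, subject, notAfter.
audit_roots() {
    bundle=$1; pattern=$2; window=${3:-0}
    tmpdir=$(mktemp -d) || return 1
    # Split the bundle into one file per certificate so openssl can read each in turn.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%05d.pem", dir, n) }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$bundle"
    for f in "$tmpdir"/cert*.pem; do
        [ -f "$f" ] || continue
        # Skip anything openssl cannot parse as X.509.
        subject=$(openssl x509 -in "$f" -noout -subject 2>/dev/null) || continue
        enddate=$(openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//')
        reason=""
        if printf '%s\n' "$subject" | grep -qi -- "$pattern"; then
            reason="name-match"
        fi
        # -checkend exits non-zero when the certificate expires within WINDOW seconds.
        if ! openssl x509 -in "$f" -noout -checkend "$window" >/dev/null 2>&1; then
            reason="${reason:+$reason,}expiry"
        fi
        if [ -n "$reason" ]; then
            printf '%s\t%s\t%s\n' "$reason" "${subject#subject=}" "$enddate"
        fi
    done
    rm -rf "$tmpdir"
}

# On a Mac, export the System Roots keychain and audit it.
# The keychain path below is an assumption; it is not given in the post.
if command -v security >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; then
    roots=$(mktemp) || exit 1
    security find-certificate -a -p \
        /System/Library/Keychains/SystemRootCertificates.keychain > "$roots"
    audit_roots "$roots" diginotar
    rm -f "$roots"
fi
```

The script only reports. Anything it lists still has to be deleted or set to "Never Trust" in Keychain Access as in the steps above.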
I will be sure to update you in the future when other certificates or anything else become vulnerable. These days I am paying more and more attention to Leopard security because it is at a point now where it will only become less secure as the months and years go by. There are far too many people who are either in denial about or ignorant of this fact.