DigiNotar

A look at common myths about the DigiNotar breach and how Mac users should react to it.

 

There are many people who are shrugging their shoulders and not doing anything about this. Part of it must be complacency — “I use a Mac which is more secure, so I don’t have anything to worry about.” Part of it is ignorance; I’ve heard a number of reasons based on wrong information recently. Part of it is fear — “I don’t want to mess up my system”. Part of it is laziness — “but it’s easy to defend against this problem”.

 

I use a Mac, I don’t have anything to worry about

This security breach attacked systems nowhere near your computer. Further attacks will take place somewhere other than your computer. As a result of this breach, the attacker can now impersonate secure websites and capture your username and password. This becomes an opening wedge into many other websites and services. The relative security of your Mac is irrelevant; the attack works on outside systems and servers. The only thing you can do is change settings so that your computer no longer trusts the compromised certificates.

 

As long as I follow good practices (e.g., not clicking on links in e-mails) I don’t have to worry about this attack.

The whole SSL/digital certificate system does two things. First, it encrypts everything between the client (such as a browser) and the server. Second, it assures the client that it is connecting to the real server and not to an impostor.

With the DigiNotar breach, the attacker was able to obtain a large number of fraudulent certificates. Each certificate allows him to impersonate a website in a seamless, undetectable fashion. It doesn’t matter if you got there by clicking on a link, using a bookmark, or typing in the URL. He can then perform a “Man in the Middle” attack (abbreviated as MITM). He can see everything that you type, and he can see every page that you get back from the server.

But wait, it gets worse. The attacker can perform a large-scale attack, rather than just going after one person or a few people. He can set up a server that intercepts all of the communications from lots of people, inspects the contents, and stores the interesting information. For instance, he could set up the MITM server so that it ignores most web pages, but saves those that contain logins to the website. (It’s not hard to do at all.) He can then look at the saved information and get the logins for hundreds or thousands of people.

The only defense is to configure your system so that it no longer allows the attacker to do the seamless, undetectable impersonation.

 

I don’t have anything worth protecting

  • Do you have anything in your bank account?
  • Do you have a computer?
  • Do you have friends? Do they have bank accounts?
  • Do you get credit card offers in the mail?

All of these and more are reasons for an attacker to get your personal information. All too many people use the same login name and password everywhere. Once an attacker is able to compromise a username and password he can try it in lots of places. Access to your e-mail account can allow an attacker to use the password reset system on many websites to gain access as well. Once he has access to these systems, he can then take money out, scam your friends, or open credit cards in your name.

Cleaning up identity theft is a real pain. Cleaning up the mess can take hours on the phone, writing letters, and dealing with various government offices and credit agencies. The whole process can take a year or more, once you discover the problem.

 

I have security software on my Mac that will protect me

All security software checks only the files on your Mac, including any downloaded from the Internet. It cannot check the files on a remote server, where the attack originates. This attack does not work by downloading any files to your Mac. Instead, it works by silently stealing the identity of a server on the Internet. Your security software won’t trigger any warnings from this.

 

I’m not in Iran or opposing the Iranian government so I’m not affected

We know that one fraudulent certificate was detected by a user in Iran when he tried to access his Gmail account. However, over 500 fraudulent certificates that we know about were issued. Given the depth of the breach, it’s unlikely that this is a complete count. Even if the attacker was originally acting for the Iranian government, it’s unlikely that Iran was the only place targeted. It’s also human nature that such fraudulent certificates may already have been sold on the black market to outside criminals.

 

I use Firefox or Chrome, so I’m already safe

While web browsers use certificates, they’re not the only applications that use certificates. Mail, iChat, and WebDAV file sharing all use certificates as well, and only a system-level procedure can protect you from the vulnerability.

 

Won’t the fix cause problems in my system?

While nothing in life is guaranteed, this one is pretty safe. The official Apple Security Update 2011-005 only changes three files, all in /System/Library/Keychains. The unofficial update that I put together will modify one file in /System/Library/Keychains, plus one file in /Library/Keychains (which is the place for non-Apple changes to the system). None of these locations affects actual binary code, only trust configurations for certificates.

 

If I do get a certificate warning how can I be careful?

First, look at the details. Look for the root certificate or one of the intermediate certificates. If one of them says “DigiNotar” anywhere in the name, treat it as a problem.
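
The same check can be run from Terminal against the chain a server presents. This is an added example, not part of the original article: the function name `flag_diginotar`, the sample chain and the certificate names in it are constructed for illustration, and the function reads the "Certificate chain" section that `openssl s_client -showcerts` prints.

```shell
#!/bin/sh
# Added example: flag any certificate in a presented chain whose subject (s:)
# or issuer (i:) name contains "DigiNotar", in any letter case.
# Input: the "Certificate chain" section printed by `openssl s_client`.
# Exit status: 0 = no DigiNotar name seen, 1 = at least one seen.
flag_diginotar() {
    awk '
        function check(kind, name) {
            if (tolower(name) ~ /diginotar/) {
                printf "depth %s %s: %s\n", depth, kind, name
                hits++
            }
        }
        # Subject line, e.g. " 0 s:CN = mail.example.com"
        /^[ \t]*[0-9]+[ \t]+s:/ {
            depth = $1
            sub(/^[ \t]*[0-9]+[ \t]+s:/, "")
            check("subject", $0)
            next
        }
        # Issuer line belonging to the subject just read
        /^[ \t]+i:/ {
            sub(/^[ \t]+i:/, "")
            check("issuer", $0)
        }
        END { exit (hits > 0) }
    '
}

# Constructed sample chain (names are made up for this example).
sample_chain() {
    cat <<'EOF'
Certificate chain
 0 s:CN = mail.example.com
   i:C = NL, O = DigiNotar, CN = DigiNotar Example CA (constructed)
 1 s:C = NL, O = DigiNotar, CN = DigiNotar Example CA (constructed)
   i:C = NL, O = Example Root, CN = Example Root CA (constructed)
EOF
}

# Live use (host name is a placeholder):
#   openssl s_client -connect mail.example.com:443 -showcerts </dev/null 2>/dev/null | flag_diginotar
sample_chain | flag_diginotar || echo "DigiNotar in chain: treat as a problem"
```

Servers usually leave the root certificate out of the chain they send, so the issuer line of the last certificate listed is where the root's name appears.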