Saturday, September 3, 2011

Mac OS X Slips Up on Certificate Validation


Although the root certificate is already untrusted ...
 
The rigor with which Mac OS X verifies the certificate chain of so-called Extended Validation certificates (EV SSL) is not sufficient, as Popular Mechanics reports. Even after a certification authority has been stripped of its trust in the keychain management, Safari still accepted, without complaint, EV SSL certificates that were issued under the blocked root certificate. If the visited website instead presents a plain SSL certificate from the same root CA, the expected warning appears. Security was able to reproduce this behavior on Mac OS X Lion.

Compared with normal SSL certificates, the issuing criteria for Extended Validation are stricter: the certification authority checks the identity and business address of the applicant, whereas for a plain SSL certificate it is enough to have access to a domain and its associated webmaster email account. These additional safeguards only hold as long as the certification authority itself is not compromised, as happened with DigiNotar in mid-July and previously with Comodo.


... yet a trusted certificate comes out at the end of the certificate chain.
 
Because of the bug described above, Mac users can currently protect themselves from man-in-the-middle attacks with fraudulently signed certificates only by using an alternative browser. A short test by Security showed that Chrome relies on the operating system's certificate management and therefore ignores the blocked root certificate as well. We were able to reproduce the problem with Opera too. Only Firefox displayed a warning when visiting the test page.

For that, the root certificate must be stripped of all trust in Firefox's own certificate manager (Settings, Advanced, View Certificates, Certification Authorities) using the "delete or distrust" button. When Apple will fix the bug, or at least remove the compromised root CA certificate from the system through an update, is currently unclear.


Using the search box in Keychain Access, you can delete the compromised root certificate as well.
 
Security Update:
Via a detour, root certificates can be deleted from Mac OS X after all, so that Safari and co. then display the expected warning. To do so, open Keychain Access from Spotlight and type the name of the certificate to be deleted into the search field. Right-clicking the result then offers the option to delete the root certificate. To protect yourself from attacks with the DigiNotar certificates, delete "DigiNotar Root CA" from the system. If you navigate directly to the certificate through the keychains instead, the delete option is not offered. The TrustCenter certificate shown in the screenshots served only for testing purposes and is not dangerous.
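As an added example (not code from the original article), the following Go program builds a throwaway root CA and an EV-marked leaf and verifies the leaf against a chosen trust store; it shows what deleting the root from the keychain should achieve, namely that a correct verifier rejects the EV certificate exactly like a plain one once its root is absent. The names Test Root CA and example.com and the ephemeral keys are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// template returns a minimal CA or TLS-server template (constructed test data only). The server leaf
// gets a certificatePolicies extension (2.5.29.32) listing the CA/Browser Forum EV policy OID
// 2.23.140.1.1: that marker is all that makes a certificate "EV"; it is not a trust anchor.
func template(serial int64, cn string, ca bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: ca,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign
		return t
	}
	pol, _ := asn1.Marshal([]struct{ Policy asn1.ObjectIdentifier }{{asn1.ObjectIdentifier{2, 23, 140, 1, 1}}})
	t.DNSNames = []string{cn}
	t.ExtraExtensions = []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: pol}}
	return t
}
// issue signs tmpl under parent with signer and parses the result; it panics on error (test data only).
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}
// BuildChain generates an ephemeral self-signed root and an EV leaf for example.com signed by it.
func BuildChain() (root, leaf *x509.Certificate) {
	rootPub, rootKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	rootTmpl := template(1, "Test Root CA", true)
	root = issue(rootTmpl, rootTmpl, rootPub, rootKey)
	leaf = issue(template(2, "example.com", false), root, leafPub, rootKey)
	return root, leaf
}
// Verify chains leaf to exactly the given trust store, never the system roots. An empty pool
// models the root having been deleted from the keychain: the leaf must then fail, EV marker or not.
func Verify(leaf *x509.Certificate, trusted *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: "example.com", Roots: trusted})
	return err
}
```

Calling Verify with a pool containing the root succeeds, while calling it with an empty x509.NewCertPool() returns an UnknownAuthorityError even though the leaf still carries the EV policy OID.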
