September 09, 2011

Apple revokes DigitNotar certs, Mozilla asks CAs to audit

Apple is the last of the major web browser makers to revoke certificates issued by embattled Dutch-based certificate authority DigiNotar.

In a security advisory released Friday, the Cupertino, Calif.-based computing giant updated Mac OS X 10.6.8 and 10.7.1 to remove DigiNotar from its list of trusted root and extended-validation (EV) SSL certificates. In addition, the patch from Apple configures the Mac platform's default system settings to not trust DigiNotar certificates issued by DigiNotar or any of its partners.

Apple did not, however, release updates for iOS, which powers its iPad and iPhone devices.

Microsoft, Mozilla, Google and Opera already have released updates revoking the DigiNotar certs.

Meanwhile, Adobe said Thursday that it was "in the process of removing the DigiNotar Qualified CA certificate from the Adobe Approved Trust List (AATL)."

And Mozilla, maker of the Firefox browser, is asking all CAs that participate in its root program to audit its PKI infrastructure and systems "to check for intrusion or compromise." In addition, the request, sent Thursday from Kathleen Wilson, owner of Mozilla's CA Certificates Module, asks respondents to ensure that multifactor authentication is in place for all accounts that can issue certificates, as well as confirming that other security controls are deployed.

"Participation in Mozilla's root program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe," the note said. "Nevertheless, we believe that the best approach to safeguard that security is to work with CAs as partners, to foster open and frank communication, and to be diligent in looking for ways to improve."

CAs DigiNotar, which is owned by U.S.-based VASCO, and Jersey City, N.J.-based Comodo have fallen victim this year to hacker attacks. The breaches have resulted in the issuance of counterfeit certificates for such high-profile websites as Google.

Almost all of the victims in both incidents appear to live in Iran.

Related Articles
Related Topics
Related Links

More in News

Privacy-bolstering "Apps Act" introduced in House

The bill would provide consumers nationwide with similar protections already enforced by a California law.

Microsoft readies permanent fix for Internet Explorer bug used in energy attacks

Microsoft is prepping a whopper of a security update that will close 33 vulnerabilities, likely including an Internet Explorer (IE) flaw that has been used in targeted website attacks against the U.S. government.

Weakness in Adobe ColdFusion allowed court hackers access to 160K SSNs

Up to 160,000 Social Security numbers and one million driver's license numbers may have been accessed by intruders.