Apple and Smartphones Still Not Blocking Stolen SSL Certificates

Recently the tech world has been buzzing about SSL certificates stolen by hackers after Digitar (a Dutch company that issues digital certificates) was hacked – over 500 certificates were stolen.

What Are SSL certificates? Little talked about but they are a cornerstone of world wide web security. Essentially, they prove that a secure website is in fact secure – so when you go to your bank’s https website and see a padlock sign in your browser, it is the website’s digital certificate that is confirming the site is secure and that it is owned by your bank.

Obviously such certificates are closely guarded and not issued to just anybody. So when hackers steal hundreds of digital certificates you can imagine the potential danger – a fake site using a stolen certificate could be shown in your web browser as secure, even though it is not. Bad news all round if you innocently log in with your password or use your credit card to buy stuff on the site…

What Has To Be Fixed? All digital certificates issued by Digitar (the company which was hacked) have to be blocked – so they will no longer be trusted and cannot be used to fool people into thinking an insecure website is secure.

The response for most web browsers has been swift – less than a week after the breach was first publicized:

Internet Explorer – done. Microsoft issued a Windows update earlier this week which blocks Digitar.
Firefox – done. Mozilla too issued a quick update.
Chrome – done. Google also were quick off the mark.
Safari in Windows – done. But only because Safari uses Windows certificates rather than its own i.e. Microsoft’s update fixed it for Safari too…
Safari in Mac OS X – nope, still a wide open goal :-(

Why Is Safari Still At Risk? Safari doesn’t store its own digital certificates like the other web browsers – it has to rely on the operating system to tell it which certificates are valid or blocked. Because MS updated Windows within a week, Safari on Windows is now ok.

However, Apple haven’t bothered updating their own Mac operating system so Mac OS X users of Safari are left completely unprotected from the threat of these stolen certificates. Apple are remaining tight lipped as to when (or indeed if) they plan to block Digitar – and they are quite rightly being hammered by security experts for their inaction.

Perhaps Apple’s slow response is not too surprising – earlier this year there was a similar (but less serious) breach at another digital certificate company and, again, all the other browsers fixed the issue within a week – except Apple. They took a month to finally roll out a fix for Mac…

Considering that any discussion of computer security invariably leads to Apple users squealing about moving to Mac OS because it is ‘so safe’ compared to Windows – Apple’s failure to close another serious security loophole in their own OS and web browser is poetic justice for us Windows users, non?

The best security advice we can give a Mac OS X user right now is to use an alternative web browser like Firefox or Chrome – at least until Apple release an update to make Safari safe.

What About Smartphones?

A similar story for Apple’s iOS but this time Google is also at fault for Android as the web browsers on smartphones have not been updated either. It is admittedly more difficult as they have to rely on the mobile phone companies to roll out updates.

However, considering the amount of profits scalped from users, a greater degree of urgency from mobile phone companies could reasonably be expected.

2 Responses to: "Apple and Smartphones Still Not Blocking Stolen SSL Certificates"

  1. AppleAday says:

    Apple have now updated OS X so they were only a week behind the others – isn’t as bad as you make out?

    • admin says:

      But Mac OS X 10.5 (Leopard) has NOT been updated and it looks like it never will be – even though it is only 3 years old!

      About one in four Macs run Leopard or the older Tiger. That’s an awful lot of un-patched systems – users that Apple have left hanging in the wind.

      And they have still not updated iOS either…