DigiNotar is a Dutch certificate authority whose root certificate has been trusted by browsers and operating systems for several years; its systems were compromised, and the intruders used them to issue fraudulent certificates for domains including Google, GMail, Yahoo!, Mozilla and WordPress. Pretty much every web browser vendor and operating system provider is now scrambling to distrust or remove the DigiNotar roots, because a fraudulent certificate that chains to a trusted root lets an attacker mount man-in-the-middle attacks against GMail, Google Apps, WordPress and the like.
I strongly urge you to update your operating system and every web browser you use to the latest patched version, and to take the additional step of searching for and invalidating the DigiNotar root certificates yourself, because they are on pretty much every computer on the planet, having been trusted for so long. Check every trust store on the machine: the operating system's and any browser that keeps its own (Firefox does), since removing the root from one does nothing for the other.
Wikipedia has an excellent description of the issue here:
DigiNotar on Wikipedia
AFP548 has a really good description as well, and it is here:
AFP548 Alert about DigiNotar
Some of the best instructions are here, including command-line steps for those who must do this on many computers:
Protecting Your Mac From the DigiNotar.nl Certificate Compromise
For Mac OS X users running Leopard (10.5) or newer, this is pretty easy:
- Open Keychain Access from the Utilities folder inside the Applications folder.
- In Keychain Access, click in the search box in the upper right-hand corner of the window and type “DigiNotar”.
- If any items are found, select the All Items category in the sidebar on the left (the Apple-shipped root lives in the System Roots keychain, so the search must cover all keychains).
- Select the certificate named “DigiNotar Root CA”.
- Go to the Edit menu and select Delete.
- Enter an administrator name and password when the Authorization Services dialog appears.
- NOTE: The certificate may not disappear from the Keychain Access window immediately, but it has in fact been deleted from the system. To refresh the view, re-type “DigiNotar” into the search field at the top of the window; the search should now come back empty.
I do not yet have instructions for doing this on Windows or Linux, but they should be available through a Google search soon. Most vendors are treating patches that remove the fraudulent certificates as a priority, and eventually there will be patches or updates available for all systems.
Update: Here is one set of instructions for Firefox on Linux, BSD, or even Windows: How to delete DigiNotar CA Certificate. I am sure there are similar steps for any other web browser on any operating system.
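The Mac procedure above and the Linux/Firefox note both rest on one fact: a certificate chain is only as trustworthy as the roots in the store it is checked against. The Go program below is an added example, not code from this post or from any of the linked guides. It shows why deleting the root matters and gives a cross-platform way to scrub a PEM bundle such as the ca-certificates file on Linux: it builds a constructed two-root trust store, lets a stand-in root with the subject "DigiNotar Root CA" (not DigiNotar's real certificate) issue a certificate for mail.google.com of the kind an attacker would present, then filters that root out and checks both chains again. All keys, certificates and names are generated on the fly for the demo, and FilterBundle, VerifyChain and Demo are hypothetical helper names.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"strings"
	"time"
)

// issue signs tmpl with parent, or self-signs it when parent is nil. It builds a
// throwaway demo PKI, so setup failures panic rather than return.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced; cannot fail to parse
	return cert, key
}

// root and server are the two certificate shapes the demo needs. The
// "DigiNotar Root CA" built below is a constructed stand-in, not the real root.
func root(cn, org string) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn, Organization: []string{org}},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
}

func server(host string) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
}

// FilterBundle drops every certificate whose subject CN or organisation contains
// pattern (case-insensitive) and returns the cleaned bundle plus the CNs removed.
// Non-certificate PEM blocks pass through; an unparseable entry aborts the run.
func FilterBundle(bundle []byte, pattern string) ([]byte, []string, error) {
	var kept bytes.Buffer
	var removed []string
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			pem.Encode(&kept, block)
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, nil, err
		}
		subject := strings.ToLower(cert.Subject.CommonName + " " + strings.Join(cert.Subject.Organization, " "))
		if strings.Contains(subject, strings.ToLower(pattern)) {
			removed = append(removed, cert.Subject.CommonName)
			continue
		}
		pem.Encode(&kept, block)
	}
	return kept.Bytes(), removed, nil
}

// VerifyChain asks what a browser asks: does leaf chain to a root in rootsPEM and
// is it valid for host? A nil error means the TLS connection would be trusted.
func VerifyChain(leaf *x509.Certificate, rootsPEM []byte, host string) error {
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(rootsPEM)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// Demo builds a constructed two-root bundle, lets the rogue root issue a cert for
// mail.google.com, strips that root, and reports whether each chain is trusted.
func Demo() (mitmBefore, mitmAfter, legitAfter bool, removed []string, err error) {
	good, goodKey := issue(root("Example Trusted Root", "Example Trust Ltd"), nil, nil)
	rogue, rogueKey := issue(root("DigiNotar Root CA", "DigiNotar"), nil, nil)
	mitm, _ := issue(server("mail.google.com"), rogue, rogueKey) // what an attacker would present
	legit, _ := issue(server("www.example.com"), good, goodKey)
	bundle := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: good.Raw})
	bundle = append(bundle, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: rogue.Raw})...)
	mitmBefore = VerifyChain(mitm, bundle, "mail.google.com") == nil
	cleaned, removed, err := FilterBundle(bundle, "diginotar")
	if err != nil {
		return false, false, false, nil, err
	}
	mitmAfter = VerifyChain(mitm, cleaned, "mail.google.com") == nil
	legitAfter = VerifyChain(legit, cleaned, "www.example.com") == nil
	return mitmBefore, mitmAfter, legitAfter, removed, nil
}
```

Demo returns true, false, true and the single removed name "DigiNotar Root CA": the attacker's certificate for mail.google.com validates while the rogue root is in the bundle and stops validating the moment it is gone, while the certificate from the untouched root keeps working. For real use, run FilterBundle over a copy of the system bundle to find the entry; on Debian-derived systems the bundle is regenerated from /etc/ca-certificates.conf by update-ca-certificates, so the durable fix is to deselect the entry there rather than edit the bundle in place. On a Mac the same removal can be scripted with Apple's security tool, `sudo security delete-certificate -c "DigiNotar Root CA" /System/Library/Keychains/SystemRootCertificates.keychain`, and none of this touches Firefox's own NSS store, which the Firefox instructions above cover.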
Update 2: Apple has now released Security Update 2011-005, which addresses this issue by removing DigiNotar from the system's trusted root certificates.