Fed-Talk folks unhappy with 10.5.3+/Safari/Cert scenario.....
I am quite aware that many of you are unhappy with the 10.5.3+/Safari/Cert scenario, and the first point made by just about everyone is "yeah, but it worked in 10.5.2 and before".
Some may consider the following helpful and informative and others may toss it aside as adding to their frustration because it doesn't do what their favorite third-party product does. I hope it does help you all at least understand the situation.
Background:
Mac OS X 10.5.2 and earlier behavior: Safari 3 automatically sends the first available client certificate in your keychain to the website.
Many of you liked that process, but it was ultimately deemed to be a potential vulnerability:
CVE-2008-1580 http://web.nvd.nist.gov/view/vuln/search?execution=e1s2
CVE-2008-1580 Summary: CFNetwork in Safari in Apple Mac OS X before 10.5.3 automatically sends an SSL client certificate in response to a web server's certificate request, which allows remote web sites to obtain sensitive information (Subject data) from personally identifiable certificates, and use arbitrary certificates to track user activities across domains, a related issue to CVE-2007-4879. Published: 06/02/2008 CVSS Severity: 4.3 (MEDIUM)
Addressing the CVE
Apple addressed this in the Security Update 2008-003 / Mac OS X v10.5.3....
Security Update 2008-003 / Mac OS X v10.5.3 http://support.apple.com/kb/HT1897
CFNetwork
CVE-ID: CVE-2008-1580
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.2, Mac OS X Server v10.5 through v10.5.2
Impact: Visiting a maliciously crafted website may lead to the disclosure of sensitive information
Description: An information disclosure issue exists in Safari's SSL client certificate handling. When a web server issues a client certificate request, the first client certificate found in the keychain is automatically sent, which may lead to the disclosure of the information contained in the certificate. This update addresses the issue by prompting the user before sending the certificate.
Client Certificate Authentication
- Mac OS X 10.5.3 and later behavior: No client certificate is sent until you have the opportunity to select the appropriate one to use for that site. You will be prompted by Safari 3 to select a client certificate at the point where the server requests client authentication. After selecting a client certificate, the decision is remembered in your keychain as an "identity preference item", and you will not be prompted again when returning to the same site.
Note: Safari may not prompt you to select a client certificate if a server is configured to optionally accept (rather than require) client authentication. In this case you can force a particular client certificate to be sent by creating an identity preference item for that server.
Moving Forward
Apple resolved the identified CVE, but there still remain some ways we can and are working to improve this process for everyone, and not just for those using a CAC within DoD.
Suggested workaround to make your life easier
I am suggesting the following as something that DoD folks can do right now to mitigate the impact of this until a seamless solution is integrated into a future release of Mac OS X / Safari.
If you or a colleague is involved with the management of any of the Web Servers that are posing a challenge to users, I would like to suggest a very simple step you can take to make things "Just Work" right now no matter what platform you are using. I understand that this is one more step, but a single step without requiring each user to make an adjustment.
Create a Virtual Host on the Server which both points to the original directory as well as requires Client X.509 Certs for authentication. This would work for everyone and allow for separation of PKI / Password based authentication access to content -- even simplifying the ultimate transition.
There is precedent for this of course, consider
and..
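The virtual-host workaround above, written out as an added Apache mod_ssl example (Apache 2.2 syntax of the 10.5 era); this is not configuration from the original post or from Apple, and the hostnames, IP addresses, file paths and CA bundle are assumptions. The two hosts share one DocumentRoot, so the content is not duplicated; only the authentication method differs.

```apache
# Added example: two HTTPS virtual hosts serving the same content.
# Hostnames, addresses, paths and the CA bundle are assumptions.
# Separate IP addresses are used so no SNI support is needed on either side.

# Existing host: password-based access is left exactly as it was.
<VirtualHost 192.0.2.10:443>
    ServerName   portal.example.mil
    DocumentRoot /var/www/portal
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/portal.example.mil.crt
    SSLCertificateKeyFile /etc/ssl/private/portal.example.mil.key
    # No client certificate is requested, so Safari 3 has nothing to prompt about
    # and never sends one from the keychain.
    SSLVerifyClient none
    <Directory /var/www/portal>
        AuthType Basic
        AuthName "Portal"
        AuthUserFile /etc/apache2/portal.htpasswd
        Require valid-user
    </Directory>
</VirtualHost>

# New host: same directory, but the TLS handshake REQUIRES a client X.509 certificate.
# "require" (not "optional") matters: Safari 3 on 10.5.3+ prompts for a certificate
# when the server requires one, and may not prompt when it is merely optional.
<VirtualHost 192.0.2.11:443>
    ServerName   pki.portal.example.mil
    DocumentRoot /var/www/portal
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/portal.example.mil.crt
    SSLCertificateKeyFile /etc/ssl/private/portal.example.mil.key
    # CA chain that issued the users' client certificates (path assumed).
    SSLCACertificateFile  /etc/ssl/certs/client-ca-bundle.pem
    SSLVerifyClient require
    SSLVerifyDepth  3
    # Hand the verified certificate subject to the application as SSL_CLIENT_S_DN
    # so it can identify the user without a password.
    SSLOptions +StdEnvVars +ExportCertData
    <Directory /var/www/portal>
        # The handshake itself fails without a valid client certificate,
        # so no Basic auth is configured on this host.
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
```

Users who authenticate with a CAC are pointed at the pki. hostname; everyone else keeps using the original hostname unchanged, which is the separation of PKI and password access the post describes.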
- Shawn
_____________________________________________________
Shawn Geddis
Security Consulting Engineer
Apple Enterprise