RE: [Fed-Talk] Clarification on Safari/Certs change with Mac OS X10.5.3 and beyond
- Subject: RE: [Fed-Talk] Clarification on Safari/Certs change with Mac OS X10.5.3 and beyond
- From: "Mueller, David S CIV SSC San Diego, 2872" <email@hidden>
- Date: Wed, 17 Dec 2008 14:02:47 -0800
- Thread-topic: [Fed-Talk] Clarification on Safari/Certs change with Mac OS X10.5.3 and beyond
Shawn,
I can understand not wanting to automatically select and send a certificate, like Safari used to and Firefox does (it's actually user configurable whether to automatically select a cert or prompt the user). IE never automatically selects and always prompts. The new Safari method of prompting for a cert and creating an identity preference so that the cert is automatically selected for that site is a nice compromise, as IE and Firefox when configured for manual cert selection can get irritating for the user, and sometimes you end up having to select a cert more than once to load a single page. The problem comes with these "optional" servers, where users have to go through a relatively complicated process, in another application that they probably never use, in order to get the site to work.
I think a good solution that still addresses the reported vulnerability would be to simply change it to eliminate this case:
"Note: Safari may not prompt you to select a client certificate if a server is configured to optionally accept (rather than require) client authentication. In this case you can force a particular client certificate to be sent by creating an identity preference item for that server."
In other words, if the server requests a certificate and no identity preference exists, always prompt the user, regardless of whether the server is configured to accept certificates as "optional" or "required", perhaps with the option of sending no certificate.
- David
-----Original Message-----
From: Shawn A. Geddis
Sent: Wednesday, December 17, 2008 1:16 PM
To: Fed Talk
Subject: [Fed-Talk] Clarification on Safari/Certs change with Mac OS X10.5.3 and beyond
Fed-Talk folks unhappy with 10.5.3+/Safari/Cert scenario.....
I am quite aware that many of you are unhappy with the 10.5.3+/Safari/Cert scenario, and the first point made by just about everyone is "yeah, but it worked in 10.5.2 and before".
Some may consider the following helpful and informative and others may toss it aside as adding to their frustration because it doesn't do what their favorite third-party product does. I hope it does help you all at least understand the situation.
Background:
Mac OS X 10.5.2 and earlier behavior:
Safari 3 automatically sends the first available client certificate in your keychain to the website.
Many of you liked that process, but it was ultimately deemed to be a potential vulnerability:
CVE-2008-1580
http://web.nvd.nist.gov/view/vuln/search?execution=e1s2
CVE-2008-1580 / TA08-150A
Summary: CFNetwork in Safari in Apple Mac OS X before 10.5.3 automatically sends an SSL client certificate in response to a web server's certificate request, which allows remote web sites to obtain sensitive information (Subject data) from personally identifiable certificates, and use arbitrary certificates to track user activities across domains, a related issue to CVE-2007-4879.
Published: 06/02/2008
CVSS Severity: 4.3 (MEDIUM)
Addressing the CVE
Apple addressed this in the Security Update 2008-003 / Mac OS X v10.5.3....
Security Update 2008-003 / Mac OS X v10.5.3
http://support.apple.com/kb/HT1897
CFNetwork
CVE-ID: CVE-2008-1580
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.2, Mac OS X Server v10.5 through v10.5.2
Impact: Visiting a maliciously crafted website may lead to the disclosure of sensitive information
Description: An information disclosure issue exists in Safari's SSL client certificate handling. When a web server issues a client certificate request, the first client certificate found in the keychain is automatically sent, which may lead to the disclosure of the information contained in the certificate. This update addresses the issue by prompting the user before sending the certificate.
Client Certificate Authentication
Safari, Mac OS X 10.5.3: Changes in client certificate authentication
http://support.apple.com/kb/HT1679
Mac OS X 10.5.3 and later behavior: No client certificate is sent until you have the opportunity to select the appropriate one to use for that site. You will be prompted by Safari 3 to select a client certificate at the point where the server requests client authentication. After selecting a client certificate, the decision is remembered in your keychain as an "identity preference item", and you will not be prompted again when returning to the same site.
Note: Safari may not prompt you to select a client certificate if a server is configured to optionally accept (rather than require) client authentication. In this case you can force a particular client certificate to be sent by creating an identity preference item for that server.
Moving Forward
Apple resolved the identified CVE, but there still remain some ways we can and are working to improve this process for everyone, and not just for those using a CAC within DoD.
Suggested workaround to make your life easier
I am suggesting the following as something that DoD folks can do right now to mitigate the impact of this until a seamless solution is integrated into a future release of Mac OS X / Safari.
If you or a colleague is involved with the management of any of the Web Servers that are posing a challenge to users, I would like to suggest a very simple step you can take to make things "Just Work" right now no matter what platform you are using. I understand that this is one more step, but a single step without requiring each user to make an adjustment.
Create a Virtual Host on the Server which both points to the original directory as well as requires Client X.509 Certs for authentication. This would work for everyone and allow for separation of PKI / Password based authentication access to content -- even simplifying the ultimate transition.
There is precedent for this of course, consider
https://www.us.army.mil/
and..
https://akocac.us.army.mil/
- Shawn
_____________________________________________________
Shawn Geddis Security Consulting Engineer Apple Enterprise
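The virtual-host split Shawn suggests, written out as an added mod_ssl example (not configuration from Apple or from either of the sites named above). Hostnames, IP addresses, paths and CA names are constructed placeholders; it assumes Apache 2.2 with mod_ssl and IP-based virtual hosts, so that no SNI support is needed on the client.

```apache
# Constructed example: one shared DocumentRoot served by two TLS vhosts.

# 1) Existing site: the server only *optionally* asks for a client cert.
#    Safari 10.5.3+ will not prompt here, so it sends no certificate
#    unless the user has already created an identity preference.
<VirtualHost 192.0.2.10:443>
    ServerName www.example.com
    DocumentRoot /var/www/portal
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
    SSLCACertificateFile  /etc/ssl/certs/client-ca-bundle.pem
    SSLVerifyClient optional
    SSLVerifyDepth  3
    <Directory /var/www/portal>
        # Password fallback for users without a cert (file path assumed).
        AuthType Basic
        AuthName "Portal"
        AuthUserFile /etc/apache2/portal.htpasswd
        Require valid-user
    </Directory>
</VirtualHost>

# 2) PKI-only hostname pointing at the same content: the cert is *required*,
#    so Safari, Firefox and IE all receive a request they must answer and
#    Safari prompts once, then remembers the choice as an identity preference.
<VirtualHost 192.0.2.11:443>
    ServerName cac.example.com
    DocumentRoot /var/www/portal
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/cac.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/cac.example.com.key
    SSLCACertificateFile  /etc/ssl/certs/client-ca-bundle.pem
    SSLVerifyClient require
    SSLVerifyDepth  3
    SSLOptions +StdEnvVars +ExportCertData
    <Directory /var/www/portal>
        SSLRequireSSL
        # Accept only certificates issued by the expected CA
        # (issuer O/OU values are placeholders).
        SSLRequire %{SSL_CLIENT_I_DN_O} eq "Example Org" and \
                   %{SSL_CLIENT_I_DN_OU} eq "PKI"
    </Directory>
</VirtualHost>
```

Because the second vhost never offers a password path, users who reach it without a valid certificate get a TLS handshake failure rather than a login form, which is the separation of PKI and password access the message describes.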