RE: [Fed-Talk] Clarification on Safari/Certs change with Mac OS X10.5.3 and beyond
- Subject: RE: [Fed-Talk] Clarification on Safari/Certs change with Mac OS X10.5.3 and beyond
- From: "Zinnato, Ronald NAVAIR" <email@hidden>
- Date: Thu, 18 Dec 2008 10:39:40 -0500
- Thread-topic: [Fed-Talk] Clarification on Safari/Certs change with Mac OS X10.5.3 and beyond
I've piped in occasionally on this, but this is getting ridiculous. I am not a security expert, and I don't understand most of what gets discussed on this list. All I know is this:
Under Tiger, I plug in my CAC reader (an SMC 331), go to Safari, type in the URL for OWA, type in my PIN, and it works. Yes, I did have to update the firmware on the reader... at least that much I understand.
Under Leopard, it doesn't work. I updated the firmware to 5.25, and it still doesn't work. And from reading this list, I know I am not the only one having problems. Many, MANY of you have been having problems. And these people know a whole lot more about this stuff than I do.
If it were just confined to this community, that might be one thing. But I know a few people with whom I work who have just given up trying to use their Mac with their CAC to access OWA. They all say the same thing... "It USED to work, now it doesn't". These people don't know enough to run commands in the terminal, or edit files buried deep within the OS. The reason they bought a Mac in the first place is because things are supposed to just work. And it's REALLY frustrating when something used to "just work", and now it doesn't.
My wife will probably never upgrade to Leopard or beyond because of this. And I am reduced to booting into Tiger off of a USB drive every time I want to work from home.
The funny thing is, I know several people who own PC laptops, and they have had no such problems.
-----Original Message-----
From: Shawn A. Geddis [mailto:email@hidden]
Sent: Wed 12/17/2008 4:16 PM
To: Fed Talk
Subject: [Fed-Talk] Clarification on Safari/Certs change with Mac OS X10.5.3 and beyond
Fed-Talk folks unhappy with 10.5.3+/Safari/Cert scenario.....
I am quite aware that many of you are unhappy with the 10.5.3+/Safari/Cert scenario, and the first point made by just about everyone is "yeah, but it worked in 10.5.2 and before".
Some may consider the following helpful and informative and others may toss it aside as adding to their frustration because it doesn't do what their favorite third-party product does. I hope it does help you all at least understand the situation.
Background:
Mac OS X 10.5.2 and earlier behavior: Safari 3 automatically sends the first available client certificate in your keychain to the website.
Many of you liked that process, but it was ultimately deemed to be a potential vulnerability:
CVE-2008-1580
http://web.nvd.nist.gov/view/vuln/search?execution=e1s2
TA08-150A
Summary: CFNetwork in Safari in Apple Mac OS X before 10.5.3 automatically sends an SSL client certificate in response to a web server's certificate request, which allows remote web sites to obtain sensitive information (Subject data) from personally identifiable certificates, and use arbitrary certificates to track user activities across domains, a related issue to CVE-2007-4879.
Published: 06/02/2008
CVSS Severity: 4.3 (MEDIUM)
Addressing the CVE
Apple addressed this in the Security Update 2008-003 / Mac OS X v10.5.3....
Security Update 2008-003 / Mac OS X v10.5.3
http://support.apple.com/kb/HT1897
CFNetwork
CVE-ID: CVE-2008-1580
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.2, Mac OS X Server v10.5 through v10.5.2
Impact: Visiting a maliciously crafted website may lead to the disclosure of sensitive information
Description: An information disclosure issue exists in Safari's SSL client certificate handling. When a web server issues a client certificate request, the first client certificate found in the keychain is automatically sent, which may lead to the disclosure of the information contained in the certificate. This update addresses the issue by prompting the user before sending the certificate.
Client Certificate Authentication
Safari, Mac OS X 10.5.3: Changes in client certificate authentication
http://support.apple.com/kb/HT1679
Mac OS X 10.5.3 and later behavior: No client certificate is sent until you have the opportunity to select the appropriate one to use for that site. You will be prompted by Safari 3 to select a client certificate at the point where the server requests client authentication. After selecting a client certificate, the decision is remembered in your keychain as an "identity preference item", and you will not be prompted again when returning to the same site.
Note: Safari may not prompt you to select a client certificate if a server is configured to optionally accept (rather than require) client authentication. In this case you can force a particular client certificate to be sent by creating an identity preference item for that server.
Moving Forward
Apple resolved the identified CVE, but there still remain some ways we can and are working to improve this process for everyone and not just for those using a CAC within DoD.
Suggested workaround to make your life easier
I am suggesting the following as something that DoD folks can do right now to mitigate the impact of this until a seamless solution is integrated into a future release of Mac OS X / Safari.
If you or a colleague is involved with the management of any of the Web Servers that are posing a challenge to users, I would like to suggest a very simple step you can take to make things "Just Work" right now no matter what platform you are using. I understand that this is one more step, but a single step without requiring each user to make an adjustment.
Create a Virtual Host on the Server which both points to the original directory as well as requires Client X.509 Certs for authentication. This would work for everyone and allow for separation of PKI / Password based authentication access to content -- even simplifying the ultimate transition.
There is precedent for this of course, consider
https://www.us.army.mil/
and..
https://akocac.us.army.mil/
- Shawn
_____________________________________________________
Shawn Geddis | Security Consulting Engineer | Apple Enterprise
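As an added illustration of the virtual-host split Shawn suggests above (this is not configuration from either message or from Apple; it assumes Apache httpd with mod_ssl, and the hostnames, addresses, paths and certificate files are placeholders), one password-access host and one CAC-only host serve the same directory:

```apache
# Added example, not from the original messages. Assumes Apache httpd
# with mod_ssl; hostnames, 192.0.2.x addresses and file paths are placeholders.
# Each host gets its own address so the split does not depend on the
# client supporting SNI (Safari on 10.4 did not).

# Host 1: existing password-based access to the content. The server never
# asks for a client certificate, so Safari 10.5.3+ has nothing to prompt for.
<VirtualHost 192.0.2.10:443>
    ServerName            owa.example.mil
    DocumentRoot          /var/www/owa
    SSLEngine             on
    SSLCertificateFile    /etc/ssl/certs/owa.example.mil.pem
    SSLCertificateKeyFile /etc/ssl/private/owa.example.mil.key
</VirtualHost>

# Host 2: same DocumentRoot, but a client X.509 (CAC) certificate is
# mandatory. Because the server *requires* it, Safari 10.5.3+ shows its
# certificate chooser on the first visit and stores the choice as an
# identity preference item for this hostname, so later visits "just work".
<VirtualHost 192.0.2.11:443>
    ServerName            owa-cac.example.mil
    DocumentRoot          /var/www/owa
    SSLEngine             on
    SSLCertificateFile    /etc/ssl/certs/owa-cac.example.mil.pem
    SSLCertificateKeyFile /etc/ssl/private/owa-cac.example.mil.key

    # Trust anchors for the client certificates (placeholder bundle path).
    SSLCACertificateFile  /etc/ssl/ca/client-ca-bundle.pem
    # Adjust to the length of the issuing CA chain.
    SSLVerifyDepth        3
    # "require", not "optional": per HT1679, Safari may not prompt at all
    # when the server merely accepts a client certificate optionally.
    SSLVerifyClient       require
</VirtualHost>
```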