RE: [Fed-Talk] Apple's Rogue DigiNotar CA mitigation?
- Subject: RE: [Fed-Talk] Apple's Rogue DigiNotar CA mitigation?
- From: "Fairbanks, Lee (contr-its)" <email@hidden>
- Date: Wed, 31 Aug 2011 14:16:24 -0400
- Acceptlanguage: en-US
- Thread-topic: [Fed-Talk] Apple's Rogue DigiNotar CA mitigation?
If you want, you can also delete the cert entirely:
sudo /usr/bin/security delete-certificate -Z C060ED44CBD881BD0EF86C0BA287DDCF8167478C /System/Library/Keychains/SystemRootCertificates.keychain
(credit to http://www.radiotope.com/content/remove-certificate)
Lee Fairbanks
CISSP, ITIL-F, MCTS
Professional Services Engineering Manager
Support Contractor for DARPA
Information Technology Services,
Support Services Office
Phone: (703) 562-4427
-----Original Message-----
From: fed-talk-bounces+lee.fairbanks.ctr=email@hidden [mailto:fed-talk-bounces+lee.fairbanks.ctr=email@hidden] On Behalf Of David Mueller
Sent: Wednesday, August 31, 2011 12:13 PM
To: Fed-talk
Subject: Re: [Fed-Talk] Apple's Rogue DigiNotar CA mitigation?
Yes, you can disable DigiNotar via Keychain Access. Open the app, click on the System Roots keychain, double-click on "DigiNotar Root CA", expand the Trust section of the window, and set "When using this certificate" to "Never Trust".
This post has a slightly different method (with pictures), and suggests that it may be better to delete the cert rather than not trusting it:
http://www.coriolis-systems.com/blog/2011/08/diginotar-certificate-security.php
- David
On 8/31/11 9:08 AM, "William Cerniuk" <email@hidden> wrote:
> Unless you have a jailbroken phone, hard to determine if the cert is
> on the iOS device.
>
> Trust this is visible in the keychain access app? Most Mac owners are
> not going to use an old-style terminal app.
>
> Best Regards,
> Wm. Cerniuk
>
>
>
>
> On Aug 31, 2011, at 11:51, Joel Esler <email@hidden> wrote:
>
>> Apple has not handled it yet.
>>
>> On Aug 31, 2011, at 11:50 AM, Disiena, Ridley J. (GRC-VO00)[DB
>> Consulting Group, Inc.] wrote:
>>
>>>
>>> Has anyone seen any Apple notification with regards to actions to be
>>> taken on iOS and OS X to mitigate the rogue DigiNotar CA incident this week?
>>>
>>> Other companies have been quick to respond:
>>> Mozilla Notice -
>>> http://blog.mozilla.com/security/2011/08/29/fraudulent-google-com-cer
>>> Google Notice -
>>> http://googleonlinesecurity.blogspot.com/2011/08/update-on-attempted-man-in-middle.html
>>> Microsoft Notice -
>>> http://www.microsoft.com/technet/security/advisory/2607712.mspx
>>> Chromium Code added to address this:
>>> http://codereview.chromium.org/7791032/diff/2001/net/base/x509_certificate.cc
>>>
>>>
>>> FYI: Command to remove the rogue DigiNotar Root CA certificate from
>>> OS-X System Roots via its SHA1 hash value:
>>> sudo security delete-certificate -Z C060ED44CBD881BD0EF86C0BA287DDCF8167478C "/System/Library/Keychains/SystemRootCertificates.keychain"
>>>
>>> Note: I believe iOS also has this Root CA included by default as well
>>>
>>>
>>> - Ridley DiSiena CISSP
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
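
Added example (not part of the thread, and not code from any poster): a check that can be run before and after the delete-certificate command quoted above, to confirm whether a certificate with that SHA-1 hash is still in the System Roots keychain. The function names and the sample dump are constructed for illustration; the parser assumes the "SHA-1 hash:" / "keychain:" / "labl" record layout that `security find-certificate -a -Z` prints.

```shell
#!/bin/sh
DIGINOTAR_FP=C060ED44CBD881BD0EF86C0BA287DDCF8167478C   # SHA-1 hash quoted in the thread
ROOTS=/System/Library/Keychains/SystemRootCertificates.keychain

# Strip colons/spaces and uppercase, so pasted fingerprints compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ': ' | tr '[:lower:]' '[:upper:]'
}

# Read `security find-certificate -a -Z` output on stdin and print
# "keychain<TAB>label" for each record whose SHA-1 hash matches $1.
# Exit status is 0 if the certificate is present, 1 if it is absent.
find_fp() {
    awk -v want="$(normalize_fp "$1")" '
        function emit() { if (fp != "" && fp == want) { print kc "\t" label; found = 1 } }
        /^SHA-1 hash:/  { emit(); fp = toupper($3); kc = ""; label = ""; next }
        /^keychain:/    { kc = $0; sub(/^keychain: */, "", kc); gsub(/"/, "", kc); next }
        /"labl"<blob>=/ { label = $0; sub(/^.*<blob>=/, "", label); gsub(/"/, "", label) }
        END             { emit(); exit (found ? 0 : 1) }
    '
}

# On a Mac: check_keychain "$DIGINOTAR_FP" "$ROOTS" (no sudo needed to read).
check_keychain() {
    security find-certificate -a -Z "$2" | find_fp "$1"
}

# Constructed sample of the dump format, so the parser can be tried offline.
# The second record and its all-zero hash are placeholders, not a real CA.
sample_dump() {
cat <<'EOF'
SHA-1 hash: C060ED44CBD881BD0EF86C0BA287DDCF8167478C
keychain: "/System/Library/Keychains/SystemRootCertificates.keychain"
class: 0x80001000
attributes:
    "labl"<blob>="DigiNotar Root CA"
SHA-1 hash: 0000000000000000000000000000000000000001
keychain: "/System/Library/Keychains/SystemRootCertificates.keychain"
class: 0x80001000
attributes:
    "labl"<blob>="Example Root CA (constructed)"
EOF
}

sample_dump | find_fp "$DIGINOTAR_FP"
```

A non-zero exit status from check_keychain after the deletion means no record with that hash remains in the keychain that was checked.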