Re: Certificate Hijacking

2011-04-18 Thread Ronda Brown
Fair enough Peter,

As I mentioned in my previous email, 
> I'm only posting to inform WAMUG members of the implications of turning off 
> this security setting. If people feel ok doing this, that's fine by me, it is 
> their decision.

You are quite prepared to take the risk and that is your decision, which is 
fine by me.
I am not prepared to take the risk and that is my decision, which is fine with 
me ;-)

There are so many risks & dangers when connected to the Internet, I try to be 
as secure & safe as I possibly can be. We can never be completely secure!

Cheers,
Ronni
Sent from Ronni's iPad

On 19/04/2011, at 8:35 AM, Peter Hinchliffe  wrote:

> 
> On 18/04/2011, at 11:54 AM, Ronda Brown wrote:
> 
>> Hi Tim & WAMUG Members,
>> 
>> So you have to choose between Security and the Mac App Store?
>> 
>> By turning off that list you are opening up your system to software that 
>> could pose a threat to your machine and data. 
> 
> Well, given the inconvenience I was experiencing by having CRL turned on, 
> measured against the convenience of the App Store, with my own web-surfing 
> behaviour thrown into the mix, not to mention the extremely low likelihood 
> (at the moment, anyway) of rogue software invading my computer, it's a risk 
> I'm quite prepared to take. I did also mention that I left OCSP turned on, 
> which seems to be the more modern and less troublesome form of protection 
> anyway, according to SearchSecurity.com 
> (http://searchsecurity.techtarget.com/definition/Certificate-Revocation-List):
> 
> "Certificate Revocation List (CRL) is one of two common methods when using a 
> public key infrastructure for maintaining access to servers in a network. The 
> other, newer method, which has superseded CRL in some cases, is Online 
> Certificate Status Protocol (OCSP).
> The CRL is exactly what its name implies: a list of subscribers paired with 
> digital certificate status. The list enumerates revoked certificates along 
> with the reason(s) for revocation. The dates of certificate issue, and the 
> entities that issued them, are also included. In addition, each list contains 
> a proposed date for the next release. When a potential user attempts to 
> access a server, the server allows or denies access based on the CRL entry 
> for that particular user.
> 
> The main limitation of CRL is the fact that updates must be frequently 
> downloaded to keep the list current. OCSP overcomes this limitation by 
> checking certificate status in real time."  
> 
> Leaving OCSP turned on has not affected the performance of the App Store in 
> any way. It's entirely possible that it was not CRL per se that was causing 
> the problem, but having both turned on at the same time. Whatever it was, the 
> problem is fixed for now.
> 
>> 
>> Supposedly using CRL and OCSP does have the cost of extra bandwidth and 
>> slower speed when making secure connections. I would imagine it depends on 
>> the number of machines on the network and the speed of the connection.
>> I don't imagine it would make much difference on a small home network.
>> 
>> Apple needs to heighten its security, not have users needing to make it 
>> even less secure!
> 
> Couldn't agree more. If and when they do address the problem, I'll have 
> another look at it. In the meantime I'm a happy camper once again...
> 
>> 
>> I'm only posting to inform WAMUG members of the implications of turning off 
>> this security setting. If people feel ok doing this, that's fine by me, it 
>> is their decision.
>> 
>> Cheers,
>> Ronni
>> 
>> Sent from Ronni's iPad
> 
> Peter Hinchliffe
> Apwin Computer Services
> FileMaker Pro Solutions Developer
> Perth, Western Australia
> Phone (618) 9332 6482
> Mob 0403 046 948
> 
> Mac because I prefer it -- Windows because I have to.
> 
> 
> 
> 
> -- The WA Macintosh User Group Mailing List --
> Archives - 
> Guidelines - 
> Unsubscribe - 




Re: Certificate Hijacking

2011-04-18 Thread Peter Hinchliffe

On 18/04/2011, at 11:54 AM, Ronda Brown wrote:

> Hi Tim & WAMUG Members,
> 
> So you have to choose between Security and the Mac App Store?
> 
> By turning off that list you are opening up your system to software that 
> could pose a threat to your machine and data. 

Well, given the inconvenience I was experiencing by having CRL turned on, 
measured against the convenience of the App Store, with my own web-surfing 
behaviour thrown into the mix, not to mention the extremely low likelihood (at 
the moment, anyway) of rogue software invading my computer, it's a risk I'm 
quite prepared to take. I did also mention that I left OCSP turned on, which 
seems to be the more modern and less troublesome form of protection anyway, 
according to SearchSecurity.com 
(http://searchsecurity.techtarget.com/definition/Certificate-Revocation-List):

"Certificate Revocation List (CRL) is one of two common methods when using a 
public key infrastructure for maintaining access to servers in a network. The 
other, newer method, which has superseded CRL in some cases, is Online 
Certificate Status Protocol (OCSP).
The CRL is exactly what its name implies: a list of subscribers paired with 
digital certificate status. The list enumerates revoked certificates along with 
the reason(s) for revocation. The dates of certificate issue, and the entities 
that issued them, are also included. In addition, each list contains a proposed 
date for the next release. When a potential user attempts to access a server, 
the server allows or denies access based on the CRL entry for that particular 
user.

The main limitation of CRL is the fact that updates must be frequently 
downloaded to keep the list current. OCSP overcomes this limitation by checking 
certificate status in real time."  

Leaving OCSP turned on has not affected the performance of the App Store in any 
way. It's entirely possible that it was not CRL per se that was causing the 
problem, but having both turned on at the same time. Whatever it was, the 
problem is fixed for now.

> 
> Supposedly using CRL and OCSP does have the cost of extra bandwidth and 
> slower speed when making secure connections. I would imagine it depends on 
> the number of machines on the network and the speed of the connection.
> I don't imagine it would make much difference on a small home network.
> 
> Apple needs to heighten its security, not have users needing to make it even 
> less secure!

Couldn't agree more. If and when they do address the problem, I'll have another 
look at it. In the meantime I'm a happy camper once again...

> 
> I'm only posting to inform WAMUG members of the implications of turning off 
> this security setting. If people feel ok doing this, that's fine by me, it is 
> their decision.
> 
> Cheers,
> Ronni
> 
> Sent from Ronni's iPad

Peter Hinchliffe
Apwin Computer Services
FileMaker Pro Solutions Developer
Perth, Western Australia
Phone (618) 9332 6482
Mob 0403 046 948

Mac because I prefer it -- Windows because I have to.





Re: Certificate Hijacking

2011-04-18 Thread Tim Law

Cautionary note taken Ronni.
CRL back on. 

Tim




On 18/04/2011, at 11:54 AM, Ronda Brown wrote:

> 
> Hi Tim & WAMUG Members,
> 
> So you have to choose between Security and the Mac App Store?
> 
> By turning off that list you are opening up your system to software that 
> could pose a threat to your machine and data. 
> 
> Supposedly using CRL and OCSP does have the cost of extra bandwidth and 
> slower speed when making secure connections. I would imagine it depends on 
> the number of machines on the network and the speed of the connection.
> I don't imagine it would make much difference on a small home network.
> 
> Apple needs to heighten its security, not have users needing to make it even 
> less secure!
> 
> I'm only posting to inform WAMUG members of the implications of turning off 
> this security setting. If people feel ok doing this, that's fine by me, it is 
> their decision.
> 
> Cheers,
> Ronni
> 
> Sent from Ronni's iPad
> 
> On 18/04/2011, at 10:44 AM, Tim Law  wrote:
> 
>> 
>> The app store was also not loading quickly for me, so I returned the setting 
>> to the default and it has resolved. It never got to the same point as Peter 
>> as I reverted the setting.  
>> 
>> Tim
>> 
>> Sent from my iPhone
>> 
>> On 18/04/2011, at 8:49 AM, Peter Hinchliffe  
>> wrote:
>> 
>>> 
>>> 
>>> On 18/04/2011, at 8:23 AM, Ronda Brown wrote:
>>> 
>>>> 
>>>>> I've had to set CRL (Certificate Revocation List) back to Off on my 
>>>>> system. Having it turned on was slowing the performance of the Mac Store 
>>>>> app to the point of complete uselessness. I've left OCSP on without 
>>>>> detrimental effect.
>>>> 
>>>> 
>>>> Hi Peter,
>>>> 
>>>> Why do you think it is because CRL is turned ON?
>>>> Are you unable to connect to the Mac App Store, or does it take a long 
>>>> time verifying your account, or a long time downloading an App?
>>>> 
>>>> Cheers,
>>>> Ronni
>>>> 
>>>> 17" MacBook Pro 2.3GHz Quad-Core i7
>>>> 2.3GHz / 8GB / 750GB @ 7200rpm HD
>>>> 
>>>> OS X 10.6.7 Snow Leopard
>>>> Windows 7 Ultimate (under sufferance)
>>>> 
>>> 
>>> Well, mainly because turning off CRL has fixed the problems I was having, 
>>> but also because it came from a suggestion I found from someone else who 
>>> was experiencing the same issues as me. 
>>> 
>>> Using the App Store app was becoming extremely exasperating. It was 
>>> launching more and more slowly, and, having launched would take longer and 
>>> longer to render the home page, especially the banner graphic at the top of 
>>> the window. Navigating to an app's page within the App Store had similar 
>>> problems, but returning to the home page each time was even worse. 
>>> Eventually, it got to the point where I was having to force quit just to 
>>> get work done, since the CPU was thrashing. Turning off CRL was one 
>>> suggestion I read somewhere (didn't keep the reference, unfortunately) but 
>>> it had an immediate effect. The App Store now performs beautifully for me.  
>>> 
>>> Peter Hinchliffe
>>> Apwin Computer Services
>>> FileMaker Pro Solutions Developer
>>> Perth, Western Australia
>>> Phone (618) 9332 6482
>>> Mob 0403 046 948
>>> 
>>> Mac because I prefer it -- Windows because I have to.
>>> 

Re: Certificate Hijacking

2011-04-17 Thread Ronda Brown

Hi Tim & WAMUG Members,

So you have to choose between Security and the Mac App Store?

By turning off that list you are opening up your system to software that could 
pose a threat to your machine and data. 

Supposedly using CRL and OCSP does have the cost of extra bandwidth and slower 
speed when making secure connections. I would imagine it depends on the number 
of machines on the network and the speed of the connection.
I don't imagine it would make much difference on a small home network.

Apple needs to heighten its security, not have users needing to make it even 
less secure!

I'm only posting to inform WAMUG members of the implications of turning off 
this security setting. If people feel ok doing this, that's fine by me, it is 
their decision.

Cheers,
Ronni

Sent from Ronni's iPad

On 18/04/2011, at 10:44 AM, Tim Law  wrote:

> 
> The app store was also not loading quickly for me, so I returned the setting 
> to the default and it has resolved. It never got to the same point as Peter 
> as I reverted the setting.  
> 
> Tim
> 
> Sent from my iPhone
> 
> On 18/04/2011, at 8:49 AM, Peter Hinchliffe  wrote:
> 
>> 
>> 
>> On 18/04/2011, at 8:23 AM, Ronda Brown wrote:
>> 
>>>> 
>>>> I've had to set CRL (Certificate Revocation List) back to Off on my 
>>>> system. Having it turned on was slowing the performance of the Mac Store 
>>>> app to the point of complete uselessness. I've left OCSP on without 
>>>> detrimental effect.
>>> 
>>> 
>>> Hi Peter,
>>> 
>>> Why do you think it is because CRL is turned ON?
>>> Are you unable to connect to the Mac App Store, or does it take a long time 
>>> verifying your account, or a long time downloading an App?
>>> 
>>> Cheers,
>>> Ronni
>>> 
>>> 17" MacBook Pro 2.3GHz Quad-Core i7
>>> 2.3GHz / 8GB / 750GB @ 7200rpm HD
>>> 
>>> OS X 10.6.7 Snow Leopard
>>> Windows 7 Ultimate (under sufferance)
>>> 
>> 
>> Well, mainly because turning off CRL has fixed the problems I was having, 
>> but also because it came from a suggestion I found from someone else who was 
>> experiencing the same issues as me. 
>> 
>> Using the App Store app was becoming extremely exasperating. It was 
>> launching more and more slowly, and, having launched would take longer and 
>> longer to render the home page, especially the banner graphic at the top of 
>> the window. Navigating to an app's page within the App Store had similar 
>> problems, but returning to the home page each time was even worse. 
>> Eventually, it got to the point where I was having to force quit just to get 
>> work done, since the CPU was thrashing. Turning off CRL was one suggestion I 
>> read somewhere (didn't keep the reference, unfortunately) but it had an 
>> immediate effect. The App Store now performs beautifully for me.  
>> 
>> Peter Hinchliffe
>> Apwin Computer Services
>> FileMaker Pro Solutions Developer
>> Perth, Western Australia
>> Phone (618) 9332 6482
>> Mob 0403 046 948
>> 
>> Mac because I prefer it -- Windows because I have to.

Re: Certificate Hijacking

2011-04-17 Thread Tim Law

The app store was also not loading quickly for me, so I returned the setting to 
the default and it has resolved. It never got to the same point as Peter as I 
reverted the setting.  

Tim

Sent from my iPhone

On 18/04/2011, at 8:49 AM, Peter Hinchliffe  wrote:

> 
> 
> On 18/04/2011, at 8:23 AM, Ronda Brown wrote:
> 
>>> 
>>> I've had to set CRL (Certificate Revocation List) back to Off on my system. 
>>> Having it turned on was slowing the performance of the Mac Store app to the 
>>> point of complete uselessness. I've left OCSP on without detrimental effect.
>> 
>> 
>> Hi Peter,
>> 
>> Why do you think it is because CRL is turned ON?
>> Are you unable to connect to the Mac App Store, or does it take a long time 
>> verifying your account, or a long time downloading an App?
>> 
>> Cheers,
>> Ronni
>> 
>> 17" MacBook Pro 2.3GHz Quad-Core i7
>> 2.3GHz / 8GB / 750GB @ 7200rpm HD
>> 
>> OS X 10.6.7 Snow Leopard
>> Windows 7 Ultimate (under sufferance)
>> 
> 
> Well, mainly because turning off CRL has fixed the problems I was having, but 
> also because it came from a suggestion I found from someone else who was 
> experiencing the same issues as me. 
> 
> Using the App Store app was becoming extremely exasperating. It was launching 
> more and more slowly, and, having launched would take longer and longer to 
> render the home page, especially the banner graphic at the top of the window. 
> Navigating to an app's page within the App Store had similar problems, but 
> returning to the home page each time was even worse. Eventually, it got to 
> the point where I was having to force quit just to get work done, since the 
> CPU was thrashing. Turning off CRL was one suggestion I read somewhere 
> (didn't keep the reference, unfortunately) but it had an immediate effect. 
> The App Store now performs beautifully for me.  
> 
> Peter Hinchliffe
> Apwin Computer Services
> FileMaker Pro Solutions Developer
> Perth, Western Australia
> Phone (618) 9332 6482
> Mob 0403 046 948
> 
> Mac because I prefer it -- Windows because I have to.

Re: Certificate Hijacking

2011-04-17 Thread Ronda Brown


On 18/04/2011, at 8:49 AM, Peter Hinchliffe wrote:

> 
> 
> On 18/04/2011, at 8:23 AM, Ronda Brown wrote:
> 
>>> 
>>> I've had to set CRL (Certificate Revocation List) back to Off on my system. 
>>> Having it turned on was slowing the performance of the Mac Store app to the 
>>> point of complete uselessness. I've left OCSP on without detrimental effect.
>> 
>> 
>> Hi Peter,
>> 
>> Why do you think it is because CRL is turned ON?
>> Are you unable to connect to the Mac App Store, or does it take a long time 
>> verifying your account, or a long time downloading an App?
>> 
>> Cheers,
>> Ronni
>> 
>> 17" MacBook Pro 2.3GHz Quad-Core i7
>> 2.3GHz / 8GB / 750GB @ 7200rpm HD
>> 
>> OS X 10.6.7 Snow Leopard
>> Windows 7 Ultimate (under sufferance)
>> 
> 
> Well, mainly because turning off CRL has fixed the problems I was having, but 
> also because it came from a suggestion I found from someone else who was 
> experiencing the same issues as me. 
> 
> Using the App Store app was becoming extremely exasperating. It was launching 
> more and more slowly, and, having launched would take longer and longer to 
> render the home page, especially the banner graphic at the top of the window. 
> Navigating to an app's page within the App Store had similar problems, but 
> returning to the home page each time was even worse. Eventually, it got to 
> the point where I was having to force quit just to get work done, since the 
> CPU was thrashing. Turning off CRL was one suggestion I read somewhere 
> (didn't keep the reference, unfortunately) but it had an immediate effect. 
> The App Store now performs beautifully for me.  

Interesting Peter,
I have CRL & OCSP set to “Best Attempt” & Priority OCSP and have not 
experienced the problems you have.
Weird, but if doing this has fixed your problems, I guess you are ok with it.

Can’t have you not being able to purchase Apps :-)

Cheers,
Ronni


Re: Certificate Hijacking

2011-04-17 Thread Peter Hinchliffe


On 18/04/2011, at 8:23 AM, Ronda Brown wrote:

>> 
>> I've had to set CRL (Certificate Revocation List) back to Off on my system. 
>> Having it turned on was slowing the performance of the Mac Store app to the 
>> point of complete uselessness. I've left OCSP on without detrimental effect.
> 
> 
> Hi Peter,
> 
> Why do you think it is because CRL is turned ON?
> Are you unable to connect to the Mac App Store, or does it take a long time 
> verifying your account, or a long time downloading an App?
> 
> Cheers,
> Ronni
> 
> 17" MacBook Pro 2.3GHz Quad-Core i7
> 2.3GHz / 8GB / 750GB @ 7200rpm HD
> 
> OS X 10.6.7 Snow Leopard
> Windows 7 Ultimate (under sufferance)
> 

Well, mainly because turning off CRL has fixed the problems I was having, but 
also because it came from a suggestion I found from someone else who was 
experiencing the same issues as me. 

Using the App Store app was becoming extremely exasperating. It was launching 
more and more slowly, and, having launched would take longer and longer to 
render the home page, especially the banner graphic at the top of the window. 
Navigating to an app's page within the App Store had similar problems, but 
returning to the home page each time was even worse. Eventually, it got to the 
point where I was having to force quit just to get work done, since the CPU was 
thrashing. Turning off CRL was one suggestion I read somewhere (didn't keep the 
reference, unfortunately) but it had an immediate effect. The App Store now 
performs beautifully for me.  

Peter Hinchliffe
Apwin Computer Services
FileMaker Pro Solutions Developer
Perth, Western Australia
Phone (618) 9332 6482
Mob 0403 046 948

Mac because I prefer it -- Windows because I have to.





Re: Certificate Hijacking

2011-04-17 Thread Ronda Brown

On 18/04/2011, at 8:04 AM, Peter Hinchliffe wrote:

> 
> On 16/04/2011, at 2:22 PM, Stuart Breden wrote:
> 
>> Thanks Ronni.
>> 
>> Stuart Breden
>> PO Box 132
>> Kalamunda WA 6926
>> Ph: (08) 9257 1577
>> Mbl: 0417 053 266
>> 
>> 
>> 
>> On 25/03/2011, at 3:13 PM, Ronda Brown wrote:
>> 
>>> Hello WAMUGers,
>>> 
>>> Recently there was announced 'certificate hijacking' when using the web to 
>>> access SSL (Secure Sockets Layer) sites.
>>> 
>>> I checked my Keychain to see what was the ‘Default’ setting; to find that 
>>> OCSP is not enabled by Default.
>>> It is OFF.
>>> 
>>> To Enable it:
>>> 1. Open Keychain Access from Applications > Utilities. Choose Keychain 
>>> Access > Preferences.
>>> 2. Click on the Certificates tab. 
>>> Set the first two options, for OCSP and CRL, to Best Attempt, 
>>> and leave priority set to OCSP.
>>> 
>>> This will tell Safari, or any other program that uses the built-in 
>>> certificates on Mac OS X, to check these servers before accepting any SSL 
>>> certificate on a web site.
>>> 
>>> Definitions:
>>>  “Online Certificate Status Protocol (OCSP)” 
>>>  “Certificate Revocation List (CRL)”
>>> 
> 
> I've had to set CRL (Certificate Revocation List) back to Off on my system. 
> Having it turned on was slowing the performance of the Mac Store app to the 
> point of complete uselessness. I've left OCSP on without detrimental effect.


Hi Peter,

Why do you think it is because CRL is turned ON?
Are you unable to connect to the Mac App Store, or does it take a long time 
verifying your account, or a long time downloading an App?

Cheers,
Ronni

17" MacBook Pro 2.3GHz Quad-Core i7
2.3GHz / 8GB / 750GB @ 7200rpm HD

OS X 10.6.7 Snow Leopard
Windows 7 Ultimate (under sufferance)

-- The WA Macintosh User Group Mailing List --
Archives - <http://www.wamug.org.au/mailinglist/archives.shtml>
Guidelines - <http://www.wamug.org.au/mailinglist/guidelines.shtml>
Unsubscribe - <mailto:wamug-unsubscr...@wamug.org.au>



Re: Certificate Hijacking

2011-04-17 Thread Peter Hinchliffe

On 16/04/2011, at 2:22 PM, Stuart Breden wrote:

> Thanks Ronni.
> 
> Stuart Breden
> PO Box 132
> Kalamunda WA 6926
> Ph: (08) 9257 1577
> Mbl: 0417 053 266
> 
> 
> 
> On 25/03/2011, at 3:13 PM, Ronda Brown wrote:
> 
>> Hello WAMUGers,
>> 
>> Recently there was announced 'certificate hijacking' when using the web to 
>> access SSL (Secure Sockets Layer) sites.
>> 
>> I checked my Keychain to see what was the ‘Default’ setting; to find that 
>> OCSP is not enabled by Default.
>> It is OFF.
>> 
>> To Enable it:
>> 1. Open Keychain Access from Applications > Utilities. Choose Keychain 
>> Access > Preferences.
>> 2. Click on the Certificates tab. 
>> Set the first two options, for OCSP and CRL, to Best Attempt, 
>> and leave priority set to OCSP.
>> 
>> This will tell Safari, or any other program that uses the built-in 
>> certificates on Mac OS X, to check these servers before accepting any SSL 
>> certificate on a web site.
>> 
>> Definitions:
>>  “Online Certificate Status Protocol (OCSP)” 
>>  “Certificate Revocation List (CRL)”
>> 

I've had to set CRL (Certificate Revocation List) back to Off on my system. 
Having it turned on was slowing the performance of the Mac Store app to the 
point of complete uselessness. I've left OCSP on without detrimental effect.

Peter Hinchliffe
Apwin Computer Services
FileMaker Pro Solutions Developer
Perth, Western Australia
Phone (618) 9332 6482
Mob 0403 046 948

Mac because I prefer it -- Windows because I have to.





Re: Certificate Hijacking

2011-04-15 Thread Stuart Breden

Thanks Ronni.

Stuart Breden
PO Box 132
Kalamunda WA 6926
Ph: (08) 9257 1577
Mbl: 0417 053 266



On 25/03/2011, at 3:13 PM, Ronda Brown wrote:


> Hello WAMUGers,
> 
> Recently there was announced 'certificate hijacking' when using the web to 
> access SSL (Secure Sockets Layer) sites.
> 
> I checked my Keychain to see what was the ‘Default’ setting; to find that 
> OCSP is not enabled by Default.
> It is OFF.
> 
> To Enable it:
> 1. Open Keychain Access from Applications > Utilities. Choose Keychain 
> Access > Preferences.
> 2. Click on the Certificates tab.
> Set the first two options, for OCSP and CRL, to Best Attempt,
> and leave priority set to OCSP.
> 
> This will tell Safari, or any other program that uses the built-in 
> certificates on Mac OS X, to check these servers before accepting any SSL 
> certificate on a web site.
> 
> Definitions:
> “Online Certificate Status Protocol (OCSP)”
> “Certificate Revocation List (CRL)”
> 
> Cheers,
> Ronni
> 
> 17" MacBook Pro Intel Core i7
> 2.66GHz / 8GB / 1067 MHz DDR3 / 500GB Serial ATA Drive @ 7200rpm
> 
> OS X 10.6.6 Snow Leopard
> Windows 7 Ultimate (under sufferance)


Re: Certificate Hijacking

2011-03-25 Thread David Nicholas
Thanks Ronni.

I now have a fairly good idea of what it is about.  I didn't notice any stories 
about the hijacking.

David


On 25/03/2011, at 4:16 PM, Ronda Brown wrote:

> Hi David,
> 
> On 25/03/2011, at 3:29 PM, David Nicholas wrote:
> 
>> Ronni 
>> 
>> Thanks for the advice which I have followed.
>> 
>> But I don't understand what 'certificate hijacking' is.  It sounds bad.
> 
> It is!
>> 
>> Can you explain it briefly?
> 
> Not really briefly, as I don’t know how much you understand about Secure 
> sites and Security.
> I’ll try to give a brief explanation.
> 
> The Security Part:
> When you surf the web, you trust certain web sites where you provide 
> confidential information, such as credit card numbers, or where you access 
> and send e-mail. 
> Certain applications that connect to remote servers also depend on this type 
> of trust. 
> A broad system based on the SSL (Secure Sockets Layer) protocol ensures that 
> when you visit a web site, such as Apple.com, Amazon.com or Google’s Gmail, 
> that the site is indeed what it pretends to be. 
> 
> Example: Google’s Mail:
> The HTTPS Communication Process
> 
> Basically works out as follows:
> 
> 1. The client browser connects to http://mail.google.com on port 80 using 
> HTTP.
> 2. The server redirects the client to the HTTPS version of this site using 
> an HTTP code 302 redirect.
> 3. The client connects to https://mail.google.com on port 443.
> 4. The server provides a certificate to the client containing its digital 
> signature. 
> This certificate is used to verify the identity of the site.
> 5. The client takes this certificate and verifies it against its list of 
> trusted certificate authorities.
> 6. Encrypted communication ensues.
> 
> If the certificate validation process fails then that means the website has 
> failed to verify its identity. At that point the user is typically presented 
> with a certificate validation error and they can choose to proceed at their 
> own risk, because they may or may not actually be communicating with the 
> website they think they are talking to.
> 
> Now the Hijacking part:
> 
> There are a limited number of companies authorised, and recognised, who issue 
> such certificates. One of these, Comodo, was recently hacked, and certain 
> individuals were able to buy nine digital certificates for major web sites, 
> including mail.google.com, login.yahoo.com, login.skype.com and 
> addons.mozilla.org. 
> 
> This means that the malicious users who obtained these certificates will be 
> able to set up web sites that can spoof users who check for the visual signs 
> of trust shown above. They may be able to use these for phishing attacks as 
> well; when you click on a link, and go to a site, if you see these signs 
> indicating security, you’re likely to trust them.
> 
> In addition, this goes beyond just web usage. The same system is used when 
> you log into Gmail using an e-mail program, or when you log into Skype via 
> their application. When using public wifi networks, it’s possible that a 
> man-in-the-middle attack may be able to spoof local DNS resources and lead 
> you to a booby-trapped server.
> 
> Now Preventing a Hijacking Attack:
> Is to make sure that OCSP & the settings I mentioned below are ON to ensure 
> that your Mac is protected. 
> This affects not just Safari, but Mac OS X in general; certificate validation 
> is a system-wide API. 
> However, not all applications use this system.
> 
> Note: Comodo has revoked these certificates, and they are listed in Comodo’s 
> current Certificate Revocation List (CRL).
> In addition, browsers which have enabled the Online Certificate Status 
> Protocol (OCSP) will interactively validate these certificates and block them 
> from being used.
> 
> Hope that helps explain a bit for you.
> 
> 
> Cheers,
> Ronni
> 
>> 
>> 
>> On 25/03/2011, at 3:13 PM, Ronda Brown wrote:
>> 
>>> Hello WAMUGers,
>>> 
>>> Recently there was announced 'certificate hijacking' when using the web to 
>>> access SSL (Secure Sockets Layer) sites.
>>> 
>>> I checked my Keychain to see what was the ‘Default’ setting; to find that 
>>> OCSP is not enabled by Default.
>>> It is OFF.
>>> 
>>> To Enable it:
>>> 1. Open Keychain Access from Applications > Utilities. Choose Keychain 
>>> Access > Preferences.
>>> 2. Click on the Certificates tab. 
>>> Set the first two options, for OCSP and CRL, to Best Attempt, 
>>> and leave priority set to OCSP.
>>> 
>
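The revocation check that sits inside step 5 of the validation process Ronni describes, together with the Keychain OCSP/CRL settings the thread argues about (Off, Best Attempt, priority OCSP), modelled as an added Python example that is not from any of the posts above and not Apple's code. The policy names are a simplified assumption, the CA, serial number and responder data are constructed, and "Best Attempt" is assumed to mean the check is attempted but a missing answer does not block the connection.

```python
# Constructed model of Keychain-style revocation checking (not Apple's code).
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, Optional, Tuple


class Policy(Enum):
    # Simplified from the Keychain Access preference values (assumption).
    OFF = "Off"
    BEST_ATTEMPT = "Best Attempt"
    REQUIRE = "Require"


@dataclass
class RevokedEntry:
    serial: int
    reason: str
    revoked_at: datetime


@dataclass
class CRL:
    """Revoked serials with reasons, plus the list's own validity window."""
    issuer: str
    this_update: datetime
    next_update: datetime
    entries: Dict[int, RevokedEntry] = field(default_factory=dict)

    def status(self, serial: int, now: datetime) -> Optional[str]:
        # A CRL past its nextUpdate is stale: it gives no answer at all.
        if now > self.next_update:
            return None
        return "revoked" if serial in self.entries else "good"


@dataclass
class OCSPResponder:
    """Simulated responder: answers in real time, but may be unreachable."""
    statuses: Dict[int, str]
    reachable: bool = True

    def status(self, serial: int) -> Optional[str]:
        if not self.reachable:
            return None
        return self.statuses.get(serial, "good")


def check_revocation(serial: int, ocsp_policy: Policy, crl_policy: Policy,
                     priority: str, ocsp: OCSPResponder, crl: CRL,
                     now: datetime) -> Tuple[bool, str]:
    """Decide whether a leaf certificate serial is acceptable.

    Methods are tried in priority order. A definite answer ends the check;
    no answer is fatal under Require but is skipped under Best Attempt.
    """
    order = ["OCSP", "CRL"] if priority == "OCSP" else ["CRL", "OCSP"]
    for method in order:
        policy = ocsp_policy if method == "OCSP" else crl_policy
        if policy is Policy.OFF:
            continue
        answer = ocsp.status(serial) if method == "OCSP" else crl.status(serial, now)
        if answer == "revoked":
            return False, f"{method}: serial {serial:#x} is revoked"
        if answer == "good":
            return True, f"{method}: serial {serial:#x} is good"
        if policy is Policy.REQUIRE:
            return False, f"{method}: no answer and policy is Require"
        # Best Attempt with no answer: fall through to the next method.
    return True, "no revocation source gave an answer; accepted (soft fail)"


NOW = datetime(2011, 4, 18, tzinfo=timezone.utc)
ROGUE_SERIAL = 0xC0FFEE  # constructed serial for a fraudulently issued certificate


def build_sources(ocsp_reachable: bool = True, crl_fresh: bool = True):
    """Constructed CA data: one revoked serial, reason keyCompromise."""
    next_update = NOW + timedelta(days=6) if crl_fresh else NOW - timedelta(hours=1)
    crl = CRL("Constructed CA", NOW - timedelta(days=1), next_update,
              {ROGUE_SERIAL: RevokedEntry(ROGUE_SERIAL, "keyCompromise",
                                          NOW - timedelta(days=24))})
    ocsp = OCSPResponder({ROGUE_SERIAL: "revoked"}, reachable=ocsp_reachable)
    return ocsp, crl


def scenarios() -> Dict[str, Tuple[bool, str]]:
    """The settings discussed in the thread, applied to the revoked serial."""
    ocsp, crl = build_sources()
    ocsp_down, crl_stale = build_sources(ocsp_reachable=False, crl_fresh=False)
    ba, off, req = Policy.BEST_ATTEMPT, Policy.OFF, Policy.REQUIRE
    return {
        "both_best_attempt": check_revocation(ROGUE_SERIAL, ba, ba, "OCSP", ocsp, crl, NOW),
        "crl_off": check_revocation(ROGUE_SERIAL, ba, off, "OCSP", ocsp, crl, NOW),
        "both_off": check_revocation(ROGUE_SERIAL, off, off, "OCSP", ocsp, crl, NOW),
        "ocsp_down_crl_fresh": check_revocation(ROGUE_SERIAL, ba, ba, "OCSP", ocsp_down, crl, NOW),
        "nothing_answers": check_revocation(ROGUE_SERIAL, ba, ba, "OCSP", ocsp_down, crl_stale, NOW),
        "require_nothing_answers": check_revocation(ROGUE_SERIAL, req, req, "OCSP", ocsp_down, crl_stale, NOW),
    }
```

The "nothing_answers" case is the caveat behind the thread's setting: with both checks on Best Attempt, an unreachable responder plus a stale CRL still lets the revoked certificate through, which only Require prevents.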

Re: Certificate Hijacking

2011-03-25 Thread cm
Thanks Ronni for the sound advice and the clear explanation!

Cheers,
Carlo

On 2011-03-25, at 16:16, Ronda Brown wrote:

> Hi David,
> 
> On 25/03/2011, at 3:29 PM, David Nicholas wrote:
> 
>> Ronni 
>> 
>> Thanks for the advice which I have followed.
>> 
>> But I don't understand what 'certificate hijacking' is.  It sounds bad.
> 
> It is!
>> 
>> Can you explain it briefly?
> 
> Not really briefly, as I don’t know how much you understand about Secure 
> sites and Security.
> I’ll try to give a brief explanation.
> 
> The Security Part:
> When you surf the web, you trust certain web sites where you provide 
> confidential information, such as credit card numbers, or where you access 
> and send e-mail. 
> Certain applications that connect to remote servers also depend on this type 
> of trust. 
> A broad system based on the SSL (Secure Sockets Layer) protocol ensures that 
> when you visit a web site, such as Apple.com, Amazon.com or Google’s Gmail, 
> that the site is indeed what it pretends to be. 
> 
> Example: Google’s Mail:
> The HTTPS Communication Process
> 
> Basically works out as follows:
> 
> 1. The client browser connects to http://mail.google.com on port 80 using 
> HTTP.
> 2. The server redirects the client to the HTTPS version of this site using 
> an HTTP code 302 redirect.
> 3. The client connects to https://mail.google.com on port 443.
> 4. The server provides a certificate to the client containing its digital 
> signature. 
> This certificate is used to verify the identity of the site.
> 5. The client takes this certificate and verifies it against its list of 
> trusted certificate authorities.
> 6. Encrypted communication ensues.
> 
> If the certificate validation process fails then that means the website has 
> failed to verify its identity. At that point the user is typically presented 
> with a certificate validation error and they can choose to proceed at their 
> own risk, because they may or may not actually be communicating with the 
> website they think they are talking to.
> 
> Now the Hijacking part:
> 
> There are a limited number of companies, authorised and recognised, who issue 
> such certificates. One of these, Comodo, was recently hacked, and certain 
> individuals were able to buy nine digital certificates for major web sites, 
> including mail.google.com, login.yahoo.com, login.skype.com and 
> addons.mozilla.org. 
> 
> This means that the malicious users who obtained these certificates will be 
> able to set up web sites that can spoof users who check for the visual signs 
> of trust shown above. They may be able to use these for phishing attacks as 
> well; when you click on a link, and go to a site, if you see these signs 
> indicating security, you’re likely to trust them.
> 
> In addition, this goes beyond just web usage. The same system is used when 
> you log into Gmail using an e-mail program, or when you log into Skype via 
> their application. When using public wifi networks, it’s possible that a 
> man-in-the-middle attack may be able to spoof local DNS resources and lead 
> you to a booby-trapped server.
> 
> Now Preventing a Hijacking Attack:
> Make sure that OCSP & the settings I mentioned below are ON to ensure 
> that your Mac is protected. 
> This affects not just Safari, but Mac OS X in general; certificate validation 
> is a system-wide API. 
> However, not all applications use this system.
> 
> Note: Comodo has revoked these certificates, and they are listed in Comodo’s 
> current Certificate Revocation List (CRL).
> In addition, browsers which have enabled the Online Certificate Status 
> Protocol (OCSP) will interactively validate these certificates and block them 
> from being used.
> 
> Hope that helps explain a bit for you.
> 
> 
> Cheers,
> Ronni
> 
>> 
>> 
>> On 25/03/2011, at 3:13 PM, Ronda Brown wrote:
>> 
>>> Hello WAMUGers,
>>> 
>>> Recently 'certificate hijacking' was announced, which affects using the web to 
>>> access SSL (Secure Sockets Layer) sites.
>>> 
>>> I checked my Keychain to see what the ‘Default’ setting was, and found that 
>>> OCSP is not enabled by default.
>>> It is OFF.
>>> 
>>> To enable it:
>>> 1.  Open Keychain Access from Applications > Utilities. Choose Keychain 
>>> Access > Preferences.
>>> 2.  Click on the Certificates tab. 
>>> Set the first two options, for OCSP and CRL, to Best Attempt, 
>>> and leave priority set to OCSP.
>>> 
>>> This will tell Safari, or any other program that uses the built-in 
>>> certificates on Mac OS X, to check these servers before accepting any SSL 
>>> certificate on a web site.

Re: Certificate Hijacking

2011-03-25 Thread Ronda Brown
Hi David,

On 25/03/2011, at 3:29 PM, David Nicholas wrote:

> Ronni 
> 
> Thanks for the advice which I have followed.
> 
> But I don't understand what 'certificate hijacking' is.  It sounds bad.

It is!
> 
> Can you explain it briefly?

Not really briefly, as I don’t know how much you understand about Secure sites 
and Security.
I’ll try to give a brief explanation.

The Security Part:
When you surf the web, you trust certain web sites where you provide 
confidential information, such as credit card numbers, or where you access and 
send e-mail. 
Certain applications that connect to remote servers also depend on this type of 
trust. 
A broad system based on the SSL (Secure Sockets Layer) protocol ensures that 
when you visit a web site, such as Apple.com, Amazon.com or Google’s Gmail, 
that the site is indeed what it pretends to be. 

Example: Google’s Mail:
The HTTPS Communication Process

Basically works out as follows:

1. The client browser connects to http://mail.google.com on port 80 using HTTP.
2. The server redirects the client to the HTTPS version of this site using an 
HTTP 302 redirect.
3. The client connects to https://mail.google.com on port 443.
4. The server provides a certificate to the client containing its digital 
signature. 
This certificate is used to verify the identity of the site.
5. The client takes this certificate and verifies it against its list of 
trusted certificate authorities.
6. Encrypted communication ensues.

If the certificate validation process fails then that means the website has 
failed to verify its identity. At that point the user is typically presented 
with a certificate validation error and they can choose to proceed at their own 
risk, because they may or may not actually be communicating with the website 
they think they are talking to.

Now the Hijacking part:

There are a limited number of companies, authorised and recognised, who issue 
such certificates. One of these, Comodo, was recently hacked, and certain 
individuals were able to buy nine digital certificates for major web sites, 
including mail.google.com, login.yahoo.com, login.skype.com and 
addons.mozilla.org. 

This means that the malicious users who obtained these certificates will be 
able to set up web sites that can spoof users who check for the visual signs of 
trust shown above. They may be able to use these for phishing attacks as well; 
when you click on a link, and go to a site, if you see these signs indicating 
security, you’re likely to trust them.

In addition, this goes beyond just web usage. The same system is used when you 
log into Gmail using an e-mail program, or when you log into Skype via their 
application. When using public wifi networks, it’s possible that a 
man-in-the-middle attack may be able to spoof local DNS resources and lead you 
to a booby-trapped server.

Now Preventing a Hijacking Attack:
Make sure that OCSP & the settings I mentioned below are ON to ensure 
that your Mac is protected. 
This affects not just Safari, but Mac OS X in general; certificate validation 
is a system-wide API. 
However, not all applications use this system.

Note: Comodo has revoked these certificates, and they are listed in Comodo’s 
current Certificate Revocation List (CRL).
In addition, browsers which have enabled the Online Certificate Status Protocol 
(OCSP) will interactively validate these certificates and block them from being 
used.

Hope that helps explain a bit for you.


Cheers,
Ronni

> 
> 
> On 25/03/2011, at 3:13 PM, Ronda Brown wrote:
> 
>> Hello WAMUGers,
>> 
>> Recently 'certificate hijacking' was announced, which affects using the web to 
>> access SSL (Secure Sockets Layer) sites.
>> 
>> I checked my Keychain to see what the ‘Default’ setting was, and found that 
>> OCSP is not enabled by default.
>> It is OFF.
>> 
>> To enable it:
>> 1.  Open Keychain Access from Applications > Utilities. Choose Keychain 
>> Access > Preferences.
>> 2.  Click on the Certificates tab. 
>> Set the first two options, for OCSP and CRL, to Best Attempt, 
>> and leave priority set to OCSP.
>> 
>> This will tell Safari, or any other program that uses the built-in 
>> certificates on Mac OS X, to check these servers before accepting any SSL 
>> certificate on a web site.
>> 
>> Definitions:
>>  “Online Certificate Status Protocol (OCSP)” 
>>  “Certificate Revocation List (CRL)”
>> 
>> Cheers,
>> Ronni
>> 
>> 17" MacBook Pro  Intel Core i7
>> 2.66GHz / 8GB / 1067 MHz DDR3 / 500GB Serial ATA Drive @ 7200rpm
>> 
>> OS X 10.6.6 Snow Leopard
>> Windows 7 Ultimate (under sufferance)
>> 

Re: Certificate Hijacking

2011-03-25 Thread David Nicholas
Ronni 

Thanks for the advice which I have followed.

But I don't understand what 'certificate hijacking' is.  It sounds bad.

Can you explain it briefly?

David Nicholas


On 25/03/2011, at 3:13 PM, Ronda Brown wrote:

> Hello WAMUGers,
> 
> Recently 'certificate hijacking' was announced, which affects using the web to 
> access SSL (Secure Sockets Layer) sites.
> 
> I checked my Keychain to see what the ‘Default’ setting was, and found that 
> OCSP is not enabled by default.
> It is OFF.
> 
> To enable it:
> 1.  Open Keychain Access from Applications > Utilities. Choose Keychain 
> Access > Preferences.
> 2.  Click on the Certificates tab. 
> Set the first two options, for OCSP and CRL, to Best Attempt, 
> and leave priority set to OCSP.
> 
> This will tell Safari, or any other program that uses the built-in 
> certificates on Mac OS X, to check these servers before accepting any SSL 
> certificate on a web site.
> 
> Definitions:
>  “Online Certificate Status Protocol (OCSP)” 
>  “Certificate Revocation List (CRL)”
> 
> Cheers,
> Ronni
> 
> 17" MacBook Pro  Intel Core i7
> 2.66GHz / 8GB / 1067 MHz DDR3 / 500GB Serial ATA Drive @ 7200rpm
> 
> OS X 10.6.6 Snow Leopard
> Windows 7 Ultimate (under sufferance)




-- The WA Macintosh User Group Mailing List --
Archives - <http://www.wamug.org.au/mailinglist/archives.shtml>
Guidelines - <http://www.wamug.org.au/mailinglist/guidelines.shtml>
Unsubscribe - <mailto:wamug-unsubscr...@wamug.org.au>



Certificate Hijacking

2011-03-25 Thread Ronda Brown
Hello WAMUGers,

Recently 'certificate hijacking' was announced, which affects using the web to 
access SSL (Secure Sockets Layer) sites.

I checked my Keychain to see what the ‘Default’ setting was, and found that 
OCSP is not enabled by default.
It is OFF.

To enable it:
1.  Open Keychain Access from Applications > Utilities. Choose Keychain Access 
> Preferences.
2.  Click on the Certificates tab. 
Set the first two options, for OCSP and CRL, to Best Attempt, 
and leave priority set to OCSP.

This will tell Safari, or any other program that uses the built-in certificates 
on Mac OS X, to check these servers before accepting any SSL certificate on a 
web site.

Definitions:
 “Online Certificate Status Protocol (OCSP)” 
 “Certificate Revocation List (CRL)”

Cheers,
Ronni

17" MacBook Pro  Intel Core i7
2.66GHz / 8GB / 1067 MHz DDR3 / 500GB Serial ATA Drive @ 7200rpm

OS X 10.6.6 Snow Leopard
Windows 7 Ultimate (under sufferance)











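As an added example that is not part of the thread (editor's code, not Apple's and not anything Ronni posted), the following Python models how the OCSP and CRL settings from the Keychain Access instructions above decide whether a certificate is accepted, applied to the scenario in Ronni's explanation: a certificate the CA has already revoked, presented by an attacker sitting between the Mac and the server. The option names are the ones in the Keychain Access dialog; the accept/reject behaviour given to each option, the `.invalid` responder hostnames and the sample certificate dict are assumptions constructed for the example. The caveat it makes concrete: "Best Attempt" is a soft-fail check, so an attacker who can intercept the connection can usually also block the OCSP responder and CRL server, and the revoked certificate is then accepted as if no check had been configured; only the two "Require" settings turn a blocked responder into a failure. `fetch_peercert` is included so the same functions can be run against a live host's certificate.

```python
"""Model of the Keychain Access revocation settings (added example, not from
the WAMUG thread or Apple).  Option names match the dialog; the behaviour
assigned to each option below is this example's assumption."""
from __future__ import annotations

import socket
import ssl

# Outcomes a revocation check can produce.
GOOD = "good"                # responder/CRL says the certificate is not revoked
REVOKED = "revoked"          # responder/CRL says it has been revoked
UNKNOWN = "unknown"          # responder does not know this certificate
UNREACHABLE = "unreachable"  # no answer: network error, blocked, timed out

# The four settings Keychain Access offers for each of OCSP and CRL.
OFF = "Off"
BEST_ATTEMPT = "Best Attempt"
REQUIRE_IF_INDICATED = "Require if Certificate Indicates"
REQUIRE_FOR_ALL = "Require for All Certificates"


def revocation_endpoints(peercert: dict) -> tuple[tuple[str, ...], tuple[str, ...]]:
    """Pull the OCSP responder URIs and CRL distribution points out of the
    dict that ssl.SSLSocket.getpeercert() returns; both keys are optional."""
    ocsp = tuple(peercert.get("OCSP", ()))
    crl = tuple(peercert.get("crlDistributionPoints", ()))
    return ocsp, crl


def _verdict(style: str, has_uri: bool, status: str) -> bool | None:
    """Verdict of one method (OCSP or CRL) under one setting:
    True = accept, False = reject, None = no opinion (fall through)."""
    if style == OFF:
        return None
    if not has_uri:
        # Nothing to query.  Only the strictest setting treats that as fatal.
        return False if style == REQUIRE_FOR_ALL else None
    if status == REVOKED:
        return False
    if status == GOOD:
        return True
    # UNKNOWN or UNREACHABLE: "Best Attempt" shrugs (soft fail); the two
    # "Require" settings demand a definitive answer (hard fail).
    return None if style == BEST_ATTEMPT else False


def accept_certificate(ocsp_style: str, crl_style: str, priority: str,
                       peercert: dict, ocsp_status: str, crl_status: str) -> bool:
    """Apply the settings to one certificate.  `priority` ("OCSP" or "CRL")
    is the method consulted first; the other is used only when the first
    has no opinion.  The *_status values are what the checks came back with."""
    ocsp_uris, crl_uris = revocation_endpoints(peercert)
    methods = [(ocsp_style, bool(ocsp_uris), ocsp_status),
               (crl_style, bool(crl_uris), crl_status)]
    if priority == "CRL":
        methods.reverse()
    for style, has_uri, status in methods:
        verdict = _verdict(style, has_uri, status)
        if verdict is not None:
            return verdict
    return True  # no method objected; the chain itself validated, so accept


def fetch_peercert(host: str, port: int = 443) -> dict:
    """Fetch a live certificate in getpeercert() format (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample in getpeercert() shape: a certificate for mail.google.com
# carrying both an OCSP responder and a CRL URL (issuer and hosts are made up).
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "mail.google.com"),),),
    "issuer": ((("organizationName", "Example Issuing CA"),),),
    "OCSP": ("http://ocsp.example-ca.invalid",),
    "crlDistributionPoints": ("http://crl.example-ca.invalid/issuing.crl",),
}

# The thread's scenario: the CA has revoked the certificate, but the attacker
# in the middle also drops every packet to the responder and the CRL server.
BLOCKED = dict(peercert=SAMPLE_PEERCERT, ocsp_status=UNREACHABLE, crl_status=UNREACHABLE)


if __name__ == "__main__":
    for style in (OFF, BEST_ATTEMPT, REQUIRE_IF_INDICATED, REQUIRE_FOR_ALL):
        ok = accept_certificate(style, style, "OCSP", **BLOCKED)
        print(f"{style:32s} -> {'ACCEPTED' if ok else 'rejected'}")
```

The fall-through design mirrors the "priority" setting in the dialog: the first method with a definite answer wins, and a method that is off, has no URI to query, or (under Best Attempt) could not get an answer simply defers to the other. That is also why blocking both endpoints is enough for the attacker under Best Attempt, whereas under the Require settings an unreachable responder for a certificate that names one is itself a rejection.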