In association with heise online

25 March 2011, 14:10

Tip: Activating certificate checks in Safari

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Safari Logo While third-party browser vendors Google (Chrome) and Mozilla (Firefox) have already reacted to the attack on SSL service provider Comodo and provided updates for their Mac versions, Apple's Safari browser remains potentially vulnerable to the falsified certificates that criminals are using. Crucial domains are affected and there could be further manipulation to come – and Safari users might not notice anything. The attackers have so far targetted searches at Google, Gmail, Mozilla's add-on site and the login servers for Windows Live, Yahoo and Skype.

Safari can, however, be made safer simply by changing the preferences. As Mac security specialist Intego demonstrates on its blog, you don't make the changes in Safari, but rather in Mac OS X's keychain management, as the operating system handles SSL checks centrally. Here, you can check the Certificates tab under Preferences to see whether certificates should be checked against recall lists. Comodo has put the domains onto these blacklists, making this a good way to stay safe.

Intego recommends the settings "best attempt" for both the OCSP (Online Certificate Status Protocol) and CRL (Certificate Revocation List) options. OCSP should have priority. However, this workaround is problematic because it can slow you down while surfing. What's worse, the checks may not always be reliable. For these reasons, Apple will have to react soon by blocking the falsified certificates within the operating system. And you can only do that with an update.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit