Apple Delays DigiNotar SSL Update, Partners 'Not Surprised'
More than a week after the DigiNotar breach prompted Google, Mozilla and Microsoft to blacklist hundreds of fraudulent Secure Sockets Layer (SSL) certificates, Apple users are still without a security update protecting them from the spoofed sites and man-in-the-middle attacks the bogus certificates make possible.
But while alarming, Apple’s failure to issue an update protecting its customers from the hundreds of fraudulent SSL certificates issued by Dutch certificate authority DigiNotar is not entirely surprising given the company’s track record on security, security solution providers said Thursday.
Last week, DigiNotar rocked the security community when it revealed that its certificate authority infrastructure had been breached, an intrusion it detected on July 19, and that fraudulent certificates had been issued for a wide swath of domains, including those of Google, Mozilla and Microsoft. The disclosure prompted DigiNotar to suspend its sale of SSL and EV SSL certificates indefinitely.
Since then, Google, Mozilla and Microsoft have all released updates that stop their software from accepting the bogus DigiNotar certificates. Microsoft’s update goes further, moving the DigiNotar root certificates into the Windows Untrusted Certificates store, so that any certificate chaining to them fails validation.
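What these vendor updates actually change is easiest to see in code. The following is an added example, not code from the CRN article or from any of the vendors named in it: a constructed root CA stands in for the breached authority and issues a server certificate for the constructed hostname mail.example.com. A client that still trusts the root accepts that certificate; a client whose trust store has had the root removed rejects it, as does one that keeps the root but carries its SHA-256 fingerprint on a blocklist, which is the effect of an untrusted-certificates store. All names and key material are generated at run time and are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// testPKI is a constructed stand-in for a breached CA: a self-signed root and a
// server certificate that root issued for a hostname it should never have issued.
// All key material is generated here; none of it is DigiNotar's.
type testPKI struct {
	Root *x509.Certificate
	Leaf *x509.Certificate
}

// newTestPKI builds the root and a leaf for hostname, both valid for one day.
func newTestPKI(hostname string) (*testPKI, error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Test Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	root, err := x509.ParseCertificate(rootDER)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: hostname},
		DNSNames:     []string{hostname},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	return &testPKI{Root: root, Leaf: leaf}, nil
}

// fingerprint is the SHA-256 hash of the DER certificate, the identifier that
// vendor blocklists and untrusted-certificate stores are keyed on.
func fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// verifyLeaf models what a TLS client does with a server certificate: build a
// chain to a root in the trust store, check the hostname, and accept only if at
// least one chain avoids every blocklisted certificate (leaf or CA).
func verifyLeaf(leaf *x509.Certificate, trusted []*x509.Certificate, blocklist map[string]bool, hostname string) error {
	pool := x509.NewCertPool() // non-nil and empty: never fall back to system roots
	for _, c := range trusted {
		pool.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: hostname})
	if err != nil {
		return err
	}
	for _, chain := range chains {
		blocked := false
		for _, c := range chain {
			if blocklist[fingerprint(c)] {
				blocked = true
			}
		}
		if !blocked {
			return nil
		}
	}
	return fmt.Errorf("every chain for %s passes through a blocklisted certificate", hostname)
}

func main() {
	const host = "mail.example.com" // constructed hostname
	pki, err := newTestPKI(host)
	if err != nil {
		panic(err)
	}
	withRoot := []*x509.Certificate{pki.Root}
	// 1. Un-updated client: the breached root is still trusted, so the rogue
	//    certificate verifies and a man-in-the-middle using it goes unnoticed.
	fmt.Println("root trusted, no blocklist:  ", verifyLeaf(pki.Leaf, withRoot, nil, host))
	// 2. Root removed from the trust store (what the browser updates did).
	fmt.Println("root removed:                ", verifyLeaf(pki.Leaf, nil, nil, host))
	// 3. Root left in place but explicitly distrusted by fingerprint, the effect
	//    of moving it to an untrusted store rather than deleting it.
	block := map[string]bool{fingerprint(pki.Root): true}
	fmt.Println("root trusted but blocklisted:", verifyLeaf(pki.Leaf, withRoot, block, host))
}
```

Running it prints `<nil>` for the first scenario and a verification error for the other two. The third scenario is also what an individual user achieves by hand when a vendor update is missing: marking the offending root as never trusted in the local keychain or certificate store. That has to be done on every machine, by someone who knows to do it, which is why a platform-wide update matters.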
However, Apple has yet to follow suit.
‘I’m not entirely surprised,’ said Daniel Duffy, CEO of Valley Network Solutions, a Fresno, Calif.-based security solution provider. ‘They’re great innovators, but they’re not a technology company. I see them more as a sales and marketing company.’
Apple did not immediately respond to a request for comment by CRN.
Meanwhile, security solution providers said that by not issuing a timely update blocking the fraudulent SSL certificates, Apple has left its platforms open to attacks they regard as inevitable.
‘As more and more companies are allowing Apple devices, it’s going to be pretty critical sooner than later. Hopefully they won’t be caught behind the eight-ball,’ said Sean Stenovitch, partner at M&S Technologies, a Dallas, Texas-based security solution provider. ‘You don’t have to be a security expert to know that at some point, there’s going to be a problem.’
Duffy said that he ‘wouldn’t be surprised if script kiddies started exploiting that vulnerability’ down the road, adding that up until now, Apple users have been relatively impervious to attacks because of the platform’s single-digit market share.
‘They’ve been fortunate not to have been exposed to attacks to the degree that Microsoft has been,’ Duffy said. ‘A big part of that was they didn’t have as much market share. Now that they’ve become more popular, they have a bigger target on their backs.’
Paul Henry, security analyst with Lumension, said that Apple’s silence on an SSL update was reminiscent of how it handled the compromise earlier this year of a reseller of certificate authority Comodo.
Apple issued a security update about a month after the Comodo incident in March, in which nine fraudulent SSL certificates were issued for seven domains, a fraction of the 531 fraudulently issued certificates, covering hundreds of domains, reported in the DigiNotar case.
Even so, the absence of a response was something of a jolt, given that the company seemed intent on making an enterprise push just as employees’ personal iOS devices, such as the iPad and iPhone, become ubiquitous in the workplace, Henry said.
‘Mozilla, Google Chrome and Microsoft have all responded fast, yet we’re not hearing a word from Apple,’ Henry said. ‘It’s a serious, serious issue. I would have hoped Apple, in their quest to become an enterprise player, would have addressed it quicker.’
Looking ahead, Stenovitch said he saw Apple’s slow security response to the SSL hack as one that could be ‘a big hindrance’ to the company’s efforts to make inroads in the enterprise.
‘If your corporate environment is going to allow everything but Apple, that’s going to force Apple to either update or realize that they’re keeping themselves from getting deeper in the enterprise,’ he said. ‘Common sense tells you that it would be a matter of time before something does happen if they continue to go down that road and not conform to the security practices of the enterprise customer.’
Meanwhile, security experts contend that the lack of an Apple update does not bode well for the company’s millions of customers, enterprise and consumer alike.
Henry said that while he was able to find a workaround for his own Apple devices, the average user would have few tools to defend against man-in-the-middle attacks targeting Mac OS X and iOS devices.
‘But if you bought a Mac for your mom, is she going to be capable of doing that?’ he said. ‘I don’t think so.’