Aug 31, 2011 1:06 PM (in response to John Simpson)
Aug 31, 2011 5:22 PM (in response to John Simpson)
The best place to post your concerns is in the channel Apple has set up for that (rather than these user-to-user help forums where they are most unlikely to see them):
Sep 1, 2011 4:59 AM (in response to Tom Gewecke)
I have already done this. I was hoping somebody here might know of a way to edit the built-in CA keychain, maybe a third-party app or something.
Basically, until Apple either releases a security update with this CA cert removed, or adds a way for me to remove it myself, nobody is allowed to use iPads or iPhones for any company-related purpose at work. They rely on Google for email, shared documents, and calendars, and they don't want anybody using any devices on the network unless we know that the DigiNotar cert has been disabled or removed. In fact, yesterday I was told to block the MAC addresses of the iOS devices from the wireless routers until this is done.
Sep 1, 2011 5:30 AM (in response to John Simpson)
There certainly doesn't seem to be anything in the app store that does what you need, and that is the only place to look. There is a forum for enterprise issues here:
Have you tried contacting AppleCare directly?
Sep 1, 2011 11:07 AM (in response to John Simpson)
Sep 5, 2011 5:03 PM (in response to The_Patcher)
I'm guessing that the "Fraud Warning" feature in Mobile Safari can automatically update the list of trusted CAs. It's fixed for me too, running iOS 5 beta.
Sep 6, 2011 4:16 PM (in response to The_Patcher)
Hmmmm... My iPhone 4 and iPad 2 both go right to those DigiNotar sites, even though I am also running 4.3.5, and have Fraud Detection set to "on". So it is not some universal fix, or at least having the latest iOS and Fraud Detection On is not enough to trigger it.
Does anyone have an idea how to protect iOS devices in this regard?
Sep 7, 2011 11:50 AM (in response to Suzanne S)
DigiNotar has probably replaced the certificates they are using for their own site at this point, so you probably would not see an error for their own sites. The issue is that whoever has these certificates is able to perform a man-in-the-middle attack against users of the 531 sites for which certificates have been issued until everyone updates to the latest security updates for their devices.
So far, the only active use of the bogus certificates is in Iran. If you are not using an Iranian-based DNS server (which is needed to redirect you to the "middleman" server) you are probably safe from most of these certificates. Of course, there are ways to attack the DNS system too, so no one is entirely safe until all systems have been updated to not trust any of the DigiNotar certificates compromised.
It appears, based on the above, that fraud warning can also detect this, in which case most iOS device users are already covered.
Still, I will be happier when I see the security updates from Apple. It may take a while due to the testing as apparently they found a bug in the certificate validation process. Better to test it and get it right than have to reissue a fix.