23 Replies. Latest reply: Jun 24, 2011 10:37 AM by gioros
  • flookoco Level 1 (0 points)

    Yes, that definitely put the App Store back to full speed. Thank you.


    I am however reluctant to leave my system in this condition, primarily because I do not understand the implications. Could someone please explain if leaving this setting to 'off' would be a security threat to my iMac?

  • lastefan Level 1 (15 points)

    That fixed the problem for me too. But what did I do and will this risk my computer to a greater extent than before?

  • Matthew Barker Level 1 (90 points)

    Background

    The CRL is a "Certificate Revocation List" which is maintained by the CA ("Certificate Authority") that issued the certificate. This can be a multi-layer thing, starting with the "Root CA" and through successive "CAs" until you get to the server in question. The client can also have a certificate chain attached that the server verifies, but we'll keep it simpler by deferring that.


    You can see a graphic depiction of a certificate chain by logging into the Apple Discussions using Safari and then clicking on the little padlock symbol on the right end of the Safari window.

    You'll see something like:

    "GTE CyberTrust Global Root"

    -> "Akamai Subordinate CA 3"

    -> "discussions.apple.com"

    This is a certificate chain. The very first certifier, who has taken responsibility to verify the next Certificate Authority, is "GTE CyberTrust Global Root". If you highlight that line at the top of the window, you'll see that you can expand the window and see information about the certifier, their certificate, and often links to further information. You'll see that the certificate says it is "self-signed". This means that GTE created the certificate themselves and they are (hopefully) a trusted Certificate Authority. Note that if it's not a server inside your house or your company, this is not OK unless it is a genuine Root CA.

    Now, if you highlight "Akamai Subordinate CA 3" and look through the fields, you can see a field called "Usage" which says "Verification". That certificate is valid for verifying subordinate certificates, like "discussions.apple.com".


    Poke around in the certificates and you'll see a bunch of gobbledygook, but also some intelligible information. If you look through the GTE root certificate, you'll see a link to information on the Verizon web site, some of which may be of interest (or not).


    If you're wondering how you know that GTE can be trusted, open up the Keychain Access application (it's in /Applications/Utilities or Cmd+Shift+U from Finder) and look at the list for "System Roots". If you search the list, you'll find the GTE root CA certificate. Apple has preloaded the certificates for all of the trusted root CAs here.


    And the point...

    Each CA has a Certificate Revocation List which can be consulted by any party wanting to know if the certificate is still good. Each time a certificate exchange happens, each CRL for each CA in the chain is queried (I don't think a local copy is saved for consultation).


    If someone has a revoked certificate, either it's been revoked because there was a problem discovered with their identity or because the certificate expired, as all certificates have an expiry date.


    In practice, some of the intermediate Certificate Authorities do not meticulously update their Revocation Lists, so it may not be a problem. If there is no chain to the root authority or any of the certificates in the chain are expired, you should see a notation next to the certificate to show that it is no longer valid. In the case where Safari puts the site name in the right end of the address bar (usually in green), I think the site name will show in red to indicate an invalid certificate or certificate chain, thus a possibly risky situation.


    So if you want simplicity, look for red and green. If you want meticulous validation of each site (which is only as good as the most weakly maintained CRL list in the certificate chain), then turn on CRL checking for those times.


    As a safety measure, you can, perhaps, just specifically turn off the checklist when you are using AppStore.


    I hope this helps a little.

    Kind regards,

    Matthew
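As an added example (not code from the thread or from Apple), here is what "CRL checking on" adds on top of plain chain verification, in Go against the standard library: a constructed chain like the one Matthew describes, and a check that walks the chain and consults the issuer's CRL at every hop, failing closed when the CRL is missing, not signed by that CA, or past its NextUpdate. The CA names, serial numbers and the map of CRL bytes are assumptions; a real client fetches each CRL from the URL in the certificate's CRLDistributionPoints.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs a certificate for cn with parent's key; parent == nil yields a self-signed root CA (constructed fixture).
func issue(cn string, serial int64, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: isCA,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CA bits on every cert, for brevity
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil {
		parent, pkey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // re-parse so computed fields such as SubjectKeyId are filled in
	return c, key
}

// checkChain verifies leaf up to a trusted root and, only with crlCheck on, looks every certificate below the root up
// in its issuer's CRL: the step Keychain's CRL setting turns on or off. crls is keyed by CA name (assumed fetched already).
func checkChain(leaf *x509.Certificate, roots, inters *x509.CertPool, crls map[string][]byte, crlCheck bool) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	if err != nil || !crlCheck {
		return err // broken or expired chain, or CRL checking off: a revoked certificate passes here
	}
	for i := 0; i+1 < len(chains[0]); i++ { // chains[0] runs leaf -> intermediates -> root
		cert, ca := chains[0][i], chains[0][i+1]
		crl, err := x509.ParseRevocationList(crls[ca.Subject.CommonName])
		if err != nil || crl.CheckSignatureFrom(ca) != nil || time.Now().After(crl.NextUpdate) {
			return fmt.Errorf("no current CRL signed by %s", ca.Subject.CommonName)
		}
		for _, r := range crl.RevokedCertificates {
			if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
				return fmt.Errorf("%s was revoked by %s", cert.Subject.CommonName, ca.Subject.CommonName)
			}
		}
	}
	return nil
}
```

With crlCheck false the function is exactly leaf.Verify, so a certificate that its CA has since revoked still passes; that is the trade the thread's workaround makes.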

  • gioros Level 1 (15 points)

    For a brief note on the security aspect, see this page:

    <http://securityskeptic.typepad.com/the-security-skeptic/2011/04/mac-users-listen-up-enable-certificate-checking.html>

    Please also read the last paragraph of the article and consider that both "Online Certificate Status Protocol (OCSP)" and "Certificate Revocation List (CRL)" are disabled (off) by default in Mac OS X.

    Anyway, you could always disable/re-enable the settings in question when you need to have a decent use of MAS.

  • flookoco Level 1 (0 points)

    Thanks Matthew, I don't know how you guys know what you know, but I'm glad you do.

  • flookoco Level 1 (0 points)

    Thanks gioros. It's a workaround that works, but somehow I expect more from Apple.

  • Montana Level 1 (105 points)

    I've had (have) this problem and tried all the suggestions - the only thing that works is turning CRL to "Off." This seems really unacceptable.

  • drakomad Level 1 (0 points)

    Thanks from Spain gioros. Your answer works fine. That fixed the problem. I was crazy to figure out the problem.

    THX

  • gioros Level 1 (15 points)

    IMPORTANT UPDATE

    =================


    Hi All,


    The upgrade to SL 10.6.8, and consequently of the associated Mac App Store (1.0.2), has cured the problem.

    Therefore, if you have previously disabled the CRL check in the Keychain Access/Preferences, you can enable it again.

    When you launch Mac App Store with the CRL on, it will take a while to connect (spinning beachball) on the first run and then it will operate normally. From the second launch, it will run at normal speed.


    Thanks Apple (finally)
