Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

User profile for user: romko23
romko23 Author
User level: Level 2
408 points

DigiNotar CA Root - Now we can't use PPC macs anymore?

Hello,


To anyone who can respond to my question.. I just found out that Apple is no longer going to provide security updates to those running Leopard or even Tiger. Its regarding this Digitar CA Root certificate which can have disasterous consequences for us who still use and or enjoy PPC macs. Is there really a need to panic here or is it just me?


I use my Power Mac G5 for everyday stuff while my Mac Pro lies on the floor, dismanteled as I don't know as of yet what to use it for. I am really concerned for my G5 and my information as I heavily use my G5 for everyday tasks. Should I be wary of this certificate in keychain? I followed all the instructions I foind out about this certificate on www.lowendmac.com, but I wonder if my system is still safe now that Apple won't provide security updates anymore to those who still use Leopard?


I set my browsing to Private browsing in Safari 5.0.6, and also deleted the DigiNotar certificate in the keychain manager..


Someone please shed some light on this..


Thanks.


Romko.


Message was edited by: romko23

Mid-2010 Mac Pro W3580, 5770 Radeon, G5 Quad, G4 PB 1.67 DL/HD, G4 Pismo 550, Mac OS X (10.6.6), 8GB DDR3 1333 Memory, dual superdrive, OS 9.2.2, OS X Public Be

Posted on Sep 18, 2011 5:28 PM

Reply
26 replies
User profile for user: romko23
romko23 Author
User level: Level 2
408 points

Sep 18, 2011 8:04 PM in response to BDAqua

Hey BDAqua!


So, what do I do??? Do I stop using Safari or my G5 all together?? Granted, I do have my 6-core mac pro, but I love my G5 more though.. Advise on what I should do. Here is what I did to further protect myself:


First, I deleted the DigiNortar CA Root certificate from my keychain.

Secondly, I set my browsing on my safari browser to private

Thirdly, I did not delete flash or java as of yet.


Are we up the creek??? What do I do? What do we do if we still use our PowerPC macs? Certainly, the other web browsers still will protect us, right? The other ones I use are: Camino, Roccat browser, Omiweb, TenFourFox, Stainless.


Tell me we are not done for?

Reply
User profile for user: BDAqua
BDAqua
User level: Level 10
240,533 points

Sep 18, 2011 9:06 PM in response to romko23

Well, Flash will never be safe on PPC macs antmore, Adobe patched some 200-400 Swcurity problems a month or so ago, but we can't use that version. 😟


I think Safest is Firefox with No-Script, Ad Block, Ghostery, Beef Taco, Certificate Patrol, SSLPersonas, Conspiracy, CreditCardNanny, WOT, & Tracker Block, as well as Little Snitch.

Reply
User profile for user: BDAqua
BDAqua
User level: Level 10
240,533 points

Sep 18, 2011 9:45 PM in response to romko23

Well, I don't know the chances, but I consider online Banking the biggest target of hackers, of course Financial institutions don't like to advertize the fact & seem to go out of their way to keep it out of the news.


If I had to do online banking it'd have to be with FireFox, or Safari's update 6 months from now for banking a year ago. 😉


Google online banking hacked for one.

Reply
User profile for user: romko23
romko23 Author
User level: Level 2
408 points

Sep 18, 2011 10:45 PM in response to BDAqua

BDAqua,


Ok, I decided to hook up my Mac Pro instead for the time being.. until someone can tell me that I will be safe when I browse the internet on my Power Mac G5 Quad. I know I might be getting carried away here, but I did not know this until yesterday morning that Apple pulled the plug on Leopard updates and this DigiNortar certificate stuff.


If I provide you the links to all this, can you assure me that I will be fine on my G5?


Here are the links:


http://www.lowendmac.com/newsrev/11mnr/0916.html - I believe its the 1st two entries.

Reply
User profile for user: BDAqua
BDAqua
User level: Level 10
240,533 points

Sep 18, 2011 11:51 PM in response to romko23

Well, this is how I see it, I really don't think you can rely on anybody else for security, no matter who it is, or what OS you use...


In this Internet age I picture living on a street where most anybody in the world can knock on your door... do I want to open the door & see who it is, or do I want to check first & have a sidearm ready?


Worse, I could just open my door to go to work, play, what have you & be accosted... should I cal 911, the FBI, the CIA, KGB, Victims rights associations, my cungressmen/women, Apple, Microsoft, Google, or be prepared to protect myself... these Certificate Barn Door things were closed very quickly months after the Cows escsaped, would you feel safe with any protection in place by somebody else, when that situation didn't matter how old or new of OS you were using had no matter/effect, other than any attack was more likely in my opinion to target latter OSes?


I feel safe using any OS I have on the Internet, I just don't count on others finding out who murdered me, I'd rather not be murdered by going the extra mile or two to be NOT murdered in the first place to the best of my ability. 🙂

Reply
User profile for user: romko23
romko23 Author
User level: Level 2
408 points

Sep 19, 2011 4:39 PM in response to BDAqua

BD,


Until further notice and until further investigation and research is being done about this situation, I have decided to take my G5 off line for now and use my Mac Pro. I love my Mac Pro, yes... but I prefer my G5 and my PowerPC macs over my Intel ones, but if this problem with no more security updates is really huge, then we need to do something to protect our selves..


Maybe Japamac can chime in on this as this is VERY SERIOUS..

Reply
User profile for user: BDAqua
BDAqua
User level: Level 10
240,533 points

Sep 19, 2011 5:12 PM in response to romko23

Open Keychain Access

  1. Search for diginotar
  2. Inspect each DigiNotar Root CA certificate (right click > Get Info)
    1. Expand Trust
    2. Set When using this certificate: to Never Trust

Not trusting a certificate should invalidate the complete subsequent keychain of trust but because of the bug in Safari/Mac EV SSL certificates still validate even if signed by an untrusted CA. Until this bug has been confirmed and fixed by Apple the only way to circumvent this problem is to delete all DigiNotar certificates from your keychain.

http://www.io101.org/blog/howto/check-untrust-disable-diginotar-https-ssl-root-c a-certificate-mac-os/

Download a package that will delete the DigiNotar Root CA certificates and will revoke the trust on the two root certificates and the four DigiNotar intermediate certificates. The package is now at version 2.1. Please use this version instead of versions 1.0 and 2.0.

Update (11-Sep-2011 9:35 PM EDT): Apple has finally released an official fix for Snow Leopard and Lion. If you are running Leopard on PPC machines, the version 2.1 package has been tested and works with Leopard. Still no sign of an update for iOS, unfortunately.

http://ps-enable.com/articles/diginotar-revoke-trust


But why use Safari?

Reply
User profile for user: romko23
romko23 Author
User level: Level 2
408 points

Sep 19, 2011 8:47 PM in response to BDAqua

Ok, I did better than that.. I deleted the entire certificate and all of its associated components. Now I should be safe, right? Now its a choice between continuing to use Safari or maybe some of my other web browsers. I like TenFourFox, but I do notice it is kind of slow even on my G5 Quad, but omniweb works just as well.

Reply
User profile for user: BDAqua
BDAqua
User level: Level 10
240,533 points

Sep 19, 2011 9:26 PM in response to romko23

I deleted the entire certificate and all of its associated components. Now I should be safe, right?

Yes.

I deleted the entire certificate and all of its associated components. Now I should be safe, right?

You hve choices, I like Slow/more secure over fast/less secure, don't know about OmniWeb, could never take a liking to it though I tried, still... I'd choose just about any 3rd party anything over the choices Apple provides.

Reply
User profile for user: Dave Hamilton
Dave Hamilton
User level: Level 5
6,834 points

Sep 20, 2011 9:28 AM in response to BDAqua

This seems to work in OS 10.4.11 also. It installed without any issues.

BDAqua wrote:

Download a package that will delete the DigiNotar Root CA certificates and will revoke the trust on the two root certificates and the four DigiNotar intermediate certificates. The package is now at version 2.1. Please use this version instead of versions 1.0 and 2.0.

Update (11-Sep-2011 9:35 PM EDT): Apple has finally released an official fix for Snow Leopard and Lion. If you are running Leopard on PPC machines, the version 2.1 package has been tested and works with Leopard. Still no sign of an update for iOS, unfortunately.

http://ps-enable.com/articles/diginotar-revoke-trust


But why use Safari?

Reply
User profile for user: Mrs H
Mrs H
User level: Level 2
231 points

Sep 20, 2011 2:39 PM in response to BDAqua

Hi BDA,.


Always one to worry, me!


Remember I'm using Intel Macs - 10.4.11 on MBP and 10.6.6 on iMac. Still using Firefox until Mozilla stops doing security updates for Tiger and then - well you've read my other thread on this and know I'm shopping for a new browser...


This discussion here panicked me nonetheless because I don't understand it.


I went to Keychain access -> system roots on the iMac and found this (I assume a similar thing shows up on Mr H's MBP):


User uploaded file

Is this second line what you are talking about here?


Do I need to worry about this on our Intels? Even on Intels running Tiger?


I just did a never trust for it on the iMac and the MBP - is that sufficient?? or do I need to dig deeper?


Mrs H

Reply

DigiNotar CA Root - Now we can't use PPC macs anymore?

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple ID.
Learn more Sign up