Shortly after I upgraded to OS X 10.9.2, I was connecting to battle.net, and I got an SSL error. At the time, I didn't think anything of it (after all, sites have bad SSL certificates all the time). However, I noticed it again today when looking at the page for Reaper of Souls, and decided to look into it again. When I did, I found something very unusual: my system has a second copy of the DigiCert root CA certificate in the "login" keychain. For those of you who aren't familiar, OS X uses a hierarchy of binary key/password databases called "keychains" to store sensitive materials. Generally, Root CA certificates are only found in the Trusted Roots keychain; the "login" keychain (which is a per-user keychain writable without root privileges) is only used to store passwords and other application-level data.
So, as you might imagine, I was pretty nervous when I saw this. If I were writing malware and I wanted to increase the amount that I could screw with people, installing a malicious root CA certificate would be a great way to do it. All SSL would be man-in-the-middleable unless the target application was using certificate pinning1!
For posterity, I've exported both of the unusual certificates:
- DigiCert-High-Assurance-CA-3.pem (fingerprint:
A2:E3:2A:1A:2E:9F:AB:6E:AD:6B:05:F6:4E:A0:64:13:39:E1:00:112) - DigiCert-High-Assurance-EV-Root-CA.pem (fingerprint:
91:8D:A5:E4:99:C1:5F:7C:62:75:B1:24:FE:DE:53:35:7C:34:BD:36)
(note that the "Root CA" here has an Issuer field of C=US, O=Entrust.net, OU=www.entrust.net/CPS incorp.)
Compare these to the real certificates (DER encoded, sorry):
- DigiCert High Assurance CA-3 (fingerprint:
42:85:78:55:FB:0E:A4:3F:54:C9:91:1E:30:E7:79:1D:8C:E8:27:05) - DigiCert High Assurance EV Root CA (fingerprint
5F:B7:EE:06:33:E2:59:DB:AD:0C:4C:9A:E6:D3:8F:1A:61:C7:DC:25)
Now, I'm not the first person to notice this. DigiCert posted about it on their twitter feed last month, and there are a couple of references online; however, nobody seems to have tracked down anything useful.
Here are my questions:
- What is this certificate?
- Why did 10.9.2 install it?
- Why has Apple not released a subsequent update to remove it?
- Why does OS X even support trusting root CAs that aren't in a system-protected keychain?
This could be totally innocuous; DigiCert could be rekeying or updating their intermediate hierarchy. Although both the "good" and the "bad" certs have issue dates in 2006, so that seems moderately unlikely. It could also be a bug on Apple's part, an accidental inclusion of some testing data. But if it was, I'd expect to have seen a subsequent update by now.
I'd like to think that this is a bug... but damn if this isn't suspicious behavior. So far, I haven't been able to find any evidence of active man-in-the-middling, but I'm a might bit suspicious, to say the least.
If you're on OS X, I recommend that you check in Keychain Access (/Applications/Utilities/Keychain Access.app) and see if your login keychain
also contains these mysterious DigiCert root CA certificates; if you're half as suspicious as I am, I'd recommend deleting them. And if you happen
to be enough of a PKI nerd to explain what the heck's going on here, I'm all ears. Feel free to comment below or on Twitter
or whatever.
Incidentally, Blizzard seems to use certificate pinning in Battle.net. I'm sure it's an anti-cheating thing, but it's also a nice security bonus.
Collect fingerprints with openssl x509 -in <filename> -text -fingerprint ; add -inform der for DER-encoded certs
Want to comment on this? How about we talk on Mastodon instead?
Share on Mastodon