Security Update 2006-007 Special Report: Login to secure sites fails

CNET staff

A surprisingly high number of users are reporting problems logging into secure (https) Web sites in Safari and other WebKit-based applications after applying Security Update 2006-007. Firefox and other non-WebKit-based browsers generally are not affected by this issue.

Since this update makes modifications to WebKit, it's logically implicated in the difficulties.

Even more telling than the WebKit changes, however, is the resolution (in this security update) of a vulnerability where "certain revoked certificates may be erroneously honored." It appears Safari is -- instead of erroneously honoring bad certificates -- erroneously rejecting some certificates.

There's one more change in Security Update 2006-007 that could be implicated in this problem: a fix for a vulnerability where it may be possible to create an X.509 certificate containing a public key that "could consume a significant amount of system resources during signature verification. An attacker may cause a system to process such a certificate, leading to a denial of service."

In at least some cases, the issue appears to be tied to certificates issued by VeriSign. Safari is incorrectly interpreting some of these certificates as invalid, reporting a mismatch between the host name listed in the certificate and the host name of the visited URL.

As such, one potential fix involves deleting certificate entries using Keychain Access, as follows:

  1. Launch Keychain Access (located in Applications/Utilities)
  2. Click on "Certificates" in the left-hand pane
  3. Delete any entries from VeriSign, or any certificates with a red cross next to them
  4. Re-attempt access to the problematic secure site

The most successful fix, however, involves deleting the file com.apple.security.revocation.plist from the following directory:

  • ~/Library/Preferences

You can replicate this workaround to some extent without deleting any files by opening Keychain Access (as mentioned above) then navigating to its Preferences (under the Keychain Access menu), clicking on the "Certificates" tab and making sure that both "Online Certificate Status Protocol (OCSP)" and "Certificate Revocation List (CRL)" are turned off. However, some users have found that only deleting the aforementioned file works.
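A reversible form of the file deletion described above, as an added example that is not part of the original article: it moves com.apple.security.revocation.plist aside instead of deleting it, so the earlier OCSP and CRL settings can be put back later. The function names and the ".disabled-<timestamp>" backup suffix are assumptions of this example.

```shell
#!/bin/sh
# Added example: set the revocation preferences file aside instead of deleting it.
# Function names and the ".disabled-<timestamp>" suffix are assumptions of this example.

REVOCATION_PLIST="com.apple.security.revocation.plist"

# set_aside_revocation_prefs [prefs_dir]
# Prints the backup path on success; returns 1 if there is no file to move.
set_aside_revocation_prefs() {
    prefs_dir="${1:-$HOME/Library/Preferences}"
    src="$prefs_dir/$REVOCATION_PLIST"
    if [ ! -f "$src" ]; then
        echo "no $REVOCATION_PLIST in $prefs_dir" >&2
        return 1
    fi
    backup="$src.disabled-$(date +%Y%m%d%H%M%S)"
    # Never overwrite an earlier backup taken in the same second.
    n=0
    while [ -e "$backup" ]; do
        n=$((n + 1))
        backup="$src.disabled-$(date +%Y%m%d%H%M%S)-$n"
    done
    mv "$src" "$backup" && printf '%s\n' "$backup"
}

# restore_revocation_prefs backup_path [prefs_dir]
# Puts a backup back; returns 2 rather than overwrite a preferences file
# that has been recreated since the backup was taken.
restore_revocation_prefs() {
    backup="$1"
    prefs_dir="${2:-$HOME/Library/Preferences}"
    dest="$prefs_dir/$REVOCATION_PLIST"
    [ -f "$backup" ] || { echo "backup not found: $backup" >&2; return 1; }
    if [ -e "$dest" ]; then
        echo "$dest exists; not overwriting" >&2
        return 2
    fi
    mv "$backup" "$dest"
}
```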

Unfortunately, in some cases, it may be up to certificate providers to update their certification methods for compliance with Apple's new, more stringent security standards.

Other less successful solutions for this issue include:

Temporarily disabling JavaScript: JavaScript can be disabled by opening Safari's preferences (under the "Safari" menu), then clicking the "Security" tab and de-selecting the option "Enable JavaScript."

Empty cache: In other cases, this problem can be solved by simply emptying the cache (Safari menu > Empty Cache). In still other cases, the solution is to open Safari's preferences, click on the Security tab, then "Show cookies," and delete all cookies.

Delete .plist file: Some users have found success with deleting the file com.apple.Safari.plist from ~/Library/Preferences.

Reset Safari: Finally, resetting Safari (via the "Reset Safari" command, accessible under the "Safari" menu) can resolve site access/login issues in some cases. Note that this will delete your browser history, cache, cookies, and other stored data.

Double-click login.keychain: In some cases, the solution is as easy as navigating to ~/Library/Keychains/ (this is the Library folder inside your user home folder), then finding the file named "login.keychain" and double-clicking it.

MacFixIt reader Booker writes:

"Since the security update Safari no longer is able to log in to secure sites. I have a Mac Mini PPC. Tiger. I tried resetting Safari and nothing happens."

Another reader writes: "It may be totally unrelated but I just applied the update, rebooted and my Google Notifier application (Gmail and Gcal) seems unable to log in properly, asking me for credentials every 30 seconds."
