
Disabling certificate authorities on Mac OS X

2 Jan

After listening to Security Now! episode 177, and reading the notes that went with that episode, I wanted to know how to disable certificate authorities on my Mac OS X operating system. At the time I read the notes, Steve Gibson had not yet included instructions for Mac OS X (only for Windows).

So, Google being my friend, I found that in Mac OS X certificate authorities are accessed via an application called Keychain Access. Therein you will find a group called “System Roots”. Simply select all certificate authorities, press Cmd-I for info, and check in every info window whether the authority uses SHA-1 or SHA-256 to digitally sign its certificate. If it doesn’t, but uses MD5 instead, you can change whether or not you trust it in the same info window (simply change the setting to “Never Trust”). I had to give my administrative user name and password to confirm the changes, and restarted my Mac, just to be sure the changes were applied (not sure if that is necessary, but it doesn’t hurt either).

So this seems to be how to disable certificate authorities that still use MD5 on your Mac OS X operating system. Of the 147 certificate authorities on my copy of Mac OS X 10.5.6 Leopard, I disabled 27 that used MD5, which is no longer trustworthy, according to Steve Gibson’s sources.
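Clicking through 147 info windows is tedious and error-prone, so here is a small script that does the same audit on a PEM bundle: it reads each certificate, decodes the outer signatureAlgorithm OID straight from the DER, and flags MD2/MD5 signatures. This is an added example, not code from the original post; it uses only the Python standard library. The input bundle below is constructed in the script itself (Certificate-shaped DER blobs with dummy bodies, not real certificates) so it runs offline; on a real Mac the PEM text could instead come from `security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain`.

```python
import base64
import re

# OIDs of common X.509 signature algorithms (RFC 3279 / RFC 4055).
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
WEAK_DIGESTS = ("md2", "md5")   # digests with practical collision attacks


def _read_tlv(data, pos):
    """Decode one DER TLV at data[pos]; return (tag, value_bytes, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _decode_oid(body):
    """Turn OBJECT IDENTIFIER contents into dotted notation."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # last byte of a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der):
    """Return the dotted OID of the outer signatureAlgorithm of a DER Certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, cert_body, _ = _read_tlv(der, 0)
    assert tag == 0x30, "not a SEQUENCE"
    _, _, pos = _read_tlv(cert_body, 0)                 # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(cert_body, pos)          # AlgorithmIdentifier
    assert tag == 0x30, "signatureAlgorithm is not a SEQUENCE"
    tag, oid_body, _ = _read_tlv(alg_id, 0)             # its first element is the OID
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return _decode_oid(oid_body)


def pem_to_der_list(pem_text):
    """Extract every CERTIFICATE block from PEM text as raw DER bytes."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                        pem_text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]


def audit(pem_text):
    """Return [(index, algorithm name, weak?)] for each certificate in the bundle."""
    results = []
    for i, der in enumerate(pem_to_der_list(pem_text)):
        oid = signature_algorithm(der)
        name = SIG_ALG_OIDS.get(oid, oid)               # unknown OID: report it raw
        weak = any(name.lower().startswith(d) for d in WEAK_DIGESTS)
        results.append((i, name, weak))
    return results


# --- constructed sample input (not real certificates) ------------------------

def _der(tag, body):
    """Minimal DER encoder (short and long length forms)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out


def make_cert_shaped_der(sig_oid):
    """CONSTRUCTED: a Certificate-shaped DER blob with dummy tbs and signature fields."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                           # placeholder tbsCertificate
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))  # OID + NULL params
    sig = _der(0x03, b"\x00" * 17)                                  # dummy BIT STRING
    return _der(0x30, tbs + alg + sig)


def to_pem(der):
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + \
           "-----END CERTIFICATE-----\n"


SAMPLE_BUNDLE = "".join(to_pem(make_cert_shaped_der(o)) for o in
                        ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"))

if __name__ == "__main__":
    for idx, name, weak in audit(SAMPLE_BUNDLE):
        print(f"cert {idx}: {name}{'  <-- MD-based signature, consider Never Trust' if weak else ''}")
```

The script looks only at the outer signatureAlgorithm field, which is exactly what the Keychain Access info window reports, so it does not need a full X.509 parser; a self-signed root's signature says nothing about the root's own trustworthiness, but an MD5-signed root is the kind of entry the post is hunting for.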

Now, if you run into problems, you can simply change back the trust of the certificate authority when prompted with an untrusted certificate pop-up window. I use Google IMAP, which uses a certificate authority that signs with MD5. I know Google, and trust Google enough as an e-mail provider. To be absolutely secure, I should revert from IMAP to POP3 e-mail, because some evil hacker could use Google’s root certificate authority to create a phony SSL certificate.

That is all.


Oops, that wasn’t all. Twitter uses yet another certificate authority which signs with MD5, so I had to trust Twitter’s root certificate authority as well. I’m afraid it isn’t as easy as I initially thought to live without MD5-signing certificate authorities.

If I come across other issues, I will add those to this post as well.


January 7, 2009: iTunes uses an unknown (to me) root certificate authority, leading to a 9813 error when doing business (even subscribing to free podcasts) with the iTunes program. So, reluctantly, I have enabled the dubious root certificate authorities. This is going to be a big problem in months to come.