Configuring Safari to revoke compromised certificates

http://blog.intego.com/2011/03/24/protect-safari-from-fraudulent-digital...

There has been a recent compromise of a major registration authority
(RA) at Comodo.

https://www.eff.org/deeplinks/2011/03/iranian-hackers-obtain-fraudulent-...

A group of Iranian hackers was able to compromise an account and issue
certificates signed by a trusted RA. If they are also able to poison DNS,
they could spoof SSL connections to the following domains, and the
connections would appear trusted to the end user.

Domain: www.google.com [NOT seen live on the internet]
Domain: login.yahoo.com [Seen live on the internet]
Domain: login.yahoo.com [NOT seen live on the internet]
Domain: login.yahoo.com [NOT seen live on the internet]
Domain: login.skype.com [NOT seen live on the internet]
Domain: addons.mozilla.org [NOT seen live on the internet]
Domain: login.live.com [NOT seen live on the internet]
Domain: global trustee [NOT seen live on the internet]

Comodo has since revoked the certificates in question. Major browsers
such as Mozilla's Firefox and Google's Chrome have issued updates to
their browsers to block these compromised certificates. Apple's Safari
browser does not do so, though.

It turns out that Apple's Mac OS X operating system uses the global
Keychain Access preferences to turn on Online Certificate Status
Protocol (OCSP) and Certificate Revocation List (CRL) checking, the two
mechanisms used to determine whether a certificate has been revoked.

These settings are turned off by default in Mac OS X. It is recommended
that users turn them on (instructions in the first link above). It
should be noted that enabling revocation checking adds an additional
step to the process of browsing to SSL encrypted sites; the delay may or
may not be noticeable to the user. It should also be noted that this
does not solve the problem for all Mac OS X software, as some
applications do not use Keychain Access for their OCSP/CRL settings.

Thanks,
ep