The only one to blame...
Is you, yourself and YOU. ...and DigiNotar.
This is ridiculous IMO. No, I'm not an Apple fanboy; my personal stance on Apple is that it's usually overpriced stuff, and although I never owned an Apple product I still dare question some of it.
But that is not the frickin' point, yet that's what I think is driving people towards being so negative here.
If you care so much about security, as at least some claim to, then why do you even bother waiting for some big company to "fix your system" when all you had to do was tell your OS not to trust those certificates anymore?
That's stupid! If you really think this to be that important, then the first thing you should have done was open up your certificate manager to revoke trust in these root certificates; it really is that simple. Security doesn't start with trust in your OS or the support you get for it; it starts with YOU understanding how your OS actually works. No, not in every detail, but the main aspects at the very least.
On Linux you either tell your browser to do this or you remove the stuff from /etc/ssl/certs. On Windows you simply open the system certificate manager (or go through Internet Explorer) and either remove said certs or disable their functionality ('purposes'). It's not that hard, honest. On Apple: sorry, I don't know. And yes, despite my earlier-stated opinion I'm still curious how that might work. You will never see me putting Apple or its products down in any way; that's stupid too.
Sure, I agree that the companies who support our OS or browser also have a responsibility here. But I don't think it's fair to claim that stuff like this needs to be changed ASAP and to ridicule them when they took their time.
Because the REAL blame here isn't with the browsers but with the people behind said certificate. You see, browsers normally don't NEED to remove a certificate in order for it to get revoked; if you think so, you have no clue how this thing even works. A CA normally also supplies a so-called CRL location with its certificates: a Certificate Revocation List. Which can be used to revoke a certificate "just like that".
"But if the certificate itself got hacked like here, you're screwed anyway!" Not true. The /certificate/ and the /certification process/ got compromised, yes. But I didn't read anything about the DigiNotar webservers (for example). Did you know that a certificate can contain "CRL distribution point" locations? Which can also be web-based locations? Did you know that much certificate-based software has been developed with the ability to check up on those locations?
For the non-techies: what this basically means is that with the distribution of a certificate you also maintain a revocation list which tells the world which certificates are no longer trusted by you. So in an incident like this, all you had to do was revoke trust yourself and put that revocation online ASAP.
Funny how hardly anyone uses those revocation distribution points. Funny how MS even /enforced/ its usage on Windows Server 2003 through its CA service (enforced and /fully/ supported it). Funny how some of their certificates do include this small tidbit.
My stance on all this: you're barking up the wrong tree; this is a goose chase. The only one to really blame here is DigiNotar, for not taking action and responsibility themselves. And all those naysayers who are now barking at Apple. If it was so bad, then you should have had those certs removed yourself, easy as that.
If you blindly trust a company or organization to keep you safe then you're deluding yourself IMO. Sometimes you have no choice, absolutely true, but that isn't the case here.
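The CRL mechanism the post above describes, as an added example that is not part of the original post and not DigiNotar's or any vendor's code: a throwaway CA built with openssl issues a leaf certificate carrying a CRL Distribution Point, revokes it, publishes a CRL, and a relying party checks the result three ways (no revocation check, CRL check with the CRL at hand, CRL check with the CRL unavailable). The CA name, the hostname and the CDP URL `http://crl.example.test/root.crl` are made up; nothing is fetched over the network, the CRL file is simply passed in as if it had been downloaded from that URL.

```shell
#!/bin/sh
# Added example, not from the original post or from DigiNotar/any vendor.
# Builds a throwaway CA with openssl, issues a leaf cert that carries a CRL
# Distribution Point, revokes the leaf, publishes a CRL, and shows how the
# relying party's verdict depends on whether it actually checks that CRL.
# CA name, hostname and CDP URL are made up (hypothetical).
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

CDP_URL="http://crl.example.test/root.crl"   # hypothetical CDP location

# Minimal openssl ca(1) / req(1) configuration, written inline.
# "\$dir" is left for openssl to expand; "$WORK" and "$CDP_URL" expand here.
cat > ca.cnf <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = $WORK
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = any_policy
x509_extensions  = leaf_ext

[ any_policy ]
commonName = supplied

[ leaf_ext ]
basicConstraints      = CA:FALSE
crlDistributionPoints = URI:$CDP_URL

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = keyCertSign, cRLSign

[ req ]
distinguished_name = dn
prompt             = no
x509_extensions    = ca_ext

[ dn ]
CN = placeholder
EOF

mkdir newcerts
: > index.txt
echo 01 > serial
echo 01 > crlnumber

# 1. Self-signed root CA.
openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -keyout ca.key \
    -out ca.crt -days 365 -subj "/CN=Demo Root CA" >/dev/null 2>&1
# 2. Leaf key + CSR, then a CA-signed certificate that carries the CDP.
openssl req -config ca.cnf -new -newkey rsa:2048 -nodes -keyout leaf.key \
    -out leaf.csr -subj "/CN=www.example.test" >/dev/null 2>&1
openssl ca -batch -config ca.cnf -notext -in leaf.csr -out leaf.crt >/dev/null 2>&1
# 3. The "incident": the CA revokes the leaf and publishes a fresh CRL.
openssl ca -batch -config ca.cnf -revoke leaf.crt >/dev/null 2>&1
openssl ca -batch -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1

# Does the leaf advertise where its CRL lives?  Prints "yes" or "no".
leaf_has_cdp() {
    if openssl x509 -in leaf.crt -noout -ext crlDistributionPoints 2>/dev/null \
        | grep -q "$CDP_URL"; then echo yes; else echo no; fi
}

# Chain validation only, no revocation checking: prints "ok" or "fail".
plain_status() {
    if openssl verify -CAfile ca.crt leaf.crt >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Chain validation plus CRL check against the published CRL:
# prints "ok", "revoked", or the verifier's error text.
crl_status() {
    out="$(openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl leaf.crt 2>&1)" \
        && { echo ok; return 0; }
    case "$out" in
        *"certificate revoked"*) echo revoked ;;
        *) echo "error: $out" ;;
    esac
}

# CRL checking demanded but no CRL available (as if the fetch from the CDP
# failed): openssl fails closed. Prints "no-crl" in that case.
crl_status_no_crl() {
    out="$(openssl verify -crl_check -CAfile ca.crt leaf.crt 2>&1)" && { echo ok; return 0; }
    case "$out" in
        *"unable to get certificate CRL"*) echo no-crl ;;
        *) echo "error: $out" ;;
    esac
}

echo "CDP present:           $(leaf_has_cdp)"
echo "no CRL check:          $(plain_status)"
echo "CRL check with CRL:    $(crl_status)"
echo "CRL check, CRL absent: $(crl_status_no_crl)"
```

Two things worth noticing when running it: after revocation the plain `openssl verify` still says OK, so the CRL only protects a client that is configured to consult it; and when CRL checking is required but the CRL cannot be obtained, openssl refuses the certificate (fails closed), whereas a client that treats a failed CRL fetch as "no information" and carries on would accept the revoked certificate regardless of what the CDP points to.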