Cert-ifiable: How my Mac didn’t trust a new secure site from the Feds

For about three minutes on Monday, I thought I’d uncovered a gigantic security flaw in a new government site set up to push other .gov sites towards secure browsing: When I tried visiting The HTTPS-Only Standard, my iMac’s copy of Safari reported that it couldn’t verify that site’s identity and its copy of Chrome said my connection wasn’t private.

But when you think you’ve uncovered an obvious error in a site that’s been out for over a week, it’s usually your own setup at fault. And within minutes of my tweeting about those warnings, I got a reply from the guy who configured the site saying he couldn’t reproduce the problem.

After some quick testing on this computer, my MacBook Air, my iPad and my phone (during which I silently congratulated myself for editing some accusatory sarcasm out of that tweet before posting it), I realized this fault was confined to Safari and Chrome on my two Macs. Every other browser, including Firefox on my iMac, got through to that HTTPS-Only site normally.

Further Twitter conversations pointed me to each Mac’s store of saved site certificates, accessible in the Keychain Access app. For Safari and Chrome to encrypt a connection to that government site, OS X needed to match its digital certificate against a sort of master key, a “root certificate” stored in the system.

(For a better description of how the mathematical magic of encrypted browsing happens, consult my friend Glenn Fleishman’s 2011 explainer for the Economist.)

Both Macs had an old copy of Comodo Group’s root certificate, one not listed on Apple’s inventory of trusted root certs. I tried deleting that certificate, figuring it probably wouldn’t make things worse–and that was all it took for the HTTPS-Only site to work as advertised and for one or two other sites to stop coughing up security warnings.
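The failure described above, reproduced offline as an added example that is not part of the original post: a leaf certificate verifies only against the root that actually signed it, so a stale root with the same subject name but a different key (like the old Comodo root sitting in my keychain) cannot anchor the chain. It assumes the `openssl` command-line tool is installed; every certificate, key and host name here is constructed for the demonstration.

```shell
#!/bin/sh
# Added demonstration (not code from the original post): build two self-signed
# roots that share a subject name, sign a leaf with one of them, and show that
# chain validation succeeds only against that one. All names are constructed.
set -e

WORK="$(mktemp -d)"
cd "$WORK"

# "current" stands in for the root the OS vendor ships today; "stale" for a
# leftover copy with the same name but a different key pair.
for name in current stale; do
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Constructed Example Root CA" \
    -keyout "root-$name.key" -out "root-$name.pem" >/dev/null 2>&1
done

# A leaf certificate for a made-up host, signed by the current root only.
openssl req -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=https.example.invalid" \
  -keyout leaf.key -out leaf.csr >/dev/null 2>&1
openssl x509 -req -in leaf.csr -sha256 -days 90 \
  -CA root-current.pem -CAkey root-current.key -CAcreateserial \
  -out leaf.pem >/dev/null 2>&1

# chain_ok TRUSTSTORE: exit status 0 when leaf.pem chains to a root in
# TRUSTSTORE, non-zero otherwise. This is the step Safari and Chrome could not
# complete when the keychain offered them the wrong root.
chain_ok() {
  openssl verify -CAfile "$1" leaf.pem >/dev/null 2>&1
}

# Same check, but surface the verifier's own reason so the reader sees the
# difference between "OK" and a signature/issuer mismatch.
explain() {
  printf '%s: ' "$1"
  openssl verify -CAfile "$1" leaf.pem 2>&1 | tail -n 1
}

explain root-current.pem
explain root-stale.pem
```

The two `explain` lines mirror what happened on my Macs: the same site, the same leaf certificate, and a pass or a fail depending purely on which copy of the root the trust store hands to the verifier. Deleting the stale copy is the equivalent of pointing `chain_ok` at `root-current.pem` only.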

With my encrypted browsing back to normal, I’m left to wonder how my system keychains got tangled up like that. Any theories? Before you ask: Yes, I’ve done a full scan with the ClamXav malware scanner and haven’t found any issues.

Weekly output: e-mail security (x2), MacBook webcam

This week’s work involved the Virginia countryside, a space capsule, robots playing soccer, and some quality time with drones. And yet none of those things showed up in this week’s articles. But there’s always next week…

6/10/2014: Explained: How ‘TLS’ Keeps Your Email Secure, Yahoo Tech

I enjoyed crafting the photo for this, and not just because it gave me an excuse to flip through old postcards. I did not enjoy reading the comments as much: the repeated assertion there that nothing online can be made secure is both incorrect on a technical level and fundamentally defeatist.

6/10/2014: 4 Ways Your Email Provider Can Encrypt Your Messages, Yahoo Tech

I wrote a short sidebar–something we’ve taken to doing more often at Yahoo Tech–outlining how e-mail encryption has advanced over the last decade or so… at least at some providers.

6/15/2014: Revisiting a fix for your MacBook webcam, USA Today

Yes, you read about this topic earlier this year in my USAT column. But this time around the remedy may work a little more reliably. There’s also a tip about watching Netflix on a computer without Microsoft’s Silverlight plug-in–if you’re running Windows 8.1.

Weekly output: CNET and CBS, Internet Freedom Day, Tech Night Owl, Java, Yahoo Mail

For once, I did not come home from CES with a cold. Instead, I picked up one from our toddler a few days later.

1/15/2013: CBS, CNET And How To Kill Tech Journalism Through Big-Media Denial, Disruptive Competition Project

This is a story I kind of missed during the show, but it also took me a day or two to realize how dangerous CBS’s rationales for interfering with CNET’s editorial decisions would be for tech journalism in the traditional (read: media conglomerate-owned) media. I was glad this little rant got as much attention as it did; I wish that had been followed by accountability for the twit or twits in CBS’s executive suite who thought this stunt would work.

1/18/2013: Internet Freedom Day’s Unfinished Business, Disruptive Competition Project

Friday marked the first anniversary of the Internet rearing up and kicking Big Copyright in the hindquarters during the battle to quash the Stop Online Piracy Act. That’s worth celebrating, but a week after the death of net-freedom advocate Aaron Swartz I also thought it necessary to point out all the items remaining on the tech-policy to-do list if you value a more open Internet and technology economy. I hope the result doesn’t make me sound like a total Eeyore.

1/19/2013: January 19, 2013 – Kirk McElhearn and Rob Pegoraro, Tech Night Owl Live

I discussed the things I saw at CES, Apple’s stock price and other tech-news topics on Gene Steinberg’s podcast. I haven’t heard Kirk McElhearn’s segment yet, but I’m sure that Macworld and TidBITS contributor had insightful things to say too.

1/20/2013: Q&A: Is Java safe to use?, USA Today

I returned to the topic I covered in my USAT column last spring, this time with more context about what Java was supposed to do and how it became the nuisance it is–plus a few remaining, non-Web uses for this software I hadn’t addressed in detail in that earlier piece. There’s also a tip about enabling a security feature Yahoo finally added to its Yahoo Mail service, some five years after Google had provided the same option to Gmail users.

I also held forth on the mini-blogging site Sulia, as my experiment with that site continues. Among this week’s posts: a review of Facebook’s new, airtime-free voice-calling service (and one of an Android app that does the same thing through Google Voice); documentation of some new Twitter features; a call for editors and publishers to post those newsroom-wide memos that always wind up getting published elsewhere.