To be more accurate, it appears as if this update installed an invalid/wrong/outdated VeriSign root CA, which prevents me from security using a good chunk of the web - including Apple's own App Store.
I could just add the online certificate as trusted, but shrugging it off and proceeding without caution is the worst thing you can do for secure browsing. If I'm visiting a small, specific website that I know and I encounter a self-issued cert it's a one thing, but this is a very different story.
I only I'm not the last person in the world using 10.8.5 (yet), so if my theory is correct, others must be seeing this too. And if I'm wrong... what the hell is going on?
- After installing the 2015-004 update on my 10.8.5, I realized I couldn't connect to many HTTPS sites including twitter.com, apple.com, and bankofamerica.com without getting certificate warnings. Chrome, for example says ERR_CERT_AUTHORITY_INVALID, "the certificate is not trusted" and "your connection is encrypted with obsolete cryptography".
- Chrome and Safari rely on the OS for trusted root CAs.
- The mistrust starts with the root CA, "VeriSign Class 3 Public Primary Certification Authority - G5". I can see that a CA with this exact name appears in Keychain as a valid and trusted cert, but its serial number (and therefore SHA-1 and MD5 fingerprints) are completely different form what the browsers see online.
- HTTPS connections to other sites (with GeoTrust, Google and other CAs) work fine.
I could just add the online certificate as trusted, but shrugging it off and proceeding without caution is the worst thing you can do for secure browsing. If I'm visiting a small, specific website that I know and I encounter a self-issued cert it's a one thing, but this is a very different story.
I only I'm not the last person in the world using 10.8.5 (yet), so if my theory is correct, others must be seeing this too. And if I'm wrong... what the hell is going on?