20140222-AppleSSLTLS

In English

The Secure Sockets Layer (SSL) helps to ensure that communication between your browser and a website server remains secure. Transport Layer Security (TLS), is a more recent protocol doing essentially the same thing. Together SSL/TLS is a cryptographic key allowing you and your browser to trust that is really YourBank.Com at the other end. To the end user it is all automatic and it works when the icon shows a closed padlock.

Apple’s implementation of the a two part security system was flawed allowing a miscreant pretend to be you to the secure service and pretend to be the secure service to you. This is a man-in-the-middle attack. In techno-speak:

“an attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS.”

http://www.reuters.com/article/2014/02/22/us-apple-flaw-idUSBREA1L01Y20140222
see also
http://gizmodo.com/why-apples-huge-security-flaw-is-so-scary-1529041062

How long has this been vulnerable?

A researcher reports the bug did not exist in version 5.1.1 and did exist in version 6.0 meaning the security has been compromised since about September of 2012.

https://twitter.com/Jeffrey903/status/437273379855667201

How could this have happened?

One extra line of code, a slip of the fingers

The error is a simple one that’s easy to see when you look right at it, but perhaps hard to see when you’re looking at the whole 1,970 line file. The error is on line 632. It’s an extra “goto fail;” statement that causes SSL signature verification to succeed always (in certain very common configurations). For more detail on all this, read Langley’s post. It has the look of a thoughtless editing bug — a slip of the fingers — rather than an error in logic.

http://www.zdnet.com/apple-and-the-ssltls-bug-open-questions-7000026628/

To Fix it

For the Apple iPhone operating system – Friday 2/21/2014 Apple released iOS 7.0.6. Update recommended.

For the Apple operating system – Tuesday 2/25/2014 Apple released OS X 10.9.2. Update recommended.

 
 

The 2014 Unknown page
The References page

Visit Us On FacebookVisit Us On Twitter