
UPDATE: Apple in hot water after SSL/TLS validation fiasco

Update (Feb 25):

More info on the update can be found here.

Original story:

Releasing a software update right before the weekend is something that software vendors tend to stay away from because of its inherent risks. And yet this is precisely what Apple did last Friday when they pushed a security update which immediately prompted many people to dissect it.


“An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS”.

The flaw (CVE-2014-1266) affects certain versions of iOS (iPod, iPad and iPhone) and OS X (laptop / desktop).

In layman’s terms, if you are connected to a public WiFi, an attacker could eavesdrop on all your HTTPS encrypted traffic by creating a fake digital certificate.

Normally, a fake digital certificate would throw a warning such as this:

[Screenshot: SSL certificate warning]

The problem lies in a failure to check a digital certificate, in what has been called “gotofail”. This bug is very serious because that validation check no longer happens:

[Image: the affected code]

For some as yet undetermined (and very controversial) reason, a redundant “goto fail;” statement (in red) was inserted in the code, bypassing a critical check (in green).

As such, the user would no longer see any error and could potentially be connected through a rogue certificate, allowing the attacker to play man-in-the-middle and intercept/inject data.
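A simplified model of the pattern described above, as an added example that is not Apple's code and not part of the original post. The function names and the constructed signature string are hypothetical; the flawed version is shown beside a corrected one.

```c
#include <string.h>

/* Hypothetical stand-ins for the hashing and signature steps (not Apple's names). */
static int hash_update(const char *data) { return data != NULL ? 0 : -1; }
static int hash_final(void) { return 0; }

/* Constructed check: only the literal "valid-signature" verifies. */
static int verify_signature(const char *sig)
{
    return strcmp(sig, "valid-signature") == 0 ? 0 : -1;
}

/* Flawed pattern: without braces, only the first goto belongs to the if. */
int verify_flawed(const char *params, const char *sig)
{
    int err;

    if ((err = hash_update(params)) != 0)
        goto fail;
        goto fail;                  /* redundant line: always executed */
    if ((err = hash_final()) != 0)
        goto fail;
    err = verify_signature(sig);    /* critical check: never reached */
fail:
    return err;                     /* 0 whenever hash_update succeeded */
}

/* Corrected pattern: braces on every branch, so the check always runs. */
int verify_fixed(const char *params, const char *sig)
{
    int err;

    if ((err = hash_update(params)) != 0) {
        goto fail;
    }
    if ((err = hash_final()) != 0) {
        goto fail;
    }
    err = verify_signature(sig);
fail:
    return err;
}
```

Compiling with warnings such as GCC's `-Wmisleading-indentation` flags the duplicated line in `verify_flawed`.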

You can check if your Apple device is vulnerable to this bug by visiting gotofail.com:

[Screenshots: gotofail.com test results on iOS and in Safari]

Apple provided a fix for iOS, which you can download from Settings > General > Software Update, but has yet to release one for OS X. While waiting for an official patch, you should not connect to any public WiFi without at least:

  • using a VPN to encrypt your communications within the access point
  • using an alternate browser (Chrome or Firefox) not affected by this bug

Please note that other programs such as Mail, iMessage and FaceTime are affected and should not be used on insecure networks.

Update: Security researcher ashk4n highlighted that even with VPN the risk may still exist unless you use a different protocol such as OpenSSL.

@jeromesegura 


One thought on “UPDATE: Apple in hot water after SSL/TLS validation fiasco”

  1. Susan van Bebber says on February 26, 2014 at 4:33 am :

    The gotofail web page links to the iOS update, but only to the iOS 7 update. (The gotofail web page also now says that there is an update for OS X Mavericks as well.) I have an iPod touch 4th generation, which is not eligible for iOS 7, but the Settings app on my iPod had an update for iOS 6 available which is supposed to fix the problem. Thanks for the info!
