
Apple patches iOS security certificate flaw
Apple last week patched a security certificate flaw in iOS that could let hackers with a "privileged network position" crack an encrypted session and capture data, without the end user realizing anything is wrong.
The weakness lies in the way iOS validates, or fails to validate, the chain of trusted interactions involved in issuing and managing X.509 certificates in public key infrastructure systems. The certificates are used to encrypt a user's data session. Apple's fix is available now in iOS 4.3.5, an update released specifically to address this flaw.
One corporate iOS user is Needham Bank, a community bank in Needham, Mass. Nearly one-third of the bank's 100 or so employees have an iOS device, many of them iPads. The bank relies on SSL certificates to secure iOS communications. Nevertheless, the bank's vice president of IT, James Gordon, isn't sweating the update.
Kehrer hit upon a way to sign an SSL certificate that iOS would accept as carrying a valid signature. If he could intercept traffic from an iOS device, say one connected to a Wi-Fi network, he could present his own SSL certificate and then capture and decrypt the traffic packets. Ideally, for the attacker, the victim is not alerted to any problem, so the attack goes undetected.
"This method allows for transparent man-in-the-middle attacks against encrypted iOS communications," according to Trustwave's security advisory.
Apple's bland official description doesn't quite do justice to the certificate flaw, and for now some users are discovering its potential seriousness almost by accident.
"At issue was Apple's 'core code' that checks certificate chain validation," he writes. "It was based on a 9-year-old code base that had never been updated. And until now, no one had actually worried about it."
