Monday, February 24, 2014

Apple: goto fail; do not pass Go, do not collect $200

The jokes write themselves. Apparently this line was duplicated in Apple's SSL/TLS implementation on iOS and OS X, leading to a vulnerability:




Quote:








For the time being, people using Macs should avoid using public networks, a step that can thwart many criminal eavesdroppers but will do little to prevent surveillance by the National Security Agency and other state-sponsored spies. Because the Google Chrome and Mozilla Firefox browsers appear to be unaffected by the flaw, people should also consider using those browsers when possible, although they shouldn't be considered a panacea.



The flaw, according to researchers, causes most iOS and Mac applications to skip a crucial verification check that's supposed to happen when many transport layer security (TLS) and secure sockets layer (SSL) connections are being negotiated. Specifically, affected apps fail to check that the ephemeral public key presented by servers offering Diffie Hellman-supported encryption is actually signed by the site's private key. Attackers with the ability to monitor the connection between the end-user and the server can exploit this failure to completely decrypt and manipulate the traffic by presenting the app with a counterfeit key.



An attacker "can basically set up a connection and pretend to be Google.com," Matt Green, a Johns Hopkins University professor specializing in encryption, told Ars. The attacker "can basically say: 'Hey I'm Google, here's my signature. And since nobody is actually going to check the signature, [the attacker] just puts nonsense in there."



Independent security researcher Ashkan Soltani has confirmed that Safari and Mail.app, the default browser and e-mail client in OS X, suffer from the verification error in version 10.9.1. He and other researchers say virtually all applications that rely on the SecureTransport TLS layer are susceptible to the attack, regardless of whether they use a technique known as certificate pinning designed to block counterfeit encryption certificates. The bug, according to this analysis by encryption expert and security engineer Adam Langley, is the result of a single line of misplaced code that instructs apps to skip the verification check of the ephemeral key.



"This sort of subtle bug deep in the code is a nightmare," Langley, who is also a Google employee, wrote. "I believe that it's just a mistake and I feel very bad for whomever might have slipped in an editor and created it."



Linky.



Naturally, iOS has gotten the patch before OS X.





via JREF Forum http://ift.tt/1dqCnou
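The control-flow pattern the quoted article describes (a duplicated `goto fail;` that skips the signature check on the ephemeral key), shown beside a corrected form as an added illustration; it is not Apple's code and not part of the original post. The function names, the toy XOR digest and the sample bytes are constructed assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample data; the 8-byte XOR "digest" is a toy, not cryptography. */
static const unsigned char SAMPLE_PARAMS[] = "ephemeral-key";
static const unsigned char GOOD_SIG[8] = {0x09, 0x5d, 0x03, 0x00, 0x14, 0x65, 0x72, 0x61};
static const unsigned char FORGED_SIG[8] = {0};   /* "nonsense" signature */

/* Hypothetical helpers (not a real TLS API); both return 0 on success. */
static int hash_update(unsigned char d[8], const unsigned char *p, size_t n) {
    for (size_t i = 0; i < n; i++) d[i % 8] ^= p[i];
    return 0;
}
static int check_signature(const unsigned char d[8], const unsigned char sig[8]) {
    return memcmp(d, sig, 8) == 0 ? 0 : -1;
}

/* Buggy shape: the duplicated line is not governed by the `if`. */
int verify_buggy(const unsigned char *p, size_t n, const unsigned char sig[8]) {
    unsigned char d[8] = {0};
    int err;
    if ((err = hash_update(d, p, n)) != 0)
        goto fail;
        goto fail;  /* always taken, with err == 0 */
    if ((err = check_signature(d, sig)) != 0)  /* unreachable */
        goto fail;
fail:
    return err;     /* 0 means "verified" */
}

/* Corrected shape: braces make the scope of each check explicit. */
int verify_fixed(const unsigned char *p, size_t n, const unsigned char sig[8]) {
    unsigned char d[8] = {0};
    int err;
    if ((err = hash_update(d, p, n)) != 0) {
        goto fail;
    }
    if ((err = check_signature(d, sig)) != 0) {
        goto fail;
    }
fail:
    return err;
}
int main(void) {
    size_t n = sizeof SAMPLE_PARAMS - 1;
    printf("%d %d %d\n", verify_buggy(SAMPLE_PARAMS, n, FORGED_SIG),
           verify_fixed(SAMPLE_PARAMS, n, FORGED_SIG), verify_fixed(SAMPLE_PARAMS, n, GOOD_SIG));
    return 0;
}
```

Compiler diagnostics such as clang's `-Wunreachable-code` flag the dead signature check in the buggy form.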
