Solved

Apple SSL bug: WiFi risk only?

Posted on 2014-02-25
11
648 Views
Last Modified: 2014-03-02
After reading the description of this dramatic SSL bug affecting iphones, ipads & macs, I remain confused:

Is this only relevant if you are on a shared wifi network?

If you are on cellular 3G,LTE or on your private wifi at home, how is this relevant?

I have several ipad users (IOS6) who have refused to upgrade to IOS7.

Is this SSL issue a compelling reason to do so? (A patch is not available on IOS6 for iPad2 / iphone 4).

Thanks,
Mike
0
Comment
Question by:mike2401
  • 5
  • 5
11 Comments
 
LVL 53

Accepted Solution

by:
strung earned 125 total points
ID: 39887196
There is a pretty comprehensive article on the SSL bug here:  http://www.theguardian.com/technology/2014/feb/25/apples-ssl-iphone-vulnerability-how-did-it-happen-and-what-next

My impression is that it is not only a wireless problem, but also a 3G problem.

Apparently there is an upgrade to IOS 6.1.6 which will patch the bug on IOS 6 devices, but it is apparently only available for devices which will not run IOS 7.
0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 375 total points
ID: 39887234
It is an anything problem, sadly.

If your device can be induced to connect via a MitM attack (so a gimmicked "signal booster" box for mobile phone service, wifi, even a box looked to a router between your mobile phone company's internet access provider and the server) then the security of the link can be removed.

the chances of it happening other than on untrusted wifi are remote, but there is a non-zero chance it could happen regardless of how you connect.
0
 

Author Comment

by:mike2401
ID: 39887494
This is the answer I got elsewhere which makes the most sense:

I got my answer.  Bottom line: Tim is right, it's not about the wifi.

"It matters anywhere. This isn't someone being able to "snoop" on your communications and hence be an issue on public WiFi but not via cell. It's a flaw that could allow a hacker to trick your system into visiting and accepting as valid an imposter site that looks like a secure (i.e. HTTPS) web site should the attacker be able in some way to misdirect your connection, such as through a fake email or other fake web site.
 
If you want a more complete explanation without getting too far into the code, see:
 
http://nakedsecurity.sophos.com/2014/02/24/anatomy-of-a-goto-fail-apples-ssl-bug -explained-plus-an-unofficial-patch/"
0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 375 total points
ID: 39887528
Yup. but bear in mind, this requires that one of two things happen.

1) you connect to a site that isn't the site you thought you were connecting to
This is a problem that isn't caused by the SSL bug - if you connect to a different site, it may well have a completely valid SSL certificate, as the validation is based on site name, and SSL providers will often issue certificates to domain owners with little or no further validation.

2) your communications are intercepted (a Man in the Middle attack) in such a way the attacker can modify the data in transit
This is where the bug is required - by forcing specific SSL/TLS modes, the attacker can manipulate the value of the actual encryption key and decrypt the traffic, re-encrypting it before passing it on so that you see encrypted traffic, and the site sees encrypted traffic, but the attacker has full access to the plain-text in transit.
While there are other scenarios where this could be true, it is only really likely in a untrusted wifi scenario; anything else is likely to require much more infrastructural assistance than any attacker is likely to muster (of course, if the NSA are interested in you, that's different, but I suspect you then have bigger problems than this iOS bug :)
0
 

Author Comment

by:mike2401
ID: 39887538
If the victim user gets a faked email from citibank (with genuine graphics copied from their site, a fake from), and clicks the link.

It takes the victim to ci1ibank.com (1 not t).

Could the SSL bug be relevant then?

Mike
0
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 375 total points
ID: 39887550
No, not really. odds are good that the domain owner of ci1ibank.com could get a valid SSL certificate if he wanted one - some SSL CAs won't issue to obvious "typo" domains of banks or large companies, some will (and they only need to find one).

It has long been said that the requirement for a valid certificate from a CA only protects you against someone whose money no CA will accept...

Amusingly, I note that the certificate for https://citibank.com/ is not, in fact, valid for that domain :)
0
 

Author Closing Comment

by:mike2401
ID: 39898004
Thanks!  I got all my IOS 4.x ipad2 users to upgrade to IOS 7.  (no small task!   exec's don't like change!)
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 39898880
pity you couldn't get budget to buy them newer already-ios-7 iThingies - they would have jumped at that instead of bitching about upgrading software :)
0
 

Author Comment

by:mike2401
ID: 39898924
money aside, I really don't want to fuss with them (when everything is working fine) :-)
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 39899145
meh. from experience, toys in the hands of execs are never *less* work, no matter what release they are :)
0
 

Author Comment

by:mike2401
ID: 39899156
I nearly lost everything on one exec's ipad (upgrading from ios 4 to ios7).  The trick was after the upgrade, I had to pick 'setup as new ipad' (which I didn't want to do because I thought it would erase everything).  Turns out ios4 was pre icloud, so it totally confused the upgrade.

I guess no apple engineer thought anyone would ever upgrade from something that old?
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Let Bitmoji into your life. Now is the time to learn a new language of smartphone messaging with this brief introduction.
You should read OS supplied guidelines before developing. I can't stress that enough. The guidelines will help you understand the reasons mobile app developers do what they do.  Apple is very particular when they review appstore submissions.
CodeTwo Sync for iCloud (http://www.codetwo.com/sync-for-icloud?sts=6554) automatically synchronizes your Outlook 2016, 2013, 2010 or 2007 folders with iCloud folders available via iCloud Control Panel. This lets you automatically sync them with…
A simple description of email encryption using a secure portal service. This is one of the choices offered by The Email Laundry for email encryption. The other choices are pdf encryption which creates an encrypted pdf of your email and any attachmen…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now