Remember how the NSA was saying they had "unfettered" access to iOS communications, and Apple claimed they had never given it to them?
They didn't have to — Apple didn't bother checking the certificates.
SAN FRANCISCO (Reuters) – A major flaw in Apple Inc software for mobile devices could allow hackers to intercept email and other communications that are meant to be encrypted, the company said in a Friday afternoon announcement.
If attackers have access to a user's network, such as by sharing the same unsecured wireless service offered by a restaurant, they could see or alter exchanges between the user and protected sites such as Gmail and Facebook, experts said.
At issue is this: when you connect to an SSL/TLS server, the certificate it presents must "chain" back, through any intermediates, to a Certificate Authority (CA) that your device already trusts. The CA's signature on that chain is what "vouches" that the certificate really belongs to the name you typed, and the client has to verify both that the chain is valid and that the name on the certificate matches the host it is actually talking to.
This is necessary because without it you have an encrypted connection, but it may be to someone other than who you think you're talking to: anyone on the path (the shared coffee-shop Wi-Fi in the Reuters piece) can present their own certificate, sit in the middle, and read or alter everything that passes.
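As an added illustration (this is not code from the original post or from Apple), here is what that check looks like when it is actually performed, written in Go against the standard library only. It builds a throwaway root CA, a certificate that CA vouches for, and a rogue self-signed certificate for the same name, then runs the client-side verification against each. The host name and CA name are made up for the example, and no network connection is made.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// demoHost is a constructed name for this example; no real server is contacted.
const demoHost = "mail.example.com"

// newCert generates a P-256 key and a certificate for template. With parent == nil
// the certificate is self-signed; otherwise parent and parentKey sign it.
func newCert(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := key
	if parent == nil {
		parent = template
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// buildDemoPKI returns a leaf certificate that a throwaway root CA vouches for, a
// rogue self-signed leaf for the same name that nobody trusted vouches for, and
// the client's trust store, which holds only that root CA.
func buildDemoPKI() (*x509.Certificate, *x509.Certificate, *x509.CertPool, error) {
	now := time.Now()
	ca, caKey, err := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	leafTemplate := func(serial int64) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: demoHost},
			DNSNames:  []string{demoHost},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			KeyUsage:  x509.KeyUsageDigitalSignature,
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}
	}
	leaf, _, err := newCert(leafTemplate(2), ca, caKey) // the CA vouches for this one
	if err != nil {
		return nil, nil, nil, err
	}
	rogue, _, err := newCert(leafTemplate(3), nil, nil) // same name, vouched for by nobody
	if err != nil {
		return nil, nil, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return leaf, rogue, roots, nil
}

// verifyServerCert is the check a TLS client must make: chain the presented cert to
// a trusted root and confirm it is valid for the host actually being contacted.
func verifyServerCert(presented *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := presented.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// classify reduces a verification result to a short label.
func classify(err error) string {
	var unknownCA x509.UnknownAuthorityError
	var badHost x509.HostnameError
	switch {
	case err == nil:
		return "accepted"
	case errors.As(err, &unknownCA):
		return "rejected: unknown authority"
	case errors.As(err, &badHost):
		return "rejected: hostname mismatch"
	}
	return "rejected: " + err.Error()
}

func main() {
	leaf, rogue, roots, err := buildDemoPKI()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine cert, right host:", classify(verifyServerCert(leaf, roots, demoHost)))
	fmt.Println("rogue self-signed cert:  ", classify(verifyServerCert(rogue, roots, demoHost)))
	fmt.Println("genuine cert, wrong host:", classify(verifyServerCert(leaf, roots, "evil.example.com")))
}
```

Run it with `go run`. The genuine certificate is accepted; the rogue one is rejected because no trusted CA vouches for it; and the genuine one is rejected when presented for a host it does not name. A client that skips this step (in Go, setting `tls.Config{InsecureSkipVerify: true}`) accepts all three, which is exactly the position the Reuters piece describes: the connection is encrypted, but to whoever is in the middle.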
It appears that Apple's code has long (back to at least the iPhone 4!) failed to enforce that check, so a bad chain went through as if it were good.
Isn't that nice?
How does a company the size and stature of Apple “miss” something like this for that long? Where are the code review processes that should have prevented that from happening? And further, is anyone actually so daft as to suggest that nobody knew about it and it hasn't been exploited?
Why do you want to use iOS devices again?
PS: BlackBerry BB10 devices do check.