Unpatched iPhones/iPads secure connections not so secure

In Tech on July 28, 2011 at 1:22 am

By Chester Wisniewski

Yesterday I wrote about Apple’s latest fixes for iWork and iOS and encouraged folks to update. Now that more information is available, it is clearly critical that all users update as soon as possible, unless they only use their device for telephone calls.

Moxie Marlinspike posted a message on his blog yesterday announcing an update to a tool called sslsniff. The sslsniff tool has been around for quite some time (nine years!) and allows users to easily perform man-in-the-middle attacks against SSL/TLS connections. The new version of sslsniff knows how to identify vulnerable Apple devices and allows anyone to snoop on secure communications.

WHAT? Yes, you read that correctly. The flaws in iOS 4.3.4, 4.2.9 and 5.0b3 and lower are a lot more serious than Apple’s description of their fix: “This issue is addressed through improved validation of X.509 certificate chains.”

Oddly, the flaw in iOS was a widespread flaw in WebKit and Microsoft’s CryptoAPI nine years ago. It allows any valid certificate purchased from a Certificate Authority to sign any other certificate, which the client device will then consider valid.
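The check that makes the difference here is the X.509 basicConstraints extension: a certificate chain validator must refuse to accept a signature from an issuer whose certificate is not marked CA:TRUE, otherwise any end-entity certificate can act as an intermediate CA. The following is an added example, not code from the article, from Apple or from sslsniff; it uses the pyca `cryptography` library to build a constructed fixture (a root CA, an ordinary leaf certificate issued by it, and a second certificate signed with that leaf's key) and then runs the same chain through a signature-only validator, which behaves as the article describes, and through one that also requires every issuer to be a CA. All names in it are made up.

```python
"""Added example (not from the article): why an X.509 validator must honour
basicConstraints. A chain that is checked only for signature links connects a
certificate to a trust anchor through an ordinary end-entity certificate; a
validator that also requires every issuer to be a CA rejects that chain."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def make_cert(subject, issuer, subject_key, signing_key, is_ca):
    """Build a minimal certificate. All names used here are constructed."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject)]))
        .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer)]))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=30))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(signing_key, hashes.SHA256())


def signature_links(cert, issuer):
    """True if `issuer` is named as issuer of `cert` and its key signed `cert`.
    No CA check of any kind is made here."""
    if cert.issuer != issuer.subject:
        return False
    try:
        issuer.public_key().verify(
            cert.signature,
            cert.tbs_certificate_bytes,
            ec.ECDSA(cert.signature_hash_algorithm),
        )
    except InvalidSignature:
        return False
    return True


def is_ca(cert):
    """basicConstraints CA flag; a missing extension counts as 'not a CA'."""
    try:
        return cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        return False


def validate_chain(chain, anchor, check_basic_constraints):
    """chain = [leaf, intermediate, ...]; anchor is the trusted root.
    With check_basic_constraints=False only the signature links are checked
    (the behaviour the article describes); with True every issuer must be a CA.
    Validity period, hostname matching and revocation are deliberately out of
    scope so the one check under discussion stands out."""
    for i, cert in enumerate(chain):
        issuer = chain[i + 1] if i + 1 < len(chain) else anchor
        if not signature_links(cert, issuer):
            return False
        if check_basic_constraints and not is_ca(issuer):
            return False
    return True


def build_scenario():
    """Constructed fixture: a root CA, a leaf it legitimately issued (CA:FALSE),
    and a certificate for a different name that the leaf's key signed."""
    root_key = ec.generate_private_key(ec.SECP256R1())
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    other_key = ec.generate_private_key(ec.SECP256R1())
    root = make_cert("Example Root CA", "Example Root CA", root_key, root_key, True)
    leaf = make_cert("site-a.example", "Example Root CA", leaf_key, root_key, False)
    leaf_signed = make_cert("site-b.example", "site-a.example", other_key, leaf_key, False)
    return root, leaf, leaf_signed


def compare_validators():
    """Run the legitimate chain and the leaf-signed chain through both validators."""
    root, leaf, leaf_signed = build_scenario()
    return {
        "legit_signature_only": validate_chain([leaf], root, False),
        "legit_with_basic_constraints": validate_chain([leaf], root, True),
        "leaf_signed_signature_only": validate_chain([leaf_signed, leaf], root, False),
        "leaf_signed_with_basic_constraints": validate_chain([leaf_signed, leaf], root, True),
    }


if __name__ == "__main__":
    for name, ok in compare_validators().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The signature-only validator accepts both chains, because every link really is a valid signature; the one that honours basicConstraints rejects the chain that passes through the end-entity certificate. In a real validator this check sits alongside validity dates, hostname matching, key usage and revocation, but it is this one that Apple's "improved validation of X.509 certificate chains" refers to.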

This allows anyone who can capture traffic from your iPhone, iPad or iPod Touch with man-in-the-middle techniques to…

Full article…
