Apple confirms OS X contains same SSL security flaw patched with iOS 7.0.6, says fix coming 'very soon' - Page 2

post #41 of 67
Quote:
Originally Posted by ItsTheInternet View Post

It means that if an application used Apple's secure framework for HTTPS connections, someone with access to your network or any network in between could have replaced the certificate with one they control, seeing the plain text of your communications.

However, 1Password could also encrypt their data on top of this, which would frustrate any analysis, and being in a position to do this would normally be something like the NSA or a poisoned open wifi AP.

That's my thinking but I've reached out to 1Password to get something more definitive. It turns out they were already working on an answer: http://blog.agilebits.com/2014/02/23/1password-security-doesnt-depend-on-ssl/

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

post #42 of 67
Regardless of any known security bugs one should always assume they exist and do everything they can to reasonably protect themselves from a would-be attacker.

To me, this means using a program like 1Password* so I can have unique and complex passwords for each and every site. You can also then start using unique usernames for more sensitive sites, like your bank, and making your answers to the personal questions unique in case someone tries to reset your password remotely.

These steps won't protect you from attackers exploiting this bug, but they would protect all your other accounts if, for instance, you signed on to AI with your username and password but had a different username and password for your bank.

In reality you're not likely to be victimized locally by sitting in a coffee shop but rather as a result of focused teams of hackers half a world away stealing a company's user data. This makes having individual passwords, as a bare minimum, even more important to your long-term safety on the Internet.

1Password also has a nifty feature called Security Audit which details which accounts have weak passwords, duplicate passwords, and have been using the same password for 6-12 months, 1-3 years, and 3+ years to help you better manage your accounts.

For me, this means I have to remember just 4 passwords. One to log into my Mac, one to log into my iPhone (with Touch ID I no longer use a 4-digit PIN but a proper password), one to log into 1Password, and one to log into the iCloud account I use for Find My iPhone. I'm not sure how others create passwords but I like using phrases to create long unique passwords that are easy to remember. This is an example of something long I can remember as well as type in quickly: $0methingINTHEWaySheMo\/es


PS: I'd like to hear "best practice" ideas that others utilize.



* ...or LastPass or Apple's new password manager, but I think 1Password is worth paying for.

post #43 of 67
Quote:
Originally Posted by NelsonX View Post

Really? I didn't know that! So, I guess they don't all work for Apple. Probably the iOS code is some kind of external OS and Apple has nothing to do with it. In that case I have no complaints at all. It's not Apple's fault. Not their OS, sorry! Please Apple, please, concentrate all of your resources to make the next iPhone 0.00000001 mm thinner! That's what I really want!

They were busy making the world's first 64-bit smartphone, adding Touch ID, and adding multitasking to iOS, so sorry they didn't get around to making it thinner this time.

"Apple should pull the plug on the iPhone."

John C. Dvorak, 2007
post #44 of 67
Quote:
Originally Posted by NelsonX View Post

Really? I didn't know that! So, I guess they don't all work for Apple. Probably the iOS code is some kind of external OS and Apple has nothing to do with it. In that case I have no complaints at all. It's not Apple's fault. Not their OS, sorry! Please Apple, please, concentrate all of your resources to make the next iPhone 0.00000001 mm thinner! That's what I really want!

It's hard to see how you could be aware of that based on your previous, idiotic comment regarding thinness.
Edited by SolipsismX - 2/23/14 at 11:57am

post #45 of 67
Quote:
Originally Posted by Rogifan View Post


Um, the people involved with the thickness of iPhone are not the same employees involved with source code. Last time I checked, mechanical engineers are not software engineers.

Wow that went right over your head Rogifan.

post #46 of 67
Quote:
Originally Posted by Noliving View Post

Wow that went right over your head Rogifan.
Not really. Apple can and does have multiple priorities. They can walk and chew gum at the same time.
post #47 of 67
Quote:
Originally Posted by asdasd View Post

The tin foil hat brigade which suggests that Apple (or an employee) added the encryption to the source file should go on to explain why it was then published in open source.

We don't know if that was the actual bug, either.
Hey, there are people who think Apple did this on purpose to force more iOS 6 holdouts to update to iOS 7.
post #48 of 67
Quote:
Originally Posted by Rogifan View Post

Hey, there are people who think Apple did this on purpose to force more iOS 6 holdouts to update to iOS 7.

How would that work since the bug was introduced in iOS 7?

post #49 of 67
Quote:
Originally Posted by SolipsismX View Post

How would that work since the bug was introduced in iOS 7?

Researchers said it first appeared in iOS6.
melior diabolus quem scies
post #50 of 67
Quote:
Originally Posted by Gatorguy View Post

Researchers said it first appeared in iOS6.

Ah, I thought it was 7.0. Mea culpa. Speed reading has its faults.

post #51 of 67

My phone was bricked after the "small" update.

 

Luckily, I was at home and connected to iTunes. Sucks.

post #52 of 67
Quote:
Originally Posted by SolipsismX View Post

Ah, I thought it was 7.0. Mea culpa. Speed reading has its faults.

Yes, it apparently affects iOS 6 too, but shock! For those phones capable of running iOS 7, Apple is only providing an update to iOS 7.
post #53 of 67
This is yet ANOTHER excuse for 10.9.2 taking so long to get released.

10.9.1 is the buggiest Mac OS release I've seen in a very very long time. I can't believe all of the crap I've had to put up with since it came installed on my new MBPro.

I think it's time to adopt some of the techniques they use in China to assure product quality, like a firing squad in the parking lot. LOL
post #54 of 67

Forbes is reporting that privacy researcher Ashkan Soltani has determined that the SSL security flaw extends to Mail, iMessages, Calendar, FaceTime, and Software Update, among others.

post #55 of 67

censored

post #56 of 67
Quote:
Originally Posted by Crowley View Post

Also via Forbes, Kristen Paget (ex-Apple security) is not happy.

This woman worked on security. When a bug was found with security, she bitches about it in such a negative way that will attract attention. I wonder what part of security she worked on. She is a known hacker and she missed this. Or she introduced it.
post #57 of 67

It has already attracted attention, and she is bitching about Apple's lack of care in fixing an issue with iOS7, and thereby drawing attention to it, but leaving it open on OS X.

 

She didn't join Apple until late 2012, after iOS6 was released, so no, the flaw was not introduced by her.

post #58 of 67
What I find amusing is we often make fun of Android and how the latest and greatest version is only running on a small percentage of devices, and how many Android phones aren't supported by the latest software. And yet I see people complaining that there is no iOS 6 fix for phones that can run iOS 7. One could argue the fix should be based on whatever software is currently running on the device but obviously Apple wants as many people running their most current software as possible. I'm curious exactly how it would work. If you had a notification in your settings telling you a software update was available would Apple just replace that with an iOS 6 notification? And once the user updated replace it back with another iOS 7 notification?
post #59 of 67

Several of my friends using iPhone had their email compromised in the last 6 months. I'm paranoid and had to set up some fake emails to use on my iPhone to avoid my real emails getting hacked. What a pain. Maybe a smartphone is not for me, or I'm just too paranoid...

post #60 of 67
Quote:
Originally Posted by Rogifan View Post


Not really. Apple can and does have multiple priorities. They can walk and chew gum at the same time.

Ya actually it did because his/her argument was that the executives made the decision to focus on the design way too much and neglected the software quality side.  Kind of like how the executives of Microsoft focused way too much on Security in Windows Vista and really neglected the user experience side of the coin when it came to the release of Windows Vista.

post #61 of 67
Quote:
Originally Posted by Rogifan View Post


Just exactly how serious is this? The threads at Mac Rumors make it seem like the biggest breach in the history of software.

 

Major.  This is almost as bad as you can get. 

[Forum Signature]  I have no signature.  [Forum Signature]

post #62 of 67
Quote:
Originally Posted by Crowley View Post
 

Also via Forbes, Kristen Paget (ex-Apple security) is not happy.

Originally Posted by leavingthebigG View Post


This woman worked on security. When a bug was found with security, she bitches about it in such a negative way that will attract attention. I wonder what part of security she worked on. She is a known hacker and she missed this. Or she introduced it.

Paget left Apple in February for Tesla (interesting since Apple has been talking to Tesla). iOS 7 received its NIST FIPS 140-2 validation in November while Paget was still at Apple. The interesting thing is the iOS CoreCrypto Module more than likely contains the SSL coding and the NIST test lab didn't find it. They also didn't find the error in iOS 6, which was approved a while ago. If you feel like this is an NSA conspiracy, it would make sense, since the NIST test lab (a private lab not operated by our government) could have been persuaded by the NSA to skip over this error and not report it. If you believe it was a simple error, then why didn't the test lab find it, why didn't all the government entities responsible for testing their iOS and OSX implementations find it, and why didn't Apple's security Q&A team find it? We're not just talking about Apple missing it; we're also talking about every vendor that makes use of the SSL encryption process missing it, since it's also their responsibility to test how it works within their environment. In other words, everybody missed it and everybody is at fault for not identifying it earlier.

post #63 of 67
I don't understand why I have seen Safari challenge me about self-signed certs etc. It looks from the bug that any cert could spoof any client. It is strange it was missed.
I wanted dsadsa bit it was taken.
post #64 of 67
Quote:
Originally Posted by konqerror View Post
 

 

The worst part about it is it's a simple, fairly obvious typo (presumably). It shows poor software engineering practices at Apple all around: a coding style that's inconsistently applied throughout the file, poor code review, and poor software testing. And the worst part of it is that it's on a security critical piece of software which should have been third-party audited. If they can't get this right, what else is wrong?

Yes it was a bug, but as I read it was only one duplicated line of code.

Yes it was a serious bug, but to take advantage of it required someone very knowledgeable set up in a public WiFi area trying to intercept others' data.

 

Apple fixed the problem within a few days of the problem going public, amazing response by Apple.

Not waiting for patch Tuesday on patch month and not ignoring the problem as other SW developers have done.
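Post #41 describes the flaw as a certificate check that someone on the network path could bypass, and post #64 describes it as a single duplicated line. The following C example is added here and is not Apple's code: it is a constructed model of that shape (toy_digest, hash_update, verify_vulnerable and verify_fixed are all assumed names, and the XOR "digest" is a stand-in for a real hash). The duplicated unconditional goto skips the final compare and returns success for any signature, while the fixed version removes it, braces every body and defaults to failure.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed model of a duplicated-goto bug in a signature check; names and
 * the toy digest are assumptions, not Apple's SecureTransport source. */
#define ERR_BAD_SIGNATURE 1

/* Toy stand-in for a real hash: XOR of all message bytes. */
static uint8_t toy_digest(const uint8_t *msg, size_t len) {
    uint8_t d = 0;
    for (size_t i = 0; i < len; i++) d ^= msg[i];
    return d;
}

static int hash_update(uint8_t *ctx, const uint8_t *msg, size_t len) {
    *ctx ^= toy_digest(msg, len);
    return 0;                   /* 0 means success */
}

/* Vulnerable shape: the second "goto fail" is unconditional, so the final
 * compare never runs and err is still 0 (success) when control reaches fail. */
int verify_vulnerable(const uint8_t *msg, size_t len, uint8_t sig) {
    int err = 0;
    uint8_t ctx = 0;
    if ((err = hash_update(&ctx, msg, len)) != 0)
        goto fail;
        goto fail;              /* duplicated line: indentation lies, it always runs */
    if (ctx != sig)             /* now unreachable; clang -Wunreachable-code flags it */
        err = ERR_BAD_SIGNATURE;
fail:
    return err;
}

/* Hardened shape: no duplicate, braces on every body so a stray line cannot
 * silently become the fall-through path, and err defaults to failure so a
 * skipped check still rejects (fail-closed). */
int verify_fixed(const uint8_t *msg, size_t len, uint8_t sig) {
    int err = ERR_BAD_SIGNATURE;
    uint8_t ctx = 0;
    if (hash_update(&ctx, msg, len) != 0) {
        goto fail;
    }
    if (ctx == sig) {
        err = 0;                /* success only after the compare actually passes */
    }
fail:
    return err;
}
/* Constructed sample: 0x10 ^ 0x20 ^ 0x40 = 0x70 is the genuine toy signature. */
static const uint8_t SAMPLE_MSG[] = {0x10, 0x20, 0x40};
#define GOOD_SIG   0x70
#define FORGED_SIG 0x71
```

Calling both verifiers with FORGED_SIG shows the difference: the vulnerable shape returns 0 (accept) for the forgery, the fixed shape returns ERR_BAD_SIGNATURE.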

post #65 of 67
Quote:
Originally Posted by ipen View Post
 

Several of my friends using iPhone had their email compromised in the last 6 months. I'm paranoid and had to set up some fake emails to use on my iPhone to avoid my real emails getting hacked. What a pain. Maybe a smartphone is not for me, or I'm just too paranoid...


What makes you think your Email was compromised on or because of the iPhone?

I suggest you look into your Email provider.

 

BTW all Gmail is compromised by Google, they don't respect anyone's privacy.

post #66 of 67
Quote:
Originally Posted by rob53 View Post
 

Paget left Apple in February for Tesla (interesting since Apple has been talking to Tesla). iOS 7 received its NIST FIPS 140-2 validation in November while Paget was still at Apple. The interesting thing is the iOS CoreCrypto Module more than likely contains the SSL coding and the NIST test lab didn't find it. They also didn't find the error in iOS 6, which was approved a while ago. If you feel like this is an NSA conspiracy, it would make sense, since the NIST test lab (a private lab not operated by our government) could have been persuaded by the NSA to skip over this error and not report it. If you believe it was a simple error, then why didn't the test lab find it, why didn't all the government entities responsible for testing their iOS and OSX implementations find it, and why didn't Apple's security Q&A team find it? We're not just talking about Apple missing it; we're also talking about every vendor that makes use of the SSL encryption process missing it, since it's also their responsibility to test how it works within their environment. In other words, everybody missed it and everybody is at fault for not identifying it earlier.


Interesting points. An inside job to create and pass over this bug is certainly a possibility.

 

BTW anyone going from very profitable Apple to welfare company Tesla must have had a grudge against Apple.

post #67 of 67
Quote:
Originally Posted by JoshA View Post

Yes it was a bug, but as I read it was only one duplicated line of code.
Yes it was a serious bug, but to take advantage of it required someone very knowledgeable set up in a public WiFi area trying to intercept others' data.

Apple fixed the problem within a few days of the problem going public, amazing response by Apple.
Not waiting for patch Tuesday on patch month and not ignoring the problem as other SW developers have done.

Except on the Mac