page 1 of 2
Apple just released the iOS 7.0.6 update to address a serious security issue. SSL encryption keys are not being verified, which could theoretically pose a security threat. It’s worth upgrading to iOS 7.0.6, as it patches a security flaw that could compromise private data. This issue also affects Mac OS X 10.9 Mavericks and Apple TV (2nd and 3rd generation models), in addition to the iPhone, iPad and iPod touch.
What does “SSL Connection Verification” Mean?
Secure Sockets Layer (SSL) encryption keeps the exchange of data between your browser or app (the client) and an internet entity (a server) secure. For example, when you log in to a web-based email provider, your authentication is passed using SSL encryption. This encryption makes it virtually impossible for a malicious user sniffing the network to intercept your data.
The issue with iOS and OS X Mavericks is that this secure connection is not verified. The data are still encrypted for any site using SSL. This means that only a malicious user in a privileged network position could possibly intercept your data. Additionally, a malicious site could use an SSL certificate issued by themselves instead of a valid certificate authority. They could possibly pose as a bank’s website, for example, and seem to have a legitimate, secure connection.
Adam Langley, a software engineer at Google, specializes in security. He wrote a very detailed article about this issue. The issue surfaced in open source code released by Apple, as part of OpenSSL. The problem is in the error handling code. If the SSL connection experiences an error verifying the certificate, and extra goto statement allows the connection to be established without proper verification. This could allow a malicious user in a privileged network position to access a user’s data. This is highly unlikely, but the flaw is still unacceptable.
SSL certificates are typically issued by a trusted authority, however, anyone can create their own. Developers often do this for the purpose of internal use. It is costly and time-consuming to obtain a proper SSL certificate. The server has to be vetted and the certificate must be purchased. This ensures that no malicious users can get an SSL certificate. The flaw in Apple’s code could allow any SSL certificate to be accepted as coming from a trusted authority.
There’s a few ways this vulnerability could result in a security breach. If you are on a shared WiFi network, someone on the network could perform a “man in the middle” attack. The malicious user could potentially get between you and a legitimate website, grabbing your login information or other sensitive data. For this to happen, you would have to be using a public WiFi network (at a coffee shop, for example) and the malicious user would need to be on this same network.
Another possibility is that a hacker sets up a malicious site that has a similar URL to a site that you use. If you type in the incorrect URL and it looks like the site you use, the user could intercept your information. You could also be drawn to this site by a link, email or a text message, which is known as phishing. On rare occasions, malicious sites can even appear in search results. This can happen regardless of the flaw, because malicious sites are able to get SSL certificates, but not from trusted authorities. SSL verification would protect you from these vulnerabilities. You wouldn’t be able to connect to a site with a bad SSL certificate. This doesn’t mean that SSL encryption doesn’t work for legitimate sites — it’s just not verified. This makes it easier for a hacker to pose as a legitimate website.
It’s highly improbable that anyone would be affected by this flaw, but it is theoretically possible. A lot of bad things would have to line up neatly for this to happen. Adam Langley has a server you can use to test this issue. It uses an SSL certificate with an invalid key. If your can see this site in your browser, you are affected by this bug. (continue…)