Apple SSL Vulnerability Explained

67 %
33 %
Information about Apple SSL Vulnerability Explained

Published on February 25, 2014

Author: MikeChapple



Understand the coding error behind Apple's #gotofail. How one line of code undermined the use of SSL/TLS to secure iOS and Mac OS X communications.

Inside Apple’s SSL Vulnerability Mike Chapple @mchapple

Digital Certificates • Digital Certificates use asymmetric cryptography to facilitate the secure exchange of public keys. • Rely upon the use of trusted Certificate Authorities – Certificate Authorities responsible for vouching for identity of certificate “subjects”. – Usually used for servers, can also be used by individuals. – Organization proves its identity to the CA and the CA provides a signed certificate that can be used to prove identity to others. • To a CA, trust is essential!

What’s in a Digital Certificate? • • • • • • • Name of the certificate subject Subject’s public key Name of the CA Serial number Signature algorithm Validity period CA’s digital signature Source: Apple Computer 3

Using Certificates in HTTPS • HTTPS uses digital certificates to ensure secure web communications • It supplements the standard HTTP protocol with SSL/TLS encryption 1. 2. You access a secure site using your web browser Your browser retrieves the site certificate and verifies it • 3. Your browser then chooses a symmetric key, encrypts it with the server’s public key and sends it to the server • 4. 4 What does a certificate error mean? Why don’t they just communicate using the server’s public key? Everything from that point forward is encrypted with the symmetric key

Apple’s Code The repeated “goto fail;” is the #fail Source: The Guardian

Apple’s Code Because it is always executed, bypassing this check Source: The Guardian

Simpler Version of the Same Flaw Default return value set to 1 Goto bypasses attempt to change return value Source: Default value (1) always returned by function

Impact • Digital signatures on ephemeral keys not verified • Certificate itself is verified • Link between certificate and key not checked • Clients always trust presented ephemeral keys because the certificate checked out OK

Fixes • For iOS, upgrade to 7.0.6 • No fix yet available for OS X • In the meantime, use Chrome for partial fix

Questions? Mike Chapple @mchapple

#fail presentations

Add a comment

Related presentations

Presentación que realice en el Evento Nacional de Gobierno Abierto, realizado los ...

In this presentation we will describe our experience developing with a highly dyna...

Presentation to the LITA Forum 7th November 2014 Albuquerque, NM

Un recorrido por los cambios que nos generará el wearabletech en el futuro

Um paralelo entre as novidades & mercado em Wearable Computing e Tecnologias Assis...

Microsoft finally joins the smartwatch and fitness tracker game by introducing the...

Related pages

What you need to know about Apple's SSL bug | Macworld

Update: Apple has released 10.9.2, which patches the SSL vulnerability discussed in this article. News of a serious vulnerability within Apple’s ...
Read more

Anatomy of a “goto fail” – Apple’s SSL bug ...

Anatomy of a “goto fail” – Apple’s SSL bug explained, plus an unofficial patch for OS X!
Read more

Apple SSL Vulnerability Explained

Explanation of the Apple SSL Vulnerability ... Gareth Owen, University of Portsmouth. Have a look at the following snippet of source code from the SSL ...
Read more

Apple's SSL iPhone vulnerability: how did it happen, and ...

Apple's SSL iPhone vulnerability: how did it happen, and what next? SSL vulnerability in iPhone, iPad and on Mac OS X appeared in September 2012 ...
Read more

Apple's security flaw SSL vulnerability: How do I protect ...

Over the weekend you may have heard some stuff about Apple software and a vulnerability that would allow hackers to see into your online soul.
Read more

'FREAK' — New SSL/TLS Vulnerability Explained

'FREAK' - New SSL/TLS Vulnerability leaves Google and Apple Device Users Vulnerable
Read more

Apple Issues Patch For OS X SSL Security Vulnerability ...

Apple faced a considerable security threat with its SSL flaw, present in both iOS and OS X devices over the past few days. The iOS bug was ...
Read more

ImperialViolet - Apple's SSL/TLS bug

Yesterday, Apple pushed a rather spooky security update for iOS that suggested that something was horribly wrong with SSL/TLS in iOS but gave no details.
Read more

Heartbleed Bug

The Heartbleed Bug is a serious vulnerability in the popular ... Is this a MITM bug like Apple's goto ... " bug in Apple's TLS/SSL implementation ...
Read more