Stories
Slash Boxes
Comments

SoylentNews is people

SoylentNews is powered by your submissions, so send in your scoop. Only 19 submissions in the queue.

Schneier Speculates on Apple's SSL Flaw

posted by girlwhowaspluggedout on Sunday March 02 2014, @12:01AM   Printer-friendly
from the one-bad-apple-spoils-the-whole-bunch dept.

Papas Fritas writes:

"Last October, Bruce Schneier speculated that the three characteristics of a good backdoor are a low chance of discovery, high deniability if discovered, and minimal conspiracy to implement. He now says that the critical iOS and OSX vulnerability that Apple patched last week meets these criteria, and could be an example of a deliberate change by a bad actor:

Look at the code. What caused the vulnerability is a single line of code: a second "goto fail;" statement. Since that statement isn't a conditional, it causes the whole procedure to terminate ... Was this done on purpose? I have no idea. But if I wanted to do something like this on purpose, this is exactly how I would do it.

He later added that 'if the Apple auditing system is any good, they will be able to trace this errant goto line to the specific login that made the change.'

Steve Bellovin, professor of Computer Science in Columbia University and Chief Technologist of the Federal Trade Commission, has another take on the vulnerability: 'It may have been an accident; If it was enemy action, it was fairly clumsy.'"

 
This discussion has been archived. No new comments can be posted.
Schneier Speculates on Apple's SSL Flaw | Log In/Create an Account | Top | 25 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2) by frojack on Sunday March 02 2014, @04:22AM

    by frojack (1554) on Sunday March 02 2014, @04:22AM (#9394) Journal

    But, AS I understand the bug, that line of code was meant to detect a bad cert, or man in the middle attack.

    Even in wide scale testing, you are not likely to encounter that in the real world. And in this case, it would just allow the site to load as normal. You'd be owned, but none the wiser. The code would pass the test.

    Adam Langley on his Blog [imperialviolet.org] coded up a cute harmless little demonstrator for this bug.
    This is the direct URL https://www.imperialviolet.org:1266/ [imperialviolet.org]

    Chrome just says No Way.
    Firefox spits confusing jargon that translates to No Way.
    Even cursty old Kong catches this.

    So unless you has a deliberately created bad web site to test with, you would never see this bug. Seems accidental that it was found at all.

    --
    No, you are mistaken. I've always had this sig.
    Starting Score:    1  point
    Karma-Bonus Modifier   +1  
    Total Score:   2  

  • (Score: 4, Insightful) by forsythe on Sunday March 02 2014, @05:07AM

    by forsythe (831) on Sunday March 02 2014, @05:07AM (#9406)

    Sure, in the real world this bug would be hard to detect. But I find it hard to believe that anyone at Apple would approve a function for detecting bad certs that didn't even have a test record including data that [should have] failed sslRawVerify (which, as I understand it, is the key step that the goto skips). That's the sort of thing big, professional software companies are supposed to do, isn't it? That leaves a few possibilities: either the test record was doctored, the test cases were carefully constructed not to expose this bug, or there simply weren't any tests intended to cover this case.

    Hanlon's Razor says the third case is most likely, but I'm not so sure I should trust it in this case.