Apple has finally enabled secure App Store logins for mobile users, months after the issue was first reported to the consumer electronics giant. Google researcher Elie Bursztein noticed that Apple's App Store protocols weren't secure back in July 2012, when he reported the issue to Cupertino. The App Store iOS app was running …
Yes, it's about time, but…
… SSL itself is susceptible to man-in-the-middle attacks, as demonstrated, for example, by those nice people in Iran — see http://www.theregister.co.uk/2011/09/09/gmail_diginotar_security_alert/.) You can even do it to yourself with the mitmproxy utility.
Re: Yes, it's about time, but…
Sure it is. Using it is still better than sending the data over the wire in plain text.
For DigiNotar to work, your victim would need to be using very old software. It's certificate as a root CA was revoked by pretty much everyone. As a cautionary tale for the whole CA system it is definitely a loud and clear example of what everyone knew was an issue. Unfortunately there is no panacea when it comes to security. You do what you can. The only true security is a one-time pad, but that is actually impossible to achieve in reality.
If you look at the mitmproxy tickets, you'd find out that Apple has pinned it's certificate (at least in iOS 6), which is exactly what should be done everywhere that it is possible. Since the certificate is not used over the wire, you'd need access to their device and the ability to change the certificate on it to your certificate.
So what's left? Well if you want to target specific sites that have mixed content (some SSL and some HTTP [preferably JS files, but CSS would also work]), you can proxy the traffic and inject your own JS code in the HTTP stream. SSL works by public/private keys to set up the connection. After that it is simple symmetric encryption. Your code would make repeated connections to the server with a block of text that you know. Known text attack is pretty simple for working out the symmetric key. If you've been caching the SSL packets, you can go back and decrypt that stream.
You've got good points, but just shouting the sky is falling on a forum is perhaps not the best thing to do. I mean, what if some PHB is reading the site and gets the idea that they can just stop using SSL on their services. ;)
It's better to point out that security is hard and SSL is not a panacea because it needs to be implemented correctly and carefully. When I was a SysAdmin, I used to tell my colleagues that if you wanted true security, you'd cut the cords off of your system, send it through an industrial wood chipper, embed that in a block of cement, and then drop that into the Marianas Trench. Then I'd be 99.999% sure you couldn't be hacked.
Cutting Edge Design?
More like the dull knife in the drawer.
Login credentials transmitted in the clear is really rather poor. Taking months to fix it after being told about it is absolutely pisspoor.
Doing it in the first place in this day and age is
Unfortunately, it still happens with alarming frequency.
>"<sigh>Login credentials transmitted in the clear is really rather poor. Taking months to fix it after being told about it is absolutely pisspoor."
Apple having to thank a Google researcher for bringing it to the public's attention? Priceless.
I would have figure it was already SSL.
- Xmas Round-up Ghosts of Christmas Past: Ten tech treats from yesteryear
- Special Report How Britain could have invented the iPhone: And how the Quangocracy cocked it up
- Analysis Microsoft's licence riddles give Linux and pals a free ride to virtual domination
- Massive! Yahoo! Mail! outage! going! on! FOURTH! straight! day!
- Bring it on, stream biz Aereo tells TV barons – see you in Supreme Court