iOS, Mac, Android users still vulnerable to bogus certs

Eight days after the discovery that a fraudulently issued web credential actively targeted Iranians as they accessed their Gmail accounts, millions of people who rely on Google and Apple products remain vulnerable to similar attacks. The inaction of Google in updating its Android operating system and Apple in making changes to …

COMMENTS

This topic is closed for new posts.
  1. Volker Hett

    Not that easy.

    Switching to chrome on OS X won't help, it uses the OS X keychain.

    If DigiNotar's certificates are revoked, which they should be by now, then users of a recent OS X should be safe, since keychain checks OCSP and CRL since the Comodo hack.

    If those certificates are NOT revoked, I consider the whole SSL system broken and not trustable.

    I haven't checked on Windows; the Win2K8 servers I maintain have a keychain manager and I don't have any other browsers on my servers :)

    1. Robert Carnegie

      Is Opera safe? On Mac? (Although I don't have one.)

      According to http://my.opera.com/securitygroup/blog/2011/08/30/when-certificate-authorities-are-hacked-2

      Opera verifies certificate validity with Opera's server, but I don't know if that applies to every Opera platform including OS X.

      The mobile browser that does the rendering on an Internet server and sends you the result is probably okay, too. If you consider that secure in the first place...

      1. Volker Hett

        Certificates seem to be a real mess.

        I've been informed that man in the middle attacks on OCSP and CRL are trivial :(

        Certificates aren't used for web servers only; "secure" e-mail depends on them, as does software signing.

        IMHO some sort of keychain management in the OS for all the software makes sense, but when OCSP and CRL can't be trusted we need updates for almost anything any time a CA has been hacked.

        Back to letters and fax, or teletype :(
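Added example, not from the thread or from any of the products named in it: a small Python model of the decision Volker is describing, a client checking a certificate against its OS trust store and then against a revocation source. The certificate, the trust-store contents and the responder behaviour are all constructed; the point it shows is that a blocked OCSP/CRL lookup lets a fraudulent certificate through under soft-fail, while pulling the root from the store rejects it no matter what the responder says.

```python
from dataclasses import dataclass, field
from enum import Enum

class Revocation(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNAVAILABLE = "unavailable"  # OCSP/CRL fetch blocked or timed out

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

@dataclass
class TrustStore:
    roots: set                                    # CA roots the OS trusts
    distrusted: set = field(default_factory=set)  # roots explicitly pulled

def verify(cert, store, revocation_lookup, hard_fail):
    """Decide whether to accept cert; returns (accepted, reason)."""
    if cert.issuer in store.distrusted:
        return False, "issuer explicitly distrusted"
    if cert.issuer not in store.roots:
        return False, "issuer not in trust store"
    status = revocation_lookup(cert)
    if status is Revocation.REVOKED:
        return False, "revoked"
    if status is Revocation.UNAVAILABLE:
        if hard_fail:
            return False, "revocation status unknown (hard-fail)"
        return True, "revocation status unknown (soft-fail)"
    return True, "valid and not revoked"

# Constructed sample: a fraudulently issued Gmail certificate chained to the
# DigiNotar root, which the unpatched OS still trusts.
BOGUS = Cert(subject="*.google.com", issuer="DigiNotar Root CA")
OS_STORE = TrustStore(roots={"DigiNotar Root CA", "Some Other Root CA"})

def scenarios():
    """Accept/reject outcome for each situation raised in the thread."""
    responder_ok = lambda c: Revocation.REVOKED           # CA has revoked it
    responder_blocked = lambda c: Revocation.UNAVAILABLE  # on-path attacker drops the OCSP reply
    pulled = TrustStore(roots=set(OS_STORE.roots), distrusted={"DigiNotar Root CA"})
    return {
        "revoked, responder reachable": verify(BOGUS, OS_STORE, responder_ok, False)[0],
        "responder blocked, soft-fail": verify(BOGUS, OS_STORE, responder_blocked, False)[0],
        "responder blocked, hard-fail": verify(BOGUS, OS_STORE, responder_blocked, True)[0],
        "root pulled, responder blocked": verify(BOGUS, pulled, responder_blocked, False)[0],
    }
```

Only the second scenario accepts the bogus certificate, which is the gap Volker's "updates for almost anything" remark is about: a soft-fail client needs the root removed, not just revoked.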

  2. Phil 54

    CACertMan

    is what it's called

    Sorry, I forgot to give the name...

  3. Steve Evans

    I bet...

    And I bet users of HTC phones will have to wait at least another 6 months after Google release the change... That's assuming they have a phone from 2011... If they have anything "ancient" like a Desire HD, a Desire Z, or God forbid, a Desire, they're likely screwed.

    /me wonders how long it'll be before Cyanogen patch this? Do they need to wait for Google?

    1. ross 15

      CyanogenMod

      I believe that call has already been taken, and CM nightlies are now excluding Diginotar certificates. Of course no idea when it'll be pushed to the next beta...

      1. Steve Evans

        Re: CyanogenMod

        Yup, I just saw that in the change requests. They're pulling them in advance of upstream, and even knocked up a little app to allow you to pull your own certs in future.

        Nice one guys.

  4. -tim

    Would Safari care anyway?

    I get a bad SSL cert for any page that wants to link to https... Facebook, and told it "never trust the cert", so now I have to click cancel every time I hit a page that wants to use Facebook to track me. The core concept of SSL is once I say "no, don't use that", it should never ask again and not use anything signed by that cert ever again.

  5. I ain't Spartacus

    Is this the first?

    Is this the first major Android security vulnerability to get publicity? I can't remember any others...

    Anyway, it could be interesting. My poor HTC Wildfire probably isn't in line for any updates soon / ever, so I suppose I'd better not go to Iran... This could be where the fragmentation, and piss-poor customer service that comes with Android starts to have an effect. I notice Samsung's new budget phones are still selling with 2.2, which is heading for a year old - and they're by no means the only ones guilty of this. Does Froyo even get updates for security anymore? They're unlikely to get upgraded to 2.3, or Samsung would be shipping them that way. So have Google abandoned a hundred million users to their fate? Along with the OEMs and networks of course, it's not their fault entirely.

    I've had a feeling for a while that the gloss is going to come off Android sometime soon. Not that I'm saying it's doomed or anything, just that there are quite a few major issues, and I don't see a lot being done to address them, or even acknowledge they exist. The Motorola deal may be part of Google's answer, or may add to them. Who knows? I still think there's a chance for Android to get knocked off the top spot, though it's got a lot in its favour.

    I'm sure Apple will release an update. Eventually... I wonder if they'll extend that to the old kit that's not on iOS4?

    1. Anonymous Coward

      Android update

      I guess Google will silently push out an update to all versions like they occasionally do with the market. Be nice to have some notification though.

      Can't comment for iOS...

    2. Anonymous Coward

      lack of updates

      I'm sure you're right that older Android phones won't get any updates for security issues like these. But at least it's possible that others can provide them - and indeed it seems several already have.

      It's likely the phone would have to be rooted and a new ROM image installed, which many people would not be willing or able to do, but those that care can. For everyone else it would be nice to have an auto-updating app that could load and install low-level security patches from a trusted source.

      With iOS you are reliant on Apple. If an update comes out for an older device, great, but if not then you're pretty much stuffed.

      1. Volker Hett

        It's easier with Android

        I don't think Samsung can be bothered to update my SGH-F480, haven't seen an update since I got it some three years ago.

  6. Phil 54

    For Android owners

    There's an app to manage and delete certificates available at the guardianproject.info site. Obviously you have to be rooted to use it.

  7. Anonymous Coward

    What about my Nokia and BlackBerry?

    or are you just writing articles about top market percentages to attract more click-ad revenue?

    I'd like to know if my mobiles are threatened by this.

  8. Phil 54

    Strange..

    I wrote my two comments within a minute of each other but they showed up as having been posted more than 8 hours apart, and with the first comment last.

    To reiterate: Android users, use the CACertMan app available at guardianproject.info

  9. Anonymous Coward

    Opera

    Just use Opera Mobile or Opera Mini, both available for Android; problem solved. They check their certificates correctly, have protection against blocked revocation lists, and support a dynamically updated trusted CA list.

    In short, you don't need to do anything, you are protected.
