Welcome to DU!
The truly grassroots left-of-center political community where regular people, not algorithms, drive the discussions and set the standards.
Join the community:
Create a free account
Support DU (and get rid of ads!):
Become a Star Member
All Forums
Issue Forums
Culture Forums
Alliance Forums
Region Forums
Support Forums
Help & Search
Economy
Related: About this forumSecurity flaw in Apple mobile software could allow hackers to beat encryption
http://www.rawstory.com/rs/2014/02/22/security-flaw-in-apple-mobile-software-could-allow-hackers-to-beat-encryption/Security flaw in Apple mobile software could allow hackers to beat encryption
By Reuters
Saturday, February 22, 2014 8:21 EST
A major flaw in Apple Inc software for mobile devices could allow hackers to intercept email and other communications that are meant to be encrypted, the company said on Friday, and experts said Mac computers were even more exposed.
If attackers have access to a mobile users network, such as by sharing the same unsecured wireless service offered by a restaurant, they could see or alter exchanges between the user and protected sites such as Gmail and Facebook. Governments with access to telecom carrier data could do the same.
Its as bad as you could imagine, thats all I can say, said Johns Hopkins University cryptography professor Matthew Green.
Apple did not say when or how it learned about the flaw in the way iOS handles sessions in what are known as secure sockets layer or transport layer security, nor did it say whether the flaw was being exploited.
--
Welcome to the Windoze world.
InfoView thread info, including edit history
TrashPut this thread in your Trash Can (My DU » Trash Can)
BookmarkAdd this thread to your Bookmarks (My DU » Bookmarks)
4 replies, 1052 views
ShareGet links to this post and/or share on social media
AlertAlert this post for a rule violation
PowersThere are no powers you can use on this post
EditCannot edit other people's posts
ReplyReply to this post
EditCannot edit other people's posts
Rec (4)
ReplyReply to this post
4 replies
= new reply since forum marked as read
Highlight:
NoneDon't highlight anything
5 newestHighlight 5 most recent replies
Security flaw in Apple mobile software could allow hackers to beat encryption (Original Post)
unhappycamper
Feb 2014
OP
They coding error has been tracked back to the same year that the NSA said in
LiberalArkie
Feb 2014
#1
LiberalArkie
(15,686 posts)1. They coding error has been tracked back to the same year that the NSA said in
their slides is said to have "man-in'the-middle" access to Apple. Some of the tech sites believe that it was possible that a person working at Apple who took money from the NSA did it. The coding error was such that the compilers and error checking programs did not even catch it.
bemildred
(90,061 posts)2. Obscuring code is quite easy in most modern languages. nt
LiberalArkie
(15,686 posts)3. For sure. It took coders a while to even see the error.
http://arstechnica.com/security/2014/02/extremely-critical-crypto-flaw-in-ios-may-also-affect-fully-patched-macs/
static OSStatus
SSLVerifySignedServerKeyExchange(SSLContext *ctx, bool isRsa, SSLBuffer signedParams,
uint8_t *signature, UInt16 signatureLen)
{
OSStatus err;
...
if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
goto fail;
if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
goto fail;
goto fail;
if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
goto fail;
...
fail:
SSLFreeBuffer(&signedHashes);
SSLFreeBuffer(&hashCtx);
return err;
}
static OSStatus
SSLVerifySignedServerKeyExchange(SSLContext *ctx, bool isRsa, SSLBuffer signedParams,
uint8_t *signature, UInt16 signatureLen)
{
OSStatus err;
...
if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
goto fail;
if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
goto fail;
goto fail;
if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
goto fail;
...
fail:
SSLFreeBuffer(&signedHashes);
SSLFreeBuffer(&hashCtx);
return err;
}
bemildred
(90,061 posts)4. Tsk. Then they are not good at all at reading code. That is not obscure.
But it's does look like the sort of editing error one might make in a hurry, or through fatigue.