Transport Layer Security

Strange bug has stopped some streaming video apps from playing content

As noted by the BBC, some video apps on iOS have inexplicably stopped working today. Videos simply fail to stream, resulting in error messages like the one shown above. The cause of the issue is still unclear, but the bug is affecting multiple high-profile apps in the UK such as BBC iPlayer and Sky Go. Whether the issue is more widespread is not yet known.

It is unknown whether the bug is an issue with Apple’s software or with the third-party app developers. However, as both independent services have failed on the same day it seems like the problem lies with iOS itself. Setting the date on your iPhone or iPad to the past will make videos play again, which suggests the error may be related to expired digital certificates.


Apple says Heartbleed security flaw did not affect its software or services

With an estimated half a million sites vulnerable to the “Heartbleed” vulnerability revealed earlier this week, which allows an attacker to access user details of websites previously believed to be secured by industry-standard SSL/TLS, your favorite social networks, stores, and other services around the web could potentially be handing out your password or other personal information to anyone who exploits the issue.

The bug exists in a library called OpenSSL, which is an open-source SSL implementation that many—but not all—web services use to secure sensitive traffic. If a website you use is affected by the bug, your personal data could be given to just about anyone. Unfortunately, changing your password on an unsecure site won’t even help unless the site’s owners have installed a fix (because the attackers can simply exploit the bug again to get your new password).

This serious issue affects a number of high-profile sites, but it seems your Apple ID is safe. Today, Apple gave the following statement to Re/code:


Apple releases iTunes 11.1.5 w/ compatibility improvements & crash fix

Apple today released a minor update to iTunes on OS X with a fix for a nasty bug that could cause iTunes to crash. The update also includes compatibility improvements with iBooks, Apple says.

The software update follows yesterday’s release of the highly critical OS X 10.9.2, which fixed an existing SSL bug that left users vulnerable to malicious attackers. Apple also introduced FaceTime Audio calling and contact blocking, which debuted on iOS 7 last fall.

The update should be rolling out to OS X users through the Mac App Store.

Security consultant takes less than a day to exploit OS X bug to capture all SSL traffic

Update: The bug has been fixed in OS X 10.9.2

Security consultant Aldo Cortesi said in a blog post (via ZDNet) that it took him less than a day to exploit the goto fail bug in OS X to capture all SSL traffic, and that there’s a good chance he isn’t the first to have done so – an implicit suggestion that the vulnerability may already be being used in man-in-the-middle attacks.

I’ve confirmed full transparent interception of HTTPS traffic on both iOS (prior to 7.0.6) and OSX Mavericks. Nearly all encrypted traffic, including usernames, passwords, and even Apple app updates can be captured. This includes:

  • App store and software update traffic
  • iCloud data, including KeyChain enrollment and updates
  • Data from the Calendar and Reminders
  • Find My Mac updates
  • Traffic for applications that use certificate pinning, like Twitter … 

Reasons for delay in SSL fix to OS X unclear as a single line of code found responsible

Update: Apple issued OS X 10.9.2 the following day, which included a fix for the SSL bug.

After Apple fixed the SSL bug in iOS, it’s unclear why three days have passed without an OS X fix after it was revealed by Reuters that the vulnerability was created by an error in a single line of code.

The problem lies in the way the software recognizes the digital certificates used by banking sites, Google’s Gmail service, Facebook and others to establish encrypted connections. A single line in the program and an omitted bracket meant that those certificates were not authenticated at all, so that hackers can impersonate the website being sought and capture all the electronic traffic before passing it along to the real site.

As the bug is in Apple’s SSL authentication code, it leaves a whole range of apps vulnerable, not just Safari … 