dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
1192
share rss forum feed


Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3

2 recommendations

Understanding Apple's SSL/TLS Bug

quote:
Yesterday Apple released updates for iOS 6, iOS 7, and Apple TV to squash a security bug that affected SSL/TLS connections. Often times, security patches can fix obscure bugs that could only occur under the strangest of circumstances, and they get rolled in to larger updates that address many other issues. However, this fix warranted its own updates, both for iOS 7 and for iOS 6. So what kind of bug calls for such a response? Fortunately for those of us curious enough to wonder, Adam Langley has the answer.

First of all, any time you have a bug that affects SSL/TLS you should pay close attention. As a quick refresher, SSL/TLS refers to encryption protocols that are widely and commonly used to encrypt the transmission of sensitive data. Any bug affecting SSL/TLS has the ability to undermine many, if not all, of the secure transmissions made from your devices.
»www.imore.com/understanding-appl···-tls-bug

Simple test site for Apple SSL bug: »gotofail.com/ Will print "vulnerable" or "not vulnerable." Chrome & Firefox OK; Safari not.

Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool


siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico

1 recommendation

From antdude See Profile's post:
»Apple security updates for February 2014..
About the security content of iOS 7.0.6
»support.apple.com/kb/HT6147


dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS

4 recommendations

reply to Link Logger

   if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
        goto fail;
        goto fail;
 

Snarky comment #1 - no code reviews at Apple, huh?

Snarky comment #2 - Edsger told you they were harmful!


Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3

1 recommendation

said by dave:

Snarky comment #2 - Edsger told you they were harmful!

I don't know what the busting my gut rolling around on the floor laughing my ass off until I p*ssed my pants acronym is, but really it is tragically unfortunate that programmers today likely don't know who Edsger is and so this would be a post child example of those who don't learn from history are due to repeat it.

To bad I never had a chance to show Edsger my 'Come From' language.

Blake
Considered harmful
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

4 edits

1 recommendation

reply to dave

Evidently Apple employs "real programmers".

quote:
* Real Programmers aren't afraid to use GOTO's.

* Real Programmers can write five-page-long DO loops without getting confused.

* Real Programmers like Arithmetic IF statements -- they make the code more interesting.

:D

    if (a = b) goto epic_fail;
 
...
 
epic_fail:
    printf("Obviously programming isn't my forte. Time for a career change!\n");
 

PS:
--
Don't feed trolls--it only makes them grow!


antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
United State
kudos:4
reply to Link Logger

Mac OS X too?

»apple.slashdot.org/story/14/02/2···cts-os-x



Parad0X787
"If U know neither the enemy nor yoursel
Premium
join:2013-09-17
Edmonton, AB

Also serious vuln.found in OS X Mavericks, here we go : [ »www.neowin.net/news/serious-vuln···loitable ]



Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3
reply to dave

Re: Understanding Apple's SSL/TLS Bug

If you try compiling this in VC++ you will get a warning about unreachable code, but compile it in gcc and you won't get a warning using gcc's default settings. Good tools are essential, even for good coders as we all know about and have likely experienced 4AM code for example.

Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool



planet

join:2001-11-05
Oz
kudos:1
Reviews:
·Cox HSI
reply to Link Logger

Taken from article Link Logger's post:
»www.imore.com/understanding-appl···-tls-bug

quote:
The result of this code is that an attacker on the same network as you could perform a man-in-the-middle attack where they fake a certificate keychain to a secure site, like your bank.
Question:
I am running a vulnerable version of iOS on my iPad. I haven't updated due to reported battery issues and OS slow downs on iPad 3 and earlier. The above quote states, "on the same network as you", are they referring to your LAN? I could see an issue here for public wifi spots and organizations. If you trust your LAN, would this mitigate things?

propcgamer

join:2001-10-10
011010101

said by planet See Profile
Question:
I am running a vulnerable version of iOS on my iPad. I haven't updated due to reported battery issues and OS slow downs on iPad 3 and earlier. The above quote states, "on the same network as you", are they referring to your LAN? I could see an issue here for public wifi spots and organizations. If you trust your LAN, would this mitigate things?

Correct, its basically a MITM attack on a public wifi.

Shady Bimmer
Premium
join:2001-12-03
Northport, NY
Reviews:
·Verizon FiOS

said by propcgamer:

Correct, its basically a MITM attack on a public wifi.

Or DNS, or routers, or proxies, or. . .

The vulnerability essentially is that with this bug, iOS (and MacOS apparently) blindly trust that the "other end" is whomever they say they are. It effectively negates any form of end-to-end security provided by SSL and allows anyone to intercept the "conversation" between your device and whomever you think you are communicating with.

It is far more reaching than public wifi - although that is probably the most exposed starting point. The entire path and its dependencies (such as DNS) provides opportunities to exploit this vulnerability.


TAZ

join:2014-01-03
Tucson, AZ
kudos:3
reply to Link Logger

said by Link Logger:

If you try compiling this in VC++ you will get a warning about unreachable code, but compile it in gcc and you won't get a warning using gcc's default settings. Good tools are essential, even for good coders as we all know about and have likely experienced 4AM code for example.

Apple uses Clang, FWIW.


planet

join:2001-11-05
Oz
kudos:1
Reviews:
·Cox HSI
reply to Shady Bimmer

said by Shady Bimmer:

It is far more reaching than public wifi - although that is probably the most exposed starting point. The entire path and its dependencies (such as DNS) provides opportunities to exploit this vulnerability.

I don't like the sound of this. So, basically, if I want to be reasonably assured that my iTune's PW or using a CC # anywhere on the net isn't compromised, I will need to update to iOS 7.0.6. BAH!!

I guess this would be far reaching too for iPhone users on a cellular network.


siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
reply to Link Logger

Apple promises SSL snooping fix for Mac OS X 10.9 users 'very soon'


Shady Bimmer
Premium
join:2001-12-03
Northport, NY
Reviews:
·Verizon FiOS
reply to planet

said by planet:

I will need to update to iOS 7.0.6. BAH!!

Yes. For what it is worth I do not notice any slowdowns on my iPad 3. With the original release of 7 there was sluggishness with the virtual keyboard but that was all that was noticed. This was a known issue and has long since been fixed. Others may differ in their experiences.

I guess this would be far reaching too for iPhone users on a cellular network.

Any network connectivity of any form. SSL is meant to provide end-to-end security and validation and without this anything between your device and the site you are using is a potential point of interception.

Yes this one is a nasty one


leibold
Premium,MVM
join:2002-07-09
Sunnyvale, CA
kudos:10
Reviews:
·SONIC.NET
reply to dave

I didn't recognize the first name, the last name is more familiar to me.

For everybody else that has an IDGI moment, this should help: (wikiquote) Edsger W. Dijkstra .

P.S.: dave See Profile might find the "Misattributed" section at the above link interesting
--
Got some spare cpu cycles ? Join Team Helix or Team Starfire!


dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8

2 recommendations

Then my joke was not in fact wirthless.



Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3
Reviews:
·Frontier Communi..
reply to StuartMW

said by StuartMW:

Evidently Apple employs "real programmers".

quote:
* Real Programmers aren't afraid to use GOTO's.

* Real Programmers can write five-page-long DO loops without getting confused.

* Real Programmers like Arithmetic IF statements -- they make the code more interesting.

...

My personal favorite from that same source:
quote:
Real Programmers write self-modifying code...
Many years ago, in a period of coding arrogance, I constructed a Lotus Symphony program for special-purpose data archiving, analysis, and forecasting that contains a 975-line macro with 155 lengthy lines of self-modifying code, which I've run monthly since 1986. Each time it's run, it analyzes the entire data and forecast histories, performs computations, and accordingly modifies various lines within the macro code (both limits and instructions) for the next run. It has worked beautifully for its intended purpose over all those years. But, if my life depended on it, I could never reconstruct the values it's created along the way unless I re-started it from the documented initial state (the only documentation) and manually re-ran it for each set of monthly inputs. But real programmers never look back, and they never apologize...
--
The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money. -- A. de Tocqueville


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

1 recommendation

said by Blackbird:

But real programmers never look back, and they never apologize...

Well fortunately the software engineers/computer scientists of today probably don't know what assembler language is let alone write any software in it. It is very difficult, if not impossible (by design), to write self-modifying code in high level languages. In assembler you can do what you want barring hardware restrictions.

The people that write ("good") malware do know assembler and how to do stuff at the hardware (CPU) level. I find it amusing that some 15-yr old hacker in Russia can write better code, in many respects, than a college educated software "professional".

To me software engineering is like any other engineering and requires discipline and a methodical approach. I know, however, that many in the industry don't believe that. Writing and building code is very easy unlike creating a building, bridge or a car. The latter require lots of planning and sometimes experimentation, before construction ever starts. Programs not so much.
--
Don't feed trolls--it only makes them grow!


Ctrl Alt Del
Premium
join:2002-02-18
kudos:1

1 edit

1 recommendation

reply to Link Logger

Some have said that -Wunreachable-code will cause gcc to catch it, but according to »gcc.gnu.org/ml/gcc-help/2011-05/···360.html this flag has been silently ignored.

But Apple now uses clang, which has -Weverything »clang.llvm.org/docs/UsersManual.···erything which no one has conclusively said will catch this.

In fact, the code style appears like it was a switch statement in a previous life, and was changed to if statements. Or this was a git merge that no one caught. And that there's no unit testing for this method, apparently.

All around fail.

EDIT: According to »twitter.com/_peterdn/status/4372···30523648 clang (not gcc) with the flag -Wunreachable-code will correctly label the code as unreachable.

Here's a great writeup: »www.imperialviolet.org/2014/02/2···bug.html
--
less talk, more music



Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3

Doesn't sound like that flag is enabled by default and not included in -wall which is interesting.



Ctrl Alt Del
Premium
join:2002-02-18
kudos:1

My mind boggles at the amount of fail involved in this bug.

The source file has all kinds of different indentation styles, different methods mix switch statements and chained if statements, apparently there's no corresponding unit tests, and the default build environment doesn't catch this.

At least we can all see the bug as it's open source.
--
less talk, more music



Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3

I'm not sure that the fail is what people think it is. I'm thinking copy/paste error or one person suggested a possible merge problem, but certainly there are a couple of different ways to have found this and apparently none of them did, but I wouldn't be in a rush to hang anyone over this, but review the process and figure out what happened and how to prevent it in the future, but I doubt I'd be hanging anyone as I don't think it was a single person point of failure and process and tools are likely part of the problem.

Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool



siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico

2 recommendations

reply to Link Logger

Apple's 'Gotofail' Security Mess Extends To Mail, Twitter, iMessage, Facetime And More
»www.forbes.com/sites/andygreenbe···nd-more/



antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
United State
kudos:4
Reviews:
·Time Warner Cable

said by siljaline:

Apple's 'Gotofail' Security Mess Extends To Mail, Twitter, iMessage, Facetime And More
»www.forbes.com/sites/andygreenbe···nd-more/

Also on »www.macworld.com/article/2100680···isk.html ...
--
Ant @ AQFL.net and AntFarm.ma.cx. Please do not IM/e-mail me for technical support. Use this forum or better, »community.norton.com ! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer.


antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
United State
kudos:4
Reviews:
·Time Warner Cable
reply to Link Logger

»www.forbes.com/sites/andygreenbe···ur-sh-t/ from »www.hardocp.com/news/2014/02/24/···your_sht



siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17

1 recommendation

reply to Link Logger

New iOS flaw makes devices susceptible to covert keylogging, researchers say



antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
United State
kudos:4
Reviews:
·Time Warner Cable

Oh boy. More problems. Proof of concept at the moment.
--
Ant @ AQFL.net and AntFarm.ma.cx. Please do not IM/e-mail me for technical support. Use this forum or better, »community.norton.com ! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer.

redwolfe_98
Premium
join:2001-06-11
kudos:1
Reviews:
·Time Warner Cable

1 edit
reply to Link Logger

i saw this related article, which suggest that the problem was caused by an NSA-hack:

»www.rawstory.com/rs/2014/02/24/s···-spying/



Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3

Not even close to how the NSA works, but should drive my tin foil stocks up.