Apple's SSL Screw-Up: Fix "Coming Soon"

Apple currently is under pressure to fix a serious flaw that can render it's implementation of SSL encryption essentially useless under some conditions. This problem affects both mobile devices such as the iPhone and iPad, as well as Mac computers and laptops running OS X. The best thing for most users to do for now is to avoid using public WiFi networks at all (Starbucks, McDonalds, the local library), as that is where the real potential for serious problems lurks. The effect is that "secure" connections to websites - using https:// in the address - may be rendered insecure by this bug.

Update 2/23/14 - a patch is out for later versions of iOS mobile devices, but not yet for Mac OS X

The intruders do need to have access to the victim's network, either through a relationship with the telecom carrier or through a WiFi wireless setup common in public places. Industry veterans warned users to avoid unsecured WiFi until the software patch is available and installed.
The bug has been present for months, according to researchers who tested earlier versions of Apple's software. No one had publicly reported it before, which means that any knowledge of it was tightly held and that there is a chance it hadn't been used.

But documents leaked by former U.S. intelligence contractor Edward Snowden showed agents boasting that they could break into any iPhone, and that hadn't been public knowledge either.

No comments :