MobileRead Forums - View Single Post

ne0rmatrix · 03-09-2014, 03:32 AM

Ya this update is in regards to bad code found in open source ssl implementation used by Apple. It had an extra line of code that allowed for a man in the middle attack. Google goto fail and you can find ranting by security experts and paranoid conspiracy theorists. It's rather elegant if it's been done deliberately. Flaw was introduced in September 2012 during a standard update in an obscure ssl authentication module found in open source code. If done with malicious intent it was pure genius as it allowed plausible deniability and it completely disabled SSL security with less than 10 characters. It was a second line of code that returned error message silently failing module and allowing improper SSL certificates to pass as valid. Only worked with apple browsers and software that authenticated using affected library. Anyone using chrome or Firefox were unaffected.

03-09-2014, 03:32 AM	#12
ne0rmatrix Enthusiast Posts: 48 Karma: 16347 Join Date: Oct 2011 Location: Delta, B.C. Device: kobo Aura HD,Apple Ipad Mini,Samsung Galaxy Tab S 8.4,LG G4	Ya this update is in regards to bad code found in open source ssl implementation used by Apple. It had an extra line of code that allowed for a man in the middle attack. Google goto fail and you can find ranting by security experts and paranoid conspiracy theorists. It's rather elegant if it's been done deliberately. Flaw was introduced in September 2012 during a standard update in an obscure ssl authentication module found in open source code. If done with malicious intent it was pure genius as it allowed plausible deniability and it completely disabled SSL security with less than 10 characters. It was a second line of code that returned error message silently failing module and allowing improper SSL certificates to pass as valid. Only worked with apple browsers and software that authenticated using affected library. Anyone using chrome or Firefox were unaffected.