Apple SSL flaw

The place for what's new and going on in the tech, innovation, and science world.

Apple SSL flaw

Postby rapier57 » Mon Feb 24, 2014 6:27 am

Friday we got the notification that Apple released an update to iOS, so I ran the update on the devices we have that run 7.x iOS. I then found out that it addressed a code issue in the SSL code, called "goto fail" and that is also exists in OSX.

The flaw affects SSL when the device or OSX system communicates on the Internet via an unsecured wireless network, and only if you are using Safari (in the case of OSX).

Here's some detail from a Network World article:

http://www.networkworld.com/news/2014/0 ... ce=nww_rss

I was a bit worried, until I got more detail, then I quit worrying. My home network uses a secured wireless, and I use Firefox with a number of add-on tools on my laptop, especially when traveling or accessing open wireless at Starbucks. While this is a critical issue regarding SSL, it isn't world-ending and only really affects iOS and OSX users accessing open, unsecured wireless.

The flaw, it turns out, is an extra code line in an if-statement containing the "goto fail" that causes the if-statement to fail all conditions. Somehow, the errant line was overlooked in code review and wasn't caught in compile.

It looked something like this:

Code: Select all
   ...
if something-or-other then do-something-or-other else
   goto fail;
   goto fail:

if something-or-other-more then do-something-more else
   ...



It's been an interesting weekend keeping up with this one.
Rapier57.

Jayne: Testing. Testing. Captain, can you hear me?
Mal: I'm standing right here.
Jayne: You're coming through good and loud.
Mal: 'Cause I'm standing right here.


@rapier57
User avatar
rapier57
I've posted HOW many
 
Posts: 3113
Joined: Thu Mar 02, 2006 10:43 pm
Location: Spokane, WA USA

Re: Apple SSL flaw

Postby DaFoxx » Mon Feb 24, 2014 8:02 pm

it's all over the web, and I suppose this is Android fanbois fantasy, but reality is that someone didn't check their code, and neither did anyone else
it could happen - probably HAS - anywhere else, just took SO long to find it
but even I, and my TOTAL lack of coding skillz could understand what was required v what they actually had :P
Beware of Geeks bearing GIF's :mrgreen:
User avatar
DaFoxx
DaBOSS
 
Posts: 8479
Joined: Sun Dec 25, 2005 1:20 am
Location: 3rd Rock from the Sun

Re: Apple SSL flaw

Postby rapier57 » Wed Feb 26, 2014 1:55 am

One security dude who is currently attending RSA posted a rant a couple days ago complaining about Apple coders using "goto" in program if-statement stanzas.

Problem is, goto's are prevalent throughout most languages. And they are explicit or implied. You either use the word goto (explicit), or just name the label in the stanza (implied).

All If-statements have goto's.

Code: Select all
IF something THEN (go somewhere else and do this) ELSE (go somewhere else and do this)


The THEN condition could send program flow to another routine, passing parameters. Same with the ELSE condition. It just depends on the language syntax as to how it is handled. Otherwise, you have to include the whole THEN or ELSE routine in every if-statement. The goto provides a route outside the current loop to a single routine (in this case labeled FAIL). Handling return and other conditions is up to the programmer.

The point is to have one routine to handle the FAIL condition. If you expect that the program will handle a fail condition the same way in ever case, then it simplifies the program and reduces code and potential errors (and security problems) by having the code appear once, rather than numerous times.

So, for me, the goto isn't a problem. This was basically a case for multiple eyes looking at the code and better code review.

it is also a case for making sure you have all the warning switches set at compile time. Another commentator pointed out that the correct set of switches at compile would have alerted for this issue.
Rapier57.

Jayne: Testing. Testing. Captain, can you hear me?
Mal: I'm standing right here.
Jayne: You're coming through good and loud.
Mal: 'Cause I'm standing right here.


@rapier57
User avatar
rapier57
I've posted HOW many
 
Posts: 3113
Joined: Thu Mar 02, 2006 10:43 pm
Location: Spokane, WA USA

Re: Apple SSL flaw

Postby DaFoxx » Thu Feb 27, 2014 7:27 pm

I'll just leave this here :)

http://xkcd.com/292/

I LOVE XKCD site
Beware of Geeks bearing GIF's :mrgreen:
User avatar
DaFoxx
DaBOSS
 
Posts: 8479
Joined: Sun Dec 25, 2005 1:20 am
Location: 3rd Rock from the Sun

Re: Apple SSL flaw

Postby rapier57 » Fri Feb 28, 2014 5:33 pm

Yeah, saw that earlier. Good one.
Rapier57.

Jayne: Testing. Testing. Captain, can you hear me?
Mal: I'm standing right here.
Jayne: You're coming through good and loud.
Mal: 'Cause I'm standing right here.


@rapier57
User avatar
rapier57
I've posted HOW many
 
Posts: 3113
Joined: Thu Mar 02, 2006 10:43 pm
Location: Spokane, WA USA

Re: Apple SSL flaw

Postby SirDice » Fri Mar 07, 2014 1:15 pm

Apple isn't the only one that screwed up. It seems GnuTLS isn't doing things correctly either.

http://arstechnica.com/security/2014/03 ... sdropping/
Oliver's Law:
Experience is something you don't get until just after you need it.
User avatar
SirDice
I've posted HOW many
 
Posts: 4198
Joined: Mon May 15, 2006 9:59 am
Location: Netherlands

Re: Apple SSL flaw

Postby Aspman » Sun Mar 09, 2014 6:12 pm

I know people from UK gov services that when to the US to offer help to Apple (after an invite) so that Apple kit could be more acceptable for Gov use. When they got there Apple said to them "we don't need any help; we're Apple. We're not changing anything"

They all get the next flight home and iOS7 was released in a more insecure form than iOS6.
"Man will never be free until the last king is strangled with the entrails of the last priest."
- Denis Diderot (1713-1784)
User avatar
Aspman
Frustrated Mad Scientist
 
Posts: 8872
Joined: Mon Jan 09, 2006 10:07 am
Location: Scotland


Return to Tech News Zone

Who is online

Users browsing this forum: No registered users and 11 guests