Page 1 of 1

Apple SSL flaw

Posted: Mon Feb 24, 2014 6:27 am
by rapier57
Friday we got the notification that Apple released an update to iOS, so I ran the update on the devices we have that run 7.x iOS. I then found out that it addressed a code issue in the SSL code, called "goto fail" and that is also exists in OSX.

The flaw affects SSL when the device or OSX system communicates on the Internet via an unsecured wireless network, and only if you are using Safari (in the case of OSX).

Here's some detail from a Network World article: ... ce=nww_rss

I was a bit worried, until I got more detail, then I quit worrying. My home network uses a secured wireless, and I use Firefox with a number of add-on tools on my laptop, especially when traveling or accessing open wireless at Starbucks. While this is a critical issue regarding SSL, it isn't world-ending and only really affects iOS and OSX users accessing open, unsecured wireless.

The flaw, it turns out, is an extra code line in an if-statement containing the "goto fail" that causes the if-statement to fail all conditions. Somehow, the errant line was overlooked in code review and wasn't caught in compile.

It looked something like this:

Code: Select all

if something-or-other then do-something-or-other else
   goto fail;
   goto fail:

if something-or-other-more then do-something-more else

It's been an interesting weekend keeping up with this one.

Re: Apple SSL flaw

Posted: Mon Feb 24, 2014 8:02 pm
by DaFoxx
it's all over the web, and I suppose this is Android fanbois fantasy, but reality is that someone didn't check their code, and neither did anyone else
it could happen - probably HAS - anywhere else, just took SO long to find it
but even I, and my TOTAL lack of coding skillz could understand what was required v what they actually had :P

Re: Apple SSL flaw

Posted: Wed Feb 26, 2014 1:55 am
by rapier57
One security dude who is currently attending RSA posted a rant a couple days ago complaining about Apple coders using "goto" in program if-statement stanzas.

Problem is, goto's are prevalent throughout most languages. And they are explicit or implied. You either use the word goto (explicit), or just name the label in the stanza (implied).

All If-statements have goto's.

Code: Select all

IF something THEN (go somewhere else and do this) ELSE (go somewhere else and do this)
The THEN condition could send program flow to another routine, passing parameters. Same with the ELSE condition. It just depends on the language syntax as to how it is handled. Otherwise, you have to include the whole THEN or ELSE routine in every if-statement. The goto provides a route outside the current loop to a single routine (in this case labeled FAIL). Handling return and other conditions is up to the programmer.

The point is to have one routine to handle the FAIL condition. If you expect that the program will handle a fail condition the same way in ever case, then it simplifies the program and reduces code and potential errors (and security problems) by having the code appear once, rather than numerous times.

So, for me, the goto isn't a problem. This was basically a case for multiple eyes looking at the code and better code review.

it is also a case for making sure you have all the warning switches set at compile time. Another commentator pointed out that the correct set of switches at compile would have alerted for this issue.

Re: Apple SSL flaw

Posted: Thu Feb 27, 2014 7:27 pm
by DaFoxx
I'll just leave this here :)


Re: Apple SSL flaw

Posted: Fri Feb 28, 2014 5:33 pm
by rapier57
Yeah, saw that earlier. Good one.

Re: Apple SSL flaw

Posted: Fri Mar 07, 2014 1:15 pm
by SirDice
Apple isn't the only one that screwed up. It seems GnuTLS isn't doing things correctly either. ... sdropping/

Re: Apple SSL flaw

Posted: Sun Mar 09, 2014 6:12 pm
by Aspman
I know people from UK gov services that when to the US to offer help to Apple (after an invite) so that Apple kit could be more acceptable for Gov use. When they got there Apple said to them "we don't need any help; we're Apple. We're not changing anything"

They all get the next flight home and iOS7 was released in a more insecure form than iOS6.