Forgot your password?
typodupeerror

Comment: Re:Too much sensationalism? (Score 1) 125

by kryptopath (#31007652) Attached to: New iPhone Attack Kills Apps, Reroutes Web Traffic

Verisign as any other Certificate Authority delivers various certificate with different trust levels. If you decide to trust somebody coming with a Level 1 temporary certificate issued without any verification you are in trouble. If you trust this same person to change some of your phone settings you are begging for trouble.

Comment: Too much sensationalism? (Score 2, Interesting) 125

by kryptopath (#31002266) Attached to: New iPhone Attack Kills Apps, Reroutes Web Traffic
Initial (anonymous) author of TFA here:

Do not blame Verisign for issuing a temporary signature certificate without verification: this is stated clearly in their Level 1 certificate statuses and will sure be found with many other certificate issuers. The issue is completely on Apple for trusting a certificate of that kind for an over-the-air update. That kind of certificate is issued without any verification so you could have it delivered to any name you wanted, including your target's IT department. As mentioned in the article Apple should not use Safari's keychain to check the trust chain.

As mentioned in one of the posts below, this is a chicken-and-egg issue that has no obvious solutions. While making an OTA update process secure is a really hard problem, I do believe that Apple has not really looked into all the consequences of their choices. They have released a newer OTA protocol version with iPhone OS 3 which may be harder to subvert than this one.

Asynchronous inputs are at the root of our race problems. -- D. Winker and F. Prosser

Working...