Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
Get HideMyAss! VPN, PC Mag's Top 10 VPNs of 2016 for 55% off for a Limited Time ×

Comment Re:Too much sensationalism? (Score 1) 125

Verisign as any other Certificate Authority delivers various certificate with different trust levels. If you decide to trust somebody coming with a Level 1 temporary certificate issued without any verification you are in trouble. If you trust this same person to change some of your phone settings you are begging for trouble.

Comment Too much sensationalism? (Score 2, Interesting) 125

Initial (anonymous) author of TFA here:

Do not blame Verisign for issuing a temporary signature certificate without verification: this is stated clearly in their Level 1 certificate statuses and will sure be found with many other certificate issuers. The issue is completely on Apple for trusting a certificate of that kind for an over-the-air update. That kind of certificate is issued without any verification so you could have it delivered to any name you wanted, including your target's IT department. As mentioned in the article Apple should not use Safari's keychain to check the trust chain.

As mentioned in one of the posts below, this is a chicken-and-egg issue that has no obvious solutions. While making an OTA update process secure is a really hard problem, I do believe that Apple has not really looked into all the consequences of their choices. They have released a newer OTA protocol version with iPhone OS 3 which may be harder to subvert than this one.

Slashdot Top Deals

Garbage In -- Gospel Out.

Working...