goto considered harmful – security systems and how they fail

Apple devices are subject to a bug in a core crypto library where one line of errant code – the self-describing bug “goto fail;” – causes SSL connections to be untrustworthy.

iOS systems have a patch (and you should upgrade now); we’re waiting for the OS X hotfix.

There has been some good analysis on Twitter of late, and this article on Wired: Behind iPhone’s Critical Security Bug, a Single Bad ‘Goto’

Apple released iOS 7.0.6 yesterday to patch the bug in its implementation of SSL encryption — the internet’s standard defense against eavesdropping and web hijacking. The bug essentially means that when you’re e-mailing, tweeting, using Facebook or checking your bank account from a shared network, like a public WiFi or anything tapped by the NSA, an attacker could be listening in, or even maliciously modifying what goes to your iPhone or iPad.

How to test if you are at risk? The aptly named gotofail.com has a simple and non-destructive test.
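To make the failure mode concrete, here is a constructed C illustration of the control-flow pattern behind “goto fail;” (this is not Apple’s code; the toy helpers, the function names and the inputs are assumptions for the example). The vulnerable form shows how a duplicated, unconditional `goto fail;` skips the final verification step while `err` still holds the success value from the previous check, so a forged signature is accepted; the fixed form beside it runs every check.

```c
#include <stdio.h>
#include <string.h>

/* Constructed illustration (not Apple's code): a simplified
 * signature-check routine in the style of the affected function.
 * Each step returns 0 on success and a non-zero error otherwise. */
typedef int OSStatus;

/* Toy stand-in for a hash update step: "fails" only on empty input. */
static OSStatus hash_update(const char *data) {
    return (data && *data) ? 0 : -1;
}

/* Toy stand-in for the raw signature verify: accepts only an exact match. */
static OSStatus verify_signature(const char *digest, const char *sig) {
    return strcmp(digest, sig) == 0 ? 0 : -1;
}

/* Vulnerable form: the second "goto fail;" is not part of the if body,
 * so it always executes; verify_signature() is never reached and err
 * still holds the 0 returned by hash_update(). */
OSStatus check_key_exchange_vulnerable(const char *params, const char *sig) {
    OSStatus err;
    if ((err = hash_update(params)) != 0)
        goto fail;
        goto fail;                          /* the errant duplicate line */
    if ((err = verify_signature(params, sig)) != 0)
        goto fail;
fail:
    return err;
}

/* Fixed form: one goto per check, braces make the control flow explicit. */
OSStatus check_key_exchange_fixed(const char *params, const char *sig) {
    OSStatus err;
    if ((err = hash_update(params)) != 0) {
        goto fail;
    }
    if ((err = verify_signature(params, sig)) != 0) {
        goto fail;
    }
fail:
    return err;
}

int main(void) {
    /* Constructed inputs: "forged" does not match the expected digest. */
    printf("vulnerable, forged sig: %d\n", check_key_exchange_vulnerable("params", "forged"));
    printf("fixed, forged sig:      %d\n", check_key_exchange_fixed("params", "forged"));
    return 0;
}
```

A return of 0 from the vulnerable routine on a forged signature is the whole bug: the caller treats it as a verified server key exchange. Compiling with unreachable-code warnings enabled, or enforcing braces on every `if`, would have flagged the duplicate line.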
