“The way that the iPhone handles digital certificates… could lead to an attacker being able to create his own trusted certificate and entice users into downloading malicious files onto their iPhones,” Dennis Fisher reports for threatpost.
“Apple has a list of 224 root certificates that it trusts. As part of the attack, the anonymous researchers obtained a signature certificate from VeriSign for a company named Apple Computer. They backed the certificate up to disk, then used iPCU to create a mobilconfig file called ‘Security Update,’ and attributed it to Apple Computer,” Fisher reports. “They then exported it to disk without a signature as an XML file. They then signed the file and its CA trust chain and uploaded it to a Web server.”
Fisher reports, “Opening the file with Safari on an iPhone results in the phone trusting the configuration file.”
Full article here.
John Gruber notes for Daring Fireball, “Charlie Miller verifies that it works, but also states it doesn’t lead to remote code execution. What popped out at me is that VeriSign issued a security certificate in the name of ‘Apple Computer’ without, you know, verifying that it was Apple.”
Full article here.
MacDailyNews Take: Yes, why is VeriSign issuing a security certificate in the name of ‘Apple Computer’ without verifying that it’s from Apple?
Not a lot of verifying going on at VeriSign, it looks like.
The whole system breaks down if the guardian — VeriSign — doesn’t do its job.
Did the good folks that used to work at Arthur Andersen move over to VeriSign?
Hmmmm…. why not get a cert that says Chase Bank?
Yeah, this definitely bodes ill for Verisign.
Double fail on Verisign. Not only did they not verify that it was Apple asking for the certificate, but Apple hasn’t gone by “Apple Computer” for a few years now, it’s “Apple Inc.”
VeriSign just wants to keep its gravy train going. Probably a 6000% or more markup on those certificates so they issue as many as they can to whomever has the money.
224 root certificates
signature certificate
iPCU
mobilconfig file
CA trust chain
I have no idea what it all means. Does anyone?
Whatever!!
Huh. When we got our cert we had to prove we were who we said we were. So, WTF is the story now?
Sounds to me like a non-iPhone issue, since you can fool any PC with a bogus cert.
Complacency is the root of all major system failures as people get ever more deeply entrenched in their comfort zones.
I guess VeriSign should get that gas pedal checked… or was it the brake pedal?
My front door is vulnerable to me opening it for people.
Speaking as the real Jeeve Stobs, I think Apple should file formal charges against Verisign.
CourtJester,
That’s why I keep my employees on their toes with cattle prods.
Verisign has absolutely nothing to do with it. They issue toy certificates for test purposes like most other certificate authorities. The security issue lies in the fact that the iPhone trusts such certificates for things like remote phone configuration.
There’s something to add to 4.0.
I hope Apple gives folks that figure out these things a box of chocolates or something tasty…
How bad is this, really? Isn’t the iPhone browser sandboxed? What kind of damage is possible from this if it can’t access the rest of the iPhone OS?
@ cryptopath
Really? So what stops me or any other idiot from requesting a toy certificate?
Are these certificates crippled in any way or are they the real deal?
According to the article, “anonymous researchers” requested the certificate. Doesn’t sound like the proper channels were used for requesting a test certificate.
Nexus unaffected
chances of any iPhone being infected in this manner = zero
waste of time for “researcher”
and now the researcher is wasting my time
Sounds like Apple needs to not-quite remove VeriSign from the list of trusted roots. Perhaps pop a dialog box encouraging people to urge the website to do business with a CA that takes its responsibilities seriously.
Let me get this straight. This forgery method requires VeriSign to issue a fraudulent signature certificate? Then the vulnerability is not the phone’s, but rather Verisign’s.