Apple iPhone vulnerable to forged VeriSign signature certificates

“The way that the iPhone handles digital certificates… could lead to an attacker being able to create his own trusted certificate and entice users into downloading malicious files onto their iPhones,” Dennis Fisher reports for threatpost.

“Apple has a list of 224 root certificates that it trusts. As part of the attack, the anonymous researchers obtained a signature certificate from VeriSign for a company named Apple Computer. They backed the certificate up to disk, then used iPCU to create a mobileconfig file called ‘Security Update,’ and attributed it to Apple Computer,” Fisher reports. “They then exported it to disk without a signature as an XML file. They then signed the file and its CA trust chain and uploaded it to a Web server.”

Fisher reports, “Opening the file with Safari on an iPhone results in the phone trusting the configuration file.”

Full article here.

John Gruber notes for Daring Fireball, “Charlie Miller verifies that it works, but also states it doesn’t lead to remote code execution. What popped out at me is that VeriSign issued a security certificate in the name of ‘Apple Computer’ without, you know, verifying that it was Apple.”

Full article here.

MacDailyNews Take: Yes, why is VeriSign issuing a security certificate in the name of ‘Apple Computer’ without verifying that it’s from Apple?

30 Comments

  1. I understand the negative sentiments towards VeriSign here both in the article and the comments (to disclose, I work for them, so I feel the need to clarify a bit) but the problem was not with the certification process, as the original researcher also points out on the Cryptopath blog:

    “It is relatively easy to obtain a signature certificate from many of them [Certificate Authorities] without any sort of verification. A demo signature certificate can be obtained from VeriSign without need for anything other than a valid e-mail address (throwaway addresses work, too) for sixty days at no price and without providing any credit card details… VeriSign is not to blame for this in any way.”

    SSL is about encrypting data, not verifying identities (extended validation SSL, on the other hand, does require more robust verification, which is part of what makes it such a better solution). While a VeriSign cert was chosen here, any certificate that chained to any root trusted by the iPhone would have sufficed. There’s more at Tim Callan’s SSL blog, if you’re interested, and I’d be happy to field any specific questions as I’m able:

    https://blogs.verisign.com/ssl-blog/2010/02/new_iphone_certificate_attack.php
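
The comment's point that any certificate chaining to a trusted root would have sufficed can be seen from the reviewing side in the sketch below, an added example that is not code from the article, the researchers, or Apple. It parses a profile's self-asserted labels and compares a name-matching trust rule with one that pins known signers; the `signer` record stands in for the output of a separate signature-verification step, and `PINNED_SIGNERS` and both fingerprints are hypothetical placeholders.

```python
import plistlib

# Constructed sample: the profile labels described in the article, as unsigned XML.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>PayloadType</key><string>Configuration</string>
<key>PayloadDisplayName</key><string>Security Update</string>
<key>PayloadOrganization</key><string>Apple Computer</string>
<key>PayloadContent</key><array/>
</dict></plist>"""

# Hypothetical allowlist: SHA-256 fingerprints of the signing certificates an
# organisation's own management server uses (placeholder, not a real value).
PINNED_SIGNERS = {"aa" * 32}

# Constructed signer record (assumed output of a prior signature check): a
# trial certificate whose subject name the CA never verified.
DEMO_SIGNER = {"subject_o": "Apple Computer",
               "chains_to_trusted_root": True,
               "sha256": "bb" * 32}


def name_match_policy(profile: dict, signer: dict) -> bool:
    """Weak rule: chain validates and the signer name equals the profile label."""
    return (signer["chains_to_trusted_root"]
            and signer["subject_o"] == profile.get("PayloadOrganization"))


def pinned_policy(signer: dict) -> bool:
    """Stricter rule: chain validates and the leaf is a known signer."""
    return signer["chains_to_trusted_root"] and signer["sha256"] in PINNED_SIGNERS


def triage(profile_xml: bytes, signer: dict) -> dict:
    """Report the self-asserted labels and what each rule would decide."""
    profile = plistlib.loads(profile_xml)
    return {
        "display_name": profile.get("PayloadDisplayName"),
        "organization": profile.get("PayloadOrganization"),
        "payload_count": len(profile.get("PayloadContent", [])),
        "name_match_trusts": name_match_policy(profile, signer),
        "pinned_trusts": pinned_policy(signer),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE, DEMO_SIGNER).items():
        print(f"{key}: {value}")
```

Both the display name and the organization are free text chosen by whoever built the profile, so the name-matching rule accepts the constructed sample while the pinned rule rejects it.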
