goto fail; INDEEDwww.cs.columbia.edu wrote: As you've probably heard by now, there's a serious bug in the TLS implementations in iOS (the iPhone and iPad operating system) and MacOS. I'll skip the details (but see Adam Langley's excellent blog post if you're interested); the effect is that under certain conditions, an attacker can sit in the middle of an encrypted connection and read all of the traffic.
Here's the code in question:Note the doubledCode: Select all
if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0) goto fail; if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0) goto fail; goto fail; if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0) goto fail;
goto fail;
goto fail;
That's incorrect and is at the root of the problem.
iOS code bug that even YOU could have spotted
- hamin_aus
- Forum Moderator
- Posts: 18363
- Joined: 28 Aug 2003, 02:00
- Processor: Intel i7 3770K
- Motherboard: GA-Z77X-UP4 TH
- Graphics card: Galax GTX1080
- Memory: 32GB G.Skill Ripjaws
- Location: Where beer does flow and men chunder
- Contact:
iOS code bug that even YOU could have spotted
Re: iOS code bug that even YOU could have spotted
"It is the mark of an educated mind to be able to entertain a thought without accepting it." - Aristotle
Intel i5 2500; AsRock Z77 Extreme 4; Asus GTX580; 4x 2GB DDR3 1333; Intel 520 240GB SSD + 2x WD 3TB + 2TB Samsung; Samsung 22X DVD/RW; 23" LG W2343T-PF; Huntkey 700W
Intel i5 2500; AsRock Z77 Extreme 4; Asus GTX580; 4x 2GB DDR3 1333; Intel 520 240GB SSD + 2x WD 3TB + 2TB Samsung; Samsung 22X DVD/RW; 23" LG W2343T-PF; Huntkey 700W
- rustypup
- Registered User
- Posts: 8872
- Joined: 13 Dec 2004, 02:00
- Location: nullus pixius demonica
- Contact:
Re: iOS code bug that even YOU could have spotted
"closed source is far more secure".....
right..
also, the amount of drama around this is amusing... MitM has been around for some time....
reducing the risks would include: step 1 - don't log in to services over public wif... oh, wait... apple users.... never mind. carry on. the magic apple will protect you from yourself...
right..
also, the amount of drama around this is amusing... MitM has been around for some time....
reducing the risks would include: step 1 - don't log in to services over public wif... oh, wait... apple users.... never mind. carry on. the magic apple will protect you from yourself...
Most people would sooner die than think; in fact, they do so - Bertrand Russel