Cryptopath

Zeroing in where security hinges

Archive for February 2010

iPhone OS 3.1.3 vulnerable

Just checked: a mobileconfig profile presenting itself as a Security Update from Apple Computer passes all checks on an iPhone OS 3.1.3, as opposed to what is claimed in this article on gulli.com (German). Screenshot below taken on an iPhone registered on a French carrier.

OS 3.1.3 screenshot

OS 3.1.3 screenshot

Advertisements

Written by cryptopath

2010-February-10 at 13:28

Posted in Uncategorized

Leave Verisign out of it!

I keep reading misinterpretations about the previous blog entry and see Verisign buried under a ton of drivel. Just to make things clear:

  • Verisign distributes test certificates for people to try out their service. These certificates are limited to 60 days, delivered without any kind of verification, and clearly labeled as such. People use them mostly to validate that PKI-enabled software like browsers or mail clients can handle them fine.
  • These certificates come with all bells and whistles. If you read the fine print, it is clearly indicated that these are intended for test purposes only.
  • Many other certificate authorities offer the same kind of service for users to test. The same proof-of-concept could have been realized with any other certificate provider offering test tools, as long as they relate to a root CA trusted by iPhones.

You do not have to believe me: browse any certificate provider web site and look for test certificate generation.

The WTF lies in the fact that an iPhone would accept this kind of toy certificate as a token of proof to authenticate a remote configuration received over the air.

Hope that clarifies things a bit.

Written by cryptopath

2010-February-4 at 14:10

Posted in crypto, iphone

Tagged with