SlideShare ist ein Scribd-Unternehmen logo

Apple SSL Vulnerability Explained

Als PPTX, PDF herunterladen
Mike Chapple
Mike Chapple

Understand the coding error behind Apple's #gotofail. How one line of code undermined the use of SSL/TLS to secure iOS and Mac OS X communications.

Technologie
1 von 11
Inside Apple’s SSL Vulnerability Mike Chapple mchapple@nd.edu @mchapple
Digital Certificates • Digital Certificates use asymmetric cryptography to facilitate the secure exchange of public keys. • Rely upon the use of trusted Certificate Authorities – Certificate Authorities responsible for vouching for identity of certificate “subjects”. – Usually used for servers, can also be used by individuals. – Organization proves its identity to the CA and the CA provides a signed certificate that can be used to prove identity to others. • To a CA, trust is essential!
What’s in a Digital Certificate? • • • • • • • Name of the certificate subject Subject’s public key Name of the CA Serial number Signature algorithm Validity period CA’s digital signature Source: Apple Computer 3
Using Certificates in HTTPS • HTTPS uses digital certificates to ensure secure web communications • It supplements the standard HTTP protocol with SSL/TLS encryption 1. 2. You access a secure site using your web browser Your browser retrieves the site certificate and verifies it • 3. Your browser then chooses a symmetric key, encrypts it with the server’s public key and sends it to the server • 4. 4 What does a certificate error mean? Why don’t they just communicate using the server’s public key? Everything from that point forward is encrypted with the symmetric key
Apple’s Code The repeated “goto fail;” is the #fail Source: The Guardian
Apple’s Code Because it is always executed, bypassing this check Source: The Guardian
Simpler Version of the Same Flaw Default return value set to 1 Goto bypasses attempt to change return value Source: imperialviolet.org Default value (1) always returned by function
Impact • Digital signatures on ephemeral keys not verified • Certificate itself is verified • Link between certificate and key not checked • Clients always trust presented ephemeral keys because the certificate checked out OK
gotofail.com
Fixes • For iOS, upgrade to 7.0.6 • No fix yet available for OS X • In the meantime, use Chrome for partial fix
Questions? Mike Chapple mchapple@nd.edu @mchapple

Empfohlen

Cryptzone: The Software-Defined Perimeter
Cryptzone: The Software-Defined PerimeterCryptzone: The Software-Defined Perimeter
Cryptzone: The Software-Defined PerimeterCryptzone
 
AppGate: Achieving Compliance in the Cloud
AppGate: Achieving Compliance in the CloudAppGate: Achieving Compliance in the Cloud
AppGate: Achieving Compliance in the CloudCryptzone
 
Why API Security Is More Complicated Than You Think (and Why It’s Your #1 Pri...
Why API Security Is More Complicated Than You Think (and Why It’s Your #1 Pri...Why API Security Is More Complicated Than You Think (and Why It’s Your #1 Pri...
Why API Security Is More Complicated Than You Think (and Why It’s Your #1 Pri...ProgrammableWeb
 
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...Security Innovation
 
Jenkins Terraform Vault
Jenkins Terraform VaultJenkins Terraform Vault
Jenkins Terraform VaultShrivatsa Upadhye
 
Two-factor Authentication
Two-factor AuthenticationTwo-factor Authentication
Two-factor AuthenticationPortalGuard dba PistolStar, Inc.
 
e-Xpert Gate / Reverse Proxy - WAF 1ere génération
e-Xpert Gate / Reverse Proxy - WAF 1ere génératione-Xpert Gate / Reverse Proxy - WAF 1ere génération
e-Xpert Gate / Reverse Proxy - WAF 1ere générationSylvain Maret
 
Swift MEAP Oracle OpenWorld 2014
Swift MEAP Oracle OpenWorld 2014Swift MEAP Oracle OpenWorld 2014
Swift MEAP Oracle OpenWorld 2014Swift MEAP
 

Empfohlen

Cryptzone: The Software-Defined Perimeter
Cryptzone: The Software-Defined PerimeterCryptzone: The Software-Defined Perimeter
Cryptzone: The Software-Defined PerimeterCryptzone
 
AppGate: Achieving Compliance in the Cloud
AppGate: Achieving Compliance in the CloudAppGate: Achieving Compliance in the Cloud
AppGate: Achieving Compliance in the CloudCryptzone
 
Why API Security Is More Complicated Than You Think (and Why It’s Your #1 Pri...
Why API Security Is More Complicated Than You Think (and Why It’s Your #1 Pri...Why API Security Is More Complicated Than You Think (and Why It’s Your #1 Pri...
Why API Security Is More Complicated Than You Think (and Why It’s Your #1 Pri...ProgrammableWeb
 
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...Security Innovation
 
Jenkins Terraform Vault
Jenkins Terraform VaultJenkins Terraform Vault
Jenkins Terraform VaultShrivatsa Upadhye
 
Two-factor Authentication
Two-factor AuthenticationTwo-factor Authentication
Two-factor AuthenticationPortalGuard dba PistolStar, Inc.
 
e-Xpert Gate / Reverse Proxy - WAF 1ere génération
e-Xpert Gate / Reverse Proxy - WAF 1ere génératione-Xpert Gate / Reverse Proxy - WAF 1ere génération
e-Xpert Gate / Reverse Proxy - WAF 1ere générationSylvain Maret
 
Swift MEAP Oracle OpenWorld 2014
Swift MEAP Oracle OpenWorld 2014Swift MEAP Oracle OpenWorld 2014
Swift MEAP Oracle OpenWorld 2014Swift MEAP
 
API Security from the DevOps and CSO Perspectives (Webcast)
API Security from the DevOps and CSO Perspectives (Webcast)API Security from the DevOps and CSO Perspectives (Webcast)
API Security from the DevOps and CSO Perspectives (Webcast)Apigee | Google Cloud
 
Reducing Your Attack Surface
Reducing Your Attack SurfaceReducing Your Attack Surface
Reducing Your Attack SurfaceAlert Logic
 
Security components in mule esb
Security components in mule esbSecurity components in mule esb
Security components in mule esbhimajareddys
 
EarthLink Business Hosted Exchange Solution
EarthLink Business Hosted Exchange SolutionEarthLink Business Hosted Exchange Solution
EarthLink Business Hosted Exchange SolutionMike Ricca
 
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...apidays
 
Token-based uthentication
Token-based uthenticationToken-based uthentication
Token-based uthenticationWill Adams
 
Securing Healthcare Data on AWS for HIPAA
Securing Healthcare Data on AWS for HIPAASecuring Healthcare Data on AWS for HIPAA
Securing Healthcare Data on AWS for HIPAAAlert Logic
 
CIS13: APIs, Identity, and Securing the Enterprise
CIS13: APIs, Identity, and Securing the EnterpriseCIS13: APIs, Identity, and Securing the Enterprise
CIS13: APIs, Identity, and Securing the EnterpriseCloudIDSummit
 
Emergic CloudMail - Cloud Based Messaging & Collaboration
Emergic CloudMail - Cloud Based Messaging & CollaborationEmergic CloudMail - Cloud Based Messaging & Collaboration
Emergic CloudMail - Cloud Based Messaging & CollaborationNetcore Solutions
 
Best Practices for API Security
Best Practices for API SecurityBest Practices for API Security
Best Practices for API SecurityMuleSoft
 
The Evolution of Reading List Integrations - Richard Tattersall | Talis Insig...
The Evolution of Reading List Integrations - Richard Tattersall | Talis Insig...The Evolution of Reading List Integrations - Richard Tattersall | Talis Insig...
The Evolution of Reading List Integrations - Richard Tattersall | Talis Insig...Talis
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the CloudAlert Logic
 
Authentication methods
Authentication methodsAuthentication methods
Authentication methodssana mateen
 
Step by step guide for web application security testing
Step by step guide for web application security testingStep by step guide for web application security testing
Step by step guide for web application security testingAvyaan, Web Security Company in India
 
Testing Web Application Security
Testing Web Application SecurityTesting Web Application Security
Testing Web Application SecurityTed Husted
 
Getting Started with Talis Aspire Reading Lists LTI - Tim Hodson | Talis Insi...
Getting Started with Talis Aspire Reading Lists LTI - Tim Hodson | Talis Insi...Getting Started with Talis Aspire Reading Lists LTI - Tim Hodson | Talis Insi...
Getting Started with Talis Aspire Reading Lists LTI - Tim Hodson | Talis Insi...Talis
 
Security in mulesoft
Security in mulesoftSecurity in mulesoft
Security in mulesoftakshay yeluru
 
PIE - BSides Vancouver 2018
PIE - BSides Vancouver 2018PIE - BSides Vancouver 2018
PIE - BSides Vancouver 2018Greg Foss
 
Phishing Intelligence Engine - BlueHat v17
Phishing Intelligence Engine - BlueHat v17Phishing Intelligence Engine - BlueHat v17
Phishing Intelligence Engine - BlueHat v17Greg Foss
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the CloudAlert Logic
 
RSA: CSA GRC Stack Update for the CSA Atlanta Chapter
RSA: CSA GRC Stack Update for the CSA Atlanta ChapterRSA: CSA GRC Stack Update for the CSA Atlanta Chapter
RSA: CSA GRC Stack Update for the CSA Atlanta ChapterPhil Agcaoili
 
Collateral damage in cyberwarfare
Collateral damage in cyberwarfareCollateral damage in cyberwarfare
Collateral damage in cyberwarfareMike Chapple
 

Weitere ähnliche Inhalte

Was ist angesagt?

API Security from the DevOps and CSO Perspectives (Webcast)
API Security from the DevOps and CSO Perspectives (Webcast)API Security from the DevOps and CSO Perspectives (Webcast)
API Security from the DevOps and CSO Perspectives (Webcast)Apigee | Google Cloud
 
Reducing Your Attack Surface
Reducing Your Attack SurfaceReducing Your Attack Surface
Reducing Your Attack SurfaceAlert Logic
 
Security components in mule esb
Security components in mule esbSecurity components in mule esb
Security components in mule esbhimajareddys
 
EarthLink Business Hosted Exchange Solution
EarthLink Business Hosted Exchange SolutionEarthLink Business Hosted Exchange Solution
EarthLink Business Hosted Exchange SolutionMike Ricca
 
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...apidays
 
Token-based uthentication
Token-based uthenticationToken-based uthentication
Token-based uthenticationWill Adams
 
Securing Healthcare Data on AWS for HIPAA
Securing Healthcare Data on AWS for HIPAASecuring Healthcare Data on AWS for HIPAA
Securing Healthcare Data on AWS for HIPAAAlert Logic
 
CIS13: APIs, Identity, and Securing the Enterprise
CIS13: APIs, Identity, and Securing the EnterpriseCIS13: APIs, Identity, and Securing the Enterprise
CIS13: APIs, Identity, and Securing the EnterpriseCloudIDSummit
 
Emergic CloudMail - Cloud Based Messaging & Collaboration
Emergic CloudMail - Cloud Based Messaging & CollaborationEmergic CloudMail - Cloud Based Messaging & Collaboration
Emergic CloudMail - Cloud Based Messaging & CollaborationNetcore Solutions
 
Best Practices for API Security
Best Practices for API SecurityBest Practices for API Security
Best Practices for API SecurityMuleSoft
 
The Evolution of Reading List Integrations - Richard Tattersall | Talis Insig...
The Evolution of Reading List Integrations - Richard Tattersall | Talis Insig...The Evolution of Reading List Integrations - Richard Tattersall | Talis Insig...
The Evolution of Reading List Integrations - Richard Tattersall | Talis Insig...Talis
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the CloudAlert Logic
 
Authentication methods
Authentication methodsAuthentication methods
Authentication methodssana mateen
 
Testing Web Application Security
Testing Web Application SecurityTesting Web Application Security
Testing Web Application SecurityTed Husted
 
Getting Started with Talis Aspire Reading Lists LTI - Tim Hodson | Talis Insi...
Getting Started with Talis Aspire Reading Lists LTI - Tim Hodson | Talis Insi...Getting Started with Talis Aspire Reading Lists LTI - Tim Hodson | Talis Insi...
Getting Started with Talis Aspire Reading Lists LTI - Tim Hodson | Talis Insi...Talis
 
Security in mulesoft
Security in mulesoftSecurity in mulesoft
Security in mulesoftakshay yeluru
 
PIE - BSides Vancouver 2018
PIE - BSides Vancouver 2018PIE - BSides Vancouver 2018
PIE - BSides Vancouver 2018Greg Foss
 
Phishing Intelligence Engine - BlueHat v17
Phishing Intelligence Engine - BlueHat v17Phishing Intelligence Engine - BlueHat v17
Phishing Intelligence Engine - BlueHat v17Greg Foss
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the CloudAlert Logic
 

Was ist angesagt? (20)

API Security from the DevOps and CSO Perspectives (Webcast)
API Security from the DevOps and CSO Perspectives (Webcast)API Security from the DevOps and CSO Perspectives (Webcast)
API Security from the DevOps and CSO Perspectives (Webcast)
 
Reducing Your Attack Surface
Reducing Your Attack SurfaceReducing Your Attack Surface
Reducing Your Attack Surface
 
Security components in mule esb
Security components in mule esbSecurity components in mule esb
Security components in mule esb
 
EarthLink Business Hosted Exchange Solution
EarthLink Business Hosted Exchange SolutionEarthLink Business Hosted Exchange Solution
EarthLink Business Hosted Exchange Solution
 
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...
 
Token-based uthentication
Token-based uthenticationToken-based uthentication
Token-based uthentication
 
Securing Healthcare Data on AWS for HIPAA
Securing Healthcare Data on AWS for HIPAASecuring Healthcare Data on AWS for HIPAA
Securing Healthcare Data on AWS for HIPAA
 
CIS13: APIs, Identity, and Securing the Enterprise
CIS13: APIs, Identity, and Securing the EnterpriseCIS13: APIs, Identity, and Securing the Enterprise
CIS13: APIs, Identity, and Securing the Enterprise
 
Emergic CloudMail - Cloud Based Messaging & Collaboration
Emergic CloudMail - Cloud Based Messaging & CollaborationEmergic CloudMail - Cloud Based Messaging & Collaboration
Emergic CloudMail - Cloud Based Messaging & Collaboration
 
Best Practices for API Security
Best Practices for API SecurityBest Practices for API Security
Best Practices for API Security
 
The Evolution of Reading List Integrations - Richard Tattersall | Talis Insig...
The Evolution of Reading List Integrations - Richard Tattersall | Talis Insig...The Evolution of Reading List Integrations - Richard Tattersall | Talis Insig...
The Evolution of Reading List Integrations - Richard Tattersall | Talis Insig...
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
 
Authentication methods
Authentication methodsAuthentication methods
Authentication methods
 
Step by step guide for web application security testing
Step by step guide for web application security testingStep by step guide for web application security testing
Step by step guide for web application security testing
 
Testing Web Application Security
Testing Web Application SecurityTesting Web Application Security
Testing Web Application Security
 
Getting Started with Talis Aspire Reading Lists LTI - Tim Hodson | Talis Insi...
Getting Started with Talis Aspire Reading Lists LTI - Tim Hodson | Talis Insi...Getting Started with Talis Aspire Reading Lists LTI - Tim Hodson | Talis Insi...
Getting Started with Talis Aspire Reading Lists LTI - Tim Hodson | Talis Insi...
 
Security in mulesoft
Security in mulesoftSecurity in mulesoft
Security in mulesoft
 
PIE - BSides Vancouver 2018
PIE - BSides Vancouver 2018PIE - BSides Vancouver 2018
PIE - BSides Vancouver 2018
 
Phishing Intelligence Engine - BlueHat v17
Phishing Intelligence Engine - BlueHat v17Phishing Intelligence Engine - BlueHat v17
Phishing Intelligence Engine - BlueHat v17
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
 

Andere mochten auch

RSA: CSA GRC Stack Update for the CSA Atlanta Chapter
RSA: CSA GRC Stack Update for the CSA Atlanta ChapterRSA: CSA GRC Stack Update for the CSA Atlanta Chapter
RSA: CSA GRC Stack Update for the CSA Atlanta ChapterPhil Agcaoili
 
Collateral damage in cyberwarfare
Collateral damage in cyberwarfareCollateral damage in cyberwarfare
Collateral damage in cyberwarfareMike Chapple
 
The Other Advanced Attacks: DNS/NTP Amplification and Careto
The Other Advanced Attacks: DNS/NTP Amplification and CaretoThe Other Advanced Attacks: DNS/NTP Amplification and Careto
The Other Advanced Attacks: DNS/NTP Amplification and CaretoMike Chapple
 
A Year of Cloud First: Lessons Learned
A Year of Cloud First: Lessons LearnedA Year of Cloud First: Lessons Learned
A Year of Cloud First: Lessons LearnedMike Chapple
 
The FBI vs. Apple: Framing the Debate
The FBI vs. Apple: Framing the DebateThe FBI vs. Apple: Framing the Debate
The FBI vs. Apple: Framing the DebateMike Chapple
 
Cybersecurity Health Checks: Safeguarding Your Organisation
Cybersecurity Health Checks: Safeguarding Your OrganisationCybersecurity Health Checks: Safeguarding Your Organisation
Cybersecurity Health Checks: Safeguarding Your OrganisationLinkedIn Learning Solutions
 

Andere mochten auch (6)

RSA: CSA GRC Stack Update for the CSA Atlanta Chapter
RSA: CSA GRC Stack Update for the CSA Atlanta ChapterRSA: CSA GRC Stack Update for the CSA Atlanta Chapter
RSA: CSA GRC Stack Update for the CSA Atlanta Chapter
 
Collateral damage in cyberwarfare
Collateral damage in cyberwarfareCollateral damage in cyberwarfare
Collateral damage in cyberwarfare
 
The Other Advanced Attacks: DNS/NTP Amplification and Careto
The Other Advanced Attacks: DNS/NTP Amplification and CaretoThe Other Advanced Attacks: DNS/NTP Amplification and Careto
The Other Advanced Attacks: DNS/NTP Amplification and Careto
 
A Year of Cloud First: Lessons Learned
A Year of Cloud First: Lessons LearnedA Year of Cloud First: Lessons Learned
A Year of Cloud First: Lessons Learned
 
The FBI vs. Apple: Framing the Debate
The FBI vs. Apple: Framing the DebateThe FBI vs. Apple: Framing the Debate
The FBI vs. Apple: Framing the Debate
 
Cybersecurity Health Checks: Safeguarding Your Organisation
Cybersecurity Health Checks: Safeguarding Your OrganisationCybersecurity Health Checks: Safeguarding Your Organisation
Cybersecurity Health Checks: Safeguarding Your Organisation
 

Ähnlich wie Apple SSL Vulnerability Explained

Certificate pinning in android applications
Certificate pinning in android applicationsCertificate pinning in android applications
Certificate pinning in android applicationsArash Ramez
 
An introduction to X.509 certificates
An introduction to X.509 certificatesAn introduction to X.509 certificates
An introduction to X.509 certificatesStephane Potier
 
Digital signature
Digital signatureDigital signature
Digital signatureAJAL A J
 
presentation2-151203145018-lva1-app6891.pdf
presentation2-151203145018-lva1-app6891.pdfpresentation2-151203145018-lva1-app6891.pdf
presentation2-151203145018-lva1-app6891.pdfGumanSingh10
 
Web application security part 02
Web application security part 02Web application security part 02
Web application security part 02G Prachi
 
Pki & Personal Digital Certificates, Securing Sensitive Electronic Commun...
Pki & Personal Digital Certificates, Securing Sensitive Electronic Commun...Pki & Personal Digital Certificates, Securing Sensitive Electronic Commun...
Pki & Personal Digital Certificates, Securing Sensitive Electronic Commun...Nicholas Davis
 
Pki & personal digital certificates, securing sensitive electronic communicat...
Pki & personal digital certificates, securing sensitive electronic communicat...Pki & personal digital certificates, securing sensitive electronic communicat...
Pki & personal digital certificates, securing sensitive electronic communicat...Nicholas Davis
 
Outlook and thunderbird ii
Outlook and thunderbird iiOutlook and thunderbird ii
Outlook and thunderbird iiBanukaVidusanka
 
Scott Rea - IoT: Taking PKI Where No PKI Has Gone Before
Scott Rea - IoT: Taking PKI Where No PKI Has Gone BeforeScott Rea - IoT: Taking PKI Where No PKI Has Gone Before
Scott Rea - IoT: Taking PKI Where No PKI Has Gone BeforeDigiCert, Inc.
 
Certificates, PKI, and SSL/TLS for infrastructure builders and operators
Certificates, PKI, and SSL/TLS for infrastructure builders and operatorsCertificates, PKI, and SSL/TLS for infrastructure builders and operators
Certificates, PKI, and SSL/TLS for infrastructure builders and operatorsDavid Ochel
 
Digital signature
Digital signatureDigital signature
Digital signatureJanani S
 
SSL Communication and Mutual Authentication
SSL Communication and Mutual AuthenticationSSL Communication and Mutual Authentication
SSL Communication and Mutual AuthenticationCleo
 
Impact of digital certificate in network security
Impact of digital certificate in network securityImpact of digital certificate in network security
Impact of digital certificate in network securityrhassan84
 
Impact of digital certificate in network security
Impact of digital certificate in network securityImpact of digital certificate in network security
Impact of digital certificate in network securityrhassan84
 
Unit 4 (Part II) - Authentication Framework for PKC.pptx
Unit 4 (Part II) - Authentication Framework for PKC.pptxUnit 4 (Part II) - Authentication Framework for PKC.pptx
Unit 4 (Part II) - Authentication Framework for PKC.pptxRAMESHMRA21130030110
 
InfoSecurity Europe 2015 - Identities Exposed by David Johansson
InfoSecurity Europe 2015 - Identities Exposed by David JohanssonInfoSecurity Europe 2015 - Identities Exposed by David Johansson
InfoSecurity Europe 2015 - Identities Exposed by David JohanssonDavid Johansson
 

Ähnlich wie Apple SSL Vulnerability Explained (20)

Certificate pinning in android applications
Certificate pinning in android applicationsCertificate pinning in android applications
Certificate pinning in android applications
 
The world of encryption
The world of encryptionThe world of encryption
The world of encryption
 
An introduction to X.509 certificates
An introduction to X.509 certificatesAn introduction to X.509 certificates
An introduction to X.509 certificates
 
Digital signature
Digital signatureDigital signature
Digital signature
 
Https
HttpsHttps
Https
 
SSL
SSLSSL
SSL
 
presentation2-151203145018-lva1-app6891.pdf
presentation2-151203145018-lva1-app6891.pdfpresentation2-151203145018-lva1-app6891.pdf
presentation2-151203145018-lva1-app6891.pdf
 
Web application security part 02
Web application security part 02Web application security part 02
Web application security part 02
 
Pki & Personal Digital Certificates, Securing Sensitive Electronic Commun...
Pki & Personal Digital Certificates, Securing Sensitive Electronic Commun...Pki & Personal Digital Certificates, Securing Sensitive Electronic Commun...
Pki & Personal Digital Certificates, Securing Sensitive Electronic Commun...
 
Pki & personal digital certificates, securing sensitive electronic communicat...
Pki & personal digital certificates, securing sensitive electronic communicat...Pki & personal digital certificates, securing sensitive electronic communicat...
Pki & personal digital certificates, securing sensitive electronic communicat...
 
Cryptography
CryptographyCryptography
Cryptography
 
Outlook and thunderbird ii
Outlook and thunderbird iiOutlook and thunderbird ii
Outlook and thunderbird ii
 
Scott Rea - IoT: Taking PKI Where No PKI Has Gone Before
Scott Rea - IoT: Taking PKI Where No PKI Has Gone BeforeScott Rea - IoT: Taking PKI Where No PKI Has Gone Before
Scott Rea - IoT: Taking PKI Where No PKI Has Gone Before
 
Certificates, PKI, and SSL/TLS for infrastructure builders and operators
Certificates, PKI, and SSL/TLS for infrastructure builders and operatorsCertificates, PKI, and SSL/TLS for infrastructure builders and operators
Certificates, PKI, and SSL/TLS for infrastructure builders and operators
 
Digital signature
Digital signatureDigital signature
Digital signature
 
SSL Communication and Mutual Authentication
SSL Communication and Mutual AuthenticationSSL Communication and Mutual Authentication
SSL Communication and Mutual Authentication
 
Impact of digital certificate in network security
Impact of digital certificate in network securityImpact of digital certificate in network security
Impact of digital certificate in network security
 
Impact of digital certificate in network security
Impact of digital certificate in network securityImpact of digital certificate in network security
Impact of digital certificate in network security
 
Unit 4 (Part II) - Authentication Framework for PKC.pptx
Unit 4 (Part II) - Authentication Framework for PKC.pptxUnit 4 (Part II) - Authentication Framework for PKC.pptx
Unit 4 (Part II) - Authentication Framework for PKC.pptx
 
InfoSecurity Europe 2015 - Identities Exposed by David Johansson
InfoSecurity Europe 2015 - Identities Exposed by David JohanssonInfoSecurity Europe 2015 - Identities Exposed by David Johansson
InfoSecurity Europe 2015 - Identities Exposed by David Johansson
 

Kürzlich hochgeladen

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusZilliz
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 

Kürzlich hochgeladen (20)

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 

Apple SSL Vulnerability Explained

  • 1. Inside Apple’s SSL Vulnerability Mike Chapple mchapple@nd.edu @mchapple
  • 2. Digital Certificates • Digital Certificates use asymmetric cryptography to facilitate the secure exchange of public keys. • Rely upon the use of trusted Certificate Authorities – Certificate Authorities responsible for vouching for identity of certificate “subjects”. – Usually used for servers, can also be used by individuals. – Organization proves its identity to the CA and the CA provides a signed certificate that can be used to prove identity to others. • To a CA, trust is essential!
  • 3. What’s in a Digital Certificate? • • • • • • • Name of the certificate subject Subject’s public key Name of the CA Serial number Signature algorithm Validity period CA’s digital signature Source: Apple Computer 3
  • 4. Using Certificates in HTTPS • HTTPS uses digital certificates to ensure secure web communications • It supplements the standard HTTP protocol with SSL/TLS encryption 1. 2. You access a secure site using your web browser Your browser retrieves the site certificate and verifies it • 3. Your browser then chooses a symmetric key, encrypts it with the server’s public key and sends it to the server • 4. 4 What does a certificate error mean? Why don’t they just communicate using the server’s public key? Everything from that point forward is encrypted with the symmetric key
  • 5. Apple’s Code The repeated “goto fail;” is the #fail Source: The Guardian
  • 6. Apple’s Code Because it is always executed, bypassing this check Source: The Guardian
  • 7. Simpler Version of the Same Flaw Default return value set to 1 Goto bypasses attempt to change return value Source: imperialviolet.org Default value (1) always returned by function
  • 8. Impact • Digital signatures on ephemeral keys not verified • Certificate itself is verified • Link between certificate and key not checked • Clients always trust presented ephemeral keys because the certificate checked out OK
  • 10. Fixes • For iOS, upgrade to 7.0.6 • No fix yet available for OS X • In the meantime, use Chrome for partial fix