Monday, March 11, 2013

Apple Institutes HTTPS (SSL) At iOS Store,
At Long Bloody Last!
But what about the BEAST Attack?!


An AHA! moment. 

So that's how user accounts at the iOS Store have been stolen! Apple has been foolishly using plain old in-the-clear http transactions at the iOS Store. How the $&%! was that allowed to happen? How incredibly incoherent and ignorant of Apple! Exceedingly Naughty!

After leaving users exposed, Apple fully HTTPS-protects iOS App Store (Updated)
But don't break out the bubbly yet. Apple engineers still have work to do.

Still have work to do?! WHAT?!!!!
It's great that Apple has finally updated its iOS app for App Store to provide this basic protection for the entire site. But the work isn't over yet. SSL Labs, a report card system from security firm Qualys that rates the quality of websites' HTTPS protections, gives Apple's App Store a failing grade. iOS users shouldn't worry too much, since the weaknesses Qualys is detecting aren't easy for the average hacker to exploit. Still, it shows Apple engineers still have work to do to make its customers safe.
SSL Report:

Overall Rating: F
Certificate Rating: 100
Protocol Support Rating: 0
Key Exchange: 40
Cipher Strength: 60
This server is vulnerable to the BEAST attack.
So, potentially for YEARS, essentially ALWAYS, Apple has had at least part of its iOS store transactions wide open, in-the-clear. This means that whenever someone using an iOS device connected to the Internet over an open WiFi connection, one without any encryption, one which didn't require you to log in or approve a license before you could connect, their IDs and passwords were sent through the air to the location's router for ANYONE to intercept and READ!!! You're literally handing over your Apple account identity to any local Hacker Rat. They've got the goods. You're hosed. They can do whatever they want with that information, including BEING YOU and FAKING that they are the iOS Store. Not good.

Remember the old Firesheep extension for Firefox? Ever heard of WireShark?

Apple has not yet caught up with an SSL/TLS exploit that is over a year and a half old! The BEAST attack! I provided the link to a Qualys article on the BEAST attack above. Here is a simplified explanation at Wikipedia:
On September 23, 2011 researchers Thai Duong and Juliano Rizzo demonstrated a "proof of concept" called BEAST ("Browser Exploit Against SSL/TLS") using a Java applet to violate same origin policy constraints, for a long-known Cipher block chaining (CBC) vulnerability in TLS 1.0. Practical exploits had not been previously demonstrated for this vulnerability, which was originally discovered by Phillip Rogaway in 2002...

Mozilla updated the development versions of their NSS libraries to mitigate BEAST-like attacks. NSS is used by Mozilla Firefox and Google Chrome to implement SSL. Some web servers that have a broken implementation of the SSL specification may stop working as a result.

. . .

As a work-around, the BEAST attack can also be prevented by removing all CBC ciphers from one's list of allowed ciphers—leaving only the RC4 cipher, which is still widely supported on most websites. Users of Windows 7 and Windows Server 2008 R2 can enable use of TLS 1.1 and 1.2, but this work-around will fail if it is not supported by the other end of the connection and will result in a fall-back to TLS 1.0.
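The two work-arounds in the passage above (enable TLS 1.1/1.2, or drop every CBC suite) reduce to one rule: a server is exposed to BEAST only if a CBC-mode suite can be negotiated under SSLv3 or TLS 1.0, because those versions chain the IV from the previous record, while TLS 1.1 and later use an explicit per-record IV. The Python below is an added example, not code from the original post and not SSL Labs' grader; it classifies OpenSSL-style suite names, applies that rule to a protocol/suite list, and builds a server `ssl.SSLContext` with TLS 1.2 as the floor. The sample configuration is constructed to resemble the failing report above; the page does not give Apple's actual cipher list.

```python
import ssl

# Suite-name tokens that mark a non-CBC suite: AEAD modes and the RC4 stream cipher.
NON_CBC_TOKENS = ("GCM", "CCM", "CHACHA20", "POLY1305", "RC4")

# BEAST needs the implicit, chained IV of SSLv3/TLS 1.0 CBC records;
# TLS 1.1+ uses an explicit per-record IV, so CBC suites there are not affected.
LEGACY_CBC_PROTOCOLS = {"SSLv3", "TLSv1.0"}

_VERSION_NAMES = {
    ssl.TLSVersion.SSLv3: "SSLv3",
    ssl.TLSVersion.TLSv1: "TLSv1.0",
    ssl.TLSVersion.TLSv1_1: "TLSv1.1",
    ssl.TLSVersion.TLSv1_2: "TLSv1.2",
    ssl.TLSVersion.TLSv1_3: "TLSv1.3",
}


def is_cbc_suite(openssl_name: str) -> bool:
    """Classify an OpenSSL-style suite name as CBC mode.

    OpenSSL names spell out AEAD modes (GCM, CCM, CHACHA20-POLY1305) and RC4,
    but omit the mode token for CBC: AES128-SHA is TLS_RSA_WITH_AES_128_CBC_SHA.
    """
    upper = openssl_name.upper()
    if "CBC" in upper:
        return True
    return not any(tok in upper for tok in NON_CBC_TOKENS)


def beast_exposure(enabled_protocols, offered_suites):
    """Apply the BEAST rule: exposed iff a CBC suite is negotiable under SSLv3/TLS 1.0."""
    legacy = sorted(LEGACY_CBC_PROTOCOLS & set(enabled_protocols))
    cbc = [s for s in offered_suites if is_cbc_suite(s)]
    return {
        "exposed": bool(legacy) and bool(cbc),
        "legacy_protocols": legacy,
        "cbc_suites": cbc,
    }


def context_protocols(ctx: ssl.SSLContext):
    """Name the protocol versions a context's min/max bounds allow."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = min(_VERSION_NAMES)
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = max(_VERSION_NAMES)
    return [name for ver, name in _VERSION_NAMES.items() if lo <= ver <= hi]


def cipher_names(ctx: ssl.SSLContext):
    """Suite names the context would offer, as reported by OpenSSL."""
    return [c["name"] for c in ctx.get_ciphers()]


def hardened_context() -> ssl.SSLContext:
    """Server context with the protocol-version fix: TLS 1.2 is the floor."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


# Constructed sample shaped like the failing report above (not Apple's real configuration).
SAMPLE_2013_CONFIG = {
    "protocols": ["TLSv1.0"],
    "suites": ["AES128-SHA", "DES-CBC3-SHA", "RC4-SHA"],
}


if __name__ == "__main__":
    print(beast_exposure(SAMPLE_2013_CONFIG["protocols"], SAMPLE_2013_CONFIG["suites"]))
    ctx = hardened_context()
    print(beast_exposure(context_protocols(ctx), cipher_names(ctx)))
```

The hardened context still offers CBC suites (AES128-SHA256 and friends), and that is fine: with no SSLv3/TLS 1.0 left to negotiate, the chained-IV condition never arises. The RC4-only fallback the Wikipedia passage mentions is no longer acceptable, since RC4 was later prohibited for TLS (RFC 7465), so of the two work-arounds only the protocol-version fix still holds up.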
For the serious geek, here is the original report on the BEAST attack (not average-user friendly!):

Daniel Veditz [:dveditz] 2011-06-20 18:03:57 PDT

Thai Duong sent mail to security@ (and Apple, Microsoft, Google, Opera, CERT, and Oracle):
"This is Juliano Rizzo and Thai Duong. We are working on a new attack against SSL implementations on major web browsers and plugins. We are going to publish a preliminary result of our work next month. The published paper will include some browser exploits that can be used to decrypt HTTPS requests sent by browsers." . . .
Note the listed date in the quotation above: 2011-06-20 (June 20, 2011). The rest of the report continues as a comment thread through 2012-03-22 (March 22, 2012). At that point the entire exploit was known to Apple and everyone else.

And Apple still hasn't finished fixing it.


Bad show Apple. 
VERY bad show. 
Consider me (if I was a Japanese school girl), and many others, kicking you in the ass! 

