goto


The epic “goto fail” in Apple’s SSL implementation

Security and Privacy

I wrote here about the SSL bug and what it could do for your security and privacy… There is a website which helps users check if they are affected by this bug: gotofail.com. Here are more details about the gotofail bug.

Here is a pretty good explanation about how this bug “works” (courtesy of gotofail.com):

Normal SSL/TLS:

Client (browser): Hey server, let’s speak in private. Here is a list of ciphers I know that we could use.

RealServer: Okay, we can speak in private, here is my identification paperwork.

Client: Your paperwork looks good, let’s continue.

RealServer: Let’s use cipher XYZ. Please encrypt the conversation key you want to use to this public key. I have signed our conversation so far with the key from my identification paperwork to prove everything is legit.

Client: Okay, your signature looks good, here’s the conversation key encrypted so only you can read it. I am switching to cipher XYZ with that key now.

Client and RealServer converse privately.

SSL/TLS with a vulnerable Apple product:

Client (browser): Hey server, let’s speak in private. Here is a list of ciphers I know that we could use.

FakeServer: Okay, we can speak in private, here…

