SSL Labs: Testing for Apple's TLS authentication bug
On Friday, Apple released patches for iOS 6.x and 7.x, addressing a mysterious bug that affected TLS authentication. Although no further details were made available, a large-scale bug hunt ensued. This post on Hacker News pointed to the problem, and Adam Langley followed up with a complete analysis.
I've just released an update for the SSL Labs Client Test, which enables you to test your user agents for this vulnerability.
This bug affects all applications that rely on Apple's SSL/TLS stack, which probably means most of them. Applications that carry with them their own TLS implementations (for example, Chrome and Firefox) are not vulnerable. For iOS, it's not clear when the bug had been introduced exactly. For OS X, it appears that only OS X 10.9 Mavericks is vulnerable.
What you should do:
- iOS 6.x and 7.x: Patches are available, so you should update your devices immediately.
- OS X 10.9.x:
Apple promised a fix would be available soon. Update as soon as it is released.The vulnerability has been fixed in 10.9.2. Update immediately.
Update (10 March 2014): If you want to build your own test (e.g., to deploy on your intranet), I have published the instructions here.
MY BOOK: If you like this blog post, you will love Bulletproof TLS and PKI. For system administrators, developers, and IT security professionals, this book provides a comprehensive coverage of the ever-changing field of SSL/TLS and Internet PKI and will teach you everything you need to know to protect your systems from eavesdropping and impersonation attacks. It's available now. |