Feeds

iOS, Mac, Android users still vulnerable to bogus certs

Apple and Google inaction in wake of DigiNotar breach

The Essential Guide to IT Transformation

Eight days after the discovery that a fraudulently issued web credential actively targeted Iranians as they accessed their Gmail accounts, millions of people who rely on Google and Apple products remain vulnerable to similar attacks.

The inaction of Google in updating its Android operating system and Apple in making changes to its iOS and Mac OS X is even more striking given a report issued Monday that found that a security breach on Dutch firm DigiNotar minted at least 530 additional counterfeit certificates for domains including addons.mozilla.org, Skype, and various Microsoft update sites.

While updates issued over the past week have protected users of the major browsers and email clients, users of Google Android–based devices, iPhones, iPads, and Apple Safari on Mac remain susceptible unless they take special precautions.

“Apple is characteristically quiet again when it comes to security and at a time when its users need their help most of all,” Andrew Storms, director of security operations at nCircle, wrote in an email. “Users are left going the unofficial route looking for experts outside of Apple to tell them how to protect themselves.”

Apple has steadfastly declined to comment on unpatched security vulnerabilities in its products.

Developers of Google's Chrome browser have done a good job of communicating the risks users face from the fraudulently issued DigiNotar certificates. In the past week, as additional information has come to light, they have issued two updates designed to prevent the bogus credentials from being accepted by the browser when users encounter them.

Google officials have been considerably more inert when it comes to threats the certificates pose to users of Android, the world's most widely used smartphone OS. A Google spokesman declined to comment for this post.

Android users who want to take security matters into their own hands can install the latest version of WhisperCore, a privacy app that will block most SSL certificates signed by DigiNotar. In the next 24 hours, an update will block all remaining certificates, which weren't filtered until the weekend, when the Dutch government backed away from assurances that they weren't affected by the DigiNotar security breach.

A bug in the OS X keychain software makes it hard for Mac users to completely distrust certificates signed by DigiNotar. Until Apple issues a patch, users can follow instructions here to protect themselves. They can also stop using Safari and instead use Chrome or Firefox. It's unclear what steps users of Apple's iDevices can take to block the bogus certificates. ®

Build a business case: developing custom apps

More from The Register

next story
4K video on terrestrial TV? Not if the WRC shares frequencies to mobiles
Have your say with Ofcom now, before Freeview becomes Feeview
iPad? More like iFAD: We reveal why Apple fell into IBM's arms
But never fear fanbois, you're still lapping up iPhones, Macs
You didn't get the MeMO? Asus Pad 7 Android tab is ... not bad
Really, er, stands out among cheapie 7-inchers
Apple winks at parents: C'mon, get your kid a tweaked Macbook Pro
Cheapest models given new processors, more RAM
YES, iPhones ARE getting slower with each new release of iOS
Old hardware doesn't get any faster with new software
Leaked Windows Phone 8.1 Update specs tease details of Nokia's next mobes
New screen sizes, dual SIMs, voice over LTE, and more
Nintend-OH NO! Sorry, Mario – your profits are in another castle
Red-hatted mascot, red-colored logo, red-stained finance books
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.