iOS, Mac, Android users still vulnerable to bogus certs
Apple and Google inaction in wake of DigiNotar breach
Eight days after the discovery that a fraudulently issued web credential actively targeted Iranians as they accessed their Gmail accounts, millions of people who rely on Google and Apple products remain vulnerable to similar attacks.
The inaction of Google in updating its Android operating system and Apple in making changes to its iOS and Mac OS X is even more striking given a report issued Monday that found that a security breach on Dutch firm DigiNotar minted at least 530 additional counterfeit certificates for domains including addons.mozilla.org, Skype, and various Microsoft update sites.
While updates issued over the past week have protected users of the major browsers and email clients, users of Google Android–based devices, iPhones, iPads, and Apple Safari on Mac remain susceptible unless they take special precautions.
“Apple is characteristically quiet again when it comes to security and at a time when its users need their help most of all,” Andrew Storms, director of security operations at nCircle, wrote in an email. “Users are left going the unofficial route looking for experts outside of Apple to tell them how to protect themselves.”
Apple has steadfastly declined to comment on unpatched security vulnerabilities in its products.
Developers of Google's Chrome browser have done a good job of communicating the risks users face from the fraudulently issued DigiNotar certificates. In the past week, as additional information has come to light, they have issued two updates designed to prevent the bogus credentials from being accepted by the browser when users encounter them.
Google officials have been considerably more inert when it comes to threats the certificates pose to users of Android, the world's most widely used smartphone OS. A Google spokesman declined to comment for this post.
Android users who want to take security matters into their own hands can install the latest version of WhisperCore, a privacy app that will block most SSL certificates signed by DigiNotar. In the next 24 hours, an update will block all remaining certificates, which weren't filtered until the weekend, when the Dutch government backed away from assurances that they weren't affected by the DigiNotar security breach.
A bug in the OS X keychain software makes it hard for Mac users to completely distrust certificates signed by DigiNotar. Until Apple issues a patch, users can follow instructions here to protect themselves. They can also stop using Safari and instead use Chrome or Firefox. It's unclear what steps users of Apple's iDevices can take to block the bogus certificates. ®
Yup, I just saw that in the change requests. They're pulling them in advance of upstream, and even knocked up a little app to allow you to pull your own certs in future.
Nice one guys.
lack of updates
I'm sure you're right that older Android phones won't get any updates for security issues like these. But at least it's possible that others can provide them - and indeed it seems several already have.
It's likely the phone would have to be rooted and a new rom image installed which many people would not be willing or able to do, but for those that care, they can. For everyone else it would be nice to have an auto-updating app that could load and install low-level security patches from a trusted source.
With iOS you are reliant on Apple. If an update comes out for an older device, great, but if not then you're pretty much stuffed.
I guess Google will silently push out an update to all versions like they occasionally do with the market. Be nice to have some notification though.
Cant comment for IOS..