Feeds

iOS, Mac, Android users still vulnerable to bogus certs

Apple and Google inaction in wake of DigiNotar breach

Build a business case: developing custom apps

Eight days after the discovery that a fraudulently issued web credential actively targeted Iranians as they accessed their Gmail accounts, millions of people who rely on Google and Apple products remain vulnerable to similar attacks.

The inaction of Google in updating its Android operating system and Apple in making changes to its iOS and Mac OS X is even more striking given a report issued Monday that found that a security breach on Dutch firm DigiNotar minted at least 530 additional counterfeit certificates for domains including addons.mozilla.org, Skype, and various Microsoft update sites.

While updates issued over the past week have protected users of the major browsers and email clients, users of Google Android–based devices, iPhones, iPads, and Apple Safari on Mac remain susceptible unless they take special precautions.

“Apple is characteristically quiet again when it comes to security and at a time when its users need their help most of all,” Andrew Storms, director of security operations at nCircle, wrote in an email. “Users are left going the unofficial route looking for experts outside of Apple to tell them how to protect themselves.”

Apple has steadfastly declined to comment on unpatched security vulnerabilities in its products.

Developers of Google's Chrome browser have done a good job of communicating the risks users face from the fraudulently issued DigiNotar certificates. In the past week, as additional information has come to light, they have issued two updates designed to prevent the bogus credentials from being accepted by the browser when users encounter them.

Google officials have been considerably more inert when it comes to threats the certificates pose to users of Android, the world's most widely used smartphone OS. A Google spokesman declined to comment for this post.

Android users who want to take security matters into their own hands can install the latest version of WhisperCore, a privacy app that will block most SSL certificates signed by DigiNotar. In the next 24 hours, an update will block all remaining certificates, which weren't filtered until the weekend, when the Dutch government backed away from assurances that they weren't affected by the DigiNotar security breach.

A bug in the OS X keychain software makes it hard for Mac users to completely distrust certificates signed by DigiNotar. Until Apple issues a patch, users can follow instructions here to protect themselves. They can also stop using Safari and instead use Chrome or Firefox. It's unclear what steps users of Apple's iDevices can take to block the bogus certificates. ®

Build a business case: developing custom apps

More from The Register

next story
Kate Bush: Don't make me HAVE CONTACT with your iPHONE
Can't face sea of wobbling fondle implements. What happened to lighters, eh?
The agony and ecstasy of SteamOS: WHERE ARE MY GAMES?
And yes it does need a fat HDD (or SSD, it's cool with either)
Apple takes blade to 13-inch MacBook Pro with Retina display
Shaves price, not screen on mid-2014 model
Apple to build WORLD'S BIGGEST iStore in Dubai
It's not the size of your shiny-shiny...
Steve Jobs had BETTER BALLS than Atari, says Apple mouse designer
Xerox? Pff, not even in the same league as His Jobsiness
Apple analyst: fruity firm set to shift 75 million iPhones
We'll have some of whatever he's having please
TV transport tech, part 1: From server to sofa at the touch of a button
You won't believe how much goes into today's telly tech
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.