Tuesday, April 22, 2014

Wish you were encrypted

It's getting worse for secure sockets in 10.8 and 10.9: may I call your attention this time to the so-called triple handshake. (As such, this famous album image seemed appropriate.) The "triple handshake" technique is a way for a malicious server to act as a man-in-the-middle and intercept encrypted communications by impersonating you, taking advantage of several design flaws in many SSL implementations including Mozilla/Google's, Apple's and Microsoft's.

It does not appear that the OpenSSL-based SSL library prior to 10.8 has this problem (Apple's security note indicates that the problem is not in 10.7 or earlier versions and my cursory source code audit agrees). However, if you are using a very old version of TenFourFox, it is affected; this problem was fixed in 10.0.6 and no version of 17 or 24 is vulnerable. Do upgrade if you have not already.
