It is UNSAFE to use Google, Skype, Microsoft and Yahoo on iOS 4.3 or Before

Discussion in 'iPhone' started by SomeDudeAsking, Mar 25, 2011.

  1. SomeDudeAsking macrumors 65816

    Joined:
    Nov 23, 2010
    #1
    http://www.computerworld.com/s/arti...put_Iranian_activists_at_risk_says_researcher

    It is unsafe to use Google, Skype, Microsoft and Yahoo on iOS 4.3 or before if you use it check your e-mail, VOIP, or send anything sensitive when using iOS 4.3 or before because you are vulnerable to man in the middle attacks. Since iOS Safari and derived browsers have no means of updating trusted certificates or blacklisting them, you absolutely MUST upgrade to iOS 4.3.1 released today, which I believe should contain the blacklisted certificates.

    iOS 4.3.1 is *not* optional people, it is a security upgrade.
     
  2. bwrairen macrumors 6502

    Joined:
    Jun 23, 2010
    #2
    I fail to see what this has to do with 4.3.1. These sites would have cleared authentication because they had valid ssl certificates.

    Care to elaborate?
     
  3. Ashin, Mar 25, 2011
    Last edited by a moderator: Mar 27, 2011

    Ashin macrumors 6502a

    Ashin

    Joined:
    Jun 19, 2010
    #3
    The security holes he speaks of are well documented, and this is why 4.3.1 has come out so fast without full beta testing cycles like normal.
     
  4. SomeDudeAsking, Mar 25, 2011
    Last edited by a moderator: Mar 27, 2011

    SomeDudeAsking thread starter macrumors 65816

    Joined:
    Nov 23, 2010
    #4
    The problem is that supposedly nefarious hackers for the "Iranian government", "Israel pertaining to be the Iranian government", or "China pertaining to be Israel pertaining to be Iran" hacked into one of the root authorities that make those SSL certificates and gave themselves valid working ones for Google, Skype, Microsoft, and Yahoo. That means in iOS 4.3 if you use Safari or any other Safari based brower (ie: all of them), you can get all your passwords, data, and communications stolen from those sites if the cellular network or wifi network you are on routes through one of their routers (last week, AT&T 3G data was routed through China for some time) because iOS 4.3 is now vulnerable to man in the middle attacks. iOS 4.3.1 should have the stolen certificates blacklisted so you wouldn't be vulnerable to these specific attacks. And attacks in the wild have already been spotted using these certificates, especially for Yahoo.
     
  5. marksman macrumors 603

    marksman

    Joined:
    Jun 4, 2007
    #5
    Please post evidence that AT&T's 3G data was routed through china for some time last week.

    That defies even knowing how networking works.
     
  6. SomeDudeAsking thread starter macrumors 65816

    Joined:
    Nov 23, 2010
    #6
    http://www.pcworld.com/businesscent...ebook_traffic_takes_a_loop_through_china.html

    You should listen to me when I tell you something. I know more about this stuff than you do.
     
  7. jake4ever macrumors regular

    Joined:
    Jul 2, 2009
    Location:
    Ma'on La'oved, Hadera, Israel
    #7
  8. SomeDudeAsking, Mar 25, 2011
    Last edited by a moderator: Mar 27, 2011

    SomeDudeAsking thread starter macrumors 65816

    Joined:
    Nov 23, 2010
    #8
    Then you don't know what man in the middle attacks are because if you do, you would realize the significance of the stolen SSL certificates from COMODO coupled with routing through foreign countries. iOS 4.3.1 should have blacklisted the stolen certificates to make these attacks not possible.
     
  9. EvanLugh macrumors 68000

    EvanLugh

    Joined:
    Aug 29, 2007
    Location:
    Developer land
    #9
    I had to restrain myself from posting yesterday.. you are posting information you've found on the internet (granted, like most people) with little or no knowledge. If an SSL certificate can't be validated, what do you think happens?


    'Smart' people don't tell others how smart they are, it's usually based on their intellectual posts and/or evidence, unlike yourself reeling off links and as another user said commanding people.

    Also, have a guess how many people connect to i.e. Facebook without https, through Wifi networks, cellular etc. Easy interception. Maybe you should look into this!

    A quote from your link also has the interesting paragraph:
    Do you think this is any different to any other practice?

    So, how does this affect 4.3.1 in anyway, SomeDudeAsking?
    (in regards to the fact they were blacklisted without the need of iOS software (4.3.1)
     
  10. dashrendar macrumors member

    Joined:
    Aug 29, 2010
    #10
    not only that, but I believe that only the Yahoo certificate was used for testing by the hackers. The other ones weren't released yet. And the have all been pulled by COMODO. 4.3.1 has nothing to do with this.
     
  11. PNutts macrumors 601

    PNutts

    Joined:
    Jul 24, 2008
    Location:
    Pacific Northwest, US
    #11
    Hey look! I can cut and paste, too!

    http://www.theregister.co.uk/2011/03/23/facebook_traffic_china_telecom/

    From the article:

    Facebook issued a statement that read:

    We are investigating a situation today that resulted in a small amount of a single carrier's traffic to Facebook being misdirected. We are working with the carrier to determine the cause of this error.

    Our initial checks of the latency of the requests indicate that no traffic passed through China.
     
  12. Intell macrumors P6

    Intell

    Joined:
    Jan 24, 2010
    Location:
    Inside
    #12
    The X.X.1, X.X.2, etc. builds never have a beta cycle. They are just security updates and only fix minor bugs. They don't redo the public APIs.
     

Share This Page