
CavemanMike

macrumors regular
Original poster
Nov 8, 2013
211
11
My iOS 6 users who have resisted iOS 7 want to know if they are safe if they only use it on their home wifi (not at Starbucks, not at hotels), and if they don't do banking.

If an unpatched iPhone user is on cellular 3G/LTE, is he safe?

What are the real-world implications of this risk?

Thanks,
Mike
 

MrGuder

macrumors 68040
Nov 30, 2012
3,026
2,012
I'd like to know the "honest" answer to this as well...not just a fear answer to get us to switch to iOS7.

For now I'm not upgrading because I really like iOS6 especially how the music app works. Once iOS 7.1 is released next month and if they change the music app I may upgrade.
 

CavemanMike

macrumors regular
Original poster
Nov 8, 2013
211
11
I'm upgrading! Now convinced . . .

I got my answer. Bottom line: Tim is right, it's not about the wifi.

"It matters anywhere. This isn't someone being able to "snoop" on your communications and hence be an issue on public WiFi but not via cell. It's a flaw that could allow a hacker to trick your system into visiting and accepting as valid an imposter site that looks like a secure (i.e. HTTPS) web site should the attacker be able in some way to misdirect your connection, such as through a fake email or other fake web site.

If you want a more complete explanation without getting too far into the code, see:

http://nakedsecurity.sophos.com/2014/02/24/anatomy-of-a-goto-fail-apples-ssl-bug-explained-plus-an-unofficial-patch/"

----------

Because there is no mouse-over on an iPad, it's hard (impossible perhaps) for a user to detect a faked link.

Too much trickery out there on the internet.

I'm having my peeps upgrade ASAP!!
 

MrGuder

macrumors 68040
Nov 30, 2012
3,026
2,012
Ok thanks for the link....

but...I've had my iPhone 5 with iOS6 for over a year now...you mean for all this time this risk has been present and just being patched now in iOS7? I'm confused about that part. I don't use SSL websites on my phone and don't use free wifi, I'm mostly on LTE all the time except home wifi, never had a problem all this time.
 

CavemanMike

macrumors regular
Original poster
Nov 8, 2013
211
11
I got a silly analogy:

I smoke cigarettes when I pump gasoline.
I've never exploded.
Therefore, it's ok to smoke cigarettes while pumping gas.

----
I asked this question over at Experts Exchange:

If the victim user gets a faked email from Citibank (with genuine graphics copied from their site, a fake from), and clicks the link.

It takes the victim to ci1ibank.com (1 not t).

Could the SSL bug be relevant then?
 

C DM

macrumors Sandy Bridge
Oct 17, 2011
51,389
19,457
> Ok thanks for the link....
>
> but...I've had my iPhone 5 with iOS6 for over a year now...you mean for all this time this risk has been present and just being patched now in iOS7? I'm confused about that part. I don't use SSL websites on my phone and don't use free wifi, I'm mostly on LTE all the time except home wifi, never had a problem all this time.

It might have been introduced by a particular iOS 6 update, not necessarily in the beginning of iOS 6, but, potentially as far as that. And, yes, it just got patched in iOS 7 and iOS 6 as well (along with OS X 10.9).
 

Rigby

macrumors 603
Aug 5, 2008
6,148
10,096
San Jose, CA
> but...I've had my iPhone 5 with iOS6 for over a year now...you mean for all this time this risk has been present and just being patched now in iOS7? I'm confused about that part. I don't use SSL websites on my phone

Even if you don't visit SSL websites, you are still likely using SSL connections often, e.g. in Mail, iCloud, iMessage, software updates and many other apps that rely on SSL to protect passwords and other sensitive information in transit.

> and don't use free wifi, I'm mostly on LTE all the time except home wifi, never had a problem all this time.

Now that this bug is out in the open and tools to exploit it are widely available, many "bad guys" will try to get in on the action. While the risk is highest when using public Wifi hotspots, there are also ways to mount man-in-the-middle attacks deeper in the network.

This bug is so serious because it undermines THE main end-to-end encryption mechanism used for secure web transactions today. You should not underestimate this. I strongly recommend applying the patch, even if you are not a fan of iOS 7. It is just too risky in my opinion.
 

XboxMySocks

macrumors 68020
Oct 25, 2009
2,230
198
Yes, it is a seriously seriously good thing to upgrade. It's not a 'trick' from Apple.
 

MrGuder

macrumors 68040
Nov 30, 2012
3,026
2,012
This is really bad news for people that really liked iOS6 and are now being forced into iOS7. I guess I have no choice then.

Can someone point me to the links about what to do before you upgrade to iOS7? Since I ignored those...meaning do I do a backup of my phone on iTunes before, do I need to save anything that I don't want to lose, do I need so much space available as free space before I do the download?...etc...
 

MrGuder

macrumors 68040
Nov 30, 2012
3,026
2,012
I'm mostly concerned with my iTunes library/music app...I have so many CDs that I manually added the cover art myself using a higher resolution picture for the cover art by scanning the album artwork myself and loading the photos into my entire iTunes library....When I upgrade to iOS7 will this change all my cover art that I added myself? Or will it carry over everything I have already embedded into my iTunes library? In other words will iOS7 re-sort and re-arrange all my library cover art?
 

sracer

macrumors G4
Apr 9, 2010
10,109
12,694
where hip is spoken
> I'm mostly concerned with my iTunes library/music app...I have so many CDs that I manually added the cover art myself using a higher resolution picture for the cover art by scanning the album artwork myself and loading the photos into my entire iTunes library....When I upgrade to iOS7 will this change all my cover art that I added myself? Or will it carry over everything I have already embedded into my iTunes library? In other words will iOS7 re-sort and re-arrange all my library cover art?

Everything should carry over just fine. My collection is similar to yours and I reluctantly upgraded to iOS 7 tonight. The greater concern for me is whether or not apps that are no longer available will continue to run on 7. I have a few apps that I downloaded from the app store before they were pulled... like MAME (for use with my iCade) that I am concerned might not work under 7.
 

MrGuder

macrumors 68040
Nov 30, 2012
3,026
2,012
> Everything should carry over just fine. My collection is similar to yours and I reluctantly upgraded to iOS 7 tonight. The greater concern for me is whether or not apps that are no longer available will continue to run on 7. I have a few apps that I downloaded from the app store before they were pulled... like MAME (for use with my iCade) that I am concerned might not work under 7.

Great, I spent tons of hours creating my artwork for my CDs and I would hate to lose all that.

I guess I will do this update...not happy about it but have no choice.

That is another thing...I too have a few apps that I want to keep the older version, like the Weather Channel (don't like the new version, I even saved the ipa file on my desktop so I don't lose it). Also I have an app called Mctube (the original one not the new one) that lets you save YouTube video to cache, I have like 10 videos saved to cache in 720 res and don't want to lose that app. (I have that ipa saved as well)
 

curiosity

macrumors regular
Sep 3, 2013
188
0
I won't upgrade. I think if the user has common sense then he won't visit malicious websites or open links from within fake mails. He won't use public hotspots to do home banking either.

If you insist on patching but hate iOS 7 maybe it's better to jailbreak and install the community patch.
 

CavemanMike

macrumors regular
Original poster
Nov 8, 2013
211
11
How to tell fake emails on iPad?

Although most of my users don't, at least they can mouse-over links in Outlook to see if they appear legit.

How do you do that on an iPad?

It seems much easier to get tricked into a fake email (Amazon shipping notice, Facebook email, etc.)

Mike
 

sracer

macrumors G4
Apr 9, 2010
10,109
12,694
where hip is spoken
> I won't upgrade. I think if the user has common sense then he won't visit malicious websites or open links from within fake mails. He won't use public hotspots to do home banking either.

That is not sufficient to avoid the dangers of this bug. It doesn't matter where you're getting your access to the internet from but the destination of the site. Spoofing can happen regardless of those suggestions you've made. There's a glaringly large security hole caused by this bug.


> If you insist on patching but hate iOS 7 maybe it's better to jailbreak and install the community patch.

Jailbreaking and applying a patch closes the front door, but opens the back door, and every window on the first floor.
 

curiosity

macrumors regular
Sep 3, 2013
188
0
> Although most of my users don't, at least they can mouse-over links in Outlook to see if they appear legit.
>
> How do you do that on an iPad?

You can touch links for some time, and then a context menu appears, showing the true link.
 

Rigby

macrumors 603
Aug 5, 2008
6,148
10,096
San Jose, CA
The thing about this bug is that it does not need fake web sites or phishing emails for exploits to work. It allows the attacker to transparently impersonate the real sites, and there is no way for the user to discover that the connection is compromised.
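
As background to why a compromised connection looks normal to the user, here is a simplified model of the control-flow mistake behind the "goto fail" bug named in the Sophos link earlier in the thread. It is an added example, not part of any post and not Apple's code; the function names and the string-compare "signature" are hypothetical stand-ins.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for the real hashing and signature routines.
   Return 0 on success, nonzero on failure. */
static int hash_update(const char *data) { return data ? 0 : -1; }
static int check_signature(const char *sig, const char *expected) {
    return strcmp(sig, expected) == 0 ? 0 : -1;
}

/* Vulnerable shape: the second "goto fail;" is not guarded by the if. */
int verify_vulnerable(const char *params, const char *sig, const char *expected) {
    int err;
    if ((err = hash_update("client_random")) != 0)
        goto fail;
    if ((err = hash_update(params)) != 0)
        goto fail;
        goto fail;  /* always taken, and err is still 0 here */
    if ((err = check_signature(sig, expected)) != 0)  /* never reached */
        goto fail;
fail:
    return err;     /* 0 tells the caller the server proved its identity */
}

/* Corrected shape: braces on every branch, no stray jump. */
int verify_fixed(const char *params, const char *sig, const char *expected) {
    int err;
    if ((err = hash_update("client_random")) != 0) {
        goto fail;
    }
    if ((err = hash_update(params)) != 0) {
        goto fail;
    }
    if ((err = check_signature(sig, expected)) != 0) {
        goto fail;
    }
fail:
    return err;
}

int main(void) {
    /* Constructed inputs: "forged" does not match the expected signature. */
    printf("vulnerable, forged sig: %d\n", verify_vulnerable("params", "forged", "good"));
    printf("fixed,      forged sig: %d\n", verify_fixed("params", "forged", "good"));
    printf("fixed,      good sig:   %d\n", verify_fixed("params", "good", "good"));
    return 0;
}
```

Compilers can flag this pattern: unreachable-code and misleading-indentation warnings both point at the stray jump.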
 