lists.openwall.net: Open Source and information security mailing list archives
Date: Fri, 29 Jan 2010 12:54:01 -0700
From: cryptopath@...il.com
To: bugtraq@...urityfocus.com
Subject: iPhone certificate flaws

iPhones can be configured over the air by inviting users to download .mobileconfig files from a URL. This feature is used by large companies and universities to distribute various settings to a large number of iPhones.

For security reasons, these files need to be cryptographically signed to be trusted and shown as such. It appears that there is a flaw in the trust chain used by iPhones to validate .mobileconfig signers. Any signature certificate issued by a root CA present in the Safari keystore will be trusted. This is the case, e.g., for demo certificates delivered by Verisign (Level 1) at no cost and without any verification.

Using this, it is easy for a phisher to create a mobileconfig file that redirects all HTTP traffic to a dedicated server, sign it with a certificate identifying it as issued by an authority of their choice, and have it trusted by the iPhone. These config files also allow placing additional root certificates on an iPhone, making it possible to mount man-in-the-middle HTTPS attacks.

More information is available from:
http://cryptopath.wordpress.com/2010/01/29/iphone-certificate-flaws/
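The following is an added example, not part of the post above or of any Apple or cryptopath code. It uses openssl to reproduce the trust decision the post describes: a .mobileconfig is a DER-encoded CMS SignedData blob wrapping the plist, so "signed by any root in the keystore" can be checked with `openssl smime -verify` against a bundle of every root, while a pinned policy verifies against the organization's own CA only and compares the signer certificate's fingerprint to the expected one. The two CAs ("Example University Root CA" standing in for the organization, "Public Demo CA" standing in for a public root that issues unverified demo certificates), the signer subject and the plist contents are all constructed for the demo; the attacker's certificate deliberately carries the same subject as the legitimate one, since a CA that does no identity checks will sign whatever name is requested.

```shell
#!/bin/sh
# Added example (not from the original post): weak "any root in the keystore"
# check vs. a signer-pinned check for CMS-signed .mobileconfig profiles.
# All CA names, subjects and the profile below are made up for the demo.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Self-signed CA. basicConstraints/keyUsage are set via -extfile so the cert
# is accepted as an issuer regardless of the local openssl.cnf defaults.
make_ca() { # $1 = file prefix, $2 = CN
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1.ext"
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 2 \
    -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}

# End-entity signing cert issued by a CA. The subject is whatever the
# requester asks for; nothing here ties it to a verified identity.
make_signer() { # $1 = CA prefix, $2 = output prefix, $3 = subject DN
  openssl req -new -newkey rsa:2048 -nodes -subj "$3" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
    -CAcreateserial -days 2 -out "$2.crt" 2>/dev/null
}

# A .mobileconfig is DER CMS SignedData with the plist embedded (-nodetach).
sign_profile() { # $1 = signer prefix, $2 = plist, $3 = output file
  openssl smime -sign -binary -nodetach -outform DER \
    -signer "$1.crt" -inkey "$1.key" -in "$2" -out "$3" 2>/dev/null
}

# Weak policy (what the post describes): any signer that chains to any root
# in the keystore bundle is accepted.
weak_check() { # $1 = profile, $2 = PEM bundle of every trusted root
  openssl smime -verify -inform DER -in "$1" -CAfile "$2" -no-CApath \
    -out /dev/null 2>/dev/null
}

# Pinned policy: chain only to the organization's CA, then require the
# signer certificate to be exactly the one we expect (SHA-256 fingerprint).
pinned_check() { # $1 = profile, $2 = org CA cert, $3 = expected fingerprint
  rm -f signer.pem
  openssl smime -verify -inform DER -in "$1" -CAfile "$2" -no-CApath \
    -signer signer.pem -out /dev/null 2>/dev/null || return 1
  [ "$(openssl x509 -in signer.pem -noout -fingerprint -sha256)" = "$3" ]
}

# Print the issuer of the certificate embedded in a profile (what a user would
# need to see to tell the two profiles apart; the subject is identical).
signer_issuer() { # $1 = profile
  openssl pkcs7 -inform DER -in "$1" -print_certs -noout | sed -n 's/^issuer=//p'
}

# --- constructed scenario -------------------------------------------------
make_ca org-ca    "Example University Root CA"   # the organization's real CA
make_ca public-ca "Public Demo CA"               # public root, no vetting of requests
SUBJ="/O=Example University/CN=Example University Profile Signer"
make_signer org-ca    legit    "$SUBJ"
make_signer public-ca attacker "$SUBJ"           # same name, different issuer

cat > profile.plist <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.demo.profile</string>
  <key>PayloadDisplayName</key><string>Example University Wi-Fi</string>
</dict></plist>
EOF
sign_profile legit    profile.plist legit.mobileconfig
sign_profile attacker profile.plist attacker.mobileconfig

cat org-ca.crt public-ca.crt > keystore.pem    # "every root CA the phone knows"
LEGIT_FP=$(openssl x509 -in legit.crt -noout -fingerprint -sha256)

verdict() { "$@" && echo accept || echo reject; }
for p in legit attacker; do
  printf '%-8s weak=%s pinned=%s issuer=%s\n' "$p" \
    "$(verdict weak_check "$p.mobileconfig" keystore.pem)" \
    "$(verdict pinned_check "$p.mobileconfig" org-ca.crt "$LEGIT_FP")" \
    "$(signer_issuer "$p.mobileconfig")"
done
```

Both profiles pass the weak check because both chains end at a root in the bundle; only the legitimate one passes the pinned check. The fingerprint comparison is what makes the second policy hold up even if the organization's CA were later coaxed into issuing a second certificate with the same subject: the phone (or an admin auditing a profile before pushing it) trusts one specific signer, not a name.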
