First off, thanks to Adam Goodman for the extensive analysis and verification of the workaround. Seriously, fine work, Adam. Your additional perspective really helps.

As Sorcerer13 suggested, we originally targeted this workaround for a fairly specific subset of use cases and geared our own validation around those cases. The leaf node validation workaround is admittedly too narrow in scope to proclaim this a general-purpose workaround for _all_ use cases. That said, not allowing intermediates _will_ address the vulnerability for some customers if they don't require support for intermediates. However, for some customers, a more extensive workaround which implements actual DER parsing and correct chain validation is probably necessary as well. I know of at least one application which has implemented this more or less with a 3rd-party API. I should point out that, as far as anybody knows, the actual DER parsing on iOS is not where the vulnerability existed, so it may still be possible to leverage the Apple core APIs to do what you are suggesting without OpenSSL. That said, it could be a dead end. Nobody but Apple knows for sure, and they're staying pretty quiet.

Since the presentation at Defcon and publishing this followup blog post, we have been digging further into the security update to determine what exactly Apple has fixed. The fact is that it is incredibly frustrating that there is so little actual information out there on where the original flaw existed. We're trying to remedy this first and foremost. Hopefully more on this soon.
Nov 24, 2010