A subtle mistake in how Apple implemented a basic encryption feature that shields data from snooping also affects many desktop applications that rely on the code, according to a noted security researcher.
Apple released a patch on Friday for its iOS mobile platform but has yet to fix the problem for desktop computers, which often have several applications that rely on the faulty code library, called Secure Transport.
Ashkan Soltani, an independent privacy and security researcher, said many other Apple and non-Apple applications are affected.
Security researcher Ashkan Soltani said several other desktop applications, include Apples Mail, FaceTime and Calendar, use a code library that could allow an attacker to steal data. (Click to enlarge.)
Those include Apples Mail, FaceTime, Calendar, Keynote, the Safari browser, iBooks and its Software Update applications. It would also appear to affect third-party applications, such as the desktop Twitter application and possibly VPN (virtual private network) connections, depending on their configurations, Soltani said.
The Secure Transport library, which handles setting up an encrypted connection for many applications, was contained in iOS 6 and up and OSX versions 10.9 and up, Soltani said via email.
Most websites handling sensitive personal data use SSL (Secure Sockets Layer) or TLS (Transport Layer Security), which establishes an encrypted connection between a server and a persons computer. If an attacker intercepts the data, it is unreadable.
Apples mistake in Secure Transport allows an attacker to perform a man-in-middle attack, and supply fake data that makes it appear an authentic web service has been cryptographically verified.
This enables an adversary to masquerade as coming from a trusted remote endpoint, such as your favorite webmail provider and perform full interception of encrypted traffic between you and the destination server, wrote Alex Radocea, senior engineer with the computer security firm CrowdStrike, on Friday. CrowdStrike analyzed Apples patch for iOS after it was released.
The flaw is deeply buried in a line of code, wrote Adam Langley, a software engineer at Google, on his personal blog.
More:
Apple encryption mistake puts many desktop applications at risk
- Report: NSA building comp to crack encryption types [Last Updated On: January 5th, 2014] [Originally Added On: January 5th, 2014]
- Report: NSA looking to crack all encryption with quantum computer [Last Updated On: January 5th, 2014] [Originally Added On: January 5th, 2014]
- Sound Advice: Explaining Comcast cable encryption [Last Updated On: January 5th, 2014] [Originally Added On: January 5th, 2014]
- NSA Building Encryption-Busting Super Computer [Last Updated On: January 5th, 2014] [Originally Added On: January 5th, 2014]
- NSA researches quantum computing to crack most encryption [Last Updated On: January 5th, 2014] [Originally Added On: January 5th, 2014]
- Advanced Encryption Standard - Wikipedia, the free encyclopedia [Last Updated On: January 5th, 2014] [Originally Added On: January 5th, 2014]
- How Encryption Works - HowStuffWorks "Computer" [Last Updated On: January 5th, 2014] [Originally Added On: January 5th, 2014]
- [Last Updated On: January 5th, 2014] [Originally Added On: January 5th, 2014]
- Email Encryption - MB Technology Solutions - Video [Last Updated On: January 5th, 2014] [Originally Added On: January 5th, 2014]
- Email Encryption - Video [Last Updated On: January 5th, 2014] [Originally Added On: January 5th, 2014]
- Reversible Data Hiding in Encrypted Images by Reserving Room Before Encryption - Video [Last Updated On: January 5th, 2014] [Originally Added On: January 5th, 2014]
- Toshiba WT8 Full Disk Encryption, Miracast, Easy Stand - Video [Last Updated On: January 5th, 2014] [Originally Added On: January 5th, 2014]
- Australian Encryption | Text encryption software for the protection of your privacy - Video [Last Updated On: January 5th, 2014] [Originally Added On: January 5th, 2014]
- njRAT v0 6 4 server Clean Encryption - Video [Last Updated On: January 5th, 2014] [Originally Added On: January 5th, 2014]
- AlertBoot New Encryption Compliance Reports Prepare Covered Entities For HIPAA Audits [Last Updated On: January 23rd, 2014] [Originally Added On: January 23rd, 2014]
- BlackBerry denies using backdoor-enabled encryption code [Last Updated On: January 23rd, 2014] [Originally Added On: January 23rd, 2014]
- What Is Encryption? (with pictures) - wiseGEEK [Last Updated On: January 23rd, 2014] [Originally Added On: January 23rd, 2014]
- HowStuffWorks "How Encryption Works" [Last Updated On: January 23rd, 2014] [Originally Added On: January 23rd, 2014]
- Gambling with Secrets Part 5 8 Encryption Machines - Video [Last Updated On: January 23rd, 2014] [Originally Added On: January 23rd, 2014]
- The Benefits of Hosted Disk Encryption - Video [Last Updated On: January 23rd, 2014] [Originally Added On: January 23rd, 2014]
- Quill Encryption - what's that? - Video [Last Updated On: January 23rd, 2014] [Originally Added On: January 23rd, 2014]
- WhatsApp Encryption - Shmoocon 2014 by @segofensiva @psaneme - Video [Last Updated On: January 23rd, 2014] [Originally Added On: January 23rd, 2014]
- encryption demo2 - Video [Last Updated On: January 23rd, 2014] [Originally Added On: January 23rd, 2014]
- encryption demo - Video [Last Updated On: January 23rd, 2014] [Originally Added On: January 23rd, 2014]
- Seven - Encryption Official Lyric Visual - Video [Last Updated On: January 23rd, 2014] [Originally Added On: January 23rd, 2014]
- Quantum Computers - The Ultimate Encryption Backdoor? - Video [Last Updated On: January 23rd, 2014] [Originally Added On: January 23rd, 2014]
- Eric Schmidt: Encryption will break through the Great Firewall of China [Last Updated On: January 24th, 2014] [Originally Added On: January 24th, 2014]
- From NSA to Gmail: Ex-spy launches free email encryption service [Last Updated On: January 24th, 2014] [Originally Added On: January 24th, 2014]
- Tennessee bill takes on NSA encryption-breaking facility at Oak Ridge/SHUT. IT. DOWN. - Video [Last Updated On: January 24th, 2014] [Originally Added On: January 24th, 2014]
- Substitute for:Measurements. 1 Episode. Strength of the encryption algorithm - Video [Last Updated On: January 24th, 2014] [Originally Added On: January 24th, 2014]
- RSA Encryption Checkpoint - Video [Last Updated On: January 24th, 2014] [Originally Added On: January 24th, 2014]
- Gambling with Secrets 8 8 RSA Encryption 1 - Video [Last Updated On: January 24th, 2014] [Originally Added On: January 24th, 2014]
- Google chairman says 'encrypting everything' could end China's censorship, stop NSA snooping [Last Updated On: January 26th, 2014] [Originally Added On: January 26th, 2014]
- Ex-spy launches free email encryption service [Last Updated On: January 26th, 2014] [Originally Added On: January 26th, 2014]
- 3 2 The Data Encryption Standard 22 min - Video [Last Updated On: January 26th, 2014] [Originally Added On: January 26th, 2014]
- RSA Encryption step 3 - Video [Last Updated On: January 26th, 2014] [Originally Added On: January 26th, 2014]
- RSA Encryption step 2 - Video [Last Updated On: January 26th, 2014] [Originally Added On: January 26th, 2014]
- aes tutorial, cryptography Advanced Encryption Standard AES Tutorial,fips 197 - Video [Last Updated On: January 26th, 2014] [Originally Added On: January 26th, 2014]
- Townsend Security Release First Encryption Key Management Module for Drupal [Last Updated On: January 27th, 2014] [Originally Added On: January 27th, 2014]
- RSA Encryption step 5 - Video [Last Updated On: January 27th, 2014] [Originally Added On: January 27th, 2014]
- Lavabit case highlights legal fuzziness around encryption rules [Last Updated On: January 28th, 2014] [Originally Added On: January 28th, 2014]
- A Beginner's Guide To Encryption: What It Is And How To Set It Up [Last Updated On: January 28th, 2014] [Originally Added On: January 28th, 2014]
- How App Developers Leave the Door Open to NSA Surveillance [Last Updated On: January 28th, 2014] [Originally Added On: January 28th, 2014]
- Intro to RSA Encryption step 1 - Video [Last Updated On: January 28th, 2014] [Originally Added On: January 28th, 2014]
- “Honey Encryption” Will Bamboozle Attackers with Fake Secrets [Last Updated On: January 30th, 2014] [Originally Added On: January 30th, 2014]
- Encryption - A Life Unlived (DEMO) - Video [Last Updated On: January 30th, 2014] [Originally Added On: January 30th, 2014]
- Baffle thy enemy: The case for Honey Encryption [Last Updated On: January 31st, 2014] [Originally Added On: January 31st, 2014]
- New AlertBoot Encryption Reports Make Dental HIPAA Compliance Easier [Last Updated On: January 31st, 2014] [Originally Added On: January 31st, 2014]
- Encryption - The Protest - Video [Last Updated On: January 31st, 2014] [Originally Added On: January 31st, 2014]
- Encryption - New Life - Video [Last Updated On: February 1st, 2014] [Originally Added On: February 1st, 2014]
- Encryption - Intro - Video [Last Updated On: February 1st, 2014] [Originally Added On: February 1st, 2014]
- Encryption - Blank Canvas - Video [Last Updated On: February 1st, 2014] [Originally Added On: February 1st, 2014]
- Security First SPxBitFiler-IPA encryption pattern for the IBM PureApplication System - Video [Last Updated On: February 3rd, 2014] [Originally Added On: February 3rd, 2014]
- Revolutionary new cryptography tool could make software unhackable [Last Updated On: February 4th, 2014] [Originally Added On: February 4th, 2014]
- viaForensics webinar: Mobile encryption - the good, bad, and broken - Aug 2013 - Video [Last Updated On: February 4th, 2014] [Originally Added On: February 4th, 2014]
- K.OStream 0.2 File Encryption Test - Video [Last Updated On: February 4th, 2014] [Originally Added On: February 4th, 2014]
- Tumblr adds SSL encryption option, but not as the default [Last Updated On: February 5th, 2014] [Originally Added On: February 5th, 2014]
- Latest Java Project Source Code on Chaotic Image Encryption Techniques - Video [Last Updated On: February 5th, 2014] [Originally Added On: February 5th, 2014]
- Encryption - University of Illinois at Urbana–Champaign [Last Updated On: February 6th, 2014] [Originally Added On: February 6th, 2014]
- A Beginner's Guide to Encryption: What It Is and How to ... [Last Updated On: February 6th, 2014] [Originally Added On: February 6th, 2014]
- Real Data Encryption Software is More Important than Ever ... [Last Updated On: February 8th, 2014] [Originally Added On: February 8th, 2014]
- Caesar Cipher Encryption method With example in C Language - Video [Last Updated On: February 8th, 2014] [Originally Added On: February 8th, 2014]
- Hytera DMR 256 bit encryption - Video [Last Updated On: February 9th, 2014] [Originally Added On: February 9th, 2014]
- Townsend Security Releases Encryption Key Management Virtual Machine for Windows Azure [Last Updated On: February 10th, 2014] [Originally Added On: February 10th, 2014]
- Unitrends Data Backup Webinar: Utilizing The Cloud, Deduplication, and Encryption - Video [Last Updated On: February 10th, 2014] [Originally Added On: February 10th, 2014]
- Main menu [Last Updated On: February 12th, 2014] [Originally Added On: February 12th, 2014]
- Use of encryption growing but businesses struggle with it – study [Last Updated On: February 12th, 2014] [Originally Added On: February 12th, 2014]
- SlingSecure Mobile Voice Encryption Installation Video for Android - Video [Last Updated On: February 12th, 2014] [Originally Added On: February 12th, 2014]
- Data breaches drive growth in use of encryption, global study finds [Last Updated On: February 14th, 2014] [Originally Added On: February 14th, 2014]
- Darren Moffat: ZFS Encryption - Part 2 - Video [Last Updated On: February 14th, 2014] [Originally Added On: February 14th, 2014]
- Darren Moffat: ZFS Encryption - Part 1 - Video [Last Updated On: February 14th, 2014] [Originally Added On: February 14th, 2014]
- How do I configure User Local Recovery in Endpoint Encryption Manager 276 - Video [Last Updated On: February 14th, 2014] [Originally Added On: February 14th, 2014]
- Symmetric Cipher (Private-key) Encryption - Video [Last Updated On: February 14th, 2014] [Originally Added On: February 14th, 2014]
- SafeGuard File Encryption for Mac - Installation and Configuration - Video [Last Updated On: February 14th, 2014] [Originally Added On: February 14th, 2014]
- Fundamentals of Next Generation Encryption - Video [Last Updated On: February 14th, 2014] [Originally Added On: February 14th, 2014]
- Tutorial: Einrichten der EgoSecure Endpoint Removable Device Encryption - Video [Last Updated On: February 14th, 2014] [Originally Added On: February 14th, 2014]
- 'PGP' encryption has had stay-powering but does it meet today's enterprise demands? [Last Updated On: February 15th, 2014] [Originally Added On: February 15th, 2014]
- Fact or Fiction: Encryption Prevents Digital Eavesdropping [Last Updated On: February 15th, 2014] [Originally Added On: February 15th, 2014]
- RHCSA PREP:answer to question 20 (Central Authentication Using LDAP with TLS/SSL Encryption) - Video [Last Updated On: February 15th, 2014] [Originally Added On: February 15th, 2014]
- Protect+ Voice Recorder with Encryption - Video [Last Updated On: February 15th, 2014] [Originally Added On: February 15th, 2014]