apple-go-to-fail-ssl-bug

As any parent knows, success and failure roll out slowly over the course of time, each moment arriving with the slow-motion clarity of a car crash. That said, Secure Sockets Layer (SSL) has been with us for 19 years and you’d think someone would have figured it out by now. Yes, Apple’s “go to fail” SSL bug is ugly, but hardly unique.

There he/she is, your 19-year-old child, face down in a puddle of coffee and Red Bull on the side of the road. An embarrassing farce, but hardly criminal.

Or, at least that is how The Register tells Apple’s go to fail story.

“It’s apparent that Apple suffered a double slip: someone’s command-V slipped, and it wasn’t caught in any code review,” writes El Reg’s Richard Chirgwin.

A bleary-eyed coder “slipped,” just that simple, with big implications.

The go to fail bug is present in both iOS (mobile) and Mac OS X (desktop). While Apple has already delivered patches for iOS 6 and iOS 7, effectively protecting hundreds of millions of users, a Mac OS X patch is coming “very soon,” says Apple.

As noted in the lede, however, Apple’s bad parenting isn’t unique. Router maker Belkin and WhatsApp (yes, that WhatsApp) have also been caught out schlepping bad SSL certificates.

Before you get too bent out of shape, at least as far as Apple’s go to fail is concerned, the attacker needs to be on the same local network, which greatly limits the practical threat level.

UPDATE: Mavericks Update: OS X 10.9.2 Ships with Go to Fail Fix, More

Go to Fail: Coffee Culture

In the growing wake of Ed Snowden’s ongoing NSA revelations, it is assumed that any and all software faults, flaws and flubs are actually backdoors crafted by nefarious spooks, spies and hackers that live in our midst — this is proof.

However, El Reg sees Apple’s epic go to fail SSL bug with different, though equally uncharitable, eyes. In a nutshell, Apple’s SSL code sucked because all code sucks, and that comes down to culture.

[T]here’s … not a company or government department so boring that staging a Hackathon won’t bring it some hipster credibility. Throw in a trophy and a boxed set of steak knives as first prize, and coders will show up, work ruinous hours and happily turn over their output for free.

Just add coffee, then rinse and repeat with lots and lots of coffee.

“There’s another reason to think it was an accident: it’s not very subtle,” adds Columbia University security researcher Steven Bellovin. “That sequence would stick out like a sore thumb to any programmer who looked at it…”

The problem is that no one actually looked at it until last week. Why bother? El Reg notes that standard debugging procedures using industry-standard debuggers didn’t find Apple’s go to fail SSL bug.
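Why a debugger never tripped over the slip: the pasted duplicate doesn’t crash or misbehave, it just makes the last check unreachable while the error variable still says “success.” The C sketch below is an added illustration, not Apple’s code; the three handshake steps and the error values are constructed stand-ins with the same control-flow shape.

```c
#include <stddef.h>

/* Constructed status codes (assumption: stand-ins for the real OSStatus
 * values, not Apple's). 0 means "this handshake step succeeded". */
#define ERR_OK       0
#define ERR_BAD_SIG  (-1)

/* Simulated handshake steps 1..3; the step numbered `failing_step` reports
 * a failure. Step 3 stands for the final signature check. (constructed) */
static int run_step(int step, int failing_step)
{
    return step == failing_step ? ERR_BAD_SIG : ERR_OK;
}

/* Same shape as the bug: the second, unconditional "goto fail;" makes the
 * last check dead code. err is still ERR_OK at the label, so a bad
 * signature is reported as success. */
int verify_vulnerable(int failing_step)
{
    int err;
    if ((err = run_step(1, failing_step)) != 0)
        goto fail;
    if ((err = run_step(2, failing_step)) != 0)
        goto fail;
        goto fail;                               /* the pasted duplicate */
    if ((err = run_step(3, failing_step)) != 0)  /* never executed */
        goto fail;
fail:
    return err;                                  /* cleanup would go here */
}

/* Hardened form: braces on every body, so a stray duplicate line can
 * only land inside a block and the final check is always reached. */
int verify_fixed(int failing_step)
{
    int err;
    if ((err = run_step(1, failing_step)) != 0) { goto fail; }
    if ((err = run_step(2, failing_step)) != 0) { goto fail; }
    if ((err = run_step(3, failing_step)) != 0) { goto fail; }
fail:
    return err;
}
```

Compiling the vulnerable function with clang and -Wunreachable-code reports the dead if; gcc accepts the same flag without warning, which is why a brace-everything style and review, rather than the toolchain, are the realistic catch for this shape.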

Lastly, does anyone honestly believe that the NSA is less stupid than Apple, Belkin, WhatsApp, etc? Like their private sector counterparts, NSA coders have been up for days, guzzling coffee and eating cheese curls, too…

What’s your take?