[nSLUG] GnuTLS certificate bug and Apple certificate bug
George N. White III
gnwiii at gmail.com
Sat Mar 22 18:30:36 ADT 2014
On Fri, Mar 21, 2014 at 11:08 AM, Julien Savoie <julien.savoie at usainteanne.ca> wrote:
> On 21/03/14 11:09 AM, Gerald Ruderman wrote:
> > I did oversimplify it. I agree any semi-competent bad guy could find
> > this. I conclude the developers and testers failed to think enough like
> > a bad guy.
Developers and testers of SSL implementations aren't doing their jobs if
they don't think about what bad guys might do, but this was a clear case where
the intended checks weren't being made through sloppy coding, which is a
problem even if the developers and testers are only thinking about the
> No one is perfect, least of all me. I just wanted to clarify for
> academic/educational purposes lest someone take away the wrong
> understanding of the issue. I however am not qualified to get into the
> collective heads of Apple developers, but evidently security is not as
> high a priority within Apple as many would like to believe. And I do
> think it comes down to a matter of priorities, so much so that I doubt
> any real testing of their SSL implementation happened.
Whatever testing was done by Apple was clearly incomplete; whether due
to a low priority for testing, NSA "contributions" to the code and tests, or
just shoddy work may never be known.
George N. White III <aa056 at chebucto.ns.ca>
Head of St. Margarets Bay, Nova Scotia