[nSLUG] GnuTLS certificate bug and Apple certificate bug

George N. White III gnwiii at gmail.com
Sat Mar 22 18:30:36 ADT 2014


On Fri, Mar 21, 2014 at 11:08 AM, Julien Savoie <
julien.savoie at usainteanne.ca> wrote:

> On 21/03/14 11:09 AM, Gerald Ruderman wrote:
> > I did oversimplify it. I agree any semi-competent bad guy could find
> > this. I conclude the developers and testers failed to think enough like
> > a bad guy.
>

Developers and testers of SSL implementations aren't doing their jobs if
they don't think about what bad guys might do, but this was a clear case
where the intended checks weren't being made through sloppy coding, which
is a problem even if the developers and testers are only thinking about
the standard.


> No one is perfect, least of all me.  I just wanted to clarify for
> academic/educational purposes lest someone take away the wrong
> understanding of the issue.  I however am not qualified to get into the
> collective heads of Apple developers, but evidently security is not as
> high a priority within Apple as many would like to believe.  And I do
> think it comes down to a matter of priorities, so much so that I doubt
> any real testing of their SSL implementation happened.
>

Whatever testing was done by Apple was clearly incomplete, whether due
to a low priority for testing, NSA "contributions" to the code and tests,
or just shoddy work may never be known.


-- 
George N. White III <aa056 at chebucto.ns.ca>
Head of St. Margarets Bay, Nova Scotia