
New iPhone certificate attack

Created: 03 Feb 2010 • Updated: 18 Dec 2012 • 2 comments
Tim Callan

An anonymous researcher recently outlined a chain of vulnerabilities and an attack on the iPhone that used a VeriSign S/MIME e-mail certificate as one part of the attack. The researcher obtained a Class 1 certificate, which is a low-assurance e-mail certificate that people use for encryption only. The e-mail address is the only authenticated information in the certificate. The identity name is not authenticated, by design.

The iPhone attack exploited a weakness in the iPhone that required a certificate chained to a root that the iPhone trusted. While a VeriSign cert was chosen, any certificate that chained to any root trusted by the iPhone would have sufficed. Contrary to some misinterpretations of the story, VeriSign did not incorrectly issue a certificate in Apple's name, and there was no error in the VeriSign authentication practices.

The Cryptopath blog, which unveiled the flaw, offered this comment:

It is relatively easy to obtain a signature certificate from many of them [Certificate Authorities] without any sort of verification. A demo signature certificate can be obtained from VeriSign without need for anything other than a valid e-mail address (throwaway addresses work, too) for sixty days at no price and without providing any credit card details... VeriSign is not to blame for this in any way.

2 Comments

SSL247

Seems people at Apple are quick to point the finger!

+1
Tim Callan

For what it's worth, I'm unaware of any statements from Apple itself that attempt to dodge ownership of this bug. I have seen statements from other third parties that appear not to understand exactly how this problem occurred. That's why the Cryptopath statement is helpful in understanding the precise causes of the trouble.

+3